Uploaded byDanteJara8
65 views

DataPower for PCI

The document is a presentation about IBM DataPower and PCI solutions. It discusses PCI standards and requirements, including the 12 requirements of the PCI Data Security Standard. It describes how IBM DataPower gateway appliances can help organizations meet many of the PCI requirements through their support of encryption, firewalling, access control, logging, and security policy enforcement capabilities for web services, applications, and networks. DataPower provides XML and web application firewalling, vulnerability management, access control measures, monitoring, and helps maintain security policies needed for PCI compliance.

Embed presentation

Download to read offline
Xchel Martínez Galicia IBM Hybrid Cloud: Technical Connectivity, Integration and SOA IT Specialist xchel@mx1.ibm.com César Tort Integration & Development - Key Accounts ctort@mx1.ibm.com March 27th, 2018 IBM DataPower - PCI Solutions
2 “Stores of the future will be more connected and experience-driven… Data security will be a major concern” Planet Retail
Confidential – Liverpool and IBM About this presentation 3 © Copyright IBM Corporation 2018. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Confidential – Liverpool and IBM • About PCI (Payment Card Industry) • PCI DSS (Data Security Standard) • Which kind of data should be protected? • What are WebSphere DataPower Appliances? • WebSphere DataPower and the PCI DSS “Digital Dozen” Content 4
About PCI (Payment Card Industry)
Confidential – Liverpool and IBM 6 About PCI (Payment Card Industry) § The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. § The Council was founded in 2006, with American Express, Discover Financial Services, Japan Credit Bureau International, MasterCard and Visa Inc. as founding members. § As of 2018, the PCI SSC lists 797 Participating Organizations around the world. IBM is one of them! § Founding members have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs.
PCI DSS (Data Security Standard)
Confidential – Liverpool and IBM 8 § For whom serves PCI DSS? Those who work with and are associated with payment cards. This includes: retail (e-commerce & brick & mortar), merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments. § What is the objective to work with PCI DSS? – Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. – Helping vendors understand and implement standards for creating/maintain secure payment solutions. § Why is important comply with PCI DSS? Potential liabilities • Lost confidence, so customers go to other merchants • Diminished sales • Cost of reissuing new payment cards • Fraud losses • Higher subsequent costs of compliance • Legal costs, settlements and judgments • Fines and penalties • Termination of ability to accept payment cards • Lost jobs (CISO, CIO, CEO and dependent professional positions) • Going out of business PCI DSS (Data Security Standard)
Confidential – Liverpool and IBM 9 But, what is PCI DSS? § What is PCI DSS? PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It includes 12 requirements, below is a high-level overview
Which kind of data should be protected?
Confidential – Liverpool and IBM 11 Which kind of data should be protected? § Where are the crown jewels? Cardholder data refers to any information contained on a customer’s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded in the backside of the card. Some payment cards store data in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization.
Confidential – Liverpool and IBM 12 Which kind of data should be protected? § Here they are the crown jewels!!
What are WebSphere DataPower Gateway Appliances?
Confidential – Liverpool and IBM 14 What are WebSphere DataPower Gateway Appliances? Product Value “Specialized purpose-built hardened embedded network devices that take the “hard parts” of SOA security and integration traditionally requiring complex and costly software systems and delivers them in a simple “uncrate, rack, configure and deploy” platform.” Powerful and uniquely efficient message and file oriented configuration-driven Security and Integration platform with the extremely low operational TCO of a true network device.
Confidential – Liverpool and IBM 15 Over to 3,000 worldwide installations and growing! § Used by 95% of top global insurances firms § SaaS providers, ASPs, regulators, etc. § Agencies and ministries § Defense and security organizations § Crown corporations Insurance Government Banking § Retailers § Utilities, Power, Oil and Gas § Airlines § etc. Many, many, more § 80% of top 100 Banks § Numerous regional banks and credit unions § SaaS providers, ASPs, regulators, etc.
Confidential – Liverpool and IBM 16 Over 2200 DataPower Appliance clients § The largest portfolio of SOA appliances § 80% of customers are repeat buyers § Appliance Innovator: leading appliance market since 2003 § 90% of top 100 Financial Institutions are DataPower installations § Broadest support for open standards and programming models § Proven to accelerate time-to-market and lowers total cost of ownership “One of the strongest points for IBM comes from its industry-leading experience with both SOA and appliances. Because IBM has been in the SOA game for a long time, it has built up extensive and pervasive SOA skills globally...IBM has developed a solid business approach to the appliance marketplace, taking into account the challenges of adding new members to the range, maintaining a consistent focus and ensuring clients continue to get ongoing value.” ~ Source: November 2012, Lustratus Research, Inc: A Competitive Review of SOA Appliances Gartner reported that IBM continues to be number one in key areas including Integration Appliances - Source: April 2012, “IBM Named Marketshare Leader in Middleware Software” http://www-03.ibm.com/press/us/en/pressrelease/37376.wss IBM DataPower Appliances Lead the Market The Leader in SOA Appliances
Confidential – Liverpool and IBM 17 • Data format & language – JavaScript ‒ JSON ‒ JSON Schema ‒ JSONiq ‒ REST ‒ SOAP 1.1, 1.2 ‒ WSDL 1.1 ‒ XML 1.0 ‒ XML Schema 1.0 ‒ XPath 1.0 ‒ XPath 2.0 (XQuery only) ‒ XSLT 1.0 ‒ XQuery 1.0 • Security policy enforcement ‒ OAuth 2.0 ‒ SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries ‒ XACML 2.0 ‒ Kerberos, SPNEGO ‒ RADIUS ‒ LDAP versions 2 and 3 ‒ Lightweight Third-Party Authentication (LTPA) ‒ Microsoft Active Directory ‒ FIPS 140-2 Level 3 (w/ optional HSM) ‒ SAF & IBM RACF® integration with z/OS ‒ Internet Content Adaptation Protocol ‒ W3C XML Encryption ‒ W3C XML Signature ‒ S/MIME encryption and digital signature ‒ WS-Security 1.0, 1.1 ‒ WS-I Basic Security Profile 1.0, 1.1 ‒ WS-SecurityPolicy ‒ WS-SecureConversation 1.3 Supported standards & protocols • Transport & connectivity – HTTP, HTTPS, WebSocket Proxy – FTP, FTPS, SFTP – WebSphere MQ – WebSphere MQ File Transfer Edition (MQFTE) – TIBCO EMS – WebSphere Java Message Service (JMS) – IBM IMS Connect, & IMS Callout – NFS – AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62) – DB2, Microsoft SQL Server, Oracle, Sybase, IMS • Transport Layer Security ‒ SSL versions 2 and 3 ‒ TLS versions 1.0, 1.1, and 1.2 • Public key infrastructure (PKI) ‒ RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP ‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12 ‒ XKMS for integration with Tivoli Security Policy Manager (TSPM) • Management ‒ Simple Network Management Protocol (SNMP) ‒ SYSLOG ‒ IPv4, IPv6 • Open File Formats ‒ Distributed Management Task Force (DMTF) Open Virtualization Format (OVF) ‒ VMware Virtual Machine Disk Format (VMDK) • Web services – WS-I Basic Profile 1.0, 1.1 – WS-I Simple SOAP Basic Profile – WS-Policy Framework – WS-Policy 1.2, 1.5 – WS-Trust 1.3 – WS-Addressing – WS-Enumeration – WS-Eventing – WS-Notification – Web Services Distributed Management (WSDM) – WS-Management – WS-I Attachments Profile – SOAP Attachment Feature 1.2 – SOAP with Attachments (SwA) – Direct Internet Message Encapsulation (DIME) – Multipurpose Internet Mail Extensions (MIME) – XML-binary Optimized Packaging (XOP) – Message Transmission Optimization Mechanism (MTOM) – WS-MediationPolicy (IBM standard) – Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription – WebSphere Service Registry and Repository (WSRR)
Confidential – Liverpool and IBM 18 Internet Trusted Domain Business Consumer 1 B2B Partner Gateway 2 Secure Gateway (Web Services, Web Applications) 3 Intelligent Load Distribution Application Application System z DMZ 4 Internal Security 5 Light Weight Integration 6 Web Service Management 7 Legacy Integration 8 Run time SOA Governance HMC Mobile WebSphere DataPower - Use Cases
WebSphere DataPower and the PCI DSS “Digital Dozen”
Confidential – Liverpool and IBM 20 WebSphere DataPower ideal solution for many requirements: ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks WebSphere DataPower and the PCI DSS “Digital Dozen” ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security
Confidential – Liverpool and IBM Req. 12 Req. 10 Req. 7,8,9 Req. 3,4 Req. 1 21 § Web Services (XML) - Filter on any content, metadata or network variables § Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling § Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed § Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation § Encryption of transport layer - HTTP, HTTPS, SSL. § Anti Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through ICAP protocol § XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc § Management & Logging - manage & track services, logging of all activities, audit. § Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process. § Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security) Req. 5 DataPower - Key Functions for PCI Compliance
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 22 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 23 ▪ An important – but small – part of the DataPower ▪ Integrated multi-layer filters: – IP-layer params (e.g., client IP address) – SSL params (e.g., client certificate) – Any part of HTTP header – XPath or XML configuration files for any part of SOAP header – XPath or XML configuration files on any part of XML payload – First-level filter select based on service, URL, etc. ▪ Easy “point and click” XPath Filtering ▪ Enable/Disable each SOAP method using WSDL wizard ▪ Can be applied at any point in message processing XML/SOAP Firewall
Confidential – Liverpool and IBM 24 Web Application Firewall ▪ URL-encoded HTTP application protection in addition to XML Web Services firewall security ▪ Protection for static or dynamic HTML-based applications ▪ Supports browser-based clients and HTTP/HTTPS backend servers ▪ Wizard-driven configuration ▪ Cross-site scripting and SQL Injection protection ▪ AAA framework support for web applications ▪ General name-value criteria boundary profiles for: – Query string and form parameters – HTTP headers – Cookies ▪ HTML Input Conversion Maps for form processing and handling ▪ Cookie watermarking (sign and/or encrypt) ▪ Rate limiting and traffic throttling/shaping ▪ HTTP Header stripping, injection, rewriting and method filtering ▪ Content-type filtering ▪ Dynamic routing and load balancing ▪ Session handling policies ▪ SSL Acceleration & Termination (Link) ▪ Customizable error handling
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 25 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 26 DataPower: Protecting Cardholder Data Encrypted & digitally signed Message <Credit Card> <Cust>Brian P. Bell</Cust> <Encrypted CCN> ws389maz301</Encrypted CCN> <Credit Type>AMEX</Credit Type> ………………. </Credit Card> Key Functions: Terminate SSL Defend against XML threats Validate XML (schema) Authentication Authorization Audit/Transaction Logging Filter data Encrypt/Decrypt message Digitally sign message Mask back-end resources Route based on content Encrypted XML data is delivered to the database to the encrypted credit card for later use DB2 9 Client sends credit card information to be stored in the database though an supported protocol Response message is sent confirming the insertion of the encrypted credit card number into the database Response message is received confirming the insertion of the encrypted credit card number into the database Protocols: HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc Direct DB Connect Incoming Message – data not encrypted <Credit Card> <Cust>Brian P. Bell</Cust> <CreditCardNumber> 3732 955939 395500</CreditCardNumber> <Credit Type>AMEX</Credit Type> ………………. </Credit Card>
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 27 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 28 Field-level XML Security ▪ Sign, verify, encrypt & decrypt ▪ XML Encryption & XML Digital Signature at: – Message-level – Part-of-message or field-level – Headers, as building block of other security specs ▪ Field-level security configurable from the WebGUI ▪ Verify-all option (data-driven verification of all signatures) ▪ DataPower’s own implementation, listed in W3C Interop matrix: – http://www.w3.org/Signature/2001/04/05- xmldsig-interop.html – http://www.w3.org/Encryption/2002/02-xenc- interop.html – Agility for interoperability or customization ▪ Secure Attachment Processing: – Supports the full SOAP with Attachments specification (MIME/DIME) – WS-Security ▪ Last-mile Security for SOA
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 29 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 30 DataPower Anti-Virus Protection § Allows messages and attachments to be checked for viruses § Integrates with corporate virus checking software through the ICAP protocol § Anti-Virus Processing Action eases configuration and use of this capability § Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 31 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 32 Access Control Enforce Who can access Which Web service & When ▪ Deploy as a high-speed access policy enforcement point ▪ Modular authentication/authorization architecture: – x = extract-identity() – z = extract-resource() – zm = map-resource(z) – y = authenticate(x); if (y = null) reject – ym = map-credentials-attributes(y) – allowed = authorize(ym, zm); if (!allowed) reject – audit-and-post-processing(); ▪ Identity examples include: - WS-Security user/pass token - SSL client certificate - SAML assertion - HTTP basic-auth - Proprietary SSO cookie/token ▪ Resource examples: - URL - SOAP method
Confidential – Liverpool and IBM 33 Access Control (2) Leading Standards and Third-party Integration Support ▪ Access control policy: – On-board: certs, XML file [can start simple] – Off-board: external access control servers ▪ Standards-based integration: – LDAP (for CRL, authentication, authorization) – RADIUS (authentication) – XKMS (for CRL, authentication) – SAML (consume, authentication, authorization, produce) – WS-Security, WS-Trust, WS-* – Outbound SOAP or HTTP call ▪ Integration with access management solutions: – Tivoli Access Manager – Tivoli Federated Identity Manager – RSA ClearTrust – Microsoft Active Directory – Sun Identity Server – Netegrity SiteMinder or TransactionMinder – Oblix – CA eTrust – …others including custom integration with any customer environment
Confidential – Liverpool and IBM 34 Access Control (3) AAA Framework Diagram - Authenticate, Authorize, Audit Extract Identity Extract Resource Authenticate Authorize Audit & Accounting SAML WS -Security SSL client cert HTTP Basic -Auth SAML assertion Non -repudiation Monitoring Web Service URI SOAP op name Transfer amount DataPower AAA Framework SOAP/ XML Message SOAP/ XML Message External Access Control Server or On -Board Policy Map Credentials Map Resource
Confidential – Liverpool and IBM ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 35 The PCI DSS consists of 12 requirements:
Confidential – Liverpool and IBM 36 Compliance = Appliance! ▪ Regulatory Compliance is an ever-growing concern for large enterprise customers – e.g. The Financial Services industry alone has recently had to deal with Sarbanes-Oxley, Basel II and PCI DSS ▪ In practice, compliance consists of demonstrating that your company’s policies meet the regulations, and then “attesting” that you follow your documented policies – Attesting is the hard part! ▪ DataPower’s configured processing has always been labeled “policies” ▪ DataPower policies can be exported in human-readable form (XML), thereby reducing the pain associated with attestation – It makes an extremely difficult process much easier ▪ DataPower’s certification to a number of industry standards (FIPS 140- 2, CC EAL4 Evaluation) also makes it compliance-friendly
Confidential – Liverpool and IBM 37 WS-Policy/WS-Security Policy DataPower’s out-of-the-box support for the WS-Policy standards framework means that DataPower runtime policies can be expressed in a way that is both “human readable” and “universally understood” by multiple software solutions.
Confidential – Liverpool and IBM 38 Open Web Application Security Project Compliance Provides Protection Against 100 % Of OWASP Top 10 Risks
Confidential – Liverpool and IBM 39 Summary: Business Benefits § Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device § Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost § Flexibility: Secure, integrate, bridge and version applications without application modification § Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic § Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy” § Reduce Risk: Takes the “grunt work” out of SOA application security and integration allowing you to focus on building your business logic. “In the network” platform allows improved security and audit capabilities without application modification § Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives § A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
3 “I’ve been in retail for 30 years. There has been more change in the last five years than in the previous 25 years” 40 Andy Clarke
Thank you!

More Related Content

PDF
Data Power For Pci Webinar Aug 2012
bygaborvodics
 
PDF
IBM DataPower Gateway - Common Use Cases
byIBM DataPower Gateway
 
PDF
Common DataPower use cases, incl Caching with XC-10 appliance.
bysflynn073
 
PDF
Datapowercommonusecases 130509114200-phpapp02
byKrystel Hery
 
PDF
Datapowercommonusecases 130509114200-phpapp02
byCristina Garrido Lema
 
PDF
WebSphere Integration User Group 13 July 2015 : DataPower session
byHugh Everett
 
PDF
Datapower Steven Cawn
byValeri Illescas
 
PDF
Enterprise grade cloud services with data power virtual
bysflynn073
 
Data Power For Pci Webinar Aug 2012
bygaborvodics
 
IBM DataPower Gateway - Common Use Cases
byIBM DataPower Gateway
 
Common DataPower use cases, incl Caching with XC-10 appliance.
bysflynn073
 
Datapowercommonusecases 130509114200-phpapp02
byKrystel Hery
 
Datapowercommonusecases 130509114200-phpapp02
byCristina Garrido Lema
 
WebSphere Integration User Group 13 July 2015 : DataPower session
byHugh Everett
 
Datapower Steven Cawn
byValeri Illescas
 
Enterprise grade cloud services with data power virtual
bysflynn073
 

Similar to DataPower for PCI

PPT
Data power use cases
bysflynn073
 
PDF
Whats new in data power
bysflynn073
 
PPT
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
PDF
PCI Compliance white paper
byHelpSystems
 
PPT
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
byIBM Security
 
PPTX
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
byRui Santos
 
PDF
Enterprise grade cloud services with data power virtual
bysflynn073
 
PDF
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
byGlobal Business Events
 
PDF
DataPower API Gateway Performance Benchmarks
byIBM DataPower Gateway
 
PPT
Ibm security overview 2012 jan-18 sellers deck
byArrow ECS UK
 
PPTX
What Does a Full Featured Security Strategy Look Like?
byPrecisely
 
PDF
DataPower API Gateway Performance Benchmarks
byOzair Sheikh
 
PDF
Intorduction to Datapower
byShilpin Pvt. Ltd.
 
PPT
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 
PDF
Reduce PCI Scope - Maximise Conversion - Whitepaper
byShaun O'keeffe
 
PDF
MTBiz May-June 2019
byMutual Trust Bank Ltd.
 
PDF
Big Data Requires Big Protection
byIBM Security
 
PDF
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
bynostradelboy
 
PPTX
Gdpr security services
byFrederick Penaud
 
PPTX
GDPR security services - Areyou ready ?
byFrederick Penaud
 
Data power use cases
bysflynn073
 
Whats new in data power
bysflynn073
 
eCommerce Summit Atlanta Mountain Media
byeCommerce Merchants
 
PCI Compliance white paper
byHelpSystems
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
byIBM Security
 
2015/06/12 - IBM Systems & Middleware - IBM DataPower and API Management
byRui Santos
 
Enterprise grade cloud services with data power virtual
bysflynn073
 
Brendan Byrne, Security Services Consulting and Systems Integration Leader at...
byGlobal Business Events
 
DataPower API Gateway Performance Benchmarks
byIBM DataPower Gateway
 
Ibm security overview 2012 jan-18 sellers deck
byArrow ECS UK
 
What Does a Full Featured Security Strategy Look Like?
byPrecisely
 
DataPower API Gateway Performance Benchmarks
byOzair Sheikh
 
Intorduction to Datapower
byShilpin Pvt. Ltd.
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
byMelanie Beam
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
byShaun O'keeffe
 
MTBiz May-June 2019
byMutual Trust Bank Ltd.
 
Big Data Requires Big Protection
byIBM Security
 
PCI DSS v 2.0 - Don't Fall In. Short & high level presentation for the Ecomme...
bynostradelboy
 
Gdpr security services
byFrederick Penaud
 
GDPR security services - Areyou ready ?
byFrederick Penaud
 

Recently uploaded

PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Guided Substation Engineering with CoMPAS: Simplifying IEC 61850
byDanBrown980551
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 

DataPower for PCI

  • 1.
    Xchel Martínez Galicia IBMHybrid Cloud: Technical Connectivity, Integration and SOA IT Specialist xchel@mx1.ibm.com César Tort Integration & Development - Key Accounts ctort@mx1.ibm.com March 27th, 2018 IBM DataPower - PCI Solutions
  • 2.
    2 “Stores of thefuture will be more connected and experience-driven… Data security will be a major concern” Planet Retail
  • 3.
    Confidential – Liverpooland IBM About this presentation 3 © Copyright IBM Corporation 2018. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
  • 4.
    Confidential – Liverpooland IBM • About PCI (Payment Card Industry) • PCI DSS (Data Security Standard) • Which kind of data should be protected? • What are WebSphere DataPower Appliances? • WebSphere DataPower and the PCI DSS “Digital Dozen” Content 4
  • 5.
    About PCI (PaymentCard Industry)
  • 6.
    Confidential – Liverpool and IBM 6 About PCI (PaymentCard Industry) § The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. § The Council was founded in 2006, with American Express, Discover Financial Services, Japan Credit Bureau International, MasterCard and Visa Inc. as founding members. § As of 2018, the PCI SSC lists 797 Participating Organizations around the world. IBM is one of them! § Founding members have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs.
  • 7.
    PCI DSS (DataSecurity Standard)
  • 8.
    Confidential – Liverpool and IBM 8 § For whomserves PCI DSS? Those who work with and are associated with payment cards. This includes: retail (e-commerce & brick & mortar), merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments. § What is the objective to work with PCI DSS? – Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. – Helping vendors understand and implement standards for creating/maintain secure payment solutions. § Why is important comply with PCI DSS? Potential liabilities • Lost confidence, so customers go to other merchants • Diminished sales • Cost of reissuing new payment cards • Fraud losses • Higher subsequent costs of compliance • Legal costs, settlements and judgments • Fines and penalties • Termination of ability to accept payment cards • Lost jobs (CISO, CIO, CEO and dependent professional positions) • Going out of business PCI DSS (Data Security Standard)
  • 9.
    Confidential – Liverpool and IBM 9 But, what isPCI DSS? § What is PCI DSS? PCI DSS provides a baseline of technical and operational requirements designed to protect account data. It includes 12 requirements, below is a high-level overview
  • 10.
    Which kind ofdata should be protected?
  • 11.
    Confidential – Liverpool and IBM 11 Which kind ofdata should be protected? § Where are the crown jewels? Cardholder data refers to any information contained on a customer’s payment card. The data is printed on either side of the card and is contained in digital format on the magnetic stripe embedded in the backside of the card. Some payment cards store data in chips embedded on the front side. The front side usually has the primary account number (PAN), cardholder name and expiration date. The magnetic stripe or chip holds these plus other sensitive data for authentication and authorization.
  • 12.
    Confidential – Liverpool and IBM 12 Which kind ofdata should be protected? § Here they are the crown jewels!!
  • 13.
    What are WebSphereDataPower Gateway Appliances?
  • 14.
    Confidential – Liverpool and IBM 14 What are WebSphereDataPower Gateway Appliances? Product Value “Specialized purpose-built hardened embedded network devices that take the “hard parts” of SOA security and integration traditionally requiring complex and costly software systems and delivers them in a simple “uncrate, rack, configure and deploy” platform.” Powerful and uniquely efficient message and file oriented configuration-driven Security and Integration platform with the extremely low operational TCO of a true network device.
  • 15.
    Confidential – Liverpool and IBM 15 Over to 3,000worldwide installations and growing! § Used by 95% of top global insurances firms § SaaS providers, ASPs, regulators, etc. § Agencies and ministries § Defense and security organizations § Crown corporations Insurance Government Banking § Retailers § Utilities, Power, Oil and Gas § Airlines § etc. Many, many, more § 80% of top 100 Banks § Numerous regional banks and credit unions § SaaS providers, ASPs, regulators, etc.
  • 16.
    Confidential – Liverpool and IBM 16 Over 2200 DataPower Applianceclients § The largest portfolio of SOA appliances § 80% of customers are repeat buyers § Appliance Innovator: leading appliance market since 2003 § 90% of top 100 Financial Institutions are DataPower installations § Broadest support for open standards and programming models § Proven to accelerate time-to-market and lowers total cost of ownership “One of the strongest points for IBM comes from its industry-leading experience with both SOA and appliances. Because IBM has been in the SOA game for a long time, it has built up extensive and pervasive SOA skills globally...IBM has developed a solid business approach to the appliance marketplace, taking into account the challenges of adding new members to the range, maintaining a consistent focus and ensuring clients continue to get ongoing value.” ~ Source: November 2012, Lustratus Research, Inc: A Competitive Review of SOA Appliances Gartner reported that IBM continues to be number one in key areas including Integration Appliances - Source: April 2012, “IBM Named Marketshare Leader in Middleware Software” http://www-03.ibm.com/press/us/en/pressrelease/37376.wss IBM DataPower Appliances Lead the Market The Leader in SOA Appliances
  • 17.
    Confidential – Liverpool and IBM 17 • Data format& language – JavaScript ‒ JSON ‒ JSON Schema ‒ JSONiq ‒ REST ‒ SOAP 1.1, 1.2 ‒ WSDL 1.1 ‒ XML 1.0 ‒ XML Schema 1.0 ‒ XPath 1.0 ‒ XPath 2.0 (XQuery only) ‒ XSLT 1.0 ‒ XQuery 1.0 • Security policy enforcement ‒ OAuth 2.0 ‒ SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries ‒ XACML 2.0 ‒ Kerberos, SPNEGO ‒ RADIUS ‒ LDAP versions 2 and 3 ‒ Lightweight Third-Party Authentication (LTPA) ‒ Microsoft Active Directory ‒ FIPS 140-2 Level 3 (w/ optional HSM) ‒ SAF & IBM RACF® integration with z/OS ‒ Internet Content Adaptation Protocol ‒ W3C XML Encryption ‒ W3C XML Signature ‒ S/MIME encryption and digital signature ‒ WS-Security 1.0, 1.1 ‒ WS-I Basic Security Profile 1.0, 1.1 ‒ WS-SecurityPolicy ‒ WS-SecureConversation 1.3 Supported standards & protocols • Transport & connectivity – HTTP, HTTPS, WebSocket Proxy – FTP, FTPS, SFTP – WebSphere MQ – WebSphere MQ File Transfer Edition (MQFTE) – TIBCO EMS – WebSphere Java Message Service (JMS) – IBM IMS Connect, & IMS Callout – NFS – AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62) – DB2, Microsoft SQL Server, Oracle, Sybase, IMS • Transport Layer Security ‒ SSL versions 2 and 3 ‒ TLS versions 1.0, 1.1, and 1.2 • Public key infrastructure (PKI) ‒ RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP ‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12 ‒ XKMS for integration with Tivoli Security Policy Manager (TSPM) • Management ‒ Simple Network Management Protocol (SNMP) ‒ SYSLOG ‒ IPv4, IPv6 • Open File Formats ‒ Distributed Management Task Force (DMTF) Open Virtualization Format (OVF) ‒ VMware Virtual Machine Disk Format (VMDK) • Web services – WS-I Basic Profile 1.0, 1.1 – WS-I Simple SOAP Basic Profile – WS-Policy Framework – WS-Policy 1.2, 1.5 – WS-Trust 1.3 – WS-Addressing – WS-Enumeration – WS-Eventing – WS-Notification – Web Services Distributed Management (WSDM) – WS-Management – WS-I Attachments Profile – SOAP Attachment Feature 1.2 – SOAP with Attachments (SwA) – Direct Internet Message Encapsulation (DIME) – Multipurpose Internet Mail Extensions (MIME) – XML-binary Optimized Packaging (XOP) – Message Transmission Optimization Mechanism (MTOM) – WS-MediationPolicy (IBM standard) – Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription – WebSphere Service Registry and Repository (WSRR)
  • 18.
    Confidential – Liverpool and IBM 18 Internet Trusted Domain Business Consumer 1B2B Partner Gateway 2 Secure Gateway (Web Services, Web Applications) 3 Intelligent Load Distribution Application Application System z DMZ 4 Internal Security 5 Light Weight Integration 6 Web Service Management 7 Legacy Integration 8 Run time SOA Governance HMC Mobile WebSphere DataPower - Use Cases
  • 19.
    WebSphere DataPower andthe PCI DSS “Digital Dozen”
  • 20.
    Confidential – Liverpool and IBM 20 WebSphere DataPower idealsolution for many requirements: ▪ Build and Maintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks WebSphere DataPower and the PCI DSS “Digital Dozen” ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security
  • 21.
    Confidential – Liverpool and IBM Req. 12 Req. 10 Req.7,8,9 Req. 3,4 Req. 1 21 § Web Services (XML) - Filter on any content, metadata or network variables § Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling § Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed § Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation § Encryption of transport layer - HTTP, HTTPS, SSL. § Anti Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through ICAP protocol § XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc § Management & Logging - manage & track services, logging of all activities, audit. § Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process. § Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security) Req. 5 DataPower - Key Functions for PCI Compliance
  • 22.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 22 The PCI DSS consists of 12 requirements:
  • 23.
    Confidential – Liverpool and IBM 23 ▪ An important– but small – part of the DataPower ▪ Integrated multi-layer filters: – IP-layer params (e.g., client IP address) – SSL params (e.g., client certificate) – Any part of HTTP header – XPath or XML configuration files for any part of SOAP header – XPath or XML configuration files on any part of XML payload – First-level filter select based on service, URL, etc. ▪ Easy “point and click” XPath Filtering ▪ Enable/Disable each SOAP method using WSDL wizard ▪ Can be applied at any point in message processing XML/SOAP Firewall
  • 24.
    Confidential – Liverpool and IBM 24 Web Application Firewall ▪URL-encoded HTTP application protection in addition to XML Web Services firewall security ▪ Protection for static or dynamic HTML-based applications ▪ Supports browser-based clients and HTTP/HTTPS backend servers ▪ Wizard-driven configuration ▪ Cross-site scripting and SQL Injection protection ▪ AAA framework support for web applications ▪ General name-value criteria boundary profiles for: – Query string and form parameters – HTTP headers – Cookies ▪ HTML Input Conversion Maps for form processing and handling ▪ Cookie watermarking (sign and/or encrypt) ▪ Rate limiting and traffic throttling/shaping ▪ HTTP Header stripping, injection, rewriting and method filtering ▪ Content-type filtering ▪ Dynamic routing and load balancing ▪ Session handling policies ▪ SSL Acceleration & Termination (Link) ▪ Customizable error handling
  • 25.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 25 The PCI DSS consists of 12 requirements:
  • 26.
    Confidential – Liverpool and IBM 26 DataPower: Protecting CardholderData Encrypted & digitally signed Message <Credit Card> <Cust>Brian P. Bell</Cust> <Encrypted CCN> ws389maz301</Encrypted CCN> <Credit Type>AMEX</Credit Type> ………………. </Credit Card> Key Functions: Terminate SSL Defend against XML threats Validate XML (schema) Authentication Authorization Audit/Transaction Logging Filter data Encrypt/Decrypt message Digitally sign message Mask back-end resources Route based on content Encrypted XML data is delivered to the database to the encrypted credit card for later use DB2 9 Client sends credit card information to be stored in the database though an supported protocol Response message is sent confirming the insertion of the encrypted credit card number into the database Response message is received confirming the insertion of the encrypted credit card number into the database Protocols: HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc Direct DB Connect Incoming Message – data not encrypted <Credit Card> <Cust>Brian P. Bell</Cust> <CreditCardNumber> 3732 955939 395500</CreditCardNumber> <Credit Type>AMEX</Credit Type> ………………. </Credit Card>
  • 27.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 27 The PCI DSS consists of 12 requirements:
  • 28.
    Confidential – Liverpool and IBM 28 Field-level XML Security ▪Sign, verify, encrypt & decrypt ▪ XML Encryption & XML Digital Signature at: – Message-level – Part-of-message or field-level – Headers, as building block of other security specs ▪ Field-level security configurable from the WebGUI ▪ Verify-all option (data-driven verification of all signatures) ▪ DataPower’s own implementation, listed in W3C Interop matrix: – http://www.w3.org/Signature/2001/04/05- xmldsig-interop.html – http://www.w3.org/Encryption/2002/02-xenc- interop.html – Agility for interoperability or customization ▪ Secure Attachment Processing: – Supports the full SOAP with Attachments specification (MIME/DIME) – WS-Security ▪ Last-mile Security for SOA
  • 29.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 29 The PCI DSS consists of 12 requirements:
  • 30.
    Confidential – Liverpool and IBM 30 DataPower Anti-Virus Protection §Allows messages and attachments to be checked for viruses § Integrates with corporate virus checking software through the ICAP protocol § Anti-Virus Processing Action eases configuration and use of this capability § Includes pre-configured Host Types (CLAM, Symantec, Trend, Webwasher) as well as customizability
  • 31.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 31 The PCI DSS consists of 12 requirements:
  • 32.
    Confidential – Liverpool and IBM 32 Access Control Enforce Whocan access Which Web service & When ▪ Deploy as a high-speed access policy enforcement point ▪ Modular authentication/authorization architecture: – x = extract-identity() – z = extract-resource() – zm = map-resource(z) – y = authenticate(x); if (y = null) reject – ym = map-credentials-attributes(y) – allowed = authorize(ym, zm); if (!allowed) reject – audit-and-post-processing(); ▪ Identity examples include: - WS-Security user/pass token - SSL client certificate - SAML assertion - HTTP basic-auth - Proprietary SSO cookie/token ▪ Resource examples: - URL - SOAP method
  • 33.
    Confidential – Liverpool and IBM 33 Access Control (2) LeadingStandards and Third-party Integration Support ▪ Access control policy: – On-board: certs, XML file [can start simple] – Off-board: external access control servers ▪ Standards-based integration: – LDAP (for CRL, authentication, authorization) – RADIUS (authentication) – XKMS (for CRL, authentication) – SAML (consume, authentication, authorization, produce) – WS-Security, WS-Trust, WS-* – Outbound SOAP or HTTP call ▪ Integration with access management solutions: – Tivoli Access Manager – Tivoli Federated Identity Manager – RSA ClearTrust – Microsoft Active Directory – Sun Identity Server – Netegrity SiteMinder or TransactionMinder – Oblix – CA eTrust – …others including custom integration with any customer environment
  • 34.
    Confidential – Liverpool and IBM 34 Access Control (3) AAAFramework Diagram - Authenticate, Authorize, Audit Extract Identity Extract Resource Authenticate Authorize Audit & Accounting SAML WS -Security SSL client cert HTTP Basic -Auth SAML assertion Non -repudiation Monitoring Web Service URI SOAP op name Transfer amount DataPower AAA Framework SOAP/ XML Message SOAP/ XML Message External Access Control Server or On -Board Policy Map Credentials Map Resource
  • 35.
    Confidential – Liverpool and IBM ▪ Build andMaintain a Secure Network – Requirement 1: Install and maintain a firewall configuration to protect cardholder data – Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters ▪ Protect Cardholder Data – Requirement 3: Protect stored cardholder data – Requirement 4: Encrypt transmission of cardholder data across open, public networks ▪ Maintain a Vulnerability Management Program – Requirement 5: Use and regularly update anti-virus software – Requirement 6: Develop and maintain secure systems and applications ▪ Implement Strong Access Control Measures – Requirement 7: Restrict access to cardholder data by business need-to-know – Requirement 8: Assign a unique ID to each person with computer access – Requirement 9: Restrict physical access to cardholder data ▪ Regularly Monitor and Test Networks – Requirement 10: Track and monitor all access to network resources and cardholder data – Requirement 11: Regularly test security systems and processes ▪ Maintain an Information Security Policy – Requirement 12: Maintain a policy that addresses information security 35 The PCI DSS consists of 12 requirements:
  • 36.
    Confidential – Liverpool and IBM 36 Compliance = Appliance! ▪Regulatory Compliance is an ever-growing concern for large enterprise customers – e.g. The Financial Services industry alone has recently had to deal with Sarbanes-Oxley, Basel II and PCI DSS ▪ In practice, compliance consists of demonstrating that your company’s policies meet the regulations, and then “attesting” that you follow your documented policies – Attesting is the hard part! ▪ DataPower’s configured processing has always been labeled “policies” ▪ DataPower policies can be exported in human-readable form (XML), thereby reducing the pain associated with attestation – It makes an extremely difficult process much easier ▪ DataPower’s certification to a number of industry standards (FIPS 140- 2, CC EAL4 Evaluation) also makes it compliance-friendly
  • 37.
    Confidential – Liverpool and IBM 37 WS-Policy/WS-Security Policy DataPower’s out-of-the-box supportfor the WS-Policy standards framework means that DataPower runtime policies can be expressed in a way that is both “human readable” and “universally understood” by multiple software solutions.
  • 38.
    Confidential – Liverpool and IBM 38 Open Web ApplicationSecurity Project Compliance Provides Protection Against 100 % Of OWASP Top 10 Risks
  • 39.
    Confidential – Liverpool and IBM 39 Summary: Business Benefits §Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device § Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost § Flexibility: Secure, integrate, bridge and version applications without application modification § Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic § Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy” § Reduce Risk: Takes the “grunt work” out of SOA application security and integration allowing you to focus on building your business logic. “In the network” platform allows improved security and audit capabilities without application modification § Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives § A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways
  • 40.
    3 “I’ve been inretail for 30 years. There has been more change in the last five years than in the previous 25 years” 40 Andy Clarke
  • 41.