
System 02: The Critical Last Mile of Defence for Privileged Access and Data Security (解忠翰)


  1. Title slide: 2016.4.20, H1040039245
  2. Agenda
  3. The Maginot Line (Ligne Maginot)
  4. The conventional defence stack: WAF, IT SSDLC, vulnerability assessment (VA), penetration testing (PT), Web (slides 4 to 7 build this diagram up layer by layer)
  8. The Maginot Line bypassed: map points A, B, C; the Ardennes, Erich von Manstein, Fall Gelb, Dunkerque
  9. The same WAF / SSDLC / VA / PT / Web stack facing an APT (slides 9 and 10)
  11. Section divider
  12. Case study; source: http://www.nextmag.com.tw/magazine/news/20150415/17732133
  13. DEFECT: government and financial sectors
  14. Item 1 (audit); risk levels: medium, high, general
  15. Inventory system: per-account attributes tracked across Windows and Active Directory (Local Admin, Administrator, AD domain accounts, AD Bridge accounts), Linux/UNIX (AIX, Red Hat, SUSE; root), Microsoft SQL Server and Oracle (sa) and mainframe (R6): account type and category, remote login, su, password age, password last set, account expiration date, lock state, computer name, group compliance
  16. Item 2 (audit); risk levels: medium, high, general
  17. Item 3 (audit: MS SQL sa); risk levels: medium, high, general
  18. Risk-rating matrix (high / medium / general) for the 24 items (A and B parts)
  19. Privileged accounts exist in routers, firewalls, hypervisors, databases and applications; WiFi routers and smart TVs; servers; laptops, tablets and smartphones; power plants and factory floors. Organizations typically have 3-4x more privileged accounts than employees.
  20. Compromised privileged accounts: the same device classes as slide 19
  21. Tokenization: original data from the providing units (e-commerce platform operators, hospitals, banks) is transformed once into first-stage data, held in a token vault / data transformation store managed by SafeNet Tokenization Manager, and transformed again into second-stage data for statistical research institutions. The two-stage transformation ensures that neither the custodian nor the research unit holds sensitive data; the automated management platform reduces the risk of staff touching the data; and the transformation platform gives research units research data that contains no personal data.
  22. Tokenization & PCI-DSS compliance: client side, SafeNet cloud service, encrypted data store, SafeNet KeySecure, cross-region; internal users and contract staff.
  23. PCI-DSS 3.1 Compliance Combination (detail): Protect Cardholder Data, Requirement 3 (Protect stored cardholder data), items 3.4, 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6; Requirement 4 (Encrypt transmission of cardholder data across open, public networks), item 4.1.
     3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography; truncation; index tokens and pads; strong cryptography with associated key-management processes and procedures. 3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary. 3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: encrypted with a key-encrypting key; within a secure cryptographic device; as at least two full-length key components or key shares, in accordance with an industry-accepted method. 3.5.3 Store cryptographic keys in the fewest possible locations. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data. 4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
     Requirement 3.4: render the PAN unreadable anywhere it is stored (including on portable digital media, backup media and in logs) using any of the following approaches:
     • a one-way hash based on strong cryptography (the hash must cover the entire PAN)
     • truncation (a hash cannot be used to replace the truncated segment of the PAN)
     • index tokens and pads (the pads must be securely stored)
     • strong cryptography with associated key-management processes and procedures
     SafeNet Tokenization satisfies 3.4 for the PAN.
  24. Same PCI-DSS 3.1 compliance-combination panel as slide 23. Requirement 3.5.2: at all times store the secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms:
     • encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, stored separately from the data-encrypting key
     • within a secure cryptographic device (such as a hardware security module (HSM) or a PTS-approved point-of-interaction device)
     • as at least two full-length key components or key shares, in accordance with an industry-accepted method
     SafeNet KeySecure uses a multi-layer architecture in which key-encrypting keys are themselves encrypted again. The appliance is certified to FIPS 140-2 Level 3, meeting the US federal requirement that key management be protected against tampering. StorageSecure is likewise a powerful encryption appliance, FIPS 140-2 certified, that provides centralized key management and encryption-key storage from a single device.
  25. Same panel as slide 23. Requirement 3.6: fully document and implement all key-management processes and procedures for the keys used to encrypt cardholder data, including:
     • 3.6.4 key changes at the end of the defined cryptoperiod (for example after a set period has passed and/or after a given key has produced a certain amount of ciphertext), as defined by the application vendor or key owner and based on industry best practice and guidance (for example NIST Special Publication 800-57)
     • 3.6.5 retirement or replacement (for example archiving, destruction and/or revocation) of keys when their integrity has been weakened (for example when an employee with knowledge of a cleartext key component leaves) or when a key is suspected of compromise
     • 3.6.6 if manual cleartext key-management operations are used, these operations must be managed using split knowledge and dual control
     • 3.6.7 prevention of unauthorized substitution of cryptographic keys
     • 3.6.8 a requirement that key custodians formally acknowledge that they understand and accept their key-custodian responsibilities
     3.6.4: KeySecure centrally manages encryption keys and policies across the whole key-management lifecycle, spanning the enterprise, virtual data centers and public-cloud environments, and provides key rotation so customers can rotate keys efficiently according to security policy.
     3.6.5: keys are always stored in encrypted form on the KeySecure appliance. KeySecure's centralized management includes detailed logging and audit trails that capture every key state change, administrator access and policy change; audit records are stored securely and signed to prevent repudiation.
     3.6.6: through more than 20 administrative access control lists, KeySecure supports different personnel creating, deleting and accessing keys, and the security team can require that two administrators approve specific types of operation, such as key generation, before they are carried out.
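The three 3.4 approaches listed on slides 23 to 25, worked through as an added example (this is illustrative code, not SafeNet's implementation or anything from the deck): truncation, a keyed one-way hash over the whole PAN, a toy token vault whose index tokens map back to the PAN only inside the vault, and the check the requirement implies for logs, a Luhn-validated scan of constructed log lines. SAMPLE_PAN, HASH_KEY, TokenVault and find_pan_leaks are all constructed names and values for this example.

```python
import hashlib, hmac, re, secrets

# Constructed sample values: a well-known test card number and a throwaway HMAC key.
SAMPLE_PAN = "4111111111111111"
HASH_KEY = b"constructed-test-key-not-for-production"

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real-looking PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """3.4 truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """3.4 one-way hash over the *entire* PAN; keyed so the small PAN space cannot be brute-forced offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """3.4 index tokens: random digit tokens that map back to the PAN only inside the vault."""
    def __init__(self):
        self._to_pan, self._to_token = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan in self._to_token:
            return self._to_token[pan]
        while True:
            # Same length, last four digits kept for display, the rest random.
            token = "".join(str(secrets.randbelow(10)) for _ in pan[:-4]) + pan[-4:]
            # Tokens are chosen to fail Luhn so a scanner can never mistake one for a PAN.
            if token != pan and token not in self._to_pan and not luhn_ok(token):
                break
        self._to_pan[token], self._to_token[pan] = pan, token
        return token

    def detokenize(self, token: str) -> str:
        return self._to_pan[token]

PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_pan_leaks(log_lines):
    """3.4 also covers logs: report every Luhn-valid digit run as a possible cleartext PAN."""
    return [(n, m.group()) for n, line in enumerate(log_lines, 1)
            for m in PAN_RE.finditer(line) if luhn_ok(m.group())]
```

Because tokens are generated to fail the Luhn check, the same scanner that flags a leaked PAN in a log line stays silent on tokenized records.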
  26. Corporate environment: cloud storage, intellectual property, internal privileged users, external privileged users
  27. Common FSC (Financial Supervisory Commission) audit items:
     1. the shared-account problem
     2. the shared-directory problem
     3. files exchanged externally must not land in the DMZ
     4. passwords embedded in automated transfer code must be protected
     5. transfers and exchanges must leave a complete audit trail
     6. file transfer encryption
     7. file protection (such as file permission control and file encryption)
     8. fewer open ports on internal firewalls
     9. file-exchange operations moving toward full automation
  28. Requirements:
     1. build a centralized file-transfer management platform supporting multiple transfer methods
     2. strengthen file-transfer security
     3. simplify the existing management settings and strengthen FTP service management
     4. retain complete transfer audit records
     5. tighten file permission control
     6. periodically and automatically purge files unused for a long time
     7. integrate user credential access with LDAP
     8. no cleartext credentials inside FTP scripts
     9. passwords of internal FTP accounts controlled by administrators
  29. How each requirement is met:
     1. centralized external file-transfer platform with multiple transfer methods ■ multi-protocol services (FTP/S, HTTP/S, SFTP)
     2. stronger file-transfer security ■ two-tier secure transfer architecture, no files landing in the DMZ, transport encryption and file encryption
     3. simpler management settings and stronger FTP service management ■ a unified management interface, automated file-transfer processing, proactive notification of transfer anomalies, and more
     4. complete transfer audit records ■ transfer logs, system logs and administrator operation logs
     5. tighter file permission control ■ file routing and file-level permission control
     6. periodic automatic purge of long-unused files ■ the vendor supplies a file purge script
     7. user credential access integrated with LDAP ■ multiple LDAP directories supported
     8. no cleartext credentials inside FTP scripts ■ SecureClient can help achieve this
     9. internal FTP account passwords controlled by administrators ■ SecureClient can help achieve this
  30. Axway Endpoints
  31. Axway Endpoints with a DMZ tier (slides 31 to 35 build the diagram up step by step)
  35. Axway Endpoints, DMZ tier, FTP script
  36. PCI-DSS 3.1 Compliance Combination (overview). Build and Maintain a Secure Network and System: Requirement 1 (Install and maintain a firewall configuration to protect cardholder data), 1.3; Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters), 2.1, 2.2, 2.3. Protect Cardholder Data: Requirement 3 (Protect stored cardholder data), 3.4, 3.5, 3.6; Requirement 4 (Encrypt transmission of cardholder data across open, public networks), 4.1. Maintain a Vulnerability Management Program: Requirement 6 (Develop and maintain secure systems and applications), 6.1 to 6.7. Implement Strong Access Control Measures: Requirement 7 (Restrict access to cardholder data by business need to know), 7.1, 7.2, 7.3.
  37. PCI-DSS 3.1 Compliance Combination (continued). Implement Strong Access Control Measures: Requirement 8 (Identify and authenticate access to system components), 8.1, 8.2, 8.3, 8.5, 8.7. Regularly Monitor and Test Networks: Requirement 10 (Track and monitor all access to network resources and cardholder data), 10.1 to 10.8; Requirement 11 (Regularly test security systems and processes), 11.1. Additional PCI DSS Requirements for Shared Hosting Providers: Requirement A.1 (Shared hosting providers must protect the cardholder data environment), A.1.
  38. The conventional defence stack once more: WAF, IT SSDLC, vulnerability assessment (VA), penetration testing (PT), Web
  39. André Maginot
  40. Thanks
  41. Q&A
