Myths & Realities of Data Security & Compliance - ISACA Atlanta - Ulf Mattsson Jul 22 2016.

Data breaches are on the rise. The constant threat of cyber attacks combined with the high cost and a shortage of skilled security engineers has put many companies at risk. There is a shift in cybersecurity investment and IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. PCI DSS 3.2 is out with an important update on data discovery and requirements to detect security control failures.
In this session, cybersecurity expert Ulf Mattsson will highlight current trends in the security landscape based on major industry report findings, and discuss how we should re-think our security approach.

Slide 1: Myths & Realities of Data Security & Compliance: Risk-based Data Protection
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com
Slide 2: Ulf Mattsson
Inventor of more than 25 US patents
Industry involvement:
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing: WG 11.3 Data and Application Security
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User groups: Security (ISACA & ISSA), Databases (IBM & Oracle)
Slide 3: My work with PCI DSS standards
Payment Card Industry Security Standards Council (PCI SSC):
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013-2014 Tokenization Task Force
Slide 6: The Security & Compliance Issue
The dilemma for the CISO, CIO, CFO, CEO and Board:
• Where are my most valuable data assets?
• Who has access to them?
• Are they secure?
• Insider/external threats?
• Am I compliant?
• What is/has been the financial cost?
• Am I adhering to best practices? How do I compare to my peers?
• Can I automate the lifecycle of data security?
Slide 9: Not Knowing Where Sensitive Data Is
Slide 10: Not Knowing Where Sensitive Data Is (chart)
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
Slide 12: PCI DSS and Beyond
Slide 13: Are You Ready for the New Requirements of PCI DSS v3.2?
Slide 14: Discovery Results Supporting Compliance (existing PCI DSS Requirement 3.1)
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds the defined retention
Slide 15: New PCI DSS 3.2 Standard - Data Discovery
• PCI DSS v2 did not include data flow in the 12 requirements; it was only mentioned in "Scope of Assessment for Compliance with PCI DSS Requirements".
• PCI DSS v3.0 made a current cardholder data-flow diagram a requirement (1.1.3).
• PCI DSS v3.2 added data discovery as a requirement for service providers.
Source: PCI DSS 3.2, Appendix A3 (Designated Entities Supplemental Validation): data discovery requirements A3.2.5, A3.2.5.1 and A3.2.6
Slide 16: Example of a Discovery Process (PCI DSS 3.2 requirement - discovery)
1. Scoping
2. Asset classification
3. Job scan definition
4. Scanning
5. Analysis
6. Reporting
7. Remediation
Slide 17: Shift in Cybersecurity Investment
• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches, up from less than 20% in 2015.
Source: Gartner, Shift Cybersecurity Investment to Detection and Response, 7 January 2016
Slide 18: Growing Information Security Outsourcing
The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
Slide 19: Hybrid Data Discovery Example
Slide 20: Discovery Deployment Example
Example of customer provisioning:
• Virtual host to load the software or appliance
• User ID with read-only access
• Firewall access
(diagram: discovery appliance and discovery admin)
Slide 21: Example - Discovery Scanning Job Status List
Slide 22: Discovery Process (Step 4) - Scanning Job Lists
Step 4: the scanning execution can be monitored by the provider and the customer via a job scheduler interface.
Discover all sensitive PII, not just PCI data.
Slide 23: Discovery Scanning Report
Discover all sensitive PII, not just PCI data.

Database | Schema | Table | Column | Type | Hits | Confidence | Rows Scanned | Total Rows | Hit % | Scanned %
actrs10-rs10prd | ITMBK_BARB | ITMBK_BARB.STAFF | SSN | ssn | 5356 | 4 | 9481 | 9481 | 56.49% | 100.00%
actrs11-rs11prd | AAPR | AAPR.REG_AAP | SSN | ssn | 12 | 4 | 12 | 12 | 100.00% | 100.00%
actrs11-rs11prd | AAPTIR | AAPTIR.APPLICANT | SSN | ssn | 3 | 4 | 3 | 3 | 100.00% | 100.00%
actrs11-rs11prd | BENESSE | BENESSE.TRAIN | SSN | s-s-n | 21 | 5 | 21 | 21 | 100.00% | 100.00%
actrs11-rs11prd | CAAPPROD | CAAPPROD.PN55650683 | SSN | ssn | 58 | 4 | 58 | 58 | 100.00% | 100.00%
actrs11-rs11prd | COMP | COMP.AAPTIR | SPEC_CDE | ssn | 4 | 1 | 4 | 4 | 100.00% | 100.00%
actrs11-rs11prd | COMP | COMP.AAPTIR | SSN | ssn | 4 | 4 | 4 | 4 | 100.00% | 100.00%
actrs11-rs11prd | FOOBAR1 | FOOBAR1.SCORE | SSN | s-s-n | 7 | 5 | 7 | 7 | 100.00% | 100.00%
actrs11-rs11prd | INS | INS.MSTEMP | ANUMBER | ssn | 155 | 1 | 155 | 155 | 100.00% | 100.00%

(Hit % is hits divided by rows scanned; Scanned % is rows scanned divided by total rows, which is below 100% when a job samples rather than reads every row.)
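The scan behind a report like the one above, as an added example that is not from the slides or the vendor's product: each column's cells are run through pattern matchers (SSN with and without dashes, card numbers that must also pass the Luhn check), and the per-column hits, hit % and scanned % are computed the way the report shows them. The 1-to-5 confidence score, the column-name hint regex and all sample rows are assumptions constructed for the example; the real tool's scoring is not described on the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Matchers. The SSN patterns reject invalid area (000, 666, 9xx), group (00)
# and serial (0000) values; a card number must also pass the Luhn check.
SSN_PLAIN_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}(?!00)\d{2}(?!0000)\d{4}$")
SSN_DASHED_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
PAN_RE = re.compile(r"^\d{13,19}$")
COLUMN_HINT_RE = re.compile(r"ssn|social|card|pan", re.IGNORECASE)  # assumed hints


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(value) -> Optional[str]:
    """Sensitive-data type of one cell ('ssn', 's-s-n', 'pan') or None."""
    if value is None:
        return None
    s = str(value).strip()
    if SSN_DASHED_RE.match(s):
        return "s-s-n"          # dashed SSN, labelled as in the report
    if SSN_PLAIN_RE.match(s):
        return "ssn"
    compact = s.replace(" ", "").replace("-", "")
    if PAN_RE.match(compact) and luhn_ok(compact):
        return "pan"
    return None


@dataclass
class ColumnResult:
    table: str
    column: str
    dtype: Optional[str]
    hits: int
    confidence: int
    rows_scanned: int
    total_rows: int

    @property
    def hit_pct(self) -> float:
        return round(100.0 * self.hits / self.rows_scanned, 2) if self.rows_scanned else 0.0

    @property
    def scanned_pct(self) -> float:
        return round(100.0 * self.rows_scanned / self.total_rows, 2) if self.total_rows else 0.0


def scan_column(table: str, column: str, values: Sequence,
                sample_limit: Optional[int] = None) -> ColumnResult:
    """Scan a column (optionally only its first sample_limit rows) and summarise it."""
    sample = list(values)[:sample_limit] if sample_limit else list(values)
    kinds = Counter(k for k in map(classify, sample) if k)
    hits = sum(kinds.values())
    dtype = kinds.most_common(1)[0][0] if hits else None
    # Assumed 1..5 confidence scale (not the vendor's): strongly formatted
    # matches and a suggestive column name each add weight.
    confidence = 0
    if hits:
        confidence = 1
        if dtype in ("s-s-n", "pan"):
            confidence += 2
        if COLUMN_HINT_RE.search(column):
            confidence += 2
    return ColumnResult(table, column, dtype, hits, confidence, len(sample), len(values))


def scan_tables(tables: Dict[str, Dict[str, Sequence]],
                sample_limit: Optional[int] = None) -> List[ColumnResult]:
    return [scan_column(t, c, v, sample_limit) for t, cols in tables.items() for c, v in cols.items()]


def format_report(results: List[ColumnResult]) -> str:
    lines = ["Table|Column|Type|Hits|Confidence|Rows Scanned|Total Rows|Hit %|Scanned %"]
    for r in results:
        lines.append(f"{r.table}|{r.column}|{r.dtype or '-'}|{r.hits}|{r.confidence}|"
                     f"{r.rows_scanned}|{r.total_rows}|{r.hit_pct:.2f}%|{r.scanned_pct:.2f}%")
    return "\n".join(lines)


# Constructed sample data (not real records).
SAMPLE_TABLES = {
    "HR.STAFF": {
        "SSN": ["123-45-6789", "987-65-4321", "000-12-3456", None, "555-66-7777"],
        "NAME": ["Ann", "Bob", "Cy", "Di", "Ed"],
    },
    "PAY.CARDS": {"ACCT_NO": ["4111111111111111", "4111111111111112", "5500000000000004", "n/a"]},
    "INS.MSTEMP": {"ANUMBER": ["112233445", "556677889", "ABC", "887766554"]},
}

if __name__ == "__main__":
    print(format_report(scan_tables(SAMPLE_TABLES)))
```

Two things the report alone does not show: a nine-digit numeric column such as ANUMBER matches the SSN pattern at 100% yet gets the lowest confidence, which is exactly the false-positive class an analyst triages in the Analysis step, and a sampled job (sample_limit) reports a Scanned % below 100, so a low Hit % on a partial scan must not be read as "little data here".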
Slide 24: On-Premise Data Discovery Example
Slide 25: Example of an On-Premise Solution Scan
Slide 26: Example of On-Premise Discovery Asset Management
Slide 28: FS-ISAC Summit about "Know Your Data"
(FS-ISAC is the leading ISAC in the security area)
Slide 29: FS-ISAC Summit about "Know Your Data"
• Encryption at rest has become the new norm
• However, that is not sufficient
• Visibility into how and where data flows during the course of normal business is critical
Source: Lawrence Chin, reporting from the FS-ISAC Summit, May 18, 2016
Slide 30: Risk & Remediation
Slide 31: Know Your Data - Identify High-Risk Data
Begin by determining the risk profile of all relevant data collected and stored:
• Data that is resalable for a profit
• Value of the information to your organization
• Anticipated cost of its exposure

Data Field | Risk Level
Credit Card Number | 25
Social Security Number | 20
CVV | 20
Customer Name | 12
Secret Formula | 10
Employee Name | 9
Employee Health Record | 6
Zip Code | 3

Slide 32: Match Data Protection Solutions with Risk Level (Deploy Defenses)
Risk Level | Solution
Low Risk (1-5) | Monitor
At Risk (6-15) | Monitor, mask, access control limits, format control encryption
High Risk (16-25) | Tokenization, strong encryption
(applied to the same data-field risk levels as slide 31)
Slide 33: Different Data Security Methods
Slide 34: Securing Sensitive Data - Examples
(timeline figure, 1998 to 2016, contrasting platform and masking features: strong encryption in databases first, then type-preserving encryption, then memory tokenization)
Slide 35: How Did Data Security Evolve 1970-2010?
(chart of total cost of ownership over time, from high to low: strong encryption (3DES, AES ...) from the 1970s; type-preserving encryption (FPE, DTP ...) around 2000-2005; tokenization in memory around 2010)
Slide 36: Choose Your Defenses - Strengths & Weaknesses
(comparison matrix; legend: best to worst)
Slide 37: Compliance
Slide 38: NIST - Increasing Relevance
• Crypto modules (hardware & software security modules): NIST FIPS 140
• Key management: NIST Special Publication 800-57
• AES (Advanced Encryption Standard): NIST FIPS PUB 197
• FPE (Format-Preserving Encryption): NIST Special Publication 800-38G
• HIPAA/HITECH breach notification: NIST SP 800-111
• PCI DSS (Payment Card Industry Data Security Standard) references these NIST publications
Slide 39: FPE Gets NIST Stamp of Approval (SP 800-38G)
Slide 40: Need for Masking Standards
"Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule's Safe Harbor de-identification standard, are not firmly rooted in theory. There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification."
Slide 41: Defines Tokenization Security Requirements (figure)
Slide 42: How Should I Secure Different Data?
(matrix of type of data, structured versus unstructured, against use case, simple versus complex)
• Data classes shown: PCI (cardholder data), PHI (protected health information), PII
• Cardholder data (structured fields): field tokenization / encryption
• Protected health information (unstructured): file encryption
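Field-level tokenization of a card number, the control the slides put on high-risk structured data, as an added example; this is not code from the slides or any vendor's product. It assumes an in-memory vault (a real one stores the PAN column encrypted at rest and keeps detokenize() behind access control), a keyed lookup index, and a token layout that keeps the BIN and last four digits for routing and display; the card numbers are the standard constructed test numbers.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_ok(digits: str) -> bool:
    """Luhn check used by payment card numbers (compact form)."""
    total = sum(int(c) if i % 2 == 0 else (int(c) * 2 - 9 if int(c) > 4 else int(c) * 2)
                for i, c in enumerate(reversed(digits)))
    return total % 10 == 0


def random_token(pan: str) -> str:
    """Format-preserving token: same length, all digits, first six (BIN) and
    last four kept, middle digits drawn at random. The token is forced to
    FAIL the Luhn check so it can never be mistaken for, or used as, a real
    card number (a discovery scanner that Luhn-checks will not flag it)."""
    head, tail = pan[:6], pan[-4:]
    middle_len = len(pan) - 10
    while True:
        middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
        token = head + middle + tail
        if not luhn_ok(token):
            return token


class TokenVault:
    """Vault tokenization: one PAN always maps to the same token, the token is
    random rather than derived from the PAN, and only detokenize() returns it."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._token_by_index: Dict[str, str] = {}
        # Assumption for the example: held in clear here; a real vault keeps
        # this column encrypted at rest under a separate key.
        self._pan_by_token: Dict[str, str] = {}

    @staticmethod
    def normalize(pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a syntactically valid PAN")
        return pan

    def _index(self, pan: str) -> str:
        # Keyed hash, not a plain SHA-256: an unkeyed hash of a PAN can be
        # brute-forced over the card-number space (a known BIN leaves about
        # 10^9 Luhn-valid account numbers); a keyed one cannot without the key.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = self.normalize(pan)
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            token = random_token(pan)
            while token in self._pan_by_token:      # collision: draw again
                token = random_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    pan = "4111 1111 1111 1111"            # constructed test number
    token = vault.tokenize(pan)
    print(pan, "->", token, "(Luhn valid:", luhn_ok(token), ")")
    print(token, "->", vault.detokenize(token))
```

The point of the two dictionaries is scope: an application that stores and reads tokens never sees the PAN, so its database, backups and reports leave PCI scope for that field, while the vault and its detokenize() path stay in scope.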
Slide 43: Data Location Is Important
Slide 44: Data Attacks on the Enterprise Data Flow
(network diagram: Internet, load balancing, proxy/firewall, DMZ with web apps, proxy/firewall, trusted segment with enterprise apps, network devices, servers, DB server, SAN/NAS/tape and internal users; IDS/IPS, endpoints and wireless also shown. Attacks placed along the flow: DBA attack, malware/trojan, OS admin file attack, SQL injection, media attack, sniffer attack.)
Slide 45: Common Vulnerabilities in E-Commerce
Source: Verifone
Slide 46: Data Exposed in Cloud & Big Data - Do we know our sensitive data? (big data, public cloud)
Slide 47: Encryption Usage - Mature vs. Immature Companies
(chart: less use of encryption in the public cloud)
Source: Ponemon, Encryption Application Trends Study, June 2016
Slide 48: Data-Centric Protection Increases Security
• Rather than making the protection platform-based, the security is applied directly to the data, protecting it wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points
Slide 49: Protect Sensitive Cloud Data - Example
(diagram: internal network with an administrator, an internal user and a remote user; an attacker; a cloud gateway in front of the public cloud. Each sensitive field is protected before it passes the gateway, each authorized field is in the clear for authorized users; data encryption, tokenization or masking of fields or files, in transit and at rest.)
Slide 50: Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP, driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments
Source: Gartner, Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016
Slide 51: Encryption Usage - Mature vs. Immature Companies
(chart: less use of encryption for big data)
Source: Ponemon, Encryption Application Trends Study, June 2016
Slide 52: Attacking Big Data
(diagram of the big data stack: OS file system; HDFS (Hadoop Distributed File System); MapReduce (job scheduling/execution system); Pig (data flow), Hive (SQL), Sqoop; ETL tools, BI reporting, RDBMS)
Slide 53: Securing Big Data - Examples
• Volume encryption in Hadoop
• HBase, Pig, Hive, Flume and Sqoop using the protection API
• MapReduce using the protection API
• File and folder encryption in HDFS
• Export de-identified data; import de-identified data; export identifiable data; export audit data for reporting
• Data protection at the database, application or file level, or in a staging area
• Data encryption, tokenization or masking of fields or files (in transit and at rest)
(same stack diagram as slide 52: OS file system, HDFS, MapReduce, Pig, Hive, Sqoop, ETL tools, BI reporting, RDBMS)
Slide 54: Data Protection Implementation Layers
(two comparison matrices, legend best to worst: topology, local service versus remote service, rated on performance, scalability and security; system layer, application versus database versus file system, rated on performance, transparency and security)
Slide 55: Are Your Deployed Security Controls Failing?
Slide 57: PCI DSS 3.2 - Security Control Failures
PCI DSS 3.2 includes 10.8 and 10.8.1, which require service providers to detect and report on failures of critical security control systems. PCI Security Standards Council CTO Troy Leach explained:
• "Without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment."
• "While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene."
Slide 58: Example - Report on Failures of Critical Security Controls
(diagram: MTSS management environment connected to the customer's security tools via API)
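Detection logic for the 10.8 control-failure report described on the two slides above, as an added example that is not from the slides or from any MTSS product. It assumes each critical control instance emits a heartbeat or status line that the monitoring side can read; the inventory, silence thresholds, event format and event lines are all constructed for the example. The check walks the inventory rather than the feed, so a control that has silently stopped reporting, or was never wired in, is flagged alongside one that reports itself disabled.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Inventory of critical control instances that must keep reporting. PCI DSS 10.8
# names firewalls, IDS/IPS, FIM, anti-virus, access controls, audit logging and
# segmentation controls; the instances here are constructed for the example.
INVENTORY: List[Tuple[str, str]] = [
    ("fw", "fw-edge-1"), ("ids", "ids-dmz-1"), ("fim", "db-prod-1"),
    ("fim", "web-1"), ("av", "web-1"), ("logging", "siem-col-1"),
]

# Longest silence tolerated per control class before it is declared failed.
MAX_SILENCE: Dict[str, timedelta] = {
    "fw": timedelta(minutes=10), "ids": timedelta(minutes=10),
    "fim": timedelta(minutes=15), "av": timedelta(minutes=10),
    "logging": timedelta(minutes=5),
}

# Constructed heartbeat/status feed: "<utc timestamp> <control> <host> <state>".
# One line is deliberately truncated to show that malformed input is dropped.
SAMPLE_EVENTS = """\
2016-07-22T10:00:05Z fw      fw-edge-1  up
2016-07-22T10:00:07Z ids     ids-dmz-1  up
2016-07-22T10:00:09Z fim     db-prod-1  up
2016-07-22T10:00:11Z av      web-1      up
2016-07-22T10:00:12Z logging siem-col-1 up
2016-07-22T10:05:05Z fw      fw-edge-1  up
2016-07-22T10:05:09Z fim
2016-07-22T10:05:11Z av      web-1      disabled
2016-07-22T10:05:12Z logging siem-col-1 up
2016-07-22T10:10:05Z fw      fw-edge-1  up
2016-07-22T10:10:12Z logging siem-col-1 up
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Failure:
    control: str
    host: str
    reason: str
    last_seen: Optional[datetime]     # last event from this control, if any
    duration: Optional[timedelta]     # how long it has been failing at report time


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue          # malformed line: never count it as a heartbeat
        events.append((parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def detect_failures(events: List[Tuple[datetime, str, str, str]], now: datetime) -> List[Failure]:
    """Evaluate every inventoried control against the latest event for it."""
    latest: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    for ts, control, host, state in sorted(events):
        latest[(control, host)] = (ts, state)
    failures: List[Failure] = []
    for control, host in INVENTORY:
        if (control, host) not in latest:
            failures.append(Failure(control, host, "never reported", None, None))
            continue
        ts, state = latest[(control, host)]
        if state != "up":
            failures.append(Failure(control, host, f"reported {state}", ts, now - ts))
        elif now - ts > MAX_SILENCE[control]:
            failures.append(Failure(control, host, f"no heartbeat for {now - ts}", ts, now - ts))
    return failures


def format_report(failures: List[Failure]) -> str:
    lines = ["control|host|reason|last seen|duration"]
    for f in failures:
        lines.append(f"{f.control}|{f.host}|{f.reason}|{f.last_seen or '-'}|{f.duration or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    now = parse_ts("2016-07-22T10:12:00Z")
    print(format_report(detect_failures(parse_events(SAMPLE_EVENTS), now)))
```

The duration column is what 10.8.1 asks you to document afterwards (how long the control was down and what was unprotected meanwhile), so it is computed at detection time rather than reconstructed later; the logging collector gets the tightest threshold because a gap there also blinds every other detection.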
Slide 59: Managed Tools Security Services - Example
Slide 60: Examples of Security Outsourcing Models
MSSP - Managed Security Service Provider:
• SOC - Security Operations Center
• Security monitoring
• Firewall integration / management
• Vulnerability scanning
• SIEM - Security Information and Event Management
MTSS - Managed Tool Security Service:
• Professional services that apply best practices and expert analysis to your security tools
• Customized alarms and reports through SaaS
• Overall security tools management and monitoring
• Ticketing, resolution and reporting
• Ensures availability of security tools
• License analysis
Who is monitoring your MSSP?
Slide 61: Benefits of Managed Tool Security Service
• Security controls in place and functioning
• Prepared to address information security when it becomes a boardroom issue
• Visibility to measure ROI
• Confidence in reduced risk of data loss, damaged share price, stolen IP, etc.
• Ability to produce a positive return on capital investments in tools
• Cost reduction (people, licenses, maintenance, etc.)
• Reduced risk of breach and associated costs (financial, reputational, regulatory losses)
Slide 62: I Think It Is Time to Re-think
Slide 64: About Compliance Engineering
Slide 65: Security Tools and Integrated Services
• SOC tools: 24/7 eyes-on-glass (EoG) monitoring, Security Operations Center (SOC)
• Managed Tools Security Service
• Discovery: software-as-a-service (SaaS) data discovery solution
Slide 66: Samples of Our Services
Compliance Assessments:
• PCI DSS & PA gap
• HIPAA (2013 HITECH)
• SSAE 16 - SOC 2 & 3
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security posture assessments (based on industry best practices)
• BCP & DRP (SMB market)
Professional Security Services:
• Security architecture
• Engineering/operations
• Staff augmentation
• Penetration testing
• Platform baseline hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC readiness & deployment
Security & Vendor Products:
• Data discovery
• Managed Tools Security Service
• Data loss protection
• SIEM & logging
• Identity and access management
• Endpoint protection
• Network security devices
• Encryption
• Unified threat management
• Multi-factor authentication
Managed Security Services:
• MSSP/SOC
• SIEM 365
• Data center SOC
• IDM/IAM security administration
• Healthcare infrastructure solutions (2013 3rd Qtr.)
• Vulnerability scans
• Penetration testing
Slide 67: Thank you
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
umattsson@complianceengineers.com
www.complianceengineers.com
