
  • © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

    Borderless Networks and PCI compliance

    Philippe Roggeband - [email protected]

    Emerging Markets Borderless Networks

  • One year ago…

    In what could be the biggest security incident in history, Heartland Payment Systems announced on Tuesday 20th of January that it was the victim of a data breach that possibly compromised more than 100 million accounts after malicious software was found in its payment processing system.

  • Philippe Roggeband - [email protected]

    Emerging Markets Borderless Networks team

    Borderless Networks and PCI Compliance


  • © 2009 Cisco Systems, Inc. All rights reserved. Cisco public

    Cisco Expo, Bratislava

    Borderless Networks Security & PCI compliance

    Agenda

    Cisco’s approach to security

    PCI Compliance overview

    Cisco’s PCI Compliance solutions

    Call to action

  • Cisco Architectural Approach

    Security Policy

    Borderless Networks, Collaboration, Virtualization

    Product Portfolio: Desktop Virtualization, Multi-Stream Video, WAAS, Wireless, Switching, Routing, Security

  • The Transformation: The World Is Our New Workspace

    BORDERLESS NETWORKS: A Next Generation Architecture to Deliver the New Workspace Experience

    Anyone, Anywhere, Any Device, Any Resource

  • Changing Environment; Shifting Borders

    IT Consumerization: Device Border

    Mobile Worker: Location Border

    Video/Cloud, IaaS, SaaS: Application Border

    External-Facing Apps / Internal Apps

  • Securing Borderless Networks

    Business Challenges: Where? What? Who? How?

    Traditional borders are blurred; access from anywhere

    Threats are constantly changing: viruses and worms to malware to botnets

    Identity: who is accessing the network and what they can do

    How to monitor and enforce global policies

  • The Evolving Security Threats

    Criminal specialization driving more sophisticated attacks

    Web ecosystem becomes the number one threat vector

    Criminals exploit users' trust, challenging traditional security solutions

    Creative methods (business models) used to attract victims

  • Building Secure Borderless Networks

    Borderless Security Architecture: Network Security, Trusted Client, Content Security, Policy and Identity

    Appliance, Hybrid Hosted, Security Module, Software

    Defend, Extend, Protect, Comply

    Cisco Security Intelligence Operations

    Network Infrastructure

  • Cisco Security Product Portfolio

    Network Security, Trusted Client, Content Security, Policy and Identity; Cisco Security Intelligence Operations

    AnyConnect VPN Client, ISR, FWSM, Network Admission Control, ACE Web App Firewall, IPS 4200, Cisco Virtual Office, Cisco Security Manager, Cisco Secure ACS, IronPort Hosted Email Security, IronPort S-Series, IronPort C-Series, Cisco Secure MARS, ASA 5500, IronPort M-Series

  • Cisco Security Intelligence Operations: Powering Cisco Security

    SensorBase: 700,000+ global sensors over four threat vectors; historical library of 40,000 threats; 500 third-party feeds, 100 news feeds, open source, and vendor partnerships

    Threat Operations Center: automated tracking of over 200 parameters; SenderBase categorizes and rates reputation; global threat correlation

    Advanced Protection: automated rule and/or signature creation; innovative virus outbreak filters

    Fast, Accurate Detection; Advanced Mitigations

  • Securing the Borderless Network Through Systems and Solutions

    Defend: Defend Against Threats

    Protect: Protect Business Assets

    Extend: Secure Enterprise Connectivity

    Comply: Achieve Regulatory Compliance

    Cisco Solution Examples: Threat Defense, Secure Remote Workforce, Data Loss Prevention, Solution for PCI

    Secure Borderless Network

  • Overview of PCI standards

  • Who does what?

    The PCI SSC sets the PCI DSS standard

    Each card brand has its own program for: compliance, validation levels, enforcement

    QSA – Qualified Security Assessor: assesses compliance with the PCI DSS

    ASV – Approved Scanning Vendor: validates adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers

    SAQ – Self-Assessment Questionnaire: validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance

  • Card brands websites

    American Express: www.americanexpress.com/datasecurity

    Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html

    JCB International: www.jcb-global.com/english/pci/index.html

    MasterCard Worldwide: www.mastercard.com/sdp

    Visa Inc: www.visa.com/cisp

  • The Payment Card Industry (PCI) Data Security Standard

    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored data
    4. Encrypt transmission of cardholder data and sensitive information across public networks

    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    7. Restrict access to data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

  • PCI 1.2 Changes and Impact: Network Segmentation

    Network segmentation reduces PCI scope => reduces cost of audit => reduces cost to achieve PCI compliance

    Network segmentation now needs to be proven effective

    If ineffective, the segmentation does not apply, and the cardholder data environment is now expanded

    Network segmentation with VLANs alone is no longer sufficient

    Firewalls are necessary to segment wireless LANs out of the cardholder data environment
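    The segmentation points above are a scoping argument: a VLAN boundary with no filtering between VLANs leaves every subnet able to reach the cardholder data environment, so nothing is taken out of scope, while a firewall policy reduces scope only to the extent that it actually blocks paths into the CDE. The following Python is an added example, not code from the presentation or from Cisco: it models an inter-VLAN firewall policy with first-match, implicit-deny semantics and reports which out-of-scope subnets can still reach the CDE and what the resulting PCI scope is. The subnets, rules and ports are constructed for the example; the `Rule` class and the function names are assumptions of this example, not an API of any product.

```python
"""Model an inter-VLAN firewall policy and report which out-of-scope subnets
can still reach the cardholder data environment (CDE), so that PCI scope can
be reasoned about before an assessor tests the segmentation.

All subnets, rules and ports below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule; rules are evaluated first-match with an implicit deny."""
    action: str              # "permit" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dst_port: Optional[int]  # None means any destination port


def pair_permitted(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Return True if ANY host in src may reach ANY host in dst on port.

    Conservative for an assessment: a deny only shadows later rules when it
    covers the whole src/dst pair, while a permit counts as soon as it
    overlaps the pair at all. Partial deny coverage is therefore reported as
    reachable, which is the safe direction when deciding PCI scope.
    """
    src_net, dst_net = ip_network(src), ip_network(dst)
    for r in rules:
        if r.dst_port is not None and r.dst_port != port:
            continue
        r_src, r_dst = ip_network(r.src), ip_network(r.dst)
        if r.action == "deny" and src_net.subnet_of(r_src) and dst_net.subnet_of(r_dst):
            return False
        if r.action == "permit" and src_net.overlaps(r_src) and dst_net.overlaps(r_dst):
            return True
    return False  # implicit deny at the end of the policy


def segmentation_findings(rules, cde, out_of_scope, ports) -> List[Tuple[str, str, int]]:
    """Every (out-of-scope subnet, CDE subnet, port) the policy lets through."""
    return [
        (src, dst, port)
        for src in out_of_scope
        for dst in cde
        for port in ports
        if pair_permitted(rules, src, dst, port)
    ]


def pci_scope(rules, cde, out_of_scope, ports) -> List[str]:
    """CDE plus any subnet that can reach it: segmentation that is not
    effective does not reduce scope, it expands the CDE."""
    connected = {src for src, _, _ in segmentation_findings(rules, cde, out_of_scope, ports)}
    return sorted(set(cde) | connected)


# Constructed sample environment (not from the presentation).
CDE = ["10.10.10.0/24", "10.10.20.0/24"]                      # POS VLAN, card-data DB VLAN
OUT_OF_SCOPE = ["10.50.0.0/16", "10.20.0.0/24", "10.30.0.0/24"]  # guest Wi-Fi, corporate users, inventory
PORTS = [22, 443, 1433, 3389]                                   # services an assessor would probe

# "VLANs alone": inter-VLAN routing with no filtering between VLANs.
FLAT_VLANS = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None)]

# Firewall between VLANs: one documented exception, then deny everything into the CDE.
FIREWALLED = [
    Rule("permit", "10.30.0.0/24", "10.10.10.0/24", 443),  # inventory sync to POS, HTTPS only
    Rule("deny", "0.0.0.0/0", "10.10.0.0/16", None),
]


if __name__ == "__main__":
    for name, rules in (("VLANs only", FLAT_VLANS), ("firewalled", FIREWALLED)):
        findings = segmentation_findings(rules, CDE, OUT_OF_SCOPE, PORTS)
        print(f"{name}: {len(findings)} path(s) into the CDE")
        for src, dst, port in findings:
            print(f"  {src} -> {dst}:{port}")
        print(f"  resulting PCI scope: {pci_scope(rules, CDE, OUT_OF_SCOPE, PORTS)}")
```

    With the flat policy every out-of-scope subnet reaches both CDE subnets on every port, so the whole environment is in scope; with the firewalled policy the only remaining path is the documented inventory-to-POS exception, and that one permitted path pulls the inventory subnet into scope while guest Wi-Fi and corporate users stay out. The same pair check can be run against an exported rule base after any change, which is the kind of evidence an assessor asks for when segmentation has to be shown effective rather than assumed.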

  • Scoping with Segmentation

    Determine scope

    Can scope be reduced with segmentation?

    No: entire network is in scope for PCI DSS review

    Yes: audit performed. Did the assessor validate segmentation effectiveness?

    Not in place: entire network is in scope for PCI DSS review

    In place: assessor documents segmentation in place and effective; scope limited for PCI DSS review

    [Diagram: "Entire Network Is in Scope" versus "Only Devices Passing Cardholder Data Are in Scope". Both show the same topology: Branch (POS servers, server access), Data Center (storage, inventory servers, server access), WAN access, Core, Headquarters, Warehouse, Wide Area Accelerated Network.]

  • PCI 1.2 Changes and Impact – QSA Audits

    PCI Security Standards Council started the QSA Quality Assurance Program in November 2008

    QSAs (PCI auditors): more thorough due diligence during audit, need to provide more details in the Report on Compliance (ROC)

    Test compensating controls for effectiveness

    Test network segmentation for effectiveness

    Justify sample size selection

  • PCI 1.2 Major Areas - Wireless

    Wireless deadlines in the cardholder data environment (CDE), written into the PCI DSS 1.2 standard:

    No new WEP installations after 31 March 2009

    Existing WEP deployments must be decommissioned by 30 June 2010

    Wireless Guidelines & Recommendations published

    Guidelines map to the existing PCI DSS 1.2 standard

    Recommendations may go above & beyond the existing standard (wIPS for example)

    Anticipate (but not guarantee) that most of the recommendations will be incorporated into the next PCI standard revision

  • Published Deadlines, Fines and Level Validation Changes

    MasterCard Global PCI deadline is now Dec 31, 2010 for Level 1, 2, 3 Merchants and Service Providers

    Level 1 & 2 merchants must use an external QSA for on-site audits. Level 2 merchants must also still complete and submit a PCI Self-Assessment Questionnaire

    Service Provider (banks, payment processors) Tier 1 threshold reduced from 1 million transactions to 300,000 transactions

    Fines for non-compliance (not breach) per calendar year:

    • Merchant Level 1 & 2, Service Providers - $25k, $50k, $100k, $200k consecutively

    • Level 3 - $10k, $20k, $40k, $80k consecutively

  • MasterCard/VISA PCI Merchant Levels

    Level 1 Merchants
    Criteria: merchants processing over six million Visa/MC transactions annually (all channels), or global merchants identified as Level 1 by any card brand; any merchant that has suffered a hack or an attack that resulted in an account data compromise
    Requirement: annual on-site audit by Qualified Security Assessor ("QSA"); quarterly network scan by Approved Scan Vendor ("ASV"); Attestation of Compliance form

    Level 2 Merchants
    Criteria: one million to six million transactions annually (all channels)
    Requirement: annual on-site audit by QSA; annual self-assessment; quarterly network scan by ASV

    Level 3 Merchants
    Criteria: 20,000 to one million e-commerce transactions annually
    Requirement: annual self-assessment (SAQ); quarterly network scan by ASV

    Level 4 Merchants
    Criteria: less than 20,000 e-commerce transactions annually, and all other merchants processing up to one million Visa transactions annually
    Requirement: annual SAQ recommended; compliance validation requirements set by acquirer

    Source: http://usa.visa.com/download/merchants/cisp-bulletin-visa-pci-dss-framework-111808.pdf

  • PCI Security Standards Council Board of Advisors – Cisco Member

    Bank of America, Banrisul S.A., Barclaycard, Chase Paymentech Solutions Inc, Cisco, Citrix Systems, Inc, European Payments Council, Exxon Mobil Corporation, First Data, Global Payments Inc, JPMorgan Chase & Co, Lufthansa Systems Passenger Services, McDonald’s Corporation, MICROS Systems, Inc, National Australia Bank, PayPal, Royal Bank of Scotland Group, Tesco Stores Ltd, TSYS Acquiring Solutions, VeriFone, Wal-Mart Stores, Inc

    2-year commitment (May 2009 – April 2011)

  • Cisco Security for PCI

    Products: ISR Series, ASA 5500, IPS 4200, NAC Appliance, IP Video, Email Security

    Functions: Firewall, VPN, IPS, NAC, Video Monitor, Email Security

  • Cisco Wireless Security for PCI

    Products: Mobility Services Engine, 802.11n Wireless Access Points, Wireless LAN Controller, ISR Series with Wireless

    Functions: WPA/WPA2, Scan/monitor, wIPS, Device location, Device hardening

  • Cisco Data Center for PCI

    Storage, Virtualization

    Products: Nexus & UCS, MDS Storage Encryption, WAN Storage Encryption, ASA 5500, IPS 4200

    Functions: FW, VPN, IPS, Encryption

  • Cisco VLANs for PCI

    Products: ISR Series, 802.11n Wireless Access Points, Catalyst Switches

    Functions: VLANs, Wireless VLANs

  • Cisco Management for PCI

    Products: ACS – Access Control System; Cisco Security Manager (Provisioning); Wireless Control System (Provisioning)

    Functions: AAA, Rule-based Access, Centralized Provisioning

  • Cisco Unified Customer Voice Portal Security for PCI

    Products: ASA 5500, ISR Series, Catalyst Switches

    Voice Self Service

    Functions: Firewall, VPN, Application Security

  • Cisco Validated Design Includes:

    Cisco PCI Validated Architectures

    Recommended architectures for networks, payment data at rest, and data in transit

    Tested in a simulated retail enterprise

    Configuration, monitoring, and authentication management systems

    Architectural design guidance and audit review provided by PCI audit and remediation partners

    PCI Audit Partner; Retail Solution Partners (http://www.intermec.com/)

    Validated Design: Small Retail Store

  • Cisco Security Innovations

    Identity: first to develop and bring NAC technology to the market; Cisco TrustSec delivers security group tagging for RBAC; simplifies 802.1x deployments with "Open Mode" and "Flexible Authentication"

    Security Intelligence: SenderBase® Network, the world's first and largest reputation database; SensorBase®, largest historical vulnerability and live network security threat feed; Virus Outbreak Filters to detect zero-day threats

    IPS with Global Correlation: first to implement IPS in modular format in switches/routers; first to use global reputation in threat analysis; patented Risk Rating system

    Web Security: Web Usage Controls; first to create Dynamic Vectoring and Streaming (DVS) for anti-malware defense; first to create Dynamic Content Analysis (DCA) to evaluate and categorize web content (even hidden)

    VPN: first to use DTLS, which optimizes connections for latency-sensitive traffic; first to offer client VPN on Windows Mobile phones; first VPN solution to support the iPhone

    Router Security: industry-leading integration of VPN, routing, and QoS (DMVPN, GET VPN, SSL VPN, and Easy VPN); embedded security: application firewall, IPS, and URL filtering; one-touch lockdown and security audit

  • Cisco Security Market Leadership

    Merging Innovative Security Technology with More Than 25 Years of Networking Expertise to Redefine Network Security

    Investment: $100M spent on dynamic research and development; 250 certifications, 1000s of publications, 25 books authored, and 100 security patents; 80+ PhDs, CCIEs, CISSPs, MCSEs

    Market: over 20 million security appliances and 100+ million clients deployed; #1 enterprise security revenue, over $2B; #1 in network security appliances: firewall, email security, NAC, router security

    Solution: comprehensive solutions, Layer 2 to purpose-built proxies; validated industry solutions: PCI, SAFE Data Center, UC; flexible delivery options: appliances, security modules, cloud

    Threat Intelligence: threat operations team of 500 analysts, five global locations; largest sensor network, millions of sensors; broadest data footprint, network and application level

  • Expect / Get / Save MORE From Your Borderless Network

    Increase Productivity

    Focus on Strategic IT

    Superior Customer Experience

    Optimize Costs

    Single Point of Service