PCI Compliance Evolved


SafeNet dramatically reduces the cost and complexity of PCI compliance with the most complete and easy to manage data protection solution. With SafeNet, merchants, banks, and payment processors can protect sensitive data at rest, in use and in transit to meet the most challenging PCI security requirements.

Transcript of PCI Compliance Evolved

Page 1: PCI Compliance Evolved

© SafeNet Confidential and Proprietary

PCI Compliance Evolved: Perpetual Compliance for 2.0 and Beyond

Mike Smart

Product and Solutions Director

[email protected]

Page 2: PCI Compliance Evolved


Agenda

Growing Challenges with Compliance and the Cost of Breaches and Vulnerabilities

PCI Version 2.0

Holistic Compliance

New Technologies Beyond 2.0

Ease Compliance Management

Page 3: PCI Compliance Evolved


What We Do: Compliance

SafeNet delivers compliance-ready infrastructures that enable customers to persistently comply with evolving regulations, reduce audit complexity, and capitalize on new business models.

Page 4: PCI Compliance Evolved


The Growing Compliance Challenge

• Evolving Mandates: a new and diverse set of regional and global mandates makes compliance more difficult to achieve

• Investment Scale: investments that solve one compliance issue do not solve the next; it is difficult to leverage the investment beyond compliance

• Audit Complexity: the complexity and scope of audits take energy and effort away from other business-critical tasks

• Emerging Infrastructures: concerns over maintaining compliance in cloud and virtualized environments stall adoption

Page 5: PCI Compliance Evolved


Cost of Breaches and Vulnerabilities: Across Industries

[Chart: yearly values for 2005 to 2010 (y-axis 0 to 140, units not labelled in the transcript), broken down by breach category: Unintended Disclosure, Hacking/Malware, Insider, Physical Loss, Portable Device.]

Cost per Breach: $204 per record (*Ponemon Institute Study 2010)

Page 6: PCI Compliance Evolved


Cost of Breaches and Vulnerabilities: Across Industries

Portable Devices
• Laptop encryption and access
• Mobile smart phone access and payment security

Unintended Disclosure
• Control access and distribution of:
  – Structured Data: database environments
  – Unstructured Data: file and folder

Hacking and Malware
• Man-in-the-Browser attacks
• Phishing and pharming attacks
• DNSSEC hierarchy signing

Page 7: PCI Compliance Evolved

Audit Complexity and Emerging Infrastructures: Numerous Points of Vulnerability

[Diagram: a Data Center connected to endpoints (Media/Flash-drive, Laptop, Mobile, Branch Office), a Web 2.0 Application, Remote Replication, and external networks (Internet, Cloud Services, SaaS Cloud, Extranet, WAN). Two callouts:]

Forever Protection
• Cryptographic Perimeter
• Application & DB Data
• File-based Endpoints
• Removable Media contained

Ubiquitous Controls
• Each Data-use is Tracked
• Granular Access Controls
• Assured User Authentication
• Mobile Data LOCKED!

Page 8: PCI Compliance Evolved

Emerging Infrastructures: Sensitive Data Is Virtualized

The cloud changes everything
– Multiple uses for a virtual resource that contains sensitive data make it difficult to apply the needed controls

The cloud changes nothing
– Every rule of a mandate still applies when migrating sensitive data to the cloud
– Many infrastructure roles and responsibilities may drop out of view once data moves into the cloud, but compliance remains the responsibility of the organization

Page 9: PCI Compliance Evolved


What’s New in PCI Version 2.0? Highlights

• Any type of cardholder data storage, rather than just databases (1.2.7)
• New optional testing procedure for virtualization technologies (2.2)
• Strong cryptography is required (2.3)
• Service providers should provide key management guidance to customers covering transmission, storage, and update of customer keys (3.6)
• Added “authentication” to allow for more flexibility for companies using other authentication mechanisms outside of passwords (8.5)

Page 10: PCI Compliance Evolved


Holistic Approach to Perpetual Compliance: Data Protection Strategies Must Change as Well

Data Protection 1.0
• Perimeter focused security
• All-or-nothing encryption
• Keep bad guys out, authorized users get full access
• Multiple products to meet business and security needs
• High level or very specific policy only; no proper central policy management

Data Protection 2.0
• Data-centric protection: intelligence to protect the data itself throughout its lifecycle
• Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
• Granular data protection for authorized users, assuring compartmentalization
• Centrally managed solution that addresses business, compliance, data governance and security
• Centralized policy and key management providing data use tracking and control

Page 11: PCI Compliance Evolved


Holistic Approach to Perpetual Compliance: Two Important Considerations

Key Management
• Deploy symmetric encryption
• Centralize all keys and restrict access
• Strong model for separation of duties
• Plan a key rotation process
• Plan robust key backup and recovery

Proper Access Control
• Enable the encryption process to validate the user prior to allowing decryption to occur; this creates a security boundary within the application or database framework
• Leverage existing authentication and authorization solutions
• Use strong multi-factor authentication to grant key access
• Use authorization policies to enforce which functions encryption users can perform
• Evaluate advanced authorization policies to protect against malicious authorized users
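The two checklists on this slide (centralized, versioned keys with a rotation plan and separation of duties; validating the caller before any decryption happens) as an added example in Go. This is illustrative code written for this transcript, not SafeNet's product or API: the Vault type, the role names "decrypt" and "custodian", and the blob layout (key version, nonce, AES-GCM output) are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// Vault is a hypothetical central key store (an assumption of this example, not a
// SafeNet product). Keys are versioned: only the newest version encrypts, older ones stay
// readable until rows are re-encrypted. A role table separates custodians, who rotate keys,
// from readers, who decrypt data.
type Vault struct {
	keys    map[uint32][]byte // key version -> 256-bit AES key
	current uint32            // version used for new encryptions
	roles   map[string]string // principal -> "decrypt" or "custodian"
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func NewVault(roles map[string]string) (*Vault, error) {
	v := &Vault{keys: map[uint32][]byte{}, roles: roles}
	return v, v.addVersion()
}

func (v *Vault) addVersion() error {
	k, err := randomBytes(32)
	if err != nil {
		return err
	}
	v.current++
	v.keys[v.current] = k
	return nil
}

// Rotate adds a key version; ciphertext under older versions stays readable.
func (v *Vault) Rotate(principal string) error {
	if v.roles[principal] != "custodian" {
		return fmt.Errorf("rotate: %s is not a key custodian", principal)
	}
	return v.addVersion()
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt writes: 4-byte key version || 12-byte nonce || AES-GCM ciphertext and tag.
// The version header is bound into the tag as associated data, so a swapped header fails.
func (v *Vault) Encrypt(plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(v.keys[v.current])
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, v.current)
	blob := make([]byte, 0, 4+len(nonce)+len(plaintext)+aead.Overhead())
	blob = append(append(blob, hdr...), nonce...)
	return aead.Seal(blob, nonce, plaintext, hdr), nil
}

// Decrypt validates the caller before any key is touched, then uses the key version
// recorded in the blob, so rows written before a rotation remain readable.
func (v *Vault) Decrypt(principal string, blob []byte) ([]byte, error) {
	if v.roles[principal] != "decrypt" {
		return nil, fmt.Errorf("decrypt: %s is not authorized", principal)
	}
	if len(blob) < 4+12+16 { // version header + GCM nonce + GCM tag
		return nil, fmt.Errorf("decrypt: blob too short")
	}
	key, ok := v.keys[KeyVersion(blob)]
	if !ok {
		return nil, fmt.Errorf("decrypt: unknown key version %d", KeyVersion(blob))
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[4:16], blob[16:], blob[:4])
}

// KeyVersion reads the header; NeedsReencrypt flags rows still under an old key after
// a rotation, which allows lazy re-encryption instead of a big-bang migration.
func KeyVersion(blob []byte) uint32 { return binary.BigEndian.Uint32(blob[:4]) }
func (v *Vault) NeedsReencrypt(blob []byte) bool { return KeyVersion(blob) < v.current }
```

The design choice worth noting is that rotation never makes old rows unreadable: each blob records which key version produced it, and NeedsReencrypt lets a background job re-encrypt rows gradually, which is the "plan a key rotation process" item above in practice. Keeping the custodian role unable to decrypt is the separation-of-duties item.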

Page 12: PCI Compliance Evolved


Approaches to Data Protection

The approaches
• Web/Application Encryption
• Database Encryption
• File Encryption
• Storage Encryption
• Tokens or Aliasing

The considerations
• Know your threat models
• Application transparency
• Performance
• Business logic embedded within database environments
• Batch processing and bulk import/export operations
• Indexing and primary/foreign key pairs
• Searching on encrypted data

Page 13: PCI Compliance Evolved


Technology Beyond PCI v. 2.0, Approach #1: Application Encryption

Pros
• Complete control over when and where to enforce encryption
• Minimal performance impact at the application logic
• Protects against a broad range of threats

Cons
• Requires application code changes
• Will not work with off-the-shelf applications that do not provide source code
• Data access method problem
• Indexing/searching is an issue, depending on existing query structures and the amount of data within the database and data to be encrypted

Considerations
• Database schema changes
• Data migration changes
• Key rotation basics
• When to use application-level encryption: you have selective data you want to encrypt (credit cards, SSNs, student IDs, addresses, etc.)

Page 14: PCI Compliance Evolved


Technology Beyond PCI v. 2.0, Approach #2: Database Encryption

Pros
• Can achieve complete application transparency depending on the data encrypted
• Can tie directly into the database authentication scheme
• Database changes can be automated (field width and type, creation of views/triggers, etc.)
• Tools can be used to understand the attributes of each column
• Can enable separation of duties and protect against malicious DBAs

Cons
• Indexing/searching becomes problematic due to view-based implementations
• Equality queries are not supported unless deployed in conjunction with application encryption (current solutions underway for specific DBMS environments)
• Schema changes may have to occur for a proper and practical implementation

Considerations
• Column-level encryption within database environments
• Enables application transparency: no changes to applications required for simple queries
• Implementation is generally done through ‘instead of’ triggers, views, and stored procedures: inserts/updates/deletes use ‘instead of’ triggers, selects use views, and a stored procedure calls the underlying provider that enables cryptographic functions
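Both Approach #1 and Approach #2 list the same con: a randomized ciphertext column cannot serve an equality query. The usual complement to application encryption is a second, searchable column holding a keyed hash of the value (a "blind index"). The following Go code is an added example written for this transcript, not SafeNet's or any DBMS vendor's implementation; the Row type, the function names and the placeholder ciphertext strings are constructed for illustration, and the test PANs are well-known test numbers, not live cards.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Row models one record of an application-encrypted table. The ciphertext column is
// opaque to the database; the index column carries the blind index. The ciphertext
// values produced by SampleTable are constructed placeholders, not cipher output.
type Row struct {
	ID         int
	Ciphertext string // randomized ciphertext of the PAN: differs per row, not searchable
	PANIndex   string // keyed HMAC of the normalized PAN: searchable, for equality only
}

// normalizePAN strips the separators users type, so "4111 1111 ..." and "4111-1111-..."
// index to the same value; without this step equality lookups silently miss rows.
func normalizePAN(pan string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(pan)
}

// BlindIndex is HMAC-SHA256 under a dedicated index key, truncated to 8 bytes.
// The index key is separate from the data-encryption key and is itself a secret:
// anyone holding it can test whether a guessed PAN is present in the column.
// Truncation trades a small false-positive rate for revealing less about the data.
func BlindIndex(indexKey []byte, pan string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalizePAN(pan)))
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

// FindByPAN is the equality query the slides say an encrypted column cannot serve.
// It reads only the index column (in SQL: WHERE pan_index = ?). Because the index is
// truncated, the application must decrypt the candidate rows to confirm a match.
func FindByPAN(rows []Row, indexKey []byte, pan string) []int {
	want := BlindIndex(indexKey, pan)
	var ids []int
	for _, r := range rows {
		if r.PANIndex == want {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// SampleTable builds a constructed table: rows 1 and 3 hold the same card written
// with different separators, row 2 holds a different card.
func SampleTable(indexKey []byte) []Row {
	pans := []string{"4111 1111 1111 1111", "5500-0000-0000-0004", "4111111111111111"}
	rows := make([]Row, 0, len(pans))
	for i, p := range pans {
		rows = append(rows, Row{
			ID:         i + 1,
			Ciphertext: fmt.Sprintf("<constructed ciphertext %d>", i+1),
			PANIndex:   BlindIndex(indexKey, p),
		})
	}
	return rows
}
```

The index restores only equality: range queries, prefix matches and LIKE still do not work, which is why the slide's "indexing and primary/foreign key pairs" consideration has to be settled per column before choosing this approach. The index key should be rotated and protected with the same rigor as the data keys, since it lets its holder confirm whether a specific PAN is stored.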

Page 15: PCI Compliance Evolved


Technology Beyond PCI v. 2.0, Approach #3: File Encryption

Pros
• Easy to implement
• Transparent to users and applications
• Protects unstructured data
• Provides remote end point protection
• Policy enforcement by user/group, file type and location

Cons
• Not always a good fit for structured data

Considerations
• Location of data, and ensuring protection of data on servers, desktops and laptops

Page 16: PCI Compliance Evolved


Technology Beyond PCI v. 2.0, Approach #4: Storage Encryption

Pros
• Easy to set up
• Transparent to the application
• No concerns over app/database schemas, objects, searches
• Performance can be very fast

Cons
• No granular control over what to encrypt: an all-or-nothing proposition
• No way to tie real access controls to data (auditing/logging implications); only access to the file system
• Does not protect against many of the aforementioned threats
• Protects purely against theft (or loss) of the physical medium

Considerations
• When all data in the database needs to be encrypted
• Word, Excel and other file formats need to be encrypted on a central file server
• Large images, blueprints, etc.

Page 17: PCI Compliance Evolved


Technology Beyond PCI v. 2.0, Approach #5: Tokenization

Pros
• Potential to descope systems
• May be easier to implement than crypto APIs
• In some cases, no changes are required to applications

Cons
• May require application changes where data needs to be processed in cleartext
• Not all data lends itself to tokenizing

Considerations
• Evaluate data flows and where data would need to be tokenized (and detokenized)
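The tokenization slide in working form, as an added Go example that is not SafeNet's product or any payment processor's service: a minimal token vault that issues format-preserving tokens for card numbers, refuses input that is not a PAN (the "not all data lends itself to tokenizing" con), and only hands cleartext back to principals that must process it (the "application changes where data needs to be processed in cleartext" con). The TokenVault type, the principal names, and the choice to keep the last four digits and make tokens fail the Luhn check are assumptions of this example; the card numbers in the test are standard test numbers, not live cards.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// TokenVault is a hypothetical token service (an assumption of this example, not a
// SafeNet product). Only the vault holds the token-to-PAN mapping; systems that store or
// forward tokens never see a PAN, which is what takes them out of scope.
type TokenVault struct {
	byToken      map[string]string
	byPAN        map[string]string // multi-use tokens: the same PAN always yields the same token
	detokenizers map[string]bool   // principals allowed to recover cleartext
}

func NewTokenVault(detokenizers map[string]bool) *TokenVault {
	return &TokenVault{byToken: map[string]string{}, byPAN: map[string]string{}, detokenizers: detokenizers}
}

// luhnValid is the mod-10 checksum every real PAN satisfies.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// normalizePAN decides whether a value is tokenizable as a PAN at all: strip separators,
// require 13 to 19 digits and a valid Luhn checksum; anything else is rejected. The
// error text never echoes the input, so rejected values do not leak into logs.
func normalizePAN(pan string) (string, error) {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if n := len(digits); n < 13 || n > 19 || strings.Trim(digits, "0123456789") != "" {
		return "", fmt.Errorf("tokenize: input is not a PAN (13 to 19 digits required)")
	}
	if !luhnValid(digits) {
		return "", fmt.Errorf("tokenize: Luhn check failed")
	}
	return digits, nil
}

// randomDigits draws uniform decimal digits from crypto/rand; bytes >= 250 are
// rejected so that b%10 is unbiased.
func randomDigits(n int) (string, error) {
	out := make([]byte, 0, n)
	b := make([]byte, 1)
	for len(out) < n {
		if _, err := rand.Read(b); err != nil {
			return "", err
		}
		if b[0] < 250 {
			out = append(out, '0'+b[0]%10)
		}
	}
	return string(out), nil
}

// Tokenize returns a format-preserving token: same length as the PAN, last four digits
// kept so receipts and support screens still work, the rest random. Tokens are chosen to
// fail the Luhn check, so a token can never be mistaken for (or equal) a live PAN.
func (tv *TokenVault) Tokenize(pan string) (string, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return "", err
	}
	if tok, ok := tv.byPAN[digits]; ok {
		return tok, nil
	}
	for {
		mid, err := randomDigits(len(digits) - 4)
		if err != nil {
			return "", err
		}
		tok := mid + digits[len(digits)-4:]
		if _, taken := tv.byToken[tok]; taken || luhnValid(tok) {
			continue
		}
		tv.byToken[tok] = digits
		tv.byPAN[digits] = tok
		return tok, nil
	}
}

// Detokenize is the one place cleartext reappears; only components that must process
// the PAN (settlement, for example) are granted it, everything else keeps the token.
func (tv *TokenVault) Detokenize(principal, token string) (string, error) {
	if !tv.detokenizers[principal] {
		return "", fmt.Errorf("detokenize: %s is not authorized", principal)
	}
	if pan, ok := tv.byToken[token]; ok {
		return pan, nil
	}
	return "", fmt.Errorf("detokenize: unknown token")
}
```

Multi-use tokens (same PAN, same token) let downstream systems join and de-duplicate on the token without ever detokenizing, which is what makes the descoping on the slide real; the trade-off is that the token becomes a stable identifier for the card, so the vault and its lookup API need the access controls and logging that the cleartext would have needed.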

Page 18: PCI Compliance Evolved


Critical Step: Tackle Requirement 3 and Reduce the Key Management Scope

[Figure not reproduced in the transcript. Source: Oasis]

Page 19: PCI Compliance Evolved


Critical Step: Tackle Requirement 3 and Reduce the Key Management Scope

What’s the cost of unmanageable key management?

Planning time: some organizations spent up to a year planning for key management issues, including breaches and notifications*

Audit prep time: demonstrate which apps and networks are using the keys and where in the world they are

Data loss: up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations

Maintenance costs: disparate systems mean no economy of scale for maintenance costs; each encryption system and key management solution could have 15-20% annual maintenance fees

* Source: TrustCatalyst

Page 20: PCI Compliance Evolved


Critical Step: Tackle Requirement 3 and Reduce the Key Management Scope

Page 21: PCI Compliance Evolved


Thank you

Questions?