PCI Compliance Evolved
Transcript of PCI Compliance Evolved
© SafeNet Confidential and Proprietary
PCI Compliance Evolved: Perpetual Compliance for 2.0 and Beyond
Mike Smart
Product and Solutions Director
Agenda
Growing Challenges with Compliance and the Cost of Breaches and Vulnerabilities
PCI Version 2.0
Holistic Compliance
New Technologies Beyond 2.0
Ease Compliance Management
What We Do: Compliance
SafeNet delivers compliance-ready infrastructures that enable customers to persistently comply with evolving regulations,
reduce audit complexity, and capitalize on new business models.
The Growing Compliance Challenge
Evolving Mandates
• A new and diverse set of regional and global mandates makes compliance more difficult to achieve
Investment Scale
• Investments that solve one compliance issue do not solve the next; it is difficult to leverage the investment beyond compliance
Audit Complexity
• The complexity and scope of audits take energy and effort away from other business-critical tasks
Emerging Infrastructures
• Concerns over maintaining compliance in cloud and virtualized environments stall adoption
Cost of Breaches and Vulnerabilities: Across Industries
Chart: number of breaches per year, 2005 through 2010 (vertical axis 0 to 140), broken down by cause: Unintended Disclosure, Hacking/Malware, Insider, Physical Loss, Portable Device
Cost per Breach: $204 / Record (* Ponemon Institute Study 2010)
Cost of Breaches and Vulnerabilities: Across Industries
Portable Devices
• Laptop encryption and access
• Mobile smart phone access and payment security
Unintended Disclosure
• Control access to and distribution of:
– Structured Data: Database environments
– Unstructured Data: File and folder
Hacking and Malware
• Man-in-the-Browser Attacks
• Phishing and Pharming Attacks
• DNSSEC Hierarchy Signing
Audit Complexity, and Emerging Infrastructures: Numerous Points of Vulnerability
Diagram of the points where sensitive data is exposed: Media/Flash-drive, Laptop, Mobile, Branch Office, Web 2.0 Application, Remote Replication, Data Center, Cloud Services, Internet, SaaS Cloud, Extranet, WAN
Forever Protection
• Cryptographic Perimeter
• Application & DB Data
• File-based Endpoints
• Removable Media contained
Ubiquitous Controls
• Each Data-use is Tracked
• Granular Access Controls
• Assured User Authentication
• Mobile Data LOCKED!
Emerging Infrastructures: Sensitive Data Is Virtualized
The cloud changes everything
– Multiple uses for a virtual resource that contains sensitive data make it difficult to apply the needed controls
The cloud changes nothing
– Every rule of a mandate still applies when migrating sensitive data to the cloud
– Many infrastructure roles and responsibilities may drop out of view once data moves into the cloud, but compliance remains the responsibility of the organization
What’s New in PCI Version 2.0? Highlights
• Any type of cardholder data storage, rather than just databases (1.2.7)
• New optional testing procedure for virtualization technologies (2.2)
• Strong cryptography is required (2.3)
• Service providers should provide key management guidance to customers covering transmission, storage, and update of customer keys (3.6)
• Added “authentication” to allow more flexibility for companies using authentication mechanisms other than passwords (8.5)
Holistic Approach to Perpetual Compliance: Data Protection Strategies Must Change as Well
Data Protection 1.0
• Perimeter focused security
• All-or-nothing encryption
• Keep bad guys out, authorized users get full access
• Multiple products to meet business and security needs
• High level or very specific policy only
• No proper central policy management
Data Protection 2.0
• Data-centric protection: intelligence to protect the data itself throughout its lifecycle
• Granular, selective protection over a subset of unstructured or structured data (files, fields, and columns)
• Granular data protection for authorized users, assuring compartmentalization
• Centrally managed solution that addresses business, compliance, data governance & security
• Centralized policy and key management providing data use tracking and control
Holistic Approach to Perpetual Compliance: Two Important Considerations
Key Management
• Deploy symmetric encryption
• Centralize all keys and restrict access
• Strong model for separation of duties
• Plan a key rotation process
• Plan robust key backup and recovery
Proper Access Control
• Enable the encryption process to validate the user before allowing decryption to occur
• Creates a security boundary within the application or database framework
• Leverage existing authentication and authorization solutions
• Use strong multi-factor authentication to grant key access
• Use authorization policies to enforce which functions encryption users can perform
• Evaluate advanced authorization policies to protect against malicious authorized users
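The key management and access control points above, worked through as a small central key store. This is an added example for this transcript, not SafeNet code: the roles ("custodian" manages keys, "app" uses them), the operation names, the key states (active, retired, destroyed) and the in-memory store are assumptions, and key material is random bytes generated locally. It shows the separation of duties (custodians rotate and destroy keys but never receive key material), the second-factor check before any key is released, and a rotation process in which the previous version stays decrypt-only until it is destroyed.

```python
"""Central key store with versioned keys, rotation, separation of duties and an
authorization check before any key is released. Added example for this transcript,
not SafeNet code: roles, operation names, key states and the in-memory store are
assumptions, and key material is random bytes generated locally."""
import secrets
from dataclasses import dataclass, field

ACTIVE, RETIRED, DESTROYED = "active", "retired", "destroyed"


@dataclass
class KeyVersion:
    version: int
    material: bytes
    state: str = ACTIVE  # active (encrypt+decrypt) -> retired (decrypt only) -> destroyed


@dataclass
class Principal:
    name: str
    role: str                   # "custodian" manages keys; "app" uses them
    mfa_verified: bool = False  # strong authentication is required before any key access
    ops: frozenset = field(default_factory=frozenset)  # operations this principal may perform


class Denied(Exception):
    pass


class KeyStore:
    """Every key lives here. Callers receive one version's material, and only after
    _authorize() has checked role, second factor and permitted operation."""

    def __init__(self):
        self._keys = {}  # key name -> list of KeyVersion, oldest first
        self.audit = []  # (principal, operation, key name, version, outcome)

    def _authorize(self, who, role, op, name, version=None):
        ok = who.role == role and who.mfa_verified and op in who.ops
        self.audit.append((who.name, op, name, version, "ok" if ok else "denied"))
        if not ok:
            raise Denied(f"{who.name} may not {op} {name}")

    # Custodian operations: manage the key lifecycle, never obtain key material.
    def create_key(self, who, name):
        self._authorize(who, "custodian", "create", name)
        self._keys[name] = [KeyVersion(1, secrets.token_bytes(32))]
        return 1

    def rotate(self, who, name):
        """Add a new active version; the previous one becomes decrypt-only so existing
        ciphertext stays readable until it has been re-encrypted under the new key."""
        self._authorize(who, "custodian", "rotate", name)
        versions = self._keys[name]
        versions[-1].state = RETIRED
        versions.append(KeyVersion(len(versions) + 1, secrets.token_bytes(32)))
        return versions[-1].version

    def destroy(self, who, name, version):
        self._authorize(who, "custodian", "destroy", name, version)
        kv = self._keys[name][version - 1]
        if kv.state != RETIRED:
            raise Denied("only retired versions may be destroyed")
        kv.material, kv.state = b"", DESTROYED

    def export_backup(self, who):
        """Custodian-only snapshot for the backup/recovery plan (a real store would
        wrap this under a backup key before writing it anywhere)."""
        self._authorize(who, "custodian", "backup", "*")
        return {n: [(v.version, v.state, v.material.hex()) for v in vs]
                for n, vs in self._keys.items()}

    # Application operations: use keys, never manage them.
    def key_for_encrypt(self, who, name):
        self._authorize(who, "app", "encrypt", name)
        kv = self._keys[name][-1]  # only the newest (active) version encrypts
        return kv.version, kv.material

    def key_for_decrypt(self, who, name, version):
        self._authorize(who, "app", "decrypt", name, version)
        kv = self._keys[name][version - 1]
        if kv.state == DESTROYED:
            raise Denied(f"{name} v{version} has been destroyed")
        return kv.material


def _outcome(fn):
    try:
        fn()
        return "allowed"
    except Denied:
        return "denied"


def demo():
    """Create -> use -> rotate -> destroy, returning what policy allowed or refused."""
    store = KeyStore()
    custodian = Principal("alice", "custodian", mfa_verified=True,
                          ops=frozenset({"create", "rotate", "destroy", "backup"}))
    app = Principal("billing-svc", "app", mfa_verified=True, ops=frozenset({"encrypt", "decrypt"}))
    no_mfa = Principal("batch-job", "app", mfa_verified=False, ops=frozenset({"decrypt"}))
    store.create_key(custodian, "pan-key")
    v1, _ = store.key_for_encrypt(app, "pan-key")
    v2 = store.rotate(custodian, "pan-key")
    results = {"first_version": v1, "after_rotate": store.key_for_encrypt(app, "pan-key")[0]}
    results["old_version_decrypts"] = len(store.key_for_decrypt(app, "pan-key", v1)) == 32
    results["custodian_reads_key"] = _outcome(lambda: store.key_for_encrypt(custodian, "pan-key"))
    results["without_mfa"] = _outcome(lambda: store.key_for_decrypt(no_mfa, "pan-key", v2))
    results["destroy_active"] = _outcome(lambda: store.destroy(custodian, "pan-key", v2))
    store.destroy(custodian, "pan-key", v1)
    results["decrypt_after_destroy"] = _outcome(lambda: store.key_for_decrypt(app, "pan-key", v1))
    results["backup_versions"] = len(store.export_backup(custodian)["pan-key"])
    results["audit_entries"] = len(store.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is what an assessor asks for under the "restrict access" and "separation of duties" points: every request for key material, allowed or refused, is recorded with the principal and key version, and a custodian who tries to pull a key shows up there as a denial.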
Approaches to Data Protection
The approaches
• Web/Application Encryption
• Database Encryption
• File Encryption
• Storage Encryption
• Tokens or Aliasing
The considerations
• Know your threat models
• Application transparency
• Performance
• Business logic embedded within database environments
• Batch processing & bulk import/export operations
• Indexing and primary/foreign key pairs
• Searching on encrypted data
Technology Beyond PCI v. 2.0 – Approach #1: Application Encryption
Pros
• Complete control over when and where to enforce encryption
• Minimal performance impact at application logic
• Protects against a broad range of threats
Cons
• Requires application code changes
• Will not work with off-the-shelf applications that do not provide source code
• Data access method problem
• Indexing/searching is an issue depending on existing query structures, amount of data within the database and data to be encrypted
Considerations
• Database schema changes
• Data migration changes
• Key rotation basics
• When to use application level encryption: you have selective data you want to encrypt (credit cards, SSN, Student IDs, address etc.)
Technology Beyond PCI v. 2.0 – Approach #2: Database Encryption
Pros
• Can achieve complete application transparency depending on the data encrypted
• Can tie directly into the database authentication scheme
• Database changes can be automated (field width and type, creation of views/triggers etc.)
• Tools can be used to understand the attributes of each column
• Can enable separation of duties and protect against malicious DBAs
Cons
• Indexing/searching becomes problematic due to view-based implementations
• Equality queries are not supported unless deployed in conjunction with application encryption (current solutions underway for specific DBMS environments)
• Schema changes may have to occur for a proper and practical implementation
Considerations
• Column-level encryption within database environments
• Enables application transparency: no changes to applications required for simple queries
• Implementation generally done through ‘instead of’ triggers, views, and stored procedures
• Inserts/updates/deletes use ‘instead of’ triggers
• Selects use views
• Stored procedure calls the underlying provider that enables cryptographic functions
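The view-and-trigger pattern from the considerations above, as an added example built on SQLite (not SafeNet's product or code): the real table holds ciphertext, a view presents the cleartext column, and INSTEAD OF triggers route inserts, updates and deletes through the encrypting function, so application SQL is unchanged. The table and view names, the sample rows and the toy cipher (an HMAC-SHA256 keystream with an HMAC tag, standard library only) are assumptions; a production deployment calls an external cryptographic provider or HSM from the stored procedure instead. The demo also exercises the listed con: an equality search through the view still answers, but only by decrypting every row.

```python
"""Column-level encryption behind a view with INSTEAD OF triggers (Approach #2),
built on SQLite. Added example for this transcript, not SafeNet code: the table and
view names, the sample rows and the toy cipher (HMAC-SHA256 keystream plus an HMAC
tag, standard library only) are assumptions; a real deployment calls an external
cryptographic provider or HSM from the stored procedure instead."""
import hashlib
import hmac
import secrets
import sqlite3

KEY = secrets.token_bytes(32)  # constructed: a key manager would supply this


def _keystream(nonce, length):
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt_text(plaintext):
    """Provider function exposed to SQL: fresh nonce, XOR keystream, 16-byte HMAC tag."""
    nonce = secrets.token_bytes(12)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(nonce, len(pt))))
    tag = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def decrypt_text(blob):
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode()


# The real table holds ciphertext; the view presents cleartext and the triggers
# route writes through the provider, so application SQL does not change.
SCHEMA = """
CREATE TABLE customer_enc (id INTEGER PRIMARY KEY, name TEXT, pan_enc TEXT);
CREATE VIEW customer AS
  SELECT id, name, decrypt_text(pan_enc) AS pan FROM customer_enc;
CREATE TRIGGER customer_ins INSTEAD OF INSERT ON customer BEGIN
  INSERT INTO customer_enc (id, name, pan_enc)
  VALUES (NEW.id, NEW.name, encrypt_text(NEW.pan));
END;
CREATE TRIGGER customer_upd INSTEAD OF UPDATE OF pan ON customer BEGIN
  UPDATE customer_enc SET pan_enc = encrypt_text(NEW.pan) WHERE id = OLD.id;
END;
CREATE TRIGGER customer_del INSTEAD OF DELETE ON customer BEGIN
  DELETE FROM customer_enc WHERE id = OLD.id;
END;
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.create_function("encrypt_text", 1, encrypt_text)
    db.create_function("decrypt_text", 1, decrypt_text)
    db.executescript(SCHEMA)
    return db


def demo():
    db = open_db()
    # Application statements target `customer` exactly as if it were a plain table.
    db.executemany("INSERT INTO customer (id, name, pan) VALUES (?, ?, ?)",
                   [(1, "Ada", "4111111111111111"), (2, "Bob", "5500000000000004")])
    db.execute("UPDATE customer SET pan = ? WHERE id = 2", ("5555555555554444",))
    db.execute("DELETE FROM customer WHERE id = 1")
    stored = db.execute("SELECT pan_enc FROM customer_enc WHERE id = 2").fetchone()[0]
    shown = db.execute("SELECT pan FROM customer WHERE id = 2").fetchone()[0]
    # The listed con: an equality search on the view decrypts every row (a full
    # scan); the ciphertext column cannot serve an index on cleartext values.
    plan = db.execute("EXPLAIN QUERY PLAN SELECT id FROM customer WHERE pan = ?",
                      (shown,)).fetchall()
    return {
        "rows_left": db.execute("SELECT COUNT(*) FROM customer_enc").fetchone()[0],
        "cleartext_on_disk": "5555555555554444" in stored,
        "view_shows": shown,
        "equality_search_scans": any("SCAN" in str(row) for row in plan),
    }
```

Because each row gets a fresh nonce, two customers with the same card number produce different ciphertext, which is what makes the stored column unusable for indexing or equality joins; that is the trade-off the slide points at when it says equality queries need application encryption alongside.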
Technology Beyond PCI v. 2.0 – Approach #3: File Encryption
Pros
• Easy to implement
• Transparent to users and applications
• Protects unstructured data
• Provides remote end point protection
• Policy enforcement by user/group, file type and location
Cons
• Not always a good fit for structured data
Considerations
• Location of data, and ensuring protection of data on servers, desktops and laptops
Technology Beyond PCI v. 2.0 – Approach #4: Storage Encryption
Pros
• Easy to set up
• Transparent to applications
• No concerns over app/database schemas, objects, searches
• Performance can be very fast
Cons
• No granular control over what to encrypt: an all-or-nothing proposition
• No way to tie real access controls to data (auditing/logging implications), only access to the file system
• Does not protect against many of the aforementioned threats
• Protects purely against theft (or loss) of the physical medium
Considerations
• When all data in the database needs to be encrypted
• Word, Excel and other file formats need to be encrypted on a central file server
• Large images, blueprints etc.
Technology Beyond PCI v. 2.0 – Approach #5: Tokenization
Pros
• Potential to descope systems
• May be easier to implement than crypto APIs
• In some cases, no changes are required to applications
Cons
• May require application changes where data needs to be processed in cleartext
• Not all data lends itself to tokenizing
Considerations
• Evaluate data flows and where data would need to be tokenized (and detokenized)
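Tokenization as described above, in an added example that is not SafeNet's product or code: a token vault replaces a card number with a random surrogate of the same length, keeps only the last four digits, and is the sole place a token can be mapped back. Downstream systems that store tokens hold nothing an attacker could use, which is the descoping benefit; the roles that must see cleartext (here only "payment-processor") are the ones that stay in scope. The token layout, the vault API, the role names and the sample card numbers (public test numbers) are assumptions. The demo also shows the two cons: detokenization is still needed where cleartext is processed, and input that is not a card number is refused rather than tokenized.

```python
"""Token vault for Approach #5: a PAN is replaced by a random, format-preserving
surrogate so systems that hold only tokens can be descoped. Added example for this
transcript, not SafeNet code; the token layout (last four digits kept, random leading
digits, never Luhn-valid), the vault API, the role names and the sample card numbers
(public test numbers) are assumptions."""
import re
import secrets


def luhn_valid(digits):
    """Standard Luhn check; used both to validate input and to make sure a token
    can never pass as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component able to map a token back to a PAN. Everything downstream
    stores tokens, so order history, analytics and support tools hold no card data."""

    def __init__(self):
        self._by_pan = {}    # same PAN -> same token, so joins and counts still work
        self._by_token = {}
        self.audit = []      # (caller role, token last four, outcome)

    def tokenize(self, pan):
        pan = pan.replace(" ", "").replace("-", "")
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a card number: this data does not lend itself to tokenizing")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]   # last four stay visible for receipts and support
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token, caller_role):
        """Only roles that must process cleartext (settlement, in this example) may
        reverse a token; every attempt is recorded."""
        allowed = caller_role in {"payment-processor"}
        self.audit.append((caller_role, token[-4:], "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def demo():
    vault = TokenVault()
    pan = "4111 1111 1111 1111"   # constructed: a well-known public test number
    token = vault.tokenize(pan)
    order = {"order_id": 1001, "card": token, "last4": token[-4:]}  # what the shop DB keeps
    results = {
        "token_len": len(token),
        "keeps_last4": token.endswith("1111"),
        "token_is_not_pan": token != "4111111111111111",
        "token_fails_luhn": not luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "settlement_gets_pan": vault.detokenize(order["card"], "payment-processor"),
    }
    try:
        vault.detokenize(order["card"], "analytics")
        results["analytics_gets_pan"] = True
    except PermissionError:
        results["analytics_gets_pan"] = False
    try:
        vault.tokenize("customer notes: call back Tuesday")
        results["free_text_tokenized"] = True
    except ValueError:
        results["free_text_tokenized"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Issuing the same token for a repeated PAN is a design choice: it keeps equality joins and fraud counts working on the token alone, at the price that the token reveals "same card as before". A vault that issues a fresh token per transaction avoids that linkage but pushes every such query back to the in-scope vault.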
Critical Step: Tackle Requirement 3 and Reduce the Key Management Scope
Source: Oasis
Critical Step: Tackle Requirement 3 and Reduce the Key Management Scope
What’s the cost of unmanageable key management?
• Planning time: Some organizations spent up to a year planning for key management issues, including breaches and notifications*
• Audit prep time: Demonstrate which apps and networks are using the keys and where in the world they are
• Data Loss: Up to 39 percent of organizations who have experienced key loss also lose data permanently or disrupt business operations
• Maintenance costs: Disparate systems mean no economy of scale for maintenance costs. Each encryption system and key management solution could have 15-20% annual maintenance fees.
* Source: TrustCatalyst
Thank you
Questions?