MYTHBUSTERS: Can You Secure Payments in the Cloud?

Transcript of MYTHBUSTERS: Can You Secure Payments in the Cloud?

Page 1

The Leader in Active Cyber Defense

MYTHBUSTERS: Can You Secure Payments in the Cloud?

KURT HAGERMAN | CISO, ARMOR

SEPTEMBER 2015

Page 2

BETWEEN YOU AND THE THREAT

KURT HAGERMAN
Chief Information Security Officer | ARMOR

• CISA- and CISSP-certified
• Frequent speaker and author on security for the payments industry, healthcare industry and cloud security
• 25-year veteran in IT, security consulting and auditing

Page 3

Fact or Fiction: Can You Secure Payments in the Cloud?

Page 4

Myths About the Cloud

• It’s not secure
• Not trusted
• Loss of control
• Lack of compliance
• Unknown location of data

Page 5

You Against Them

Page 6

No Easy Task

YOU ARE:

• Risk-aware and in tune with your industry’s challenges.
• Required to meet numerous and overlapping regulations and mandates.
• Faced with customer demand to process sensitive data in online and mobile channels.

Page 7

In the first 6 months of 2015 (Source: Gemalto)

• 888 breaches
• 246,000,000 records compromised
• 1,400,000 records compromised every day
• 943 records compromised every minute
• 16 records compromised every second

Page 8

A World of Targets

• Security spending doubled in past 4 years
• Many of these organizations were “compliant” on various security frameworks
• Major shortage in security talent and getting worse
• Average hacker dwell time is 205 days across enterprises

[Timeline of breached organizations: 2011, 2012, 2013, 2014, latest]

NONE SECURED IN THE CLOUD

Page 9

Where You’re Being Hit

More than half of you have been targeted. This is where threat actors attack you most often.

62% of companies were targets of payments fraud in 2014.

Most Targeted Methods:

• Checks: 77%
• Credit & debit cards: 34%
• Wires: 27%

Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey

Page 10

The Compliance Landscape

Page 11

“Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.”

Jeremy Epstein, Lead Program Director, National Science Foundation

Page 12

Regulatory Landscape

[Diagram of applicable regulations; only the SOX label survives extraction]

Page 13

Legal Ramifications Evolving

“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia)

• Example of government overreach
• Ruling of “harm” left to FTC based on no published standards
• Virtually impossible to comply
• Even when PCI-compliant, your organization could still be liable for data loss

Page 14

Which Frameworks are Proven?

FISMA, NIST 800-53, ISO 27001

Each is good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program.

What about the Payment Card Industry Data Security Standard?

Page 15

12 Key PCI Security Requirements

CONTROL OBJECTIVES and PCI DSS REQUIREMENTS

Build & Maintain Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain Vulnerability Management Program
5. Use and regularly update antivirus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly Monitor & Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security.

Page 16

The PCI Baseline

IT’S TRUSTED
• Prescriptive framework
• Vetted process
• Widely adopted

IT’S EFFECTIVE
• Helps manage risk
• Protects brands
• Mitigates loss during breach response

Page 17

How Do You Secure This Data?

Page 18

Follow PCI Best Practices

• Leverage as a strong baseline for all your sensitive data
• Has been copied or mirrored by other governing bodies (NACHA for instance)
• Includes cross-over into other compliance requirements

Page 19

Use a Cloud Solution to Decouple Payment Data

• Decouple to secure infrastructure
• Isolate and secure access to sensitive data
• Reduce scope for compliance
• Faster audits and lower costs

[Diagram: authorized users and internal & external system users reaching the isolated payment environment, separate from the large IT environment]

Page 20

We Trust The Experts For a Reason

Page 21

A Real-World Case Study

Page 22

The Company

Popular utility provider secures millions of transactions each month in PCI-compliant cloud.

Region: Southwest
Employees: More than 10,000
Industry: Utilities
Market: Residential & Commercial
Customers: 1 - 5 Million

Page 23

The Challenge

• Large Southern retail & commercial utility company
• Leveraged legacy ERP system for online payments
• Couldn’t meet PCI compliance
• Entire network was in scope

Page 24

The Details

• Traditional check, cash, credit cards & ACH payments
• Data-at-rest presented PCI challenge
• Data existed throughout corporate systems & network
• Connected to multiple third-party banking & payment applications

Page 25

The Solution

• Decouple payment data from corporate environment
• Reduce scope of PCI audit
• Tokenization of payment data
• Implement business continuity strategy

“By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance.”
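The decoupling and tokenization steps above, as an added illustration that is not the deck’s or Armor’s code: a minimal token vault in which the card number (PAN) exists only inside the PCI-scoped vault, while the corporate/ERP system keeps a random token and the last four digits. The index key, class and function names are assumptions; 4111111111111111 is a standard test card number, not a real account.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only PCI-scoped component: PANs are stored here and nowhere else."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # keyed index so one card maps to one token
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_hex(16)   # random; carries no PAN information
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def corporate_record(vault: TokenVault, pan: str) -> dict:
    """What the out-of-scope corporate/ERP system is allowed to keep."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


if __name__ == "__main__":
    # Constructed demo key and test PAN (assumptions, not values from the deck).
    vault = TokenVault(b"demo-index-key-replace-in-production")
    print(corporate_record(vault, "4111111111111111"))
```

Only the vault (and its operators) can call detokenize, so a breach of the corporate network yields tokens that are useless without it.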

Page 26

The Infrastructure

• Designed as fully redundant environments
• Included direct connections to two data centers
• Meets strict business continuity requirements
• Leverages multiple security layers to thwart targeted attacks

4 LOAD BALANCERS
4 DATABASE SERVERS
4 WEB SERVERS
4 APPLICATION SERVERS
2 MPLS CIRCUITS FOR DIRECT CONNECTION TO ARMOR DATA CENTERS

Page 27

What’s Your Strategy?

Page 28

Traditional DIY Approach: Difficult & Complex

• More tools and technologies?
• How much is this going to cost?
• How am I going to implement?
• In what time period?
• Do I have the people and expertise?

Page 29

Comparing Cloud Responsibility

Key: C = Client-Provided, S = Vendor, Customer-Shared, V = Vendor-Provided

Security Layer   Security Feature                       DIY Cloud   Public Cloud   Secure Managed Cloud
Perimeter        IP Reputation Filtering                C           C              V
Perimeter        DDoS Mitigation                        C           C              V
Perimeter        Web application firewall               C           C              V
Network          Segmentation                           C           S              V
Network          Network Firewall (Hypervisor based)    C           S              V
Network          Vulnerability Scanning                 C           C              V
Network          Secure Remote Access                   C           S              V
Network          Encryption in Transit                  C           C              S
Network          Intrusion Detection                    C           C              V
Server/OS        Hardened Operating System              C           C              V
Server/OS        Secure Remote Administrative Access    C           S              V
Server/OS        OS Patching                            C           C              V
Server/OS        Anti-Virus/Anti-Malware                C           C              V
Server/OS        Log Management                         C           C              V
Server/OS        Time Synchronization                   C           C              V
Server/OS        File Integrity Monitoring              C           C              V
Server/OS        Encryption                             C           S              S
Server/OS        DLP                                    C           C              S
Server/OS        Configuration Management               C           C              V
Server/OS        Host Intrusion Detection               C           C              V
Virtual          Hardened Hypervisor                    C           S              V
Virtual          Isolated Management                    C           V              V
Virtual          Secure Storage                         C           V              V
Physical         Rogue Wireless Scanning                C           V              V
Physical         24x7 Support Staff                     C           V              V
Physical         Entry Controls                         C           V              V
Physical         Video Monitoring                       C           V              V
Physical         Environmental Controls                 C           V              V

Page 30

What To Look For From Cloud Vendors: The Key Attributes

• Expertise
• Track record
• Technology
• People
• Process
• Certification
• Ability to execute and deliver

You need to deal with vendors that are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements.

Your vendor should…

• Provide a clear, concise explanation of the specific security controls they include and how these benefit you
• Be able to articulate the boundaries between their responsibility and yours
• Provide you with documentation that backs up their claims about being “Compliant”, including independent audit reports that clearly state the scope of the assessment, the controls framework used and especially how this compliance can be leveraged by YOU

Page 31

LIGHTEN IT & SECURITY BURDEN / PROTECT YOUR BUSINESS

• Focus on your business
• Leave it to the experts
• Increase performance
• Enhance scalability
• Get better security for your environment
• Make compliance less costly and time consuming
• Reduce overall costs
• Facilitate BCDR planning

Page 32

The Cloud Isn’t Secure Enough for Payment Transactions: BUSTED

Page 33

The Leader in Active Cyber Defense

Questions?

KURT HAGERMAN
[email protected]
1-877-262-3473 x8073

SEPTEMBER 2015