PCI DSS Compliance · 2016-10-23 · Discussion of Data Protection for PCI DSS Build and maintain a...
PCI DSS Compliance
Ulf Mattsson, CTO
Bio
20 years with IBM Development & Services
• IBM Software Development & IBM Research consulting resource
• IBM Certified IT Architect in IT Architecture & IT Security
Created Protegrity's Data Security Technology
• Protegrity Policy driven Data Encryption (1994)
Inventor of 20+ Patents
• In the areas of Encryption Key Management, Separation of Duties, Policy Driven Data Encryption, Tokenization, Internal Threat Protection, Data Usage Control, Dynamic Access Control, Intrusion Prevention and Cross System Layer Security.
Master's degree in Physics and degrees in Finance and Electrical Engineering
• Research member of the International Federation for Information Processing (IFIP) WG 11.3 Data and Application Security.
• Member of IEEE, OASIS, Computer Security Institute (CSI), Object Management Group (OMG) CORBA Security Service, Open Web Application Security Project (OWASP), Information Systems Security Association (ISSA), Information Systems Audit and Control Association (ISACA), The International Association of Science and Technology for Development (IAST), The Medical Records Institute (MRI), and The World Scientific and Engineering Academy and Society for Computer Security (WSEAS).
Agenda
Data Protection Options for PCI and Beyond
PCI Case Studies
Advanced Attacks on Data Flow
Determining Risks
Cost Effective Approach
http://www.knowpci.com (Participating Organization)
Discussion of Data Protection for PCI DSS
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
PCI DSS Applicability Information & PII Aspects
Requirement 3: Protect stored cardholder data
Section 3.4
Render PAN, at minimum, unreadable anywhere it is stored (including on portable digital media, backup media, in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography
• Truncation
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures
The MINIMUM account information that must be rendered unreadable is the PAN.
Notes:
• If for some reason a company is unable to render the PAN unreadable, refer to Appendix B: Compensating Controls.
• “Strong cryptography” is defined in the PCI DSS Glossary of Terms, Abbreviations, and Acronyms.
Requirement 3: Protect stored cardholder data
Section 3.5
“Protect encryption keys used for encryption of cardholder data against both disclosure and misuse.
• 3.5.1 Restrict access to keys to the fewest number of custodians necessary
• 3.5.2 Store keys securely in the fewest possible locations and forms.”
Section 3.6
“Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data, including the following:
• 3.6.1 Generation of strong keys
• 3.6.2 Secure key distribution
• 3.6.3 Secure key storage
• 3.6.4 Periodic changing of keys
  • As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically. At least annually.
• 3.6.5 Destruction of old keys
• 3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
• 3.6.7 Prevention of unauthorized substitution of keys
• 3.6.8 Replacement of known or suspected compromised keys
• 3.6.9 Revocation of old or invalid keys”
Requirement 3.6.6: Split knowledge and dual control
Split knowledge and dual control of keys requires two or three people, each knowing only their part of the key, to reconstruct the whole key.
The principle behind dual control and split knowledge is required to access the clear text key.
• Only a single master key will be needed under this control.
• The determination of any part of the key must require the collusion of at least two trusted individuals.
Any feasible method to violate this axiom means that the principles of dual control and split knowledge are not being upheld.
• At least two people are required to ‘reconstruct’ the key, and each of them must have a physical thing and each must have some information that is required.
The use of a key in memory to encipher or decipher data, or access to a key that is enciphered under another key, does not require such control under PCI DSS.
• Once keys appear in the clear in memory, the principles of dual control and split knowledge are difficult but not impossible to enforce.
Please review http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1126002 for additional discussion.
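The XOR-component scheme below is an added illustration of the split-knowledge and dual-control principle on this slide; it is not code from the deck or from Protegrity, and the 256-bit key length, the three-custodian count and the SHA-256 check value are assumptions for the demo. It models the deck's "two or three people" as components that must all be present; a k-of-n threshold would need a secret-sharing scheme such as Shamir's, which is not shown here.

```python
import hashlib
import secrets

# Constructed demo. In a real key ceremony the components are generated inside an
# HSM or key manager and handed to separate custodians on separate media; the
# whole key is never written down or held by one person (Requirements 3.5.1, 3.6.6).

KEY_LEN = 32  # 256-bit data-encrypting key (assumed for the demo)


def key_check_value(key: bytes) -> str:
    """Short fingerprint that lets custodians confirm a reconstructed key is the
    right one; six hex digits of SHA-256 do not reveal the key itself."""
    return hashlib.sha256(key).hexdigest()[:6]


def split_key(key: bytes, custodians: int) -> list:
    """Split a key into one XOR component per custodian.

    All components but the last are fresh random bytes; the last is the key XORed
    with every other component. Each component on its own is uniformly random, so
    any subset smaller than the full set learns nothing about the key (split
    knowledge), and producing the key needs every custodian to act (dual control).
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for comp in components:
        last = bytes(a ^ b for a, b in zip(last, comp))
    components.append(last)
    return components


def combine_key(components: list) -> bytes:
    """XOR every component back together. With a component missing or replaced
    the result is just another random string, not the key."""
    key = bytes(len(components[0]))
    for comp in components:
        if len(comp) != len(key):
            raise ValueError("component length mismatch")
        key = bytes(a ^ b for a, b in zip(key, comp))
    return key


def reconstruct(components: list, expected_kcv: str):
    """Key-loading step: rebuild the key and accept it only if the check value
    matches the one recorded at generation. A missing or substituted component
    (3.6.7, unauthorized substitution) is caught here; returns None in that case."""
    key = combine_key(components)
    return key if key_check_value(key) == expected_kcv else None


if __name__ == "__main__":
    master = secrets.token_bytes(KEY_LEN)
    kcv = key_check_value(master)
    parts = split_key(master, 3)
    print("all three custodians:", reconstruct(parts, kcv) == master)  # True
    print("two of three custodians:", reconstruct(parts[:2], kcv))      # None
```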
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1051481
PCI – Compensating Controls
PCI Security Standards Council about Data in Transit
The PCI Security Standards Council (https://www.pcisecuritystandards.org/) manages the PCI DSS standards
• End-to-end encryption is likely to be a central focus as the council seeks input on how this might best be achieved in the payment-card environment through different technologies.
• If that is accomplished, it might result in a decidedly new PCI standard in the future for card-data protection, the PCI Security Standards Council says in http://www.networkworld.com/news/2008/100108-pci-credit-card.html?page=2 .
• "Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally," the PCI Security Standards Council says. "But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn’t have to do that. So we'll be looking at that in 2009."
Data Protection Approaches
Data Access Control
• How the data is presented to the end user and/or application
Data Protection
• How sensitive data is rendered unreadable
Data Protection Options
Data Stored As
• Clear – actual value is readable
• Hash – unreadable, not reversible
• Encrypted – unreadable, reversible
• Replacement value (tokens) – unreadable, reversible
• Partial encryption/replacement – unreadable, reversible
Data Protection Options
Data in the Clear
• Audit only
• Masking
• Access Control Limits
Advantages
• Low impact on existing applications
• Performance
• Time to deploy
Considerations
• Underlying data exposed
• Discover breach after the fact
• PCI aspects
Data Protection Options
Hash
• Non-reversible
• Strong protection
• Keyed hash (HMAC)
• Unique value if salt is used
Advantages
• None really
Considerations
• Key rotation for keyed hash
• Size and type
• Transparency
Data Protection Options
Strong Encryption
• Industry standard (NIST modes - AES CBC …)
• Highest security level
Advantages
• Widely deployed
• Compatibility
• Performance
Considerations
• Storage and type
• Transparency to applications
• Key rotation
Data Protection Options
Format Controlling Encryption
• Maintains data type, length
Advantages
• Reduces changes to downstream systems
• Storage
• Partial encryption
Considerations
• Performance
• Security and compliance
• Key rotation
• Transparency to applications
Data Protection Options
Replacement Value (i.e. tokens, alias)
• Proxy value created to replace original data
• Centrally managed, protected
Advantages
• No changes to most downstream systems
• Out of scope for compliance
• No local key rotation
• Partial replacement
Considerations
• Transparency for applications needing original data
• Availability and performance for applications needing original data
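As an added example (not code from the deck or from Protegrity), the Python below models the Requirement 3.4 approaches and the Data Protection Options above on a constructed test PAN: truncation, a keyed hash (HMAC) in place of a plain hash, and a centrally managed token vault that replaces the middle digits while preserving numeric type and length, the shape the later case-study slides show as 123456 777777 1234. The PAN, the HMAC key and the vault class are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import string

# Constructed sample values for the demo: a well-known test PAN and a placeholder
# key. In production the HMAC key comes from the key manager (Requirements 3.5/3.6).
SAMPLE_PAN = "4111111111111111"
HMAC_KEY = b"constructed-demo-key-replace-via-key-manager"


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, the only structural check a PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Truncation (3.4): keep the BIN and last four, discard the rest. Not reversible."""
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def keyed_hash(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). An unkeyed hash of a PAN gives weak protection
    because the space of valid PANs is small, which is why the deck rates
    'Plain Hash (SHA-1 on CCN)' as losing protection over time; the secret key
    removes that, at the cost of key rotation (re-hashing) as a consideration."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def data_format(value: str) -> tuple:
    """What a downstream application sees (the 'Applications are Sensitive to the
    Data Format' slide): numeric values of the original length pass through most
    systems; hex digests and ciphertext are longer and of a different type."""
    return ("numeric" if value.isdigit() else "alphanumeric"), len(value)


class TokenVault:
    """Centrally managed, reversible replacement value (the deck's token / alias).
    The token keeps the first six and last four digits plus numeric type and
    length, so most downstream systems need no change; only the vault can map it
    back, which is what takes those systems out of scope."""

    def __init__(self, keep_first: int = 6, keep_last: int = 4):
        self.keep_first = keep_first
        self.keep_last = keep_last
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # the same PAN always gets the same token
            return self._pan_to_token[pan]
        middle_len = len(pan) - self.keep_first - self.keep_last
        while True:
            middle = "".join(secrets.choice(string.digits) for _ in range(middle_len))
            token = pan[:self.keep_first] + middle + pan[-self.keep_last:]
            # a token must be unique and must never equal the real PAN it stands for
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the few applications that genuinely need the original value call this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    for label, value in [("clear", SAMPLE_PAN), ("truncated", truncate(SAMPLE_PAN)),
                         ("token", tok), ("hmac", keyed_hash(SAMPLE_PAN, HMAC_KEY))]:
        print(f"{label:10} {value}  format={data_format(value)}")
```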
Different ‘Tokenizing’ Approaches & Topologies
[Diagram: tokenizer topologies shown are Outsourced / ASP with a central tokenizer, an on-site central tokenizer at the Home Office / HQ, an on-site local tokenizer at the Branch Office / Stores, and an algorithmic tokenizer in which an ‘encryption’ algorithm inside the application produces the token. Sites connected over the network hold the token and the encrypted CCN; in the example the CCN 123456 123456 1234 maps to the token ABCDEF GHIJKL 1234.]
Limit Exposure across the Data Flow - Partial Encryption/Tokenizing
A policy driven approach
• Decide what sensitive bytes to protect
• A high level of transparency to applications
[Diagram: of the many applications and tools that only move the data around, few need the full clear data (after decryption) and some need partial clear data; the example field 123456 777777 1234 has only its middle digits protected.]
How to Protect the Data Flow Against Advanced Attacks
[Diagram: a continuously protected data flow from the Point of Data Acquisition through Payment Authorization to Settlement & Charge-back. The PAN 123456 123456 1234 is encrypted at acquisition to the protected form 123456 777777 1234 and decrypted only at the authorization and settlement steps; the legend distinguishes protected from unprotected sensitive information.]
Applications are Sensitive to the Data Format
[Chart, a generalized example: the share of applications that can handle a protected field, by data type and field length (original vs. longer).]
Numeric (Clear Text): all applications
Numeric (Token): most applications
Alphanumeric (Token): many applications
Binary (Encryption): few applications
Binary (Hash): no applications
Increased intrusiveness:
- Application changes
- Limitations in functionality
- Limitations in data search
- Performance issues
Preserving the Data Format
[Chart, a generalized example: sample values by protection method, by data type and field length (original vs. longer).]
Clear Text: 123456 123456 1234 (numeric)
Partial Enc: 123456 777777 1234 (numeric)
Token / Encoding: 666666 777777 8888 (numeric)
Alphanumeric: aVdSaH 1F4hJ5 1D3a
Encryption: !@#$%a^&*B()_+!@4#$2%p^&* (binary data, longer)
Hash: !@#$%a^&*B()_+!@ (binary data)
Field Level Data Protection Methods vs. Time
[Chart: protection level (medium to high) against time for Plain Hash (SHA-1 on CCN), Keyed Hash (HMAC), Strong Encryption (AES CBC), Format Controlling Encryption (AES FCE) and Tokenized Data, with key rotation marked on the time axis.]
Format Controlling Encryption vs. Time
[Chart: protection level (medium to high) against time for AES FCE (numeric & IV), AES FCE (alphanumeric & fix IV) and Tokenized Data.]
Field Level Data Protection Methods vs. Time
[Chart: protection level (medium to high) against time for AES ECB, AES CBC (rotating IV), AES CBC (fix IV, short data), AES CBC (fix IV, long data) and Tokenized Data.]
http://ssrn.com/abstract=1126002
Data Protection Options & Cost Factors
[Table: rows Clear, Strong Encryption, Format Control Encryption, Token (reversible), Hash; columns Storage, Performance, Storage, Security, Transparency; each cell rated graphically on a Highest to Lowest scale.]
Data Protection Capabilities
[Table: rows Clear, Strong Encryption, Format Controlling Encryption, Token, Hash; columns Storage, Performance, Storage, Security, Transparency; each cell rated graphically on a Highest to Lowest scale.]
Data Protection Implementation Choices
Data Protection Options are not mutually exclusive
Data Protection Layers
• Application
• Database
• File System
Data Protection Topologies
• Remote services
• Local service
Data Security Management
• Central management of keys, policy and reporting
http://www.net-security.org/dl/insecure/INSECURE-Mag-2.pdf
Data Protection Implementation Choices
[Table: Topology (Local Service, Remote Service) rated for Performance, Scalability and Security on a Highest to Lowest scale.]
[Table: System Layer (Application, Database, File System) rated for Performance, Transparency and Security on a Highest to Lowest scale.]
Column Encryption Performance - Different Topologies
[Chart: rows per second (1 000 to 10 000 000, log scale) for Data Loading (Batch) and Queries (Data Warehouse & OLTP) on data warehouse, mainframe, Unix and Windows platforms, comparing the encryption topologies Network Attached Encryption (SW/HW) and Local Encryption (SW/HW).]
Generalization: Encryption at Different System Layers
[Chart: the encryption layers Application, Database, File System and Storage (SAN/NAS…) plotted by Ease of Deployment (Transparency, high to low) against Separation of Duties (Security Level).]
Application Transparency – Encryption, Tokens & Hashing
[Chart: transparency level (high to low) of Hashing and Database Encryption for the database operations Look-up, Range Search and Process Clear-values.]
Application Transparency
[Chart: security level against transparency level (high to low) for Plain Hash (SHA-2), Key based Hash (HMAC), Tokens, Smart Tokens, Database File Encryption, 3rd Party Database Column Encryption and Native Database Column Encryption.]
Business Value vs. Ease of Compliance
[Chart: ease of compliance (high to low) against business value, from Deleting Data (lost data) through Masking One-way and Masking Two-Way to Clear Data (reusable data); the methods Simple Masking, Hashing, Tokenizing and Encryption are placed along that scale.]
Protecting the Data Flow: Case Studies
Data Level Attacks
[Diagram: a network with the Internet, load balancing, proxy firewalls, a DMZ with web apps servers, and a trusted segment with enterprise apps, DB server, network devices, SAN/NAS/tape, internal users, wireless, endpoints and IDS/IPS carrying transactions. Data level attacks marked: DBA attack, malware / trojan, OS admin file attack, SQL injection, media attack, sniffer attack.]
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1144290
Case Studies
One of the most widely recognized credit and debit card brands in the world
• Their volume of data is in the multiple billions of rows and they needed a solution that would not degrade performance.
Major financial institution
• Protecting high-worth clients' financial information.
• Central key management and separation of duties were of the utmost importance.
One of the world's largest retailers
• Protecting the flow of sensitive credit card information from the store, through to back office systems and into the data warehouse and storage.
• The central key management and ability to support thousands of stores was critical for this success.
• Transparent to existing applications.
• Protect sensitive information in their Teradata data warehouse, iSeries (AS/400), zSeries (mainframe), Oracle and MS SQL Server, and protect files that reside across platforms including Unix and z/Series.
Security for the Sensitive Data Flow
[Diagram: points of collection (retail locales, store back office applications, store DB, T-logs and journals) feed a multiplexing platform / ERP at HQ, web apps, a polling server, partners (financial institutions) and an archive, with protected fields shown as $%&#. A central security manager distributes policy to every node and collects logs for reporting: collection, aggregation, operations, tactical, detailed analytical, focused / summary analytical, active access / alerting, analytics.]
Case 1: Goal – PCI Compliance & Application Transparency
[Diagram: credit card entry at the store location (branch) with a local application and Windows file encryption; FTP to the central HQ location with file encryption (Windows, UNIX, Linux, zOS) and database encryption (DB2 on zOS and iSeries, Oracle, SQL Server); batch settlement to the financial institution.]
Case 1: File Encryption & FTP
[Diagram: credit card entry into the POS application, then file system (memory), FTP application, network, storage (disk) and backup (tape). It marks where the PAN 123456 123456 1234 is unprotected and where it is protected (@$%$^D&^YTOIUO*^), with attacker positions on the network and storage.]
Case 1: From Encrypted File to Encrypted Database
[Diagram: file, FTP application, network, database application and database. It marks where the PAN 123456 123456 1234 is unprotected and where it is protected (@$%$^D&^YTOIUO*^), with attacker positions on the network and at the database.]
Case 2a: Goal – Addressing Advanced Attacks & PCI
[Diagram: continuously encrypted computing, protection of sensitive data fields. Credit card entry at the store location (branch) is encrypted in the local application and stays encrypted through FTP to the central HQ location (file encryption on Windows, UNIX, Linux, zOS; database encryption on DB2, Oracle, SQL Server), with decryption only in the settlement application that talks to the financial institution.]
Case 2a: Application Encryption to Encrypted Database
[Diagram: from the Point of Data Acquisition (POS application) through the application, file system, network and database to storage (disk) and backup (tape). The PAN 123456 123456 1234 is protected as 123456 777777 1234 from the point of acquisition onward; legend: protected vs. unprotected sensitive information.]
Case 2b: Goal – Addressing Advanced Attacks & PCI
[Diagram: continuously encrypted computing, protection of sensitive data fields. Credit card entry at the store location with a local application and SQL Server database encryption; FTP to the central HQ location with DB2 zOS database encryption.]
Slide 52: Case 2b: From Encrypted Database to File & FTP
Diagram: the Point Of Data Acquisition feeds an Order Application whose Database holds the protected value; a File Extraction Application and an FTP Application move the data on, with Backup (Tape) and Storage (Disk) behind. The protected form aVdSaH 1F4hJ5 1D3a is shown at the database and at two further points in the flow. Legend: protected sensitive information appears as aVdSaH 1F4hJ5 1D3a; unprotected sensitive information as 123456 123456 1234.
Slide 53: Case 2b: From Selectively Encrypted File to Encrypted Database
Diagram: a selectively encrypted File is sent by an FTP Application over the Network to an Application and its Database, with Backup (Tape) and Storage (Disk) behind. Legend: protected sensitive information appears as aVdSaH 1F4hJ5 1D3a; unprotected sensitive information as 123456 123456 1234.
Slide 54: Case 3: Goal – Addressing Advanced Attacks & PCI
Diagram: a Local Store Location (Branch) with an Application; a Central HQ Location with an Encrypting Gateway in front of the Application, Databases and Files; a Financial Institution with Credit Card Entry, Authorization and Online Transaction behind a Decrypting Gateway. Caption: "Continuously encrypted computing: protection of sensitive data fields".
Slide 55: Case 3: Gateway Encryption
Diagram: an Encrypting Gateway sits between the Network and the Applications, File System and Database (with Backup (Tape) and Storage (Disk) behind); a Decrypting Gateway sits on the outbound side. Attackers are shown at two points in the flow. Legend: protected sensitive information appears as 123456 777777 1234; unprotected sensitive information as 123456 123456 1234.
Slide 56: Reference: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=940287
Slide 57: Determine Risk
Data Security Risk = Data Value * Exposure

| Data Field | Value | Exposure | Risk Level |
|---|---|---|---|
| Credit Card Number | 5 | 5 | 25 |
| Social Security Number | 5 | 4 | 20 |
| CVV | 5 | 4 | 20 |
| Customer Name | 3 | 4 | 12 |
| Secret Formula | 5 | 2 | 10 |
| Employee Name | 3 | 3 | 9 |
| Employee Health Record | 3 | 2 | 6 |
| Zip Code | 1 | 3 | 3 |

Enables prioritization
Groups data for potential solutions
Slide 58: Matching Data Protection Solutions with Risk Level

| Risk | Solutions |
|---|---|
| Low Risk (1-5) | Monitor |
| At Risk (6-15) | Monitor, mask, access control limits, format control encryption |
| High Risk (16-25) | Replacement, strong encryption |
Slide 59: Matching Data Protection Solutions with Risk Level

| Risk | Solutions |
|---|---|
| Low Risk (1-5) | Monitor |
| At Risk (6-15) | Monitor, mask, access control limits, format control encryption |
| High Risk (16-25) | Replacement, strong encryption |

| Data Field | Risk Level |
|---|---|
| Credit Card Number | 25 |
| Social Security Number | 20 |
| CVV | 20 |
| Customer Name | 12 |
| Secret Formula | 10 |
| Employee Name | 9 |
| Employee Health Record | 6 |
| Zip Code | 3 |

Select risk-adjusted solutions for costing
Slide 60: Estimate Costs
Cost = Solution Cost + Operations Cost
Solution Cost = cost to license or develop, install and maintain
Operations Cost = cost to change applications, impact on downstream systems, meeting SLAs, user experience
Slide 61: Operation Cost Factors
Performance
• Impact on operations - end users, data processing windows
Storage
• Impact on data storage requirements
Security
• How secure is the data at rest
• Impact on data access – separation of duties
Transparency
• Changes to application(s)
• Impact on supporting utilities and processes
Slide 62: Operation Cost Factors (continued)
Solution should be able to change with the environment
• Progress from less to more secure solution, or the reverse
• Add new defenses for future threats
• Plug into existing infrastructure, integrate with other systems
Slide 63: The Protegrity Defiance© Suite
Data Protection System (DPS)
• Encryption, monitoring, masking
• Database, file and application level
Threat Management System (TMS)
• Web application firewall
Enterprise Security Administrator
• Security policy
• Key management
• Alerting, reporting, and auditing
Slide 64: Protegrity Solutions
Protecting data
Protecting web applications
Managing data security
Slide 65: Protegrity and PCI
Build and maintain a secure network.
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement strong access control measures.
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks.
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy.
12. Maintain a policy that addresses information security
Slide 66: Data Security Management
An integral part of technical and business process
Security Policy
• Centralized control of security policy
• Consistent enforcement of protection
• Separation of duties
Reporting and Auditing
• Compliance reports
• Organization-wide security event reporting
• Alerting
• Integration with SIM/SEM
Key Management
Slide 67: Cost Effective Data Protection
Uses Risk as an adjusting factor for determining a Data Protection strategy
Risk = Data Value * Exposure
Determines solutions that fit the risk level, then determines cost
Cost = Solution Cost + Operational Cost
Prepare for the future
Slide 68: How to Protect the Data Flow Against Advanced Attacks
Diagram: the flow runs from the Point Of Data Acquisition through Payment Authorization to Settlement & Charge-back. Encrypt is marked at the point of data acquisition, where 123456 123456 1234 becomes 123456 777777 1234; Decrypt is marked at two later points in the flow, where the value is restored. Caption: "Continuously protected data flow". Legend: protected sensitive information appears as 123456 777777 1234; unprotected sensitive information as 123456 123456 1234.
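The continuously protected flow sketched above (replace the PAN at the point of data acquisition, carry the protected 123456 777777 1234 form through applications, files and databases, reveal it only at authorization and settlement), together with the one-way display masking of PCI 3.3 and the one-way vs. two-way distinction drawn later in the deck, worked through in code. This is an added example, not the deck's or Protegrity's code: the sample PAN is constructed, and the in-memory dictionary stands in for a protected token store.

```python
"""Protecting the card data flow end to end, worked through in code.

Added example, not the deck's or Protegrity's code.  At the point of data
acquisition the PAN is replaced by a format-preserving token that keeps the
first six and last four digits (the 123456 777777 1234 form in the diagrams),
so every intermediate application, file and database holds only the token;
only the settlement side, which holds the vault, can map it back.  For
display (PCI 3.3) a one-way mask is used.  The sample PAN is constructed and
the in-memory dictionary stands in for a protected token store.
"""
import secrets

SAMPLE_PAN = "1234561234561234"  # constructed, matches the deck's placeholder


def is_plausible_pan(value: str) -> bool:
    """Digits only and a card-number length; no issuer or Luhn check here."""
    return value.isdigit() and 13 <= len(value) <= 19


def one_way_mask(pan: str) -> str:
    """Display form per PCI 3.3: first six and last four visible, rest masked.

    Irreversible: nothing is stored that lets a viewer recover the middle digits.
    """
    if not is_plausible_pan(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Two-way replacement: PAN -> token at acquisition, token -> PAN at settlement.

    The vault is the only component able to reverse the mapping, so it is the
    asset that needs key protection and separation of duties (PCI 3.5, 3.6).
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not is_plausible_pan(pan):
            raise ValueError("not a PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # stable token: joins and lookups still work
        middle = len(pan) - 10
        while True:
            # Random middle digits, not derived from the PAN; head and tail are
            # kept so routing, display and record formats stay unchanged.
            filler = "".join(secrets.choice("0123456789") for _ in range(middle))
            token = pan[:6] + filler + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse mapping; raises KeyError for a token this vault never issued."""
        return self._token_to_pan[token]


def protected_flow(pan: str, vault: TokenVault) -> dict:
    """Walk the deck's flow: protect at acquisition, carry the token, reveal at settlement."""
    token = vault.tokenize(pan)                    # replace at the point of data acquisition
    stored_in_db = token                           # what applications, files and databases see
    receipt_line = one_way_mask(token)             # display systems never need the real PAN
    settled_pan = vault.detokenize(stored_in_db)   # reveal at settlement only
    return {"token": token, "stored": stored_in_db,
            "display": receipt_line, "settled": settled_pan}


if __name__ == "__main__":
    result = protected_flow(SAMPLE_PAN, TokenVault())
    for stage, value in result.items():
        print(f"{stage:<8}{value}")
```

Because the token keeps the same head and tail as the PAN, masking the token for display gives exactly the masked PAN, so display systems can be kept out of the cardholder data environment entirely.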
Slide 69: How to Protect the Weak Links in your Data Flow
Review Risk & Determine Protection Approach
• Analyze the Data Flow
• Identify Assets and Assign Business Value to each
• Identify Vulnerabilities for each Asset
• Identify potential Attack Vectors & Attackers
• Assess the Risk
• Compliance Aspects
• Select Data Protection Points & Protection Methods
Assess Total Impact
• Functionality Limitations
• Performance & Scalability
• Application Transparency
• Platform Support & Development Life Cycle Support
• Key Management, Administration & Reporting
• Deployment Cost, Time & Risk
Adjust
Slide 70: Reference: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1330466
Slide 71: Reference: http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
Slide 72: Data Masking – One-way vs. Two-way
Chart: the Information Life Cycle stages Development, Testing, Staging, Production, Operational Analytics and Archive, plotted against Data Quality & Exposed Details (High to Low). Use cases labelled on the chart: Partner Interface, Data Entry, 3rd Party Interface, Testing, Fire Fighting; each is tagged as Two-Way Masking or One-Way Masking. Legend: protected vs. unprotected sensitive information.
Slide 74: Chart comparing Database Column Encryption, Database Table Encryption and Database File Encryption on two axes, Index Protection and Separation of Duties (DBA). The Yes/No labels read the same on both axes: Column Encryption Yes, Table Encryption No, File Encryption No.
Slide 75: The Goal: Good, Cost Effective Security
The goal is to deliver a solution that is a balance between security, cost, and impact on the current business processes and user community
Security plan - short term, long term, ongoing
How much is 'good enough'
Security versus compliance
• Good Security = Compliance
• Compliance ≠ Good Security
Slide 76: Risk Adjusted Data Protection
Assign value to your data
Assess exposure
Determine risk
Understand which Data Protection solutions are available to you
Estimate costs
Choose most cost effective method
Slide 77: Assign Value to Your Data
Identify sensitive data
• If available, utilize data classification project
• Rank what is sensitive on its own (think PCI)
• Consider what is sensitive in combination (think Privacy)
How valuable is the data to (1) your company and (2) to a thief
• Corporate IP, Credit Card numbers, Personally Identifiable Information
Assign a numeric value: high=5, low=1
Slide 78: Assess Exposure
Locate the sensitive data
• Applications, databases, files, data transfers across internal and external networks
Location on network
• Segmented
• External or partner facing application
Access
• How many users have access to the sensitive data?
• Who is accessing sensitive data?
• How much and how frequently is data being accessed?
Assign a numeric value: high=5, low=1
Slide 79: Determine Risk
Data Security Risk = Data Value * Exposure

| Data Field | Value | Exposure | Risk Level |
|---|---|---|---|
| Credit Card Number | 5 | 5 | 25 |
| Social Security Number | 5 | 4 | 20 |
| CVV | 5 | 4 | 20 |
| Customer Name | 3 | 4 | 12 |
| Secret Formula | 5 | 2 | 10 |
| Employee Name | 3 | 3 | 9 |
| Employee Health Record | 3 | 2 | 6 |
| Zip Code | 1 | 3 | 3 |

Enables prioritization
Groups data for potential solutions
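The risk-adjusted method the deck lays out in slides 57 to 60 and 76 to 79 (score Value and Exposure 1 to 5, multiply, band the risk, match the band to solution families, then cost the candidates and choose the cheapest) carried through in code over the slide's own table of data fields. This is an added example, not the deck's or Protegrity's tool; the cost figures are constructed, and reading "Monitor" in the At Risk cell as a baseline that is always applied alongside one of the other listed controls is this example's interpretation of the slide.

```python
"""Risk-adjusted data protection selection, worked through in code.

Follows the deck's steps: Risk = Data Value * Exposure on a 1-5 scale,
risk bands Low (1-5) / At Risk (6-15) / High (16-25) matched to solution
families, then Cost = Solution Cost + Operations Cost to pick the cheapest
controls the band permits.  Added example, not the deck's own tool; the
cost figures are constructed, not taken from the slides.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Solution:
    name: str
    solution_cost: int    # license or develop, install and maintain
    operations_cost: int  # application changes, downstream impact, SLAs, UX

    @property
    def total_cost(self) -> int:
        return self.solution_cost + self.operations_cost


# Constructed cost catalogue in arbitrary units (assumption, not deck data).
CATALOGUE = {s.name: s for s in (
    Solution("monitor", 1, 1),
    Solution("mask", 2, 2),
    Solution("access control limits", 2, 3),
    Solution("format control encryption", 4, 3),
    Solution("replacement", 5, 4),
    Solution("strong encryption", 4, 6),
)}

# Risk bands from the matching slide: (name, low, high, baseline, options).
# This example reads "Monitor" in the At Risk cell as a baseline that is
# always applied, with one of the remaining listed controls added to it.
BANDS = (
    ("Low Risk", 1, 5, ("monitor",), ()),
    ("At Risk", 6, 15, ("monitor",),
     ("mask", "access control limits", "format control encryption")),
    ("High Risk", 16, 25, (), ("replacement", "strong encryption")),
)

# Data fields and scores exactly as tabulated on the slide: (value, exposure).
DATA_FIELDS = {
    "Credit Card Number": (5, 5),
    "Social Security Number": (5, 4),
    "CVV": (5, 4),
    "Customer Name": (3, 4),
    "Secret Formula": (5, 2),
    "Employee Name": (3, 3),
    "Employee Health Record": (3, 2),
    "Zip Code": (1, 3),
}


def risk_score(value: int, exposure: int) -> int:
    """Data Security Risk = Data Value * Exposure, both on the 1-5 scale."""
    for v in (value, exposure):
        if not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5, got {v}")
    return value * exposure


def risk_band(score: int):
    """Map a risk score to its band, returning (name, baseline, options)."""
    for name, lo, hi, baseline, options in BANDS:
        if lo <= score <= hi:
            return name, baseline, options
    raise ValueError(f"risk score {score} outside 1..25")


def choose_solution(value: int, exposure: int, catalogue=CATALOGUE) -> dict:
    """Cheapest set of controls that the field's risk band permits."""
    score = risk_score(value, exposure)
    band, baseline, options = risk_band(score)
    controls = list(baseline)
    if options:
        cheapest = min((catalogue[o] for o in options), key=lambda s: s.total_cost)
        controls.append(cheapest.name)
    cost = sum(catalogue[c].total_cost for c in controls)
    return {"risk": score, "band": band, "controls": controls, "cost": cost}


def prioritize(fields=DATA_FIELDS) -> list:
    """Rank fields by risk (highest first) with the chosen controls and cost."""
    rows = [{"field": name, **choose_solution(value, exposure)}
            for name, (value, exposure) in fields.items()]
    return sorted(rows, key=lambda r: (-r["risk"], r["field"]))


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['field']:<24}{r['risk']:>3}  {r['band']:<10}"
              f"{', '.join(r['controls']):<32}cost {r['cost']}")
```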
Slide 80: Example – Software Application
Slide 81: Example - Attack by DBA
Chart: Damage Level (Data Leakage, Data Dump, Key Dump) plotted against Skill & Effort Level (SQL, OS level, Programming), with Attack Vector 1, Attack Vector 2 and Attack Vector 3 marked.
Slide 82: Data Classification by Level of Protection
Matrix: data classes (Confidential, Proprietary, Internal Use, Customer, Public) with their Biz Risk (High, Med, Low) against data locations (Process A Msgs., Location C, Department B Struct. Files, Access DBs, Data in Transit, Appl Data, Central Database). Cells mark the protection applied using the legend E = Encryption, R = Redundancy, B = Auto Backup, A = Access Control.
Slide 83: Gap Analysis: Regulations - Policies - Enforcement - Practice
Chart: three gaps (Gap #1, Gap #2, Gap #3) are marked between Regulations, Written Policies, Enforcement and Security Practices. Four areas are scored by percentile for Policies, Enforcement and Practices: Endpoint Security, Network Security, Access Controls, Data Encryption. The percentile triples (Policies / Enforcement / Practices) read, in chart order: 99th / 90th / 95th; 70th / 80th / 40th; 80th / 50th / 30th; 40th / 30th / 10th.
Slide 84: Security Documentation Review / Analysis

| Area | Notes |
|---|---|
| Policy Completeness | Organization issues |
| Policy Enforceability | Punishment specs |
| Policy Awareness | Very good in IT |
| Security Architecture | Security architect? |
| Network Security | Excellent |
| Storage Security | Not in most docs |
| Application Security | Reviewed few apps |
| Database Security | Being upgraded |
| Security Documentation Overall | |

Rating scale: Above Avg. / Average / Below Avg.
Slide 85: Control Effectiveness Rating
Chart columns: Control, Effectiveness, Pervasiveness, In Practice, Usage. The example control is DB access control, rated for externally facing and internally facing use, awareness of the control, and compliance with the control. Ratings are Strong, Mixed or Weak.
Effectiveness ratings cover the use of the control across multiple organizations and applications in the enterprise: corporate data center, division data centers, regional offices, home offices, remote users.
Effectiveness ratings are also applied to service providers who handle sensitive data on behalf of the enterprise: service providers, resellers.
Slide 86: Data Security Case Study - Interview
Slide 87: Organization data security vulnerability points under study:
1. Endpoint security / desktop security / wireless security
2. Customer access to Organization via Web Applications
3. Web application development and access controls
4. Global bulk file transfer to/from member institutions
5. Corporate network infrastructure, including firewalls, IDS/IPS
6. XxxNet/YyyNet global infrastructure
7. Application-to-database access controls
8. Database management controls, including separation of duties
9. Key management systems
10. Customer premises HW/SW data protection (the XXX)
11. Protection of stored data in SAN, NAS and backup tapes
Case Study - Data Security Vulnerability Points
Diagram: network topology showing the Internet, Load Balancing and Proxy/FW layers, a DMZ with Web Apps servers, a TRUSTED SEGMENT with Enterprise Apps, Network Devices, Servers, Keys, SAN/NAS/Tape, Internal Users and a DB Server, IDS/IPS, a TRANSACTIONS path to the Members DB, and Endpoint and Wireless elements.
Slide 89: Reference: http://www.quest-pipelines.com/newsletter-v7/0706_C.htm
Slide 91: PCI 3.1 Keep cardholder data storage to a minimum.
Slide 92: PCI 3.2 Do not store sensitive authentication data
Slide 93: PCI 3.3 Mask PAN when displayed
Slide 94: PCI 3.4 Render PAN unreadable anywhere it is stored
Slide 95: PCI 3.5 Protect cryptographic keys
Slide 96: PCI 3.6 Fully document and implement all key-management processes and procedures
Slide 97: Online Exposure [2]
• Insider incidences were much larger in terms of the amount of data compromised.
• Hacking and malcode proved to be the attack method of choice among cybercriminals, targeting the application layer and data more than the operating system.
• The type of asset compromised most frequently (82%) is without doubt online data.
• Compromises to online data repositories were seen in more cases than all other asset classes combined by a ratio of nearly five to one.
• Offline data, networks, and end-user devices were all closely grouped.
[2] Slide source: Verizon Business 2008 Data Breach Investigations Report
Slide 98: Cloud Services
Why aren't enterprises falling all over themselves to buy and use cloud services? Is it risk aversion? Is it a lack of confidence in the service providers? Is it just another version of the insource/outsource debate? Or is it something else more fundamental, as discussed at http://www.internetevolution.com/document.asp?doc_id=170782&image_number=1