Life After Compliance march 2010 v2

All information provided in this document is proprietary, confidential information of SafeNet, Inc. and its affiliates, and is for informational purposes only. This information is not disclosed to you for any other purpose, and will be used for no other purpose. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law, and SafeNet, Inc. undertakes no obligation to update this information.

Upload: safenet

Post on 20-May-2015


DESCRIPTION

Learn how to get more out of your PCI investment with this presentation from SafeNet titled: "Life After Compliance". Derek Tumulak discusses current approaches to PCI DSS compliance, challenges to ensuring compliance, and how to achieve best practices while addressing compliance challenges.

TRANSCRIPT

Page 1: Life After Compliance march 2010 v2


SafeNet: The Foundation of Information Security

Life After Compliance: Get More Out of Your PCI Investment

Page 2: Life After Compliance march 2010 v2


Agenda

• SafeNet
• Market Background
• Current Approaches and Challenges
• Addressing Challenges and Best Practices
• Data Protection
• SafeNet Approach

Page 3: Life After Compliance march 2010 v2


SAFENET

Page 4: Life After Compliance march 2010 v2


SafeNet Fact Sheet

• Founded: 1983
• Ownership: Private
• Global footprint with more than 25,000 customers in 100 countries
• Employees: 1,600 in 25 countries
• Recognized security technology leadership, over 600 encryption engineers strong
• Accredited with products certified to the highest security standards

The largest company exclusively focused on the protection of high-value information assets.

Page 5: Life After Compliance march 2010 v2


Proven Leader. Trusted to Protect.

SafeNet protects:
• the most money that moves in the world: 80% of all electronic banking transfers, $1 trillion a day
• the most digital identities in the world: most PKI identities for governments and F-100 companies
• the most high-value software in the world: 80 million hardware keys, more than any other vendor
• the most classified information in the world: the largest deployment of government communications security

Page 6: Life After Compliance march 2010 v2


MARKET BACKGROUND

Page 7: Life After Compliance march 2010 v2


Market Trends, Threat Drivers


Page 8: Life After Compliance march 2010 v2


Online Fraud is on the Rise

Source: Anti-Phishing Working Group, March 2009

“The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, an 827 percent increase from January of 2008.”

Phishing: $3.2 billion lost in 2007 in the US alone (Gartner, Dec. 2007)

Page 9: Life After Compliance march 2010 v2


What Are The Threats?

Source: Ponemon Institute, 2009

Page 10: Life After Compliance march 2010 v2


A Look Back: PCI DSS Effectiveness

Page 11: Life After Compliance march 2010 v2


What Is It Costing?

Source: Ponemon Institute, 2009


Page 12: Life After Compliance march 2010 v2


CURRENT APPROACH AND CHALLENGES

Page 13: Life After Compliance march 2010 v2


Is PCI DSS The Floor or Ceiling?

• “PCI DSS is the ceiling”
  • Implementation obstacles, or “excuses”?
    • It is overly complex
    • Out of touch with current threats
    • Longer time to implement
    • More costly to meet compliance
• “PCI DSS is only the floor”
  • Leveraged the investment
    • 10% greater protection
    • 50% cost advantage

Page 14: Life After Compliance march 2010 v2


What Is It Costing?

Allocation of PCI Investment             Best-in-Class   All Others
Cost to achieve initial compliance       $520K           $958K
Time to report                           11 mo           11 mo
Annual cost to sustain compliance        $135K           $300K
Average time since first reporting       2.0 yrs         2.3 yrs
Average total spend on PCI compliance    $784K           $1,642K
Build & Maintain a Secure Network        $197K           $375K
Protect Cardholder Data                  $186K           $399K
Maintain a Vulnerability Mgmt Program    $88K            $188K
Implement Strong Access Control          $93K            $211K
Regularly Monitor and Test               $124K           $317K
Maintain an IS Policy                    $97K            $152K

Source: Aberdeen Group, 2009

Page 15: Life After Compliance march 2010 v2


Where Is The Industry Today?

Objective                              Requirement                                   Current Capability   Known Incidents   Avg. PCI Spend
Build & Maintain Secure Network        1. Firewall Configurations                    85%                  16%               $250K
                                       2. No Default Passwords                                            16%
Protect Cardholder Data                3. Protect Stored Cardholder Data             71%                  23%               $242K
                                       4. Encrypt Transmission Across Networks                            12%
Maintain Vulnerability Mgmt Program    5. Use & Update Antivirus Software            61%                  19%               $114K
                                       6. Develop & Maintain Secure Applications                          28%
Strong Access Control                  7. Restrict Access Business Need-to-Know      65%                  24%               $124K
                                       8. Assign a Unique ID                                              18%
                                       9. Restrict Physical Access                                        15%
Regularly Monitor & Test               10. Track and Monitor Network Access          78%                  23%               $169K
                                       11. Regularly Test Security Systems                                22%
Maintain IS Policy                     12. Maintain Policies for IS                  83%                  23%               $118K

Source: Aberdeen Group, 2009

Page 16: Life After Compliance march 2010 v2


ADDRESSING CHALLENGES AND BEST PRACTICES

Page 17: Life After Compliance march 2010 v2


Compliance Questions You Should Be Asking

• Do I need to keep card data?
• How do I de-scope?
• Are there technologies that can help me de-scope?
• Does outsourcing work for me?
• What happens if my business processes change?
• How do I keep abreast of new legislation?
• How do I make sure that people accessing protected data are who they say they are?

Can my firewall help me? My IPS? My disk encryption? What approach should I take? Should I just encrypt all of my databases?

Page 18: Life After Compliance march 2010 v2


Lesson #1: It’s Protection, not a Check Box

• PCI DSS has evolved, as have its interpretation and enforcement
• Learn from others’ mistakes
• It’s more than just passing an audit: PCI is about protecting your business and your customers
• It’s more than just PCI: plan for protecting PII, IP and other sensitive data.

Page 19: Life After Compliance march 2010 v2


Lesson #2: Involve stakeholders

Page 20: Life After Compliance march 2010 v2


Lesson #3: Data Discovery and Classification

Page 21: Life After Compliance march 2010 v2


Lesson #4: Establish Threat Model

Page 22: Life After Compliance march 2010 v2


Lesson #5: Document and Define security policies and Procedures

Page 23: Life After Compliance march 2010 v2


Lesson #6: Determine Where to Protect Data

“Many organizations understand the benefits of encryption … but are dumbfounded by the question of just where to encrypt the data?”

Jon Oltsik, Senior Analyst, Enterprise Strategy Group

[Chart: Security versus Deployment Effort for each encryption layer: Application/Web/Token, Database, Storage/Tape, File]

Page 24: Life After Compliance march 2010 v2


DATA PROTECTION

Page 25: Life After Compliance march 2010 v2


As Threats Change, Data Protection Strategies Must Change as Well

Data Protection 1.0
• Perimeter focused security
• All-or-nothing encryption
• Keep bad guys out, authorized users get full access
• Multiple products to meet business and security needs
• High level or very specific policy only, no proper central policy management

Data Protection 2.0
• Data-centric protection—intelligence to protect the data itself throughout its lifecycle
• Granular, selective protection over subset of unstructured or structured data (files, fields, and columns)
• Granular data protection for authorized users, assure compartmentalization
• Centrally managed solution that addresses business, compliance, data governance & security
• Centralized policy and key management providing data use tracking and control

Page 26: Life After Compliance march 2010 v2


Qualifying Questions for Encryption

• What is the threat model you are protecting against?
  • Physical media theft (tapes, drives)
  • Logical threats (application, database, systems being compromised)
• What is the data you want to encrypt?
• Where are you going to perform encryption?
• Are you indexing on the data you want to encrypt?
• Are you using the data as a primary or foreign key?
• What is the access mode for the data?
• How many applications access the data?
• What types of queries do you perform on the data?
• Are you using stored procedures and building logic into the database?
• Are you importing/exporting data from columns/fields you are encrypting?
• Are you running batched processes that operate on encrypted data?
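As an added illustration (not part of the SafeNet deck or its products) of why the indexing and primary/foreign-key questions above matter: a cardholder table that stores a randomized ciphertext of the PAN next to a keyed blind index, so equality lookups and joins work without decrypting and without deterministic ciphertext. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the script runs on the standard library alone and standing in for an authenticated cipher such as AES-GCM; keys, PANs and customer names are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo keys. In production these come from a key manager or HSM;
# the blind-index key must be distinct from the encryption and MAC keys.
ENC_KEY = bytes.fromhex("00" * 31 + "01")
MAC_KEY = bytes.fromhex("00" * 31 + "02")
IDX_KEY = bytes.fromhex("00" * 31 + "03")
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks used as a PRF keystream."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_field(plaintext: bytes) -> bytes:
    """Fresh random nonce per call, so equal PANs never share a ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ENC_KEY, nonce, len(plaintext))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_field(blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; reject any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))

def blind_index(plaintext: bytes) -> str:
    """Deterministic keyed hash: the column an equality index or join key is
    built on. It reveals only whether two values are equal, never the PAN."""
    return hmac.new(IDX_KEY, plaintext, hashlib.sha256).hexdigest()[:32]

def mask_pan(pan: str) -> str:
    """Display form for UIs and reports: only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]

@dataclass
class Row:
    customer_id: str
    pan_masked: str  # safe to display
    pan_ct: bytes    # randomized ciphertext, decrypted only when the full PAN is needed
    pan_idx: str     # blind index, the only PAN-derived column that gets an index

class CardholderTable:
    """In-memory stand-in for a cardholder table whose only index is on pan_idx."""

    def __init__(self) -> None:
        self.rows: list[Row] = []
        self._by_idx: dict[str, list[Row]] = {}

    def insert(self, customer_id: str, pan: str) -> Row:
        raw = pan.encode()
        row = Row(customer_id, mask_pan(pan), encrypt_field(raw), blind_index(raw))
        self.rows.append(row)
        self._by_idx.setdefault(row.pan_idx, []).append(row)
        return row

    def find_by_pan(self, pan: str) -> list[str]:
        """Equality lookup with no decryption: hash the probe, hit the index."""
        return [r.customer_id for r in self._by_idx.get(blind_index(pan.encode()), [])]

def demo() -> dict:
    """Three rows, two sharing a constructed test PAN; returns what a DBA would see."""
    t = CardholderTable()
    t.insert("cust-1", "4111111111111111")
    t.insert("cust-2", "4111111111111111")  # same card on a second account
    t.insert("cust-3", "5500000000000004")
    probe = encrypt_field(b"4111111111111111")  # what an index on pan_ct would compare
    return {
        "equal_pan_distinct_ct": t.rows[0].pan_ct != t.rows[1].pan_ct,
        "naive_ct_lookup_hits": any(r.pan_ct == probe for r in t.rows),
        "blind_index_hits": t.find_by_pan("4111111111111111"),
        "masked": t.rows[0].pan_masked,
        "roundtrip": decrypt_field(t.rows[2].pan_ct).decode(),
    }
```

The blind index does leak equality (two accounts on the same card are visibly linked), which is the trade-off the "indexing" and "foreign key" questions are really asking about.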

Page 27: Life After Compliance march 2010 v2


Approaches to Data Protection

Page 28: Life After Compliance march 2010 v2


SAFENET APPROACH

Page 29: Life After Compliance march 2010 v2


SafeNet Data Protection Portfolio

Identity Protection - Authentication
• Offering the broadest range of authenticators, from smart cards and tokens to mobile phone auth—all managed from a single platform
• The industry’s only unified authentication platform offering customers the freedom to adapt to changing environments
• The market leader in certificate-based token authentication
• Unique technology offerings with client-less tokens, high-assurance solutions, and more

Communication Protection - High-Speed Network Encryption
• SafeNet high-speed network encryptors combine the highest performance with the easiest integration and management.
• Solutions for Ethernet, SONET up to 10Gb
• Best-in-class Security Management Center
• Zero bandwidth loss, low-latency encryption
• Unparalleled leverage across classified and COTS communication protection (FIPS 140-2 Level 3)

Transaction and Identity Protection - HSM
• The fastest, most secure, and easiest to integrate application & transaction security solution for enterprise and government
• Market leader in enterprise-grade HSMs
• Industry innovator in payment HSMs
• Widest portfolio of platforms and solutions
• SafeNet delivered its 75,000th HSM—sets industry milestone

Data Encryption and Control - DataSecure
• World’s first and only unified platform that delivers intelligent data protection and control for ALL information assets
• Data-centric, persistent protection across data centers, endpoints, and into the cloud
• Centralized policy, key management, logging, and auditing
• Integrated perimeter data leakage prevention
• Appliance-based, proven scalability, and high performance

Page 30: Life After Compliance march 2010 v2


SafeNet data encryption and control solutions protect information throughout its lifecycle – wherever it resides – from the data center to the broadest array of endpoint devices and into the cloud.

DataSecure is a unified platform for data encryption, key management, and granular access controls. eSafe Smart Suite offers data loss prevention capabilities.

[Diagram: the four portfolio areas (Identity Protection - Authentication; Communication Protection - High-Speed Network Encryption; Transaction and Identity Protection - HSM; Data Encryption and Control - DataSecure) with the products DataSecure, EdgeSecure, ProtectDB, ProtectApp, ProtectZ, ProtectFile, ProtectDrive, eSafe Smart Suite and Token Manager]

Page 31: Life After Compliance march 2010 v2


Unrivaled Customer Success from Some of the World’s Most Respected and Admired Companies

Page 32: Life After Compliance march 2010 v2


SafeNet DataSecure: Data Protection, Key, and Policy Management

[Diagram: DataSecure at the center, connected to Mainframes, Web/App Servers, Endpoint Devices, Network Shares and File Servers, covering both structured and unstructured data]

Page 33: Life After Compliance march 2010 v2


QUESTIONS?