myths and realities of data security and compliance - isaca alanta - ulf mattsson jul 22 2016
TRANSCRIPT
11
Myths & Realities of Data Security & Compliance: Risk-based Data Protection
Ulf Mattsson, Chief Technology Officer, Compliance [email protected]
www.complianceengineers.com
2
Ulf Mattsson
Inventor of more than 25 US Patents
Industry InvolvementPCI DSS - PCI Security Standards Council • Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
IFIP - International Federation for Information Processing • WG 11.3 Data and Application Security
CSA - Cloud Security Alliance
ANSI - American National Standards Institute• ANSI X9 Tokenization Work Group
NIST - National Institute of Standards and Technology• NIST Big Data Working Group
User Groups• Security: ISACA & ISSA
• Databases: IBM & Oracle
3
My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force
44
5
6
• The Dilemma for CISO, CIO, CFO, CEO, and Board • Where are my most valuable data asset?
• Who Has Access to it?
• Is it Secure?
• Insider/External Threats?
• Am I Compliant?
• What is/has been the Financial Cost?
• Am I Adhering to Best Practices? How Do I Compare to My Peers?
• Can I Automate the Lifecycle of Data Security?
The Security & Compliance Issue
7
8
9
Not Knowing Where Sensitive
Data Is
10
Not Knowing Where Sensitive Data Is
Source: The State of Data Security Intelligence, Ponemon Institute, 2015
11
12
PCI-DSS and Beyond
13
Are You Ready for the
New Requirements of PCI-DSS V3.2?
14
Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage
Discovery Results Supporting Compliance1. Limiting data storage amount and retention time to that which is required
for legal, regulatory, and/or business requirements 2. Specific retention requirements for cardholder data 3. Processes for secure deletion of data when no longer needed 4. A quarterly process for identifying and securely deleting stored
cardholder data that exceeds defined retention.
Old PCI DSS Requirement 3.1
15
• PCI DSS v2 did not have data flow in the 12
requirements, but mentioned it in “Scope of
Assessment for Compliance with PCI DSS
Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.
New PCI DSS 3.2 Standard – Data Discovery
Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
1616
Example of A Discovery
Process
Scoping
Asset Classification
Job Scan Definition
Scanning
Analysis
Reporting
Remediation
PCI DSS 3.2 Requirement - Discovery
17
• IT risk and security leaders must move from trying to prevent
every threat and acknowledge that perfect protection is not
achievable.
• Organizations need to detect and respond to malicious
behaviors and incidents, because even the best preventative
controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will
be allocated for rapid detection and response approaches, up
from less than 20% in 2015.
Shift in Cybersecurity Investment
Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016
18
Growing Information Security Outsourcing
The information security market is estimated to have
grown 13.9% in revenue in 2015
with the IT security outsourcing segment
recording the fastest growth (25%).
Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
19
HybridData Discovery
Example
20
Discovery Deployment Example
Example of Customer Provisioning:• Virtual host to load Software or Appliance• User ID with “Read Only” Access• Firewall Access
ApplianceDiscoveryAdmin
21
Example - Discovery Scanning Job Status List
22
STEP 4:The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface
Discovery Process (Step 4) – Scanning Job Lists
Discover all sensitive PII – Not just PCI data
23
Discovery Scanning Report
Discover All Sensitive PII – Not just PCI data
Database Schema Table Column Type Hits ConfidenceRows
ScannedTotal Rows Hit %
Scanned %
actrs10-rs10prd ITMBK_BARB ITMBK_BARB.STAFF SSN ssn 5356 4 9481 9481 56.49% 100.00%actrs11-rs11prd AAPR AAPR.REG_AAP SSN ssn 12 4 12 12 100.00% 100.00%actrs11-rs11prd AAPTIR AAPTIR.APPLICANT SSN ssn 3 4 3 3 100.00% 100.00%actrs11-rs11prd BENESSE BENESSE.TRAIN SSN s-s-n 21 5 21 21 100.00% 100.00%actrs11-rs11prd CAAPPROD CAAPPROD.PN55650683 SSN ssn 58 4 58 58 100.00% 100.00%actrs11-rs11prd COMP COMP.AAPTIR SPEC_CDE ssn 4 1 4 4 100.00% 100.00%actrs11-rs11prd COMP COMP.AAPTIR SSN ssn 4 4 4 4 100.00% 100.00%actrs11-rs11prd FOOBAR1 FOOBAR1.SCORE SSN s-s-n 7 5 7 7 100.00% 100.00%actrs11-rs11prd INS INS.MSTEMP ANUMBER ssn 155 1 155 155 100.00% 100.00%
24
On Premise Data Discovery
Example
25
Example of On Premise Solution Scan
26
Example of On Premise Discovery Asset Management
27
28
FS-ISAC* Summit about
“Know Your Data”
*: FS-ISAC is the leading ISAC in the security area
29
FS-ISAC Summit about “Know Your Data”• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course
of normal business is critical
Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit
30
Risk &Remediation
31
Know Your Data – Identify High Risk Data
Begin by determining the risk profile of all relevant data collected and stored
• Data that is resalable for a profit • Value of the information to your organization • Anticipated cost of its exposure
Data Field Risk LevelCredit Card Number 25
Social Security Number 20CVV 20
Customer Name 12Secret Formula 10
Employee Name 9Employee Health Record 6
Zip Code 3
32
Match Data Protection Solutions with Risk Level
Risk Level Solution
Monitor
Monitor, mask, access control limits, format control encryption
Tokenization, strong encryption
Low Risk (1-5)
At Risk (6-15)
High Risk (16-25)
Data Field
Risk Level
Credit Card Number 25Social Security Number 20
CVV 20Customer Name 12Secret Formula 10
Employee Name 9Employee Health Record 6
Zip Code 3
Deploy Defenses
33
Different Data Security
Methods
34
Memory Tokenization
Type Preserving Encryption
Strong Encryption
inDatabases
2016 -
2010 -
2008 -
2004 -
2002 -
2000 -
1998 -
Platform
Masking
Feature
Securing Sensitive Data - Examples
35
Time
Total Cost of Ownership
Strong Encryption: 3DES, AES …
I2010
I1970
How did Data Security Evolve 1970 - 2010?
I2005
I2000
Type Preserving Encryption: FPE, DTP …
Tokenization in Memory
High -
Low -
36
Legend: Best
Worst
Choose Your Defenses – Strengths & Weakness
37
Compliance
38
NIST - Increasing Relevance
Crypto Modules
PCI DSSPayment Card Industry Data Security Standard
Hardware & Software Security Modules
NIST Federal Information Processing Standard FIPS 140
NIST Special Publication 800-57
AESAdvanced Encryption Standard
NIST U.S. FIPS PUB 197
FPEFormat Preserving Encryption
NIST Special Publication 800-38G
HIPAA
HIPAA/HITECH/BREACH-NOTIFICATION
NIST SP 800-111
39
FPE Gets NIST Stamp of Approval
40
Need for Masking Standards
Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory.
There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result ofde-identification.
41
Defines Tokenization Security Requirements
42
Type of Data
Use Case
IStructured
How Should I Secure Different Data?
IUn-structured
Simple -
Complex -
PCI
PHI
PII
FileEncryption
CardHolder
Data
FieldTokenization / Encryption
ProtectedHealth
Information
42
Personally Identifiable Information
43
Data Location is Important
44
NW
DMZ
Web Apps
TRUSTED SEGMENT
Server
Inte
rnet Load
Balancing
ProxyFW
ProxyFW
EnterpriseApps
NetworkDevices
Server
SAN,NAS,Tape
InternalUsers
DB Server
ProxyFW
TRANSACTIONS
IDS/IPS
End-point
Wire-less
DBA ATTACK
MALWARE /TROJAN
OS ADMINFILE ATTACK
SQL INJECTION
MEDIA ATTACK
SNIFFER ATTACK
Data Attacks on the Enterprise Data Flow
45
Common Vulnerabilities in E-Commerce
Source: Verifone
46
Data Exposed in Cloud & Big Data
Do we know our sensitive
data?
Big Data
PublicCloud
47
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study • June 2016
Less
use
of e
ncry
ptio
n
PublicCloud
48
• Rather than making the protection platform based, the security
is applied directly to the data, protecting it wherever it goes,
in any environment
• Cloud environments by nature have more access points and
cannot be disconnected
• Data-centric protection reduces the reliance on controlling the
high number of access points
Data-Centric Protection Increases Security
49
Protect Sensitive Cloud Data - Example
Internal Network
Administrator
Attacker
Remote User
Internal
User
Cloud Gateway
Public Cloud
Each sensitive field is protectedEach
authorized field is in clear
Each sensitive field is protected
Data encryption, tokenization or masking of fields or files (at transit and rest)
50
Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer
orchestration of security policy and controls that span not just
multicloud environments but also extend to on-premises
infrastructure
• Customers are starting to realize that the responsibility for mitigating
risks associated with user behavior lies with them and not the
CSP — driving them to evaluate a strategy that allows for incident
detection, response and remediation capabilities in cloud
environments
Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors? , May 2016
51
Encryption Usage - Mature vs. Immature Companies
Source: Ponemon - Encryption Application Trends Study • June 2016
Less
use
of e
ncry
ptio
n
Big Data
52
Attacking Big Data
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce (Job Scheduling/Execution System)
OS File System
Big Data
53
Securing Big Data - Examples
• Volume encryption in Hadoop• Hbase, Pig, Hive, Flume and Scope using protection
API• MapReduce using protection API• File and folder encryption in HDFS• Export de-identified data
Import de-identified data
Export identifiable data
Export audit for reporting
Data protection
at database,
application, file
Or in a staging area
HDFS (Hadoop Distributed File System)
Pig (Data Flow) Hive (SQL) Sqoop
ETL Tools BI Reporting RDBMS
MapReduce (Job Scheduling/Execution System)
OS File System
Big Data
Data encryption, tokenization or masking of fields or files (at transit and rest)
54
Topology Performance Scalability Security
Local Service
Remote Service
Data Protection Implementation Layers
System Layer Performance Transparency Security
Application
Database
File System
Legend: Best
Worst
55
Are Your Deployed
Security Controls Failing?
56
57
PCI DSS 3.2 – Security Control Failures
PCI DSS 3.2 include 10.8 and 10.8.1 that outline that service providers need to
detect and report on failures of critical security control systems.
PCI Security Standards Council CTO Troy Leach explained
• “without formal processes to detect and alert to critical security control
failures as soon as possible, the window of time grows that allows
attackers to identify a way to compromise the systems and steal
sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage
all organizations to evaluate the merit of this control for their unique
environment and adopt as good security hygiene.”
58
Example - Report on Failures of Critical Security controls
API
MTSS
ManagementEnvironment
59
Managed Tools Security Services - Example
60
MSSP - Managed Security Service Provider
• SOC – Security Operations Center
• Security monitoring• Firewall integration /
management• Vulnerability scanning• SIEM - Security Incident &
Event Monitoring and management
MTSS - Managed Tool Security Service
• Professional Services that applies best practices & expert analysis of your security tools
• Customized alarms and reports through SaaS
• Provides overall security tools management and monitoring
• Ticketing, Resolution & Reporting• Ensure availability of security
tools• License analysis
Examples of Security Outsourcing Models
WHO IS MONITORING YOUR MSSP?
61
Benefits of Managed Tool Security Service
Security controls in place and functioning.Prepared to address information security when it becomes a Boardroom Issue
Visibility to measure ROIConfidence in reduced risk of data loss, damaged share price, stolen IP, etc.
Ability to produce a positive return on capital investments in tools.Cost reduction in (people, licenses, maintenance, etc.)Reduced risk of breach and associated costs (financial, reputational, regulatory losses)
CIOCTOCISO
62
I think it is Time to Re-think
CONFIDENTIAL 62
63
6464
About Compliance Engineering
65
SOCTools
24/7 Eyes on Glass (EoG) monitoring,
Security Operations
Center (SOC)
Managed Tools Security
Service
Software as a Service (SaaS) data discovery solution
Security Tools and Integrated Services
Discovery
Security Tools and
Integrated Services
66
Compliance Assessments
• PCI DSS & PA Gap• HIPAA (2013
HITECH)• SSAE 16-SOC 2&3*• GLBA, SOX• FCRA, FISMA• SB 1385, ISO
27XXX• Security Posture
Assessments (based on industry best practices)
• BCP & DRP (SMB market)
Professional Security Services
• Security Architecture • Engineering/Operations• Staff Augmentation• Penetration Testing• Platform Baseline
Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment
E Security & Vendor Products
• Data Discovery• Managed Tools
Security Service• Data Loss
Protection • SIEM & Logging • Identity and Access
Management• EndPoint
Protection• Network Security
Devices• Encryption• Unified Threat• Multi-factor
Authentication
Managed Security Services
• MSSP/SOC • SIEM 365• Data Center
SOC• IDM/IAM
Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.
• Vulnerability Scans
• Penetration Testing
Samples of Our Services