Keep it Confidential
• Established in 1996, Spin-Off from Fraunhofer & SAP
• Developer of a Secure Login (SAP Single Sign-On) technology, sold to SAP in 2011
• SAP partner and Value Added Reseller (VAR)
• Trusted by a large number of Fortune 500 and DAX companies
• 4 global locations: Switzerland, Germany, USA, India
• New focus extends to data-centric security and classification with Halocore solutions
SECUDE is an innovative global provider of IT data protection solutions for SAP customers. Our user-friendly solutions protect the integrity of data, prevent intellectual property theft and data breaches, while enforcing regulatory compliance.
Speakers
Aparna Jue, Technical Product Manager
Aparna is the Product Manager for Secude and is responsible for product planning, voice of customer, design, project management and launch of key vertical products. Aparna holds a Bachelor of Science degree in Electrical and Computer Engineering from the Georgia Institute of Technology, focusing on Network Communications, and has completed graduate research coursework in Material Science Engineering in semiconductor technology.
David A. Kilgallon, ISA, PCIP, Director of Integration Services
David has over 24 years of experience in the IT/Application Development, Deployment and Support fields. David has worked in positions of leadership at Oracle and Johnson & Johnson and supported numerous Fortune 500 companies. His Bachelor of Computer Engineering degree is from Lehigh University.
Rupali Goyal, SAP Solution Architect
Rupali is CardConnect’s SAP Solution Architect. She has nine years of experience in various SAP areas (FI-CO, SD) and has worked on other SAP products including SAP R/3, SAP ERP, SAP Enterprise Portal and SAP Solution Manager Systems. Before coming to CardConnect, Rupali worked for SAP Labs India and SAP America, Inc. PA.
Security Risk is on the Rise
Datafication
• Businesses today cannot operate without their data infrastructure
• Every 2 years world’s data is doubling in size
BYOx
• Bring Your Own… ANYTHING
• IT consumerization leads to loss of control over corporate data
Data Breaches
• Credit Card loss has damaged brands
• Even compliance isn’t sufficient
Security Risk is on the Rise
Borderless IT
• Corporate perimeter is eroding/has eroded
• Knowing where your data is has become a challenge
• Keeping track of data is next to impossible
• Data exists to be consumed and shared
• Locking everything down and disallowing employees to use data is counter-productive
• Data itself should be protected for secure movement and usage
• Key data should be removed to prevent the possibility of theft
Security Risk is on the Rise
Businesses Aren’t Prepared
• 27% of IT professionals admitted that they did not know the trends of data loss incidents over the past few years. (Cisco Systems)
• 39% of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers. (Cisco Systems)
• 40% of organizations experienced a data breach or failed a compliance audit in the last year. (2015 Vormetric Insider Threat Report)
• 93% of U.S. organizations said that they felt vulnerable to insider attacks, only 7% felt safe. (2015 Vormetric Insider Threat Report)
• Cybercrime-related costs increased 56% from the previous year to US$5.9 million per incident in 2014. (Deloitte)
Security Risk is on the Rise
The Risk is Real
Sony Pictures: The Data Breach and How The Criminals Won
Home Depot’s 56 Million Card Breach Bigger Than Target’s
Cost of data breaches increasing to average of $3.8 million, study says
Millions exposed by latest health insurance hack
Uber Says Security Breach May Have Compromised Driver Data
Target agrees to pay $10 million to data breach victims
Anthem Hacked, Millions of Records Likely Stolen
Massive data breach could affect every federal agency
Security Risk is on the Rise
Costs Associated with Risk
Cause of Data Breach: Malicious attack, System glitch, Human error (chart values: 42%, 29%, 30%)
Financial consequences of a data breach, divided by categories
• 29% Reputation damage
• 21% Lost productivity
• 12% Forensics
• 19% Lost revenue
• 10% Technical support
• 8% Regulatory
$5.85 million
Source: IBM
Average cost of data breach in USA in 2013
Source: 2014 Cost of Data Breach, Ponemon Institute
Classification
• Identify sensitive data extracted from SAP with intelligent classification
• Maximize SAP users’ investment in data governance solutions
• Gain 360 degree visibility and control
• Optimize Data Loss Prevention (DLP)
Benefits of Halocore’s classification functionality:
• Ability to tag data extracted from SAP
• Lowered compliance costs
• Improved accuracy of DLP
• Increased user awareness
Data Loss Prevention
• Empower users with first SAP-native DLP functionality
• Prevent accidental and malicious data leaks from SAP
• Prevent certain types of compliance sensitive data from leaving the enterprise
Deep integration with SAP and contextual awareness:
• User (Roles, Authorization)
• Data (Transaction, Table)
• Technical environment (Front-end, App. Component)
Data Centric Protection
• Apply granular access control and rights management to documents extracted from SAP with Microsoft RMS
• Minimize the risk of data breaches, theft and accidental loss
• Secure data across mobile and cloud platforms
• Enable secure sharing with colleagues and partners
By utilizing RMS, Halocore allows SAP users to restrict access to sensitive data:
• Roles and authorizations configured in SAP can be extended to data leaving it
• Protection stays with the file no matter where it travels
• Documents can be safely consumed on mobile devices
Next Steps
• Start with Auditing!
• Understand what data is extracted from SAP and how sensitive it is
• Identify risky areas, users, and transactions
• Maintain a full audit trail for compliance purposes
Halocore can help SAP users to gain knowledge:
• What sensitive data they have
• Where it resides
• Who is accessing their data
• What actions they perform with it
Next Steps
• Find Out How Much Data is Leaving SAP
• Identify Sensitive Data
• Build Business Case for
  – Classification
  – Blocking
  – Protection
  – Compliance
Compliance Landscape
The Data-fication of Businesses = Increasingly strict compliance regulations
Layered Security Approach
• Network Protection: DLP, Firewalls, VPN
• Storage Protection: FDE, DB Encryption
• File-based Protection: IRM / DRM
PCI Cost Components
Key Compliance Cost: PCI DSS
• Consists of hard costs in real dollars spent with external auditors
• It’s essential to prevent the exposure to loss of credit card data
• PCI compliance alone is not sufficient to protect your data:
PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations.
Payment Card Industry (PCI) Data Security Standard, v3.0, Page 5. © 2006-2013 PCI Security Standards Council, LLC. All Rights Reserved. November 2013
PCI Cost Components
Businesses spend on average $225,000 per year to ensure PCI compliance
• Top 10% of businesses pay $500,000 or more annually
• Where does the money go?
  > Initial scope
  > QSA audits
  > Full time resources
  > Self-Assessment Questionnaire
Average annual cost of PCI compliance audit? $225k
Ellen Messmer; Networkworld.com
PCI Scope Reduction
Before | After
SAQ-D | SAQ-A/B
QSA Costs - $100,000+ | Reduced Audit Requirements - $3,000
2 Full-Time Equivalents | 1 Full-Time Equivalent
P2PE and Tokenization
• Point-to-Point Encryption and patented tokenization
  > Irreversible tokens
  > Single-use vs. multi-use tokens
Why Tokenize?
• Tokenization removes sensitive data from SAP entirely – reducing PCI scope and ultimately, reducing cost
  > Remove historical payment card data from SAP via batch tokenization
  > Implement encryption and tokenization for all new transactions
Secure Future Transactions
• Apply to existing sales channels
  > SAP GUI, iStore, integrations
  > POS, mobile, e-commerce, and more
• SAP-to-Gateway integration
SAP Process Flow
Create Order
In SAP, execute VA01 and enter the required information for the order and hit enter. Enter the payment information using the ‘Enter Card’ button on the screen. The system automatically authorizes the sales order on ‘save’.
Create Settlement
In SAP, execute transaction FCC1 to run the settlement. The settlement batches are sent to CardConnect for processing.
SAP Payment Acceptance
Additional Features
Account Updater
  > Update expired cards automatically
Level II/Level III
  > Lowers interchange costs
Bank Account Masking
  > Mask sensitive information
CardClear
  > Clear open invoices in SAP
Authorization and Settlement Reports
  > Detailed ALV reports outlining important information
Auth Increase | TokenSecure | Settlement Consolidation | CardDeposit | Address Fill | E-Check | PrePay | Invoice Cancellation | Monitoring Report | Auth Reversal | Authorization Wrapper | Settlement Wrapper | CardCopy | Process Flow Report | Auth Recycle | CardMasking | Reconciliation Report
Aparna Jue, SECUDE
David Kilgallon, ISA, PCIP, CardConnect
Rupali Goyal, CardConnect
BREACHED
Data Centric Security for SAP