How the Latest Trends in Data Security Can Help Your Data Protection Strategy
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
[email protected]
www.complianceengineers.com

How the latest trends in data security can help your data protection strategy bright talk - ulf mattsson jul 12 2016


Page 1

How the Latest Trends in Data Security Can Help Your Data Protection Strategy
Ulf Mattsson, Chief Technology Officer, Compliance Engineering
[email protected]

Page 2

Ulf Mattsson
Inventor of more than 25 US Patents

Industry Involvement
• PCI DSS - PCI Security Standards Council: Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs
• IFIP - International Federation for Information Processing: WG 11.3 Data and Application Security
• CSA - Cloud Security Alliance
• ANSI - American National Standards Institute: ANSI X9 Tokenization Work Group
• NIST - National Institute of Standards and Technology: NIST Big Data Working Group
• User Groups: Security: ISSA & ISACA; Databases: IBM & Oracle

Page 3

My work with PCI DSS Standards
Payment Card Industry Security Standards Council (PCI SSC)
1. PCI SSC Tokenization Task Force
2. PCI SSC Encryption Task Force
3. PCI SSC Point to Point Encryption Task Force
4. PCI SSC Risk Assessment SIG
5. PCI SSC eCommerce SIG
6. PCI SSC Cloud SIG
7. PCI SSC Virtualization SIG
8. PCI SSC Pre-Authorization SIG
9. PCI SSC Scoping SIG Working Group
10. PCI SSC 2013 – 2014 Tokenization Task Force

Page 4

Where We Are Now and Where Are Things Headed?

Page 5

Not Knowing Where Sensitive Data Is

Page 6

The Security & Compliance Issue
• The Dilemma for CISO, CIO, CFO, CEO, and Board
• Where are my most valuable data assets?
• Who has access to them?
• Are they secure?
• Insider/external threats?
• Am I compliant?
• What is/has been the financial cost?
• Am I adhering to best practices? How do I compare to my peers?
• Can I automate the lifecycle of data security?

Page 7

Not Knowing Where Sensitive Data Is

Source: The State of Data Security Intelligence, Ponemon Institute, 2015

Page 8

FS-ISAC* Summit about “Know Your Data”

*: FS-ISAC is the leading ISAC in the security area

Page 9

FS-ISAC Summit about “Know Your Data”
• Encryption at rest has become the new norm
• However, that’s not sufficient
• Visibility into how and where it flows during the course of normal business is critical

Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit

Page 10

Are You Ready for the New Requirements of PCI-DSS V3.2?

Page 11

Old PCI DSS Requirement 3.1

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage:
1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements
2. Specific retention requirements for cardholder data
3. Processes for secure deletion of data when no longer needed
4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

Discovery Results Supporting Compliance

Page 12

New PCI DSS 3.2 Standard – Data Discovery
• PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.”
• PCI DSS v3.1 added data flow into a requirement.
• PCI DSS v3.2 added data discovery into a requirement.

Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers

Page 13

Example of A Discovery Process (PCI DSS 3.2 Requirement - Discovery)

Scoping -> Asset Classification -> Job Scan Definition -> Scanning -> Analysis -> Reporting -> Remediation
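The discovery process on this slide, as an added example that is not code from the deck or from Compliance Engineering's product: a small Python scan over constructed sample assets that performs the Scanning, Analysis and Reporting stages (regex candidate match, Luhn check, masked reporting) and also flags assets older than an assumed retention period, which is the check the old Requirement 3.1 item 4 asks for. The file paths, file contents, dates and the 90-day retention value are all constructed for the example.

```python
"""Added example (not part of the original deck): a minimal cardholder-data
discovery scan over constructed sample assets."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; cuts false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Report findings masked: at most first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Analysis stage: unique, masked, Luhn-valid PANs found in text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            masked = mask_pan(digits)
            if masked not in found:
                found.append(masked)
    return found


@dataclass
class Finding:
    asset: str
    masked_pans: list
    last_modified: date
    exceeds_retention: bool  # Requirement 3.1 item 4: stored beyond retention


def scan_assets(assets: dict, retention_days: int, today: date) -> list:
    """Scanning + Reporting: one Finding per asset that holds valid PANs."""
    cutoff = today - timedelta(days=retention_days)
    findings = []
    for name, (content, modified) in assets.items():
        pans = find_pans(content)
        if pans:
            findings.append(Finding(name, pans, modified, modified < cutoff))
    return findings


# Constructed sample assets: path -> (content, last-modified date).
SAMPLE_ASSETS = {
    "/exports/orders-2015.csv": (
        "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
        date(2015, 9, 1),
    ),
    "/tmp/debug.log": (  # digit run that fails Luhn, plus a phone number
        "ticket 1234 5678 9012 3456 is not a card; phone 555-123-4567\n",
        date(2016, 7, 1),
    ),
    "/app/receipts.txt": ("receipt 4111111111111111 paid\n", date(2016, 6, 30)),
}


def scan_sample() -> list:
    """Run the scan with an assumed 90-day retention policy on 2016-07-12."""
    return scan_assets(SAMPLE_ASSETS, retention_days=90, today=date(2016, 7, 12))


if __name__ == "__main__":
    for f in scan_sample():
        flag = "EXCEEDS RETENTION" if f.exceeds_retention else "within retention"
        print(f"{f.asset}: {f.masked_pans} [{flag}]")
```

Only the two assets holding Luhn-valid numbers produce findings; the 2015 export is reported as exceeding the assumed retention, so it would feed the Remediation stage (secure deletion) rather than just the report.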

Page 14

Shift in Cybersecurity Investment
• IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable.
• Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents.
• By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20% in 2015.

Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016

Page 15

Growing Information Security Outsourcing

The information security market is estimated to have grown 13.9% in revenue in 2015, with the IT security outsourcing segment recording the fastest growth (25%).

Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update

Page 16

Hybrid Data Discovery Example

Page 17

Discovery Deployment Example

Example of Customer Provisioning:
• Virtual host to load Software or Appliance
• User ID with “Read Only” Access
• Firewall Access

[Diagram: Appliance, Discovery Admin]

Page 18

Example - Discovery Scanning Job Status List

Page 19

Discovery Process (Step 4) – Scanning Job Lists

STEP 4: The scanning execution can be monitored by the Provider and the customer via a Job Scheduler interface.

Discover all sensitive PII – not just PCI data

Page 20

On Premise Data Discovery Example

Page 21

Example of On Premise Solution Scan

Page 22

Example of On Premise Discovery Asset Management

Page 23

Page 24

How did Data Security Evolve 1970 - 2010?

[Chart: Total Cost of Ownership (Low to High) over Time (1970, 2000, 2005, 2010). Strong Encryption: 3DES, AES …; Type Preserving Encryption: FPE, DTP …; Tokenization in Memory]

Page 25

How Should I Secure Different Data?

[Chart: Type of Data (Structured / Un-structured) vs. Use Case (Simple / Complex). PCI: Card Holder Data; PHI: Protected Health Information; PII. Protection methods: File Encryption; Field Tokenization / Encryption]

Page 26

Data Centric Security - What is Next?

[Chart: Total Cost of Ownership (Low to High) over Time (1970, 2000, 2005, 2010, 2016). Strong Encryption: 3DES, AES …; Type Preserving Encryption: FPE, DTP …; Tokenization in Memory]

Page 27

FPE Gets NIST Stamp of Approval

Page 28

NIST - Increasing Relevance

• Crypto Modules (Hardware & Software Security Modules): NIST Federal Information Processing Standard FIPS 140
• PCI DSS (Payment Card Industry Data Security Standard): NIST Special Publication 800-57
• AES (Advanced Encryption Standard): NIST U.S. FIPS PUB 197
• FPE (Format Preserving Encryption): NIST Special Publication 800-38G
• HIPAA (HIPAA/HITECH/BREACH-NOTIFICATION): NIST SP 800-111

Page 29

Need for Masking Standards

Many of the current techniques and procedures in use, such as the HIPAA Privacy Rule’s Safe Harbor de-identification standard, are not firmly rooted in theory. There are no widely accepted standards for testing the effectiveness of a de-identification process or gauging the utility lost as a result of de-identification.

Page 30

Defines Minimum Security Requirements

Page 31

Cloud & Big Data

Do we know our sensitive data?

[Diagram: Big Data, Public Cloud]

Page 32

Encryption Usage - Mature vs. Immature Companies

Source: Ponemon - Encryption Application Trends Study • June 2016

[Chart annotation: Less use of encryption]

Do we know our sensitive data?

[Diagram: Big Data, Public Cloud]

Page 33

History of Securing Sensitive Data - Examples

[Timeline 1998 - 2016 (1998, 2000, 2002, 2004, 2008, 2010, 2016): Database Encryption, Type Preserving Encryption, Memory Based Tokenization. Platform / Feature: Masking, Big Data, Cloud]

Page 34

Data-Centric Protection Increases Security
• Rather than making the protection platform based, the security is applied directly to the data, protecting it wherever it goes, in any environment
• Cloud environments by nature have more access points and cannot be disconnected
• Data-centric protection reduces the reliance on controlling the high number of access points

Page 35

Cloud Providers Not Becoming Security Vendors
• There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure
• Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments

Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors?, May 2016

Page 36

Protect Sensitive Cloud Data - Example

[Diagram: Internal Network (Administrator, Internal User), Remote User, Attacker, Cloud Gateway, Public Cloud. Each sensitive field is protected; each authorized field is in clear.]

Data encryption, tokenization or masking of fields or files (at transit and rest)
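A worked version of the cloud gateway idea above, added here as an example and not code from the deck or from the vendor: an in-memory token vault replaces each sensitive field before the record leaves the internal network, so the copy held in the public cloud carries tokens only, and clear values come back only for an assumed authorized role while everyone else gets a masked field. The field names (pan, ssn), the role names and the sample record are assumptions made for the example; tokens keep length, digit format and the last four digits, a design choice so that masking needs no vault lookup.

```python
"""Added example (not from the deck): memory-based tokenization gateway that
protects sensitive fields outbound and reveals them inbound by role."""
import secrets

SENSITIVE_FIELDS = {"pan", "ssn"}       # assumed data classification
AUTHORIZED_ROLES = {"fraud_analyst"}    # assumed: roles allowed to see clear values


class TokenVault:
    """In-memory vault: random format-preserving tokens (same length, digits
    only, last four digits kept) plus a lookup table back to the clear value.
    A token carries no key material, so the cloud copy reveals nothing
    without access to the vault."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value: str) -> str:
        if len(value) < 5:
            raise ValueError("value too short to tokenize while keeping last four")
        if value in self._to_token:  # same value always maps to the same token
            return self._to_token[value]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = body + value[-4:]
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask(value: str) -> str:
    """Masked display form: everything but the last four digits hidden."""
    return "*" * (len(value) - 4) + value[-4:]


def protect(record: dict, vault: TokenVault) -> dict:
    """Outbound through the gateway: sensitive fields become tokens,
    every other field passes unchanged."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def reveal(protected: dict, vault: TokenVault, role: str) -> dict:
    """Inbound: authorized roles get the clear field; others get the masked
    token, which needs no vault lookup because the last four are preserved."""
    out = {}
    for k, v in protected.items():
        if k not in SENSITIVE_FIELDS:
            out[k] = v
        elif role in AUTHORIZED_ROLES:
            out[k] = vault.detokenize(v)
        else:
            out[k] = mask(v)
    return out


# Constructed sample record (test card number, made-up identifiers).
SAMPLE_RECORD = {"customer": "C-1042", "pan": "4111111111111111",
                 "ssn": "123456789", "amount": "42.00"}

if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = protect(SAMPLE_RECORD, vault)
    print("stored in cloud:", cloud_copy)
    print("fraud analyst sees:", reveal(cloud_copy, vault, "fraud_analyst"))
    print("marketing sees:", reveal(cloud_copy, vault, "marketing"))
```

The vault itself is the asset to protect in this design: it stays inside the internal network (or an HSM-backed service), and nothing in the public cloud can reverse a token without it.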

Page 37

Securing Big Data - Examples
• Volume encryption in Hadoop
• Hbase, Pig, Hive, Flume and Scope using protection API
• MapReduce using protection API
• File and folder encryption in HDFS
• Export de-identified data

[Diagram: Import de-identified data; Export identifiable data; Export audit for reporting; Data protection at database, application, file, or in a staging area. Big Data stack: HDFS (Hadoop Distributed File System), Pig (Data Flow), Hive (SQL), Sqoop, ETL Tools, BI Reporting, RDBMS, MapReduce (Job Scheduling/Execution System), OS File System]

Data encryption, tokenization or masking of fields or files (at transit and rest)

Page 38

Are You Ready for PCI DSS 3.2 Requirement – Security Control Failures?

Page 39

PCI DSS 3.2 – Security Control Failures

PCI DSS 3.2 includes 10.8 and 10.8.1, which outline that service providers need to detect and report on failures of critical security control systems. PCI Security Standards Council CTO Troy Leach explained:
• “without formal processes to detect and alert to critical security control failures as soon as possible, the window of time grows that allows attackers to identify a way to compromise the systems and steal sensitive data from the cardholder data environment.”
• “While this is a new requirement only for service providers, we encourage all organizations to evaluate the merit of this control for their unique environment and adopt as good security hygiene.”
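The detection side of Requirement 10.8, as an added example that is not from the deck or from the PCI SSC: a small Python monitor that reads constructed status log lines from a set of critical controls and reports a failure when a control reports an error, has gone silent for longer than a tolerance multiple of its expected reporting interval, or has never reported at all. The control names, expected intervals, tolerance factor, log format and timestamps are all assumptions for the example.

```python
"""Added example (not from the deck): detecting critical security control
failures from constructed status log lines."""
from datetime import datetime, timedelta

# Assumed: each control is expected to emit a status line at least this often.
EXPECTED_INTERVAL = {
    "fw-edge-01": timedelta(minutes=5),
    "ids-dmz-01": timedelta(minutes=5),
    "fim-cde-db-01": timedelta(minutes=15),
    "log-collector-01": timedelta(minutes=1),
    "av-cde-app-01": timedelta(minutes=10),   # never reports in the sample
}

# Constructed sample log, one "<iso-timestamp> <control> status=<ok|error> ..." per line.
SAMPLE_LOG = """\
2016-07-12T10:00:00 fw-edge-01 status=ok
2016-07-12T10:00:00 ids-dmz-01 status=ok
2016-07-12T10:00:00 fim-cde-db-01 status=ok
2016-07-12T10:00:00 log-collector-01 status=ok
2016-07-12T10:05:00 fw-edge-01 status=ok
2016-07-12T10:05:00 ids-dmz-01 status=error disk full
2016-07-12T10:10:00 fw-edge-01 status=ok
2016-07-12T10:15:00 fw-edge-01 status=ok
"""


def parse_log(text: str) -> list:
    """Return (timestamp, control, status) tuples; trailing words are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, control, status, *_ = line.split()
        events.append((datetime.fromisoformat(ts), control, status.split("=", 1)[1]))
    return events


def detect_control_failures(events: list, expected: dict, now: datetime,
                            tolerance: int = 2) -> list:
    """One (control, reason) per failed control: explicit error, silence
    beyond tolerance * expected interval, or no status ever received."""
    last = {}
    for ts, control, status in events:
        if control in expected and (control not in last or ts > last[control][0]):
            last[control] = (ts, status)
    failures = []
    for control, interval in expected.items():
        if control not in last:
            failures.append((control, "no status ever received"))
            continue
        ts, status = last[control]
        if status != "ok":
            failures.append((control, f"reported {status} at {ts.isoformat()}"))
        elif now - ts > tolerance * interval:
            failures.append((control, f"silent since {ts.isoformat()}"))
    return failures


def run_sample() -> list:
    """Evaluate the constructed log as of 2016-07-12 10:16."""
    return detect_control_failures(parse_log(SAMPLE_LOG), EXPECTED_INTERVAL,
                                   datetime(2016, 7, 12, 10, 16))


if __name__ == "__main__":
    for control, reason in run_sample():
        print(f"FAILURE {control}: {reason}")
```

A control that keeps saying "ok" but stops being heard from is the case most often missed, which is why the silence check is separate from the error check; the timestamps that go into the report are what 10.8.1's response process later needs.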

Page 40

Examples of Security Outsourcing Models

MSSP - Managed Security Service Provider
• SOC – Security Operations Center
• Security monitoring
• Firewall integration / management
• Vulnerability scanning
• SIEM - Security Incident & Event Monitoring and management

MTSS - Managed Tool Security Service
• Professional Services that apply best practices & expert analysis of your security tools
• Customized alarms and reports through SaaS
• Provides overall security tools management and monitoring
• Ticketing, Resolution & Reporting
• Ensure availability of security tools
• License analysis

WHO IS MONITORING YOUR MSSP?

Page 41

Benefits of Managed Tool Security Services
• Meet, then exceed industry compliance requirements
• External and Internal Documentation support
• Reduced burden of tools support and troubleshooting
• Ability to perform job function more effectively
• Tools adequately support security operations
• Effectively DETECT – BLOCK - RESPOND

Stakeholders: Security Engineering; Security Operations Center; Compliance & Privacy Officer

Page 42

Benefits of Managed Tool Security Service
• Security controls in place and functioning.
• Prepared to address information security when it becomes a Boardroom Issue
• Visibility to measure ROI
• Confidence in reduced risk of data loss, damaged share price, stolen IP, etc.
• Ability to produce a positive return on capital investments in tools.
• Cost reduction (people, licenses, maintenance, etc.)
• Reduced risk of breach and associated costs (financial, reputational, regulatory losses)

Page 43

Example - Managed Tool Security Service

[Diagram: API, MTSS, Management Environment]

Page 44

Managed Tools Security Services - Example

Page 45

I think it is Time to Re-think our Security Process

Page 46

Critical Data Asset Discovery and Protection

[Diagram: Mitigate, Triage, SOC, Data Centric]

Page 47

About Compliance Engineering

Page 48

Security Tools and Integrated Services
• SOC Tools: 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC)
• Managed Tools Security Service
• Discovery: Software as a Service (SaaS) data discovery solution

Page 49

Samples of Our Services

Compliance Assessments
• PCI DSS & PA Gap
• HIPAA (2013 HITECH)
• SSAE 16-SOC 2&3*
• GLBA, SOX
• FCRA, FISMA
• SB 1385, ISO 27XXX
• Security Posture Assessments (based on industry best practices)
• BCP & DRP (SMB market)

Professional Security Services
• Security Architecture
• Engineering/Operations
• Staff Augmentation
• Penetration Testing
• Platform Baseline Hardening (M/F, Unix, Teradata, i-Series, BYOD, Windows)
• IDM/IAM/PAM architecture
• SIEM design, operation and implementation
• eGRC Readiness & Deployment

E Security & Vendor Products
• Data Discovery
• Managed Tools Security Service
• Data Loss Protection
• SIEM & Logging
• Identity and Access Management
• EndPoint Protection
• Network Security Devices
• Encryption
• Unified Threat
• Multi-factor Authentication

Managed Security Services
• MSSP/SOC
• SIEM 365
• Data Center SOC
• IDM/IAM Security Administration
• Healthcare Infrastructure Solutions (2013 3rd Qtr.)
• Vulnerability Scans
• Penetration Testing

Page 50

Ulf Mattsson, Chief Technology Officer, Compliance Engineering
[email protected]
www.complianceengineers.com

Page 51

How the Latest Trends in Data Security Can Help Your Data Protection Strategy - Ulf Mattsson Jul 12 2016