Systems 02: The critical last-mile line of defense for privileged-account and data security, by 解忠翰
Post on 13-Jan-2017
2016.4.20
Slide 2
H1040039245
Slide 3
Slide 4: The Maginot Line (Ligne Maginot)
Slide 5: WAF
Slide 6 (diagram labels): IT; SSDLC; vulnerability assessment (VA); penetration testing (PT); Web; WAF
Slides 7, 9 and 11 repeat the slide 6 diagram.
Slide 14 (diagram labels): IT; SSDLC; (VA); (PT); Web; the Maginot Line (Ligne Maginot); A, B, C; Dunkerque; Ardennen, Erich von Manstein, Fall Gelb; WAF
Slide 15 (diagram labels): IT; SSDLC; (VA); (PT); Web; APT !!!; !!; WAF
Slide 16 (diagram labels): IT; SSDLC; (VA); (PT); Web; APT
Slide 17
Slide 18: source: http://www.nextmag.com.tw/magazine/news/20150415/17732133
Slide 20: DEFECT; Government / Finance
1
Slide 24
Audit
Audit
Medium / High / Normal
Slide 25 (diagram of the privileged-account inventory system, labels only): INVENTORY SYSTEM; Local Windows; Active Directory Service; AD Domain; Auditing; Local Admin; root; Administrator; Linux/UNIX; AIX; Red Hat; SUSE; Microsoft SQL Server; Oracle; sa; Account Type; remote login; su; password age; Account Expiration Date; lock; Computer Name; AD Bridge; Account Group; Compliance; R6; mainframe; Account Category; Password Last Set
Audit
2
Slide 28: Audit; Medium / High / Normal
3
Slide 29: Audit!!! (MS SQL sa); Medium / High / Normal
Slide 30 (table of audited items with risk ratings Medium / High / Normal; total: 24; A/B part)
Slide 31: Privileged Accounts
Routers, Firewalls, Hypervisors, Databases, Applications; WiFi Routers, Smart TVs; Routers, Firewalls, Servers, Databases, Applications; Laptops, Tablets, Smartphones; Power Plants, Factory Floors
Organizations typically have 3-4x more Privileged Accounts than employees
Slide 32: Compromised Privileged Accounts
WiFi Routers, Smart TVs; Laptops, Tablets, Smartphones; Power Plants, Factory Floors; Routers, Firewalls, Hypervisors, Databases, Applications; Routers, Firewalls, Servers, Databases, Applications
Slide 33: Tokenization
(diagram labels) Original data; Database; E-commerce platform operators; First-stage transformed data; Token Vault (data transformation store); SafeNet Tokenization Manager; Medical institutions; Original data providers; Banks and financial institutions; Second-stage transformed data; Statistical research institutions
Two-stage transformation ensures that the data held by the custodian and by the research organization is not sensitive.
An automated management platform reduces the risk of personnel coming into contact with the data.
The data transformation management platform gives research units research data that contains no personal information.
Slide 34: Tokenization & PCI-DSS Compliance
(diagram labels) Client; SafeNet cloud service; Encrypted data storage; SafeNet KeySecure; SafeNet cross-region; Internal users; Contract employees
Slide 35
PCI-DSS 3.1 Compliance Combination (detail)
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
3.4 Always render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: one-way hashes based on strong cryptography; truncation; index tokens and pads; strong cryptography with associated key-management processes and procedures.
3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: encrypted with a key-encrypting key; within a secure cryptographic device; as at least two full-length key components or key shares, in accordance with an industry-accepted method.
3.5.3 Store cryptographic keys in the fewest possible locations.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
4.1 Use strong cryptography and security protocols (for example, TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
Requirement 3.4: Use any of the following approaches so that PAN stored in any location (including on portable digital media, backup media and in logs) is unreadable: one-way hashes based on strong cryptography (the hash must cover the entire PAN); truncation (hashing cannot be used to replace the truncated segment of the PAN); index tokens and pads (pads must be securely stored); strong cryptography with associated key-management processes and procedures.
SafeNet Tokenization complies with requirement 3.4 (PAN).
Slide 36
Requirement 3.5.2: Always store the secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms: encrypted with a key-encrypting key that is at least as strong as the data-encrypting key and that is stored separately from the data-encrypting key; within a secure cryptographic device (such as a hardware security module (HSM) or a PTS-approved point-of-interaction device); as at least two full-length key components or key shares, in accordance with an industry-accepted method.
SafeNet KeySecure uses a multi-layer architecture in which keys are encrypted again under other keys. The appliance is validated to FIPS 140-2 Level 3, supporting the U.S. government requirement that key management be protected against tampering.
StorageSecure is also a powerful encryption appliance; it is FIPS 140-2 validated and can provide centralized key management and encryption-key storage from a single device.
Slide 37
Requirement 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including: 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of ciphertext has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57). 3.6.5 Retirement or replacement (for example, archiving, destruction and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component) or keys are suspected of being compromised. 3.6.6 If manual clear-text key-management operations are used, these operations must be managed using split knowledge and dual control. 3.6.7 Prevention of unauthorized substitution of cryptographic keys. 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.
3.6.4: KeySecure centrally manages encryption keys and policies across the whole key-management lifecycle, spanning the entire enterprise, virtual data centers and public cloud environments. KeySecure provides a key rotation mechanism so that customers can rotate keys efficiently according to their security policy.
3.6.5: Keys are always stored in encrypted form on the KeySecure appliance. KeySecure's centralized management includes detailed logging and audit trails that capture every key state change, administrator access and policy change. Audit records are stored securely and signed to prevent repudiation.
3.6.6: Through more than 20 administrative access control lists, KeySecure supports different personnel creating, deleting and accessing keys. The security team can require that two administrators approve specific types of operation, such as key generation, before they are carried out.
Slide 44 (diagram labels): CORPORATE ENVIRONMENT; Cloud Storage; Intellectual Property; Internal Privileged Users; External Privileged Users
Common FSC (Financial Supervisory Commission) audit items
1. The "account sharing" problem
2. The "directory sharing" problem
3. "Files do not land in the DMZ" for external exchanges
4. "Passwords must be protected" inside automated transfer scripts
5. Transfers and exchanges must have a complete "audit trail"
6. File "transfer encryption"
7. File "security protection" (e.g. file permission control, file encryption)
8. "Reduce the open ports" on internal enterprise firewalls
9. Move file exchange operations toward "full automation"
Slide 45
1. Build a centralized file transfer management platform that supports multiple transfer methods
2. Strengthen file transfer security
3. Simplify existing management settings and strengthen FTP service management functions
4. Retain complete transfer audit records
5. Make file permission control more rigorous
6. Periodically and automatically purge files that have not been used for a long time
7. Integrate user credential access with LDAP
8. No clear-text credentials inside FTP scripts
9. Passwords of internal FTP accounts are controlled by administrators
Slide 46
1. Build a centralized external file transfer management platform that supports multiple transfer methods ■ Multi-protocol services (FTP/S, HTTP/S, SFTP)
2. Strengthen file transfer security ■ Two-tier secure transfer architecture; files do not land in the DMZ; transfer encryption / file encryption
3. Simplify existing management settings and strengthen FTP service management functions ■ Unified management interface, automated file transfer processing, proactive notification of transfer anomalies, etc.
4. Retain complete transfer audit records ■ Transfer logs / system logs / administrator operation logs
5. Make file permission control more rigorous ■ File routing and file permission control mechanisms
6. Periodically and automatically purge files that have not been used for a long time ■ Vendor-provided file purge script
7. Integrate user credential access with LDAP ■ Multiple LDAP directories supported
8. No clear-text credentials inside FTP scripts ■ SecureClient can help achieve this
9. Passwords of internal FTP accounts are controlled by administrators ■ SecureClient can help achieve this
Slide 47
Slide 48: Axway Endpoints
Slides 49 to 53 (diagram build-up): Axway Endpoints; DMZ; slide 53 adds FTP Script
Slide 54: PCI-DSS 3.1 Compliance Combination
Build and Maintain a Secure Network and Systems: Requirement 1 Install and maintain a firewall configuration to protect cardholder data (1.3); Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters (2.1, 2.2, 2.3)
Protect Cardholder Data: Requirement 3 Protect stored cardholder data (3.4, 3.5, 3.6); Requirement 4 Encrypt transmission of cardholder data across open, public networks (4.1)
Maintain a Vulnerability Management Program: Requirement 6 Develop and maintain secure systems and applications (6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7)
Implement Strong Access Control Measures: Requirement 7 Restrict access to cardholder data by business need to know (7.1, 7.2, 7.3)
Slide 55: PCI-DSS 3.1 Compliance Combination
Implement Strong Access Control Measures: Requirement 8 Identify and authenticate access to system components (8.1, 8.2, 8.3, 8.5, 8.7)
Regularly Monitor and Test Networks: Requirement 10 Track and monitor all access to network resources and cardholder data (10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8); Requirement 11 Regularly test security systems and processes (11.1)
Additional PCI DSS Requirements for Shared Hosting Providers: Requirement A.1 Shared hosting providers must protect the cardholder data environment (A.1)
Slide 58 (diagram labels): WAF; IT; SSDLC; (VA); (PT); Web
Slide 59
André Maginot
Thanks
Slide 60: Q&A
Slide 61