Tecnologías para el Cumplimiento (Technologies for Compliance). Alexandre Bento. SafeNet

Uploaded by: internet-security-auditors

Posted on: 12-Jan-2015

Category: Technology

DESCRIPTION

Presentation by Alexandre Bento of SafeNet on technologies for PCI DSS compliance.

TRANSCRIPT

Page 1: Tecnologías para el Cumplimiento (Technologies for Compliance)

Alexandre Bento, SafeNet. [email protected]

Page 2: Agenda

Who is SafeNet?
PCI market background
Challenges for PCI
SafeNet solutions for PCI
Success story

Page 3: Who is SafeNet?

Page 4: SafeNet Fact Sheet

The largest company focused exclusively on protecting high-value information.

Founded: 1983
Capital: privately held
Global success, with more than 25,000 customers in 100 countries
Employees: around 1,500 in 25 countries
Recognized leadership in security technology, with more than 550 engineers expert in encryption
Accredited, with products certified to the highest security standards

Page 5: Leader in Trust

We protect things such as:

> most of the money that moves in the world: 80% of all interbank transfers (SWIFT), $1 trillion per day
> most of the digital identities in the world: 84% market share in protecting PKI root keys (Salomon Smith Barney), with cryptographic modules (HSMs)
> number 1 in high-speed WAN link encryption for Frame Relay, ATM, leased lines and Ethernet
> number 1 in USB tokens worldwide (IDC)

Page 6: PCI Market Background

Page 7: What are the threats?

(Chart. Source: Ponemon Institute, 2009)

Page 8: The Evolution of Incidents

(Chart)

Pages 9-12 (one slide, built up step by step): Target of the Attacks?

Data, data and more data

Vulnerabilities

Page 13: Online Fraud on the Rise

Source: Anti-Phishing Working Group, March 2009

The number of web pages infecting PCs with programs designed to steal passwords reached 31,173 in December 2009, an increase of 827% since January 2008.

Phishing: $3.2 billion in 2007 in the US alone (Gartner, Dec. 2007)

Pages 14-15 (same slide in Spanish and English): How do they do it?

Trojans, keyloggers, rootkits
Web or application vulnerabilities
The corruptible insider

Page 16: How much are they costing?

(Chart; the one legible figure is 47%. Source: Ponemon Institute, 2009)

Page 17: Challenges for PCI

Page 18: Is PCI DSS the Floor or the Ceiling?

• "PCI DSS is the ceiling"
  • Obstacles to implementation, or excuses?
  • Too complex
  • Not up to date with current threats
  • Takes too long to implement
  • Too expensive to comply with

• "PCI DSS is only the floor"
  • Leverage the investment
  • Greater protection
  • 50% cost advantage

Page 19: How much is it costing?

Allocation of PCI Investment            Best-in-Class   All Others
Cost to achieve initial compliance      $520K           $958K
Time to report                          11 mo           11 mo
Annual cost to sustain compliance       $135K           $300K
Average time since first reporting      2.0 yrs         2.3 yrs
Average total spend on PCI compliance   $784K           $1,642K
Build & Maintain a Secure Network       $197K           $375K
Protect Cardholder Data                 $186K           $399K
Maintain a Vulnerability Mgmt Program   $88K            $188K
Implement Strong Access Control         $93K            $211K
Regularly Monitor and Test              $124K           $317K
Maintain an IS Policy                   $97K            $152K

Source: Aberdeen Group, 2009

Page 20: Best Practices

It is protection, not a checkbox
Involve the stakeholders
Data discovery and classification
Establish the threat model
Document and define security policies and procedures
Determine where to protect data

Page 21: Where is the industry today?

Objective                            Requirement                                 Current Capability   Known Incidents   Avg. PCI Spend
Build & Maintain Secure Network      1. Firewall Configurations                  85%                  16%               $250K
                                     2. No Default Passwords                                          16%
Protect Cardholder Data              3. Protect Stored Cardholder Data           71%                  23%               $242K
                                     4. Encrypt Transmission Across Networks                          12%
Maintain Vulnerability Mgmt Program  5. Use & Update Antivirus Software          61%                  19%               $114K
                                     6. Develop & Maintain Secure Applications                        28%
Strong Access Control                7. Restrict Access Business Need-to-Know    65%                  24%               $124K
                                     8. Assign a Unique ID                                            18%
                                     9. Restrict Physical Access                                      15%
Regularly Monitor & Test             10. Track and Monitor Network Access        78%                  23%               $169K
                                     11. Regularly Test Security Systems                              22%
Maintain IS Policy                   12. Maintain Policies for IS                83%                  23%               $118K

Source: Aberdeen Group, 2009

Page 22: SafeNet Solutions for PCI

Page 23: Protect stored cardholder data (Req. 3)

Hard disk encryption: SafeNet ProtectDrive
Data tokenization: SafeNet DataSecure, SafeNet Hardware Security Modules
File/folder encryption: SafeNet ProtectFile (unstructured data)
Database encryption: SafeNet DataSecure (structured data)

Page 24: SafeNet DataSecure Platform: Intelligent Data Protection

DataSecure is the industry's most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, using centralized key management, policy management, and logging and auditing.

Business need: protect sensitive data at the web, application, mainframe and database tiers, including file servers.
SafeNet solution: Protect Data at Risk. The most flexible and scalable hardware-based encryption platform for heterogeneous environments.

Business need: implement data encryption controls for compliance.
SafeNet solution: Comply with Legislation. Proven compliance with laws requiring protection of sensitive information.

Business need: reduce cost and complexity with secure key management and centralized policy management.
SafeNet solution: Reduce Operational Cost. Ease of management and administration with a best-in-class security management console.

Page 25: SafeNet DataSecure: Data Protection, Key, and Policy Management

(Diagram: DataSecure serving mainframes, web/app servers, endpoint devices, network shares and file servers.)

Page 26: DataSecure Database Integration

• Database connectors: Oracle 8i, 9i, 10g, 11g; IBM DB2 version 8, 9; IBM UDB version 8, 9; Microsoft SQL Server 2000, 2005, 2008; Teradata 12
• Application changes not required
• Batch processing tools for managing large data sets
• Vendor transparent database integration: SQL Server 2008, Oracle 11g

(Diagram: customer database.)

Page 27: DataSecure Application Integration

• Software libraries: Microsoft .NET, CAPI; JCE (Java); PKCS#11 (C/C++); SafeNet ICAPI (C/C++); z/OS (Cobol, Assembler, etc.); XML
• Support for virtually all application and web server environments

(Diagram: reporting application, customer database, e-commerce application.)

Page 28: ProtectFile and ProtectDrive: File Protection for PCs, File Servers, and Network Shares

Platforms: Windows Server 2003; Windows XP, Vista; RHEL 4, 5

File server encryption:
• File Encryption Keys (FEKs) protect files on disk
• FEKs are encrypted with a Key Encryption Key (KEK) that resides on the DataSecure appliance
• Policy is configured on DataSecure and pushed to file systems

Mobile handset support

Full disk encryption with ProtectDrive

(Diagram: end-user laptop, network shares, corporate file server.)
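The FEK/KEK arrangement on this slide is the envelope-encryption pattern: each file gets its own key, and only those small keys are wrapped by the appliance-held KEK. The Go program below is an added example written for this page; it is not SafeNet's code and is not part of the original deck. It uses AES-256-GCM from the Go standard library, an in-memory KeyManager as a stand-in for the appliance, and the file name as associated data; the names (KeyManager, EncryptFile, RewrapFEK, the sample file name) are assumptions. It shows why rotating the KEK means re-wrapping keys rather than re-encrypting files, and that a wrapped FEK that has been altered, or moved onto another file, is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// seal/open: AES-256-GCM with the random nonce prepended. Keys are always the
// 32 bytes randomBytes produced, so NewCipher and NewGCM cannot fail here. aad
// binds the blob to its file name so a wrapped FEK cannot be moved to another file.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, data, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// KeyManager stands in for the central appliance that holds the KEKs (assumption:
// illustrative code, not SafeNet's). The KEK never leaves it; file systems only see wrapped FEKs.
type KeyManager struct {
	keks    map[string][]byte // KEK id -> 32-byte AES-256 key
	current string            // KEK id used for new wraps
}

// RotateKEK installs a fresh KEK; older KEKs stay so existing wrapped FEKs can be unwrapped and re-wrapped.
func (km *KeyManager) RotateKEK() string {
	if km.keks == nil {
		km.keks = map[string][]byte{}
	}
	km.current = fmt.Sprintf("kek-%d", len(km.keks)+1)
	km.keks[km.current] = randomBytes(32)
	return km.current
}

// EncryptedFile is what sits on disk: the body under its own FEK, plus that FEK wrapped by KEKID.
type EncryptedFile struct {
	Name, KEKID      string
	WrappedFEK, Body []byte
}

func EncryptFile(km *KeyManager, name string, plaintext []byte) *EncryptedFile {
	fek := randomBytes(32) // one fresh FEK per file
	return &EncryptedFile{
		Name:       name,
		KEKID:      km.current,
		WrappedFEK: seal(km.keks[km.current], fek, []byte(name)),
		Body:       seal(fek, plaintext, []byte(name)),
	}
}

// unwrap fails if the KEK is unknown, the blob was altered, or it belongs to another file name.
func (km *KeyManager) unwrap(f *EncryptedFile) ([]byte, error) {
	kek, ok := km.keks[f.KEKID]
	if !ok {
		return nil, errors.New("unknown KEK id: " + f.KEKID)
	}
	return open(kek, f.WrappedFEK, []byte(f.Name))
}

func DecryptFile(km *KeyManager, f *EncryptedFile) ([]byte, error) {
	fek, err := km.unwrap(f)
	if err != nil {
		return nil, err
	}
	return open(fek, f.Body, []byte(f.Name))
}

// RewrapFEK moves a file to the current KEK without touching its body: rotation
// re-wraps small keys instead of re-encrypting every file.
func (km *KeyManager) RewrapFEK(f *EncryptedFile) error {
	fek, err := km.unwrap(f)
	if err != nil {
		return err
	}
	f.WrappedFEK, f.KEKID = seal(km.keks[km.current], fek, []byte(f.Name)), km.current
	return nil
}
```

A typical sequence is: create a KeyManager and call RotateKEK once, EncryptFile a constructed record, RotateKEK again, RewrapFEK the file (its Body bytes stay identical while KEKID advances), then DecryptFile. A real deployment would keep the KEK inside the appliance and expose only wrap/unwrap, which is exactly the interface unwrap and RewrapFEK model here.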

Page 29: File & Folder Encryption

File and folder encryption while cryptographically enforcing user- and group-permission-based access to confidential data.

Protection of workgroup data against unauthorized access.

Page 30: DataSecure Tokenization

DataSecure acts as the "vault" for sensitive data values and tokens, protecting them with strong encryption and key management.

Token Manager replaces sensitive data with format-preserving tokenization via:
• Secure Message Layer: SOA-based interface, callable from anywhere
• Protected Zone: hosts the Secure Message Layer, handles calling DataSecure and generating tokens

(Diagram: Protected Zone containing DataSecure and the Secure Message Layer; DataSecure Token Manager.)

Page 31: What is Tokenization?

On the most basic level:
• Replacement of sensitive structured data with data of a similar size that is not sensitive (a "token")
• Stores sensitive data in an encrypted protected zone

More sophisticated approaches involve:
• 1-to-1 mapping of tokens to sensitive data (referential integrity)
• Presentation options: masked data (XXXXX6789); data with dashes in it (123-45-6789)
• Token type options: purely random digits; sequential; first two/last four, first six, etc.

Benefits:
• Data protection is "transparent" to pure end users and systems
• Only the "protected zone" remains in scope of compliance audits
• Only authenticated end users or systems can access data in the clear from the protected zone
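As an added example (written for this page; not SafeNet's code and not part of the deck), the Go program below implements the concepts listed on this slide: same-length tokens, two of the token type options (purely random digits, and first six/last four preserved), a 1-to-1 mapping so the same value always yields the same token, detokenization limited to authorized principals, and the masked presentation form XXXXX6789. The vault is an in-memory stand-in; the real protected zone holds the values encrypted. All names (Vault, Tokenize, Detokenize, Mask, the principal names) are assumptions, and any 16-digit number used with it is constructed, not a real card number.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
	"strings"
)

// TokenFormat selects how much of the original value a token preserves.
type TokenFormat int

const (
	RandomDigits     TokenFormat = iota // every digit random, same length as the value
	FirstSixLastFour                    // first six and last four kept, middle random
)

// Vault is an in-memory stand-in for the protected zone's data vault (assumption:
// illustrative code, not SafeNet's; a real vault keeps the clear values encrypted).
type Vault struct {
	byValue map[string]string // clear value -> token: the 1-to-1 mapping
	byToken map[string]string // token -> clear value
	allowed map[string]bool   // principals permitted to detokenize
}

func NewVault(allowed ...string) *Vault {
	v := &Vault{byValue: map[string]string{}, byToken: map[string]string{}, allowed: map[string]bool{}}
	for _, p := range allowed {
		v.allowed[p] = true
	}
	return v
}

// randomDigits draws n decimal digits from the OS CSPRNG (rand.Int is unbiased).
func randomDigits(n int) string {
	out := make([]byte, n)
	for i := range out {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			panic(err) // a failing CSPRNG is not something to recover from
		}
		out[i] = '0' + byte(d.Int64())
	}
	return string(out)
}

// buildToken mints one candidate token of the same length as value.
func buildToken(value string, format TokenFormat) (string, error) {
	if len(value) < 10 || strings.Trim(value, "0123456789") != "" {
		return "", errors.New("need a digit string of at least 10 characters")
	}
	n := len(value)
	if format == FirstSixLastFour {
		return value[:6] + randomDigits(n-10) + value[n-4:], nil
	}
	return randomDigits(n), nil
}

// Tokenize returns the token already issued for a value (referential integrity) or
// mints one, retrying when the candidate collides with an existing token or equals the value.
func (v *Vault) Tokenize(value string, format TokenFormat) (string, error) {
	if tok, ok := v.byValue[value]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 16; attempt++ {
		tok, err := buildToken(value, format)
		if err != nil {
			return "", err
		}
		if _, taken := v.byToken[tok]; taken || tok == value {
			continue
		}
		v.byValue[value], v.byToken[tok] = tok, value
		return tok, nil
	}
	return "", errors.New("could not mint a unique token")
}

// Detokenize releases the clear value only to an authorized principal.
func (v *Vault) Detokenize(principal, token string) (string, error) {
	if !v.allowed[principal] {
		return "", errors.New("principal not authorized to detokenize: " + principal)
	}
	value, ok := v.byToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return value, nil
}

// Mask is the display form from the slide: all but the last four digits become X.
func Mask(value string) string {
	if len(value) <= 4 {
		return value
	}
	return strings.Repeat("X", len(value)-4) + value[len(value)-4:]
}
```

The part that keeps the rest of the estate out of audit scope is the split between Tokenize, which any system may call, and Detokenize, which checks the caller before it will release anything; a 16-digit token with the first six and last four preserved still lets downstream systems route and display records without ever holding the clear value.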

Page 32: DataSecure Token Manager

DataSecure locks the "vault" for sensitive data values and tokens with strong encryption and key management.

Token Manager replaces sensitive data with format-preserving tokenization via:
• Secure Message Layer: SOA-based interface, callable from anywhere
• Protected Zone: hosts the Secure Message Layer, handles calling DataSecure and generating tokens

(Diagram: Protected Zone containing DataSecure, the Secure Message Layer and the Data Vault.)

Page 33: Tokenization Use Case: Credit Card Numbers

(Diagram: Protected Zone containing DataSecure, the Secure Message Layer and the Data Vault; PCI auditor for compliance.)

Pages 34-35: SafeNet DataSecure Interface

(Screenshots.)

Page 36: Disk Encryption

Disk encryption of desktops, in conjunction with Certificate Services
Access to pre-boot authentication only with token/certificate, no user ID/password logon
Protection of all data in case of theft, loss and end of life

Page 37: Encrypt transmission of cardholder data across open, public networks (Req. 4)

Encrypt network communications: SafeNet High Speed Ethernet Encryption

Page 38: Network Encryption

Edge layer: SSL/IPsec
Boundary layer: MPLS, ATM, Frame Relay, Ethernet transport connecting branch offices, remote sites, partners
Core layer: typically SONET or Ethernet transport over carrier WAN or dark fiber

Page 39: Best Fit for Layer 2 Encryption

(Diagram: Ethernet encryption at 10/1G and 100/10M; SONET encryption.)

Page 40: Simplified Management: Layer 2 Transport

(Diagram: customer premise router, layer 2 encryptor and carrier switch at each site; LAN; operations center, disaster recovery location, operations center.)

When something changes here... or here... or here!!! nothing changes here...

No administrative burden, no outages and no security policy changes

Page 41: Security Management Center II

Lowest cost of ownership:
• Easy installation and simple ongoing management
• Intuitive web-based GUI
• Virtualization support with VMware and Solaris Zones

Secure operations:
• Full audit and event logging and reporting
• Secure remote management and encrypted communications
• Integrated key manager with optional hardware security

Scalability / reliability:
• Simple management design for thousands of encryptors
• Rapid deployment tools for large installations
• Enterprise-class high-availability features

SMC II is the only truly enterprise-class encryptor management platform.

Page 42: Develop and Maintain Secure Systems and Applications (Req. 6)

Secure application development tools: SafeNet Hardware Security Modules
Approved payment applications: SafeNet Hardware Security Modules

Page 43: HSM: Transaction Protection

SafeNet HSMs provide the most secure, easy and fast way to integrate the security solution for applications and transactions for enterprises and governments. FIPS and Common Criteria certifications.

Products: CA4, Luna PCM, ProtectServer Gold, Luna PCI, Luna SA / SP, ProtectHost EFT, Luna XML, Luna SX

Page 44: HSM Technology: Breadth of Hardware Security Offerings

(Diagram positioning the HSM range by performance and use case. Products shown: PCM, CA4; Luna PCI; Luna SA / SP / IS; Protect Server; Luna XML; Protect Host EFT. Positioning labels: customizable, economical; fastest; networked, scalable; offline key archive, registration auth; SOA, web services; payments, EMV/EFT. Throughput figures shown: 27/sec, 300+/sec, 600/sec, 600/sec, 1200/sec, 4000+/sec, 7000/sec.)

Page 45: Restrict access to data, and assign a unique ID to each person with computer access (Req. 7 & 8)

Privileged user management: SafeNet Authentication, SafeNet DataSecure
Strong user authentication: SafeNet Authentication
Network access management: SafeNet Authentication

Page 46: Identity Protection: Authentication

Credential types: PKI certificates; user name and passwords; biometric credentials; barcode and magnetic swipe encoding*; access controls*; photo ID*

* Photo ID, access control and bar code/magnetic swipe are applicable to smart cards only

Page 47: SafeNet Solutions for the PCI Ecosystem

Page 48: Benefits

Benefit: Single key management and encryption solution
Proof points: Comprehensive, core-to-edge solution from a SINGLE vendor. ONLY solution that secures data across the connected enterprise for data at rest, in transit, and in use.

Benefit: Reduces the cost and complexity
Proof points: Integrated security platform with centralized policy management and reporting. All critical PCI encryption and key management requirements are centrally implemented.

Benefit: Streamlined implementation
Proof points: Designed for fast and easy integration into existing IT infrastructure.

Benefit: Highest security
Proof points: FIPS 140-2 Level 2 and Level 3, and CC validations. More than 25 years of experience.

Benefit: Comprehensive audit trails
Proof points: Centralized logging and auditing of all cryptographic functions.

Page 49: Success Story

Page 50: British Airways

Business Drivers
• PCI info in Oracle DB and mainframe
• Proprietary flight information on mainframe

Technical Requirement
• Sensitive data on their mainframes
• General security and granular-level security
• Gartner said “FIPS level 2 will eventually be a PCI requirement.”

Why SafeNet
• Batch processing between their mainframe and two other databases
• Files needed column-level encryption at a command line to handle credit card data
• Level 2 FIPS compliance
• SafeNet is the only company to offer command line file protection and conversion on the mainframe

Later Phases
• Working directly with business owners
• Sales
• Risk Management

Page 51: British Airways

(Architecture diagram: bulk load, TU, 3rd party apps, internal apps; z/OS mainframe, Linux machines, Windows FTP servers, Windows file servers, NAS.)

Page 53: Thank you

Alexandre Bento, [email protected]