Retail IT 2013:
        Data Security & PCI
        Compliance Briefing


Kaseya and Omega
Data Security and PCI Compliance: Leveraging Systems Management Automation to Stay Compliant




                                                                                               Speakers

                                     Shekar Swamy
                                     President & Senior Security Strategist
                                     Omega




                                     Randy Briggs
                                     US Director – Retail, Hospitality & Leisure
                                     Kaseya
Agenda

• The Burden of Data Security & Compliance
• The Process to Satisfy Card Brands and Security
  Assessment Firms
• Key Areas To Pay Attention To
• The Role of Systems Management Technology
• ROI of an Integrated Solution
• About Kaseya
• Considerations & Recommendations
• Helping You Bridge the Gaps
• Q&A
The Burden of Data Security &
      PCI Compliance




           omegasecure.com
About Omega ATC

    21-year history of performance in retail

    Omega systems and services – widely used in the market

    Helped many companies achieve compliance – Level 1,
     Level 2 and Level 4 merchants across the US
    Highly secure Data Center to manage data security

    Working relationship with major QSA firms

    Participating Organization in the PCI council

    NACS data security committee

    SIGMA Resource and participant

    Rapid deployment process
Some of our Customers




                           EDN, INC.
                        Jaco Oil Company
A Recent Experience

   


   
   
   
   


   
   
Actions taken by the Retailer

   


   
   

   
   
   
Lessons learned

  


  
  
  
  


  
  
Challenges










Retail Challenges

  
  

  

  



  

  
  
  
The Process to Satisfy Card brands and
      Security Assessment Firms
The Process to Satisfy Credit Card
Companies & Security Assessors
 

 

 

 

 
 

 

 


Who is responsible for your
compliance?

   
   
   
   
   
   
   
   




Key areas that Level 1 & 2 merchants
need to pay attention to




 
 




 

 
 
 
Systems management
complements Data Security

  
      
      
      
      
      
      
      
      
      
      
      



The Stage…


[Network diagram. Labels: Payments LAN; Payment Appliance; In-store POS LAN; Firewall/Router; Internet; Retail Network (cards and other traffic); Front End Processor; “BOS” LAN; Back Office PC; Security Cameras]

Data Security identifies issues
across your network


  
      
      
      
      
      
      
      
      
      
      


Systems Management, Data Security, PCI Compliance

Kaseya Systems Management
1.  Discovery
2.  Automatic Deployment
3.  Auditing
4.  Monitoring
5.  Network Monitoring
6.  Secure Remote Control
7.  Desktop Policy Settings
8.  Disk Backup
9.  Reporting
10. Software distribution
11. Scripting for automation of tasks
12. Desktop Migration
13. Directory Services
14. Imaging and Deployment
15. Help Desk Ticketing

Omega Data Security
• Consolidated reporting and alerting
• Logs for system events
• Secure/encrypted remote control sessions
• Password management
• File integrity monitoring
• Wireless Intrusion Detection
• Adequate access controls
• Patching of systems
• Internal & External Scanning
• Verification of POS system applications
• Anti-malware
• Anti-virus and anti-spyware
• Mobile device management

Omega PCI Compliance
• Assistance from Security Strategists
• Perform External/Internal scanning
• Written information Security policies
• Implement policies
• Logging – remote control, firewall, Event logs, FIM logs, Security logs,
  Patch logs, Anti-virus, Anti-spyware, Anti-malware
• Evidentiary Reports
• Working relationships
    QSA firms
    POS vendors, back office vendors
    Network Service Providers
    Partnership with Microsoft
    Security Strategists
Path forward - integrated solutions
with a single pane of glass

   
   
       
       
       
       

   

       
       
       
       



Implementation - two options




                                       


       
                                        




       




Where’s Your ROI?

  90% of your problems disappear
  Your entire environment and systems function smoothly
  Eliminate the need to hire more people
  Automate hundreds of routine IT tasks –
     set it and forget it
  Data security that protects you
  Rapid deployment
  Scalable architecture – small, medium and large
  Expert support from System Engineers and
   Security Strategists
  Comply with 286+ controls
The Kaseya Automated IT
 Systems Management
  Solution for Retail IT
Private Global Company With 31 Offices In 20 Countries,
450+ employees, 15,000+ Customers, 53% Top 100 MSPs
Our Vision




“Providing Enterprise-Class IT Systems
     Management for Everybody”
Designed With Security in Mind
Unified Systems Management

Event Management
• Alerts / Notifications
• System Events
• Logs

Automation
• Scheduling
• Procedures
• API/Messaging

Business Intelligence
• Reporting
• Dashboards
• Interactive Data Views

IT Configuration Management
• Remote Management
• Software Deployment
• Power Management
• Image Deployment
• Desktop Migration
• Mobile Device Management

Business Continuity
• Image Backup
• Image Virtualization
• File & Folder Backup

Asset Management
• Network Discovery
• Hardware Inventory
• Directory Services
• Software Inventory

Service Delivery
• Service Desk/Ticketing
• Policy Management
• Service Billing
• Policy Compliance
• Time Tracking

Security
• Anti-Virus
• Anti-Malware
• Patch Management
• Software Updates

Systems Monitoring
• Systems Checks & Alerts
• Event Monitoring
• Performance Monitoring
• SNMP Monitoring
• Log Monitoring
• VM Monitoring
Best Practice Management

100’s of Pre-Defined Views, Maintenance Routines, Policies and
  Automation Procedures

• Device Views by Type
    By OS Type/Ver
    Exchange, SQL, IIS, etc
• Maintenance Routines
    PC and Server Optimization
• Monitor Sets
      Application Events/Logs
      Hardware Thresholds
      Up/Down Faults
      Servers, Database, Exchange and Domains
      3rd Party Backup, Security and Network Infrastructure

                 (Out-Of-The-Box BP Configuration Wizard)
Unified Security Protection is Critical

• Endpoint security is achieved in layers:
    Managed Antivirus/Antimalware
    URL Filtering
    Local Firewall
    Device blocking
    Application blocking
    Logfile Monitoring
    Regular System Audits
    OS Patching
    Application Patching
    Remote System Tracking
    System Wiping
Security Considerations

We’ve all heard the horror stories
• In 2012 the retail industry made up 45% of data breach
  investigations, a 15% increase from 2011 (Trustwave)
• Average cost of a data breach is $5.5 million
  (Ponemon Institute)
• Symantec source code stolen recently
     pcAnywhere – stop using
• Uninstall/disable Java everywhere if possible
• Dexter malware – POS systems ARE the target
• Kaspersky sees an average of about 71,000 new pieces of
  endpoint malware per day

          Targeted attacks will continue…
Security Considerations

• Network Perimeter Disappearing
• Endpoint IS the Target (including mobile)
• Compromised Endpoint = Compromised EVERYTHING
  (including cloud)
• AV is NOT a commodity
• Security is not ONLY Anti-virus
• Layered Security is Important
• Monitoring and Remediation as Part of the Solution



     Retail E-Commerce Websites and POS
          Systems are a Prime Target
Recommendations

• Bridge the Points of IT Service Disconnect (Silos)
     the total solution is much better than the sum of its parts
• Centralize Management even if you have Decentralized
  Roles
• Gain complete visibility and control of remote systems
  (on/off your network)
• Be proactive not reactive (monitoring and alerting is not
  good enough if you can’t quickly remediate)
• Choose partners and technology providers who specialize
  in your industry

     Systems Management Suite Will Help
      You Take Security To The Next Level
Recommendations

• Embrace Systems Management AUTOMATION
    Routine repetitive tasks (set it and forget it)
    Proactive remediation (diagnostics, executables
     & processes)
    Extensibility & integration w/ other systems
    Customized services to your environment
    Rules, Checks & Balances (if, then, else logic)
    The best policies are those that can be enforced



         Manage thousands of systems as
       easily as you can manage one system
“Not a Question of If – But When”

 • It’s not a question of if – but when – your
   organization will experience a serious security
   breach
     Even enterprises with the most mature security
      organizations and advanced security controls
      can’t prevent every single breach




    Source: Forrester, “Planning For Failure” Nov 9, 2011
Live Q&A


       Thank You For Your Time!
     Randy Briggs                 Shekar Swamy
 508-698-9725 (Direct)         636-557-7777 X 2450
  617-834-1128 (Cell)           Cell: 610-639-0172

randy.briggs@kaseya.com   shekar.swamy@omegasecure.com
    www.kaseya.com            www.omegasecure.com

Automation Desk I: Leveraging Service Desk as a Hub for Advanced AutomationAutomation Desk I: Leveraging Service Desk as a Hub for Advanced Automation
Automation Desk I: Leveraging Service Desk as a Hub for Advanced Automation
 
Kaseya Technology Alliance Partner Landscape
Kaseya Technology Alliance Partner LandscapeKaseya Technology Alliance Partner Landscape
Kaseya Technology Alliance Partner Landscape
 
Advanced Administration: Kaseya Virtual Administrator
Advanced Administration: Kaseya Virtual AdministratorAdvanced Administration: Kaseya Virtual Administrator
Advanced Administration: Kaseya Virtual Administrator
 

Dernier

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Dernier (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Retail IT 2013: Data Security & PCI Compliance Briefing

  • 1. Retail IT 2013: Data Security & PCI Compliance Briefing Kaseya and Omega
  • 2. Data Security and PCI Compliance: Leveraging Systems Management Automation to Stay Compliant. Speakers: Shekar Swamy, President & Senior Security Strategist, Omega; Randy Briggs, US Director – Retail, Hospitality & Leisure, Kaseya
  • 3. Agenda • The Burden of Data Security & Compliance • The Process to Satisfy Card Brands and Security Assessment Firms • Key Areas To Pay Attention To • The Role of Systems Management Technology • ROI of an Integrated Solution • About Kaseya • Considerations & Recommendations • Helping You Bridge the Gaps • Q&A
  • 4. The Burden of Data Security & PCI Compliance omegasecure.com
  • 5. About Omega ATC • 21-year history of performance in retail • Omega systems and services – widely used in the market • Helped many companies achieve compliance – Level 1, Level 2 and Level 4 merchants across the US • Highly secure Data Center to manage data security • Working relationship with major QSA firms • Participating Organization in the PCI council • NACS data security committee • SIGMA Resource and participant • Rapid deployment process
  • 6. Some of our Customers EDN, INC. Jaco Oil Company
  • 7. A Recent Experience
  • 8. Actions taken by the Retailer
  • 9. Lessons learned
  • 11. Retail Challenges
  • 12. The Process to Satisfy Card brands and Security Assessment Firms
  • 13. The Process to Satisfy Credit Card Companies & Security Assessors omegasecure.com
  • 14. Who is responsible for your compliance? omegasecure.com
  • 15. Key areas that Level 1 & 2 merchants need to pay attention to
  • 16. Systems management complements Data Security omegasecure.com
  • 17. The Stage… [Network diagram; labels as extracted: Retail Front End Payments Network Processor (Cards and LAN other traffic) Firewall/ Internet Router “BOS” LAN Payment In-store Appliance POS LAN Security Cameras Back Office PC] omegasecure.com
  • 18. Data Security identifies issues across your network omegasecure.com
  • 19. Systems Management, Data Security, PCI Compliance. Kaseya Systems Management: 1. Discovery; 2. Automatic Deployment; 3. Auditing; 4. Monitoring; 5. Network Monitoring; 6. Secure Remote Control; 7. Desktop Policy Settings; 8. Disk Backup; 9. Reporting; 10. Software distribution; 11. Scripting for automation of tasks; 12. Desktop Migration; 13. Directory Services; 14. Imaging and Deployment; 15. Help Desk Ticketing. Omega Data Security: Consolidated reporting and alerting; Logs for system events; Secure/encrypted remote control sessions; Password management; File integrity monitoring; Wireless Intrusion Detection; Adequate access controls; Patching of systems; Internal & External Scanning; Verification of POS system applications; Anti-malware; Anti-virus and anti-spyware; Mobile device management. Omega PCI Compliance: Assistance from Security Strategists; Perform External/Internal scanning; Written information Security policies; Implement policies; Logging – remote control, firewall, Event logs, FIM logs, Security logs, Patch logs, Anti-virus, Anti-spyware, Anti-malware; Evidentiary Reports; Working relationships • QSA firms • POS vendors, back office vendors • Network Service Providers • Partnership with Microsoft • Security Strategists
  • 20. Path forward - integrated solutions with a single pane of glass omegasecure.com
  • 21. Implementation - two options omegasecure.com
  • 22. Where’s Your ROI? • 90% of your problems disappear • Your entire environment and systems function smoothly • Eliminate the need to hire more people • Automate hundreds of routine IT tasks – set it and forget it • Data security that protects you • Rapid deployment • Scalable architecture – small, medium and large • Expert support from System Engineers and Security Strategists • Comply with 286+ controls
  • 23. The Kaseya Automated IT Systems Management Solution for Retail IT
  • 24. Private Global Company With 31 Offices In 20 Countries, 450+ employees, 15,000+ Customers , 53% Top 100 MSPs
  • 25. Our Vision “Providing Enterprise-Class IT Systems Management for Everybody”
  • 27. Unified Systems Management Event Management Automation Business Intelligence • Alerts / Notifications • Scheduling • Reporting • System Events • Procedures • Dashboards • Logs • API/Messaging • Interactive Data Views IT Configuration Management Business Continuity • Remote Management • Image Deployment • Image Backup • File & Folder Backup • Software Deployment • Desktop Migration • Image Virtualization • Power Management • Mobile Device Management Asset Management Service Delivery • Network Discovery • Directory Services • Service Desk/Ticketing • Policy Compliance • Hardware Inventory • Software Inventory • Policy Management • Time Tracking • Service Billing Security Systems Monitoring • Anti-Virus • Patch Management • Systems Checks & Alerts • SNMP Monitoring • Anti-Malware • Software Updates • Event Monitoring • Log Monitoring • Performance Monitoring • VM Monitoring
  • 28. Best Practice Management 100’s of Pre-Defined Views, Maintenance Routines, Policies and Automation Procedures • Device Views by Type - By OS Type/Ver - Exchange, SQL, IIS, etc • Maintenance Routines - PC and Server Optimization • Monitor Sets - Application Events/Logs - Hardware Thresholds - Up/Down Faults - Servers, Database, Exchange and Domains - 3rd Party Backup, Security and Network Infrastructure (Out-Of-The-Box BP Configuration Wizard)
  • 29. Unified Security Protection is Critical • Endpoint security is achieved in layers: - Managed Antivirus/Antimalware - URL Filtering - Local Firewall - Device blocking - Application blocking - Logfile Monitoring - Regular System Audits - OS Patching - Application Patching - Remote System Tracking - System Wiping
  • 30. Security Considerations We’ve all heard the horror stories • In 2012 the Retail industry made up 45% of data breach investigations; a 15% increase from 2011 (Trustwave) • Average cost of a data breach is $5.5 million per breach – (Ponemon Institute) • Symantec source code stolen recently - PC-Anywhere – stop using • Uninstall/Disable Java everywhere if possible • Dexter Malware – POS systems IS the target • The number of new endpoint malware Kaspersky sees on a daily basis averages about 71,000 Targeted attacks will continue…
  • 31. Security Considerations • Network Perimeter Disappearing • Endpoint IS the Target (including mobile) • Compromised Endpoint = Compromised EVERYTHING (including cloud) • AV is NOT a commodity • Security is not ONLY Anti-virus • Layered Security is Important • Monitoring and Remediation as Part of the Solution Retail E-Commerce Websites and POS Systems are a Prime Target
  • 32. Recommendations • Bridge the Points of IT Service Disconnect (Silos) - the total solution is much better than the sum of its parts • Centralize Management even if you have Decentralized Roles • Gain complete visibility and control of remote systems (on/off your network) • Be proactive not reactive (monitoring and alerting is not good enough if you can’t quickly remediate) • Choose partners and technology providers who specialize in your industry Systems Management Suite Will Help You Take Security To The Next Level
  • 33. Recommendations • Embrace Systems Management AUTOMATION - Routine repetitive tasks (set it and forget it) - Proactive remediation (diagnostics, executables & processes) - Extensibility & integration w/ other systems - Customized services to your environment - Rules, Checks & Balances (if, then, else logic) - The best policies are those that can be enforced Manage thousands of systems as easily as you can manage one system
  • 34. “Not a Question of If – But When” • It’s not a question of if – but when – your organization will experience a serious security breach - Even enterprises with the most mature security organizations and advanced security controls can’t prevent every single breach Source: Forrester, “Planning For Failure” Nov 9, 2011
  • 35. Live Q&A Thank You For Your Time! Randy Briggs Shekar Swamy 508-698-9725 (Direct) 636-557-7777 X 2450 617-834-1128 (Cell) Cell: 610-639-0172 randy.briggs@kaseya.com shekar.swamy@omegasecure.com www.kaseya.com www.omegasecure.com

Notes de l'éditeur

  1. Good morning, or good afternoon or good evening everyone depending on which time zone you might be in right now. Welcome to the Kaseya and Omega Data Security and PCI Compliance Briefing and taking time out of your busy day to join us on such an important topic, especially for the retail industry. Since we have a lot to cover, we’re going to go ahead and get started. Please feel free to submit your questions through the webinar chat session and we’ll do our best to answer as many of them as we have time for at the end of this presentation. (Next Slide)
  2. My name is Randy Briggs and I’m one of your speakers today. I’m the US Director of our Retail Solutions vertical at Kaseya. Kaseya is an industry leading provider of IT Systems Management solutions and a visionary leader on Gartner’s magic quadrant for client management tools. Our solutions are widely adopted in the Retail industry among others to help companies achieve measurable and sustained improvements in IT Service delivery, cost containment and risk mitigation as it relates to systems management, security and compliance. I am joined today with Shekar Swamy who is the President and Senior Security Strategist at Omega. Omega is a recognized provider of data security solutions and services that help retailers of all sizes overcome their systems management and security challenges. Through a combination of their solutions, security expertise and services using the Kaseya platform, Omega helps companies quickly build a foundation for success by assisting them with accelerating and maintaining PCI compliance. Shekar, thank you for joining me today. (Next Slide)
  3. Here is our agenda for today’s session: I am going to provide a brief overview of Kaseya and more importantly review the important role that IT Systems Management solutions play in helping you achieve complete visibility and control of your distributed infrastructure and helping you take IT services and data security and compliance to the next level. Throughout our respective presentations, both Shekar and I will be pointing out specific security issues and challenges the retail industry is faced with and we’ll be suggesting recommendations based on best practices and our own experiences working with hundreds of retailers that you may want to consider implementing for your specific environment and situation to help bridge the gaps. (Next Slide)
  5. Kaseya is a privately held global company who started in the year 2000 and has realized significant year over year growth over the last 12 years. We have over 30 offices located in 20 countries, we employ over 450 employees and have over 15,000 customers who use our technology every day to manage millions of IT assets. As I mentioned in my introduction, Kaseya is a leader on Gartner’s Magic Quadrant for client management tools and along with our corporate clients who deploy our solution in-house, we have a significant market share of the Managed Services industry who provide IT services to their customers as an outsourced service…like Shekar and his team of security experts at Omega. Currently 53 of the top 100 global MSPs use Kaseya to provide outsourced IT services to their clients. The solution is totally re-brandable to look and feel like it’s your own custom service application. Kaseya, in case you’re wondering what that means, is a Native American word that means to secure and protect. So to net it out, our sole focus and vision has been, and continues to be, to help companies and IT Service providers secure, protect and manage their IT assets and distributed networks. (Next Slide)
  6. Our Vision is to provide Enterprise-Class IT Systems Management for Everybody. So whether you’re a small IT group who manages a hundred systems or a larger IT organization managing tens of thousands of systems, you can leverage the same functionality & best practices and experience the power of systems management automation to optimize IT service operations and lower your cost of service delivery regardless of your size or what industry you’re in. The other critical component of executing on this vision is to provide solutions that are Fast to implement and deploy (a few weeks vs. months); Easy to use and manage that will help you be more productive; and Affordable so it will fit your budget…but also to provide a solution that is flexible and scalable to adapt to changing technologies and will grow with you as your company grows and as your IT service needs change over time. This is best represented on the next slide describing the Kaseya Architecture. (Next Slide) Fast; companies are able to implement in a very short period of time (a few weeks vs. months) and deploy across their entire environment within hours vs. days or weeks. Easy to use and easy to manage; bringing your core service functions and tasks you perform on a daily basis together in a single pane-of-glass, giving you complete visibility & control of all your assets in one place and an intuitive interface that makes it very easy to use, the ability to leverage best practices and IT service automation to help you be more productive and do your job 10 times easier, and the ability to create your own reports and make system-wide changes on the fly. Affordable: Cost is based on number of endpoints you manage and service functions you choose; and customers have the choice of In-house or hosted SaaS subscription models to fit your budget and preferences. TechValidate, an independent survey company recently surveyed our customers and a high percentage of them realized a positive ROI within the first 6 months but can be as quick as only a few months depending on your situation. (Next Slide)
  7. Kaseya was developed from the ground-up with security in mind. The core framework or architecture is as important as the solutions built on top of it. Our developers and engineers bring decades of experience designing secure systems for Government and Commercial applications across all industries including Banking and Financial Institutions, Education, Healthcare, and of course Retail among others. Back in 2000 our company was formed when our founders won a bid with the NSA who needed a secure architecture to deliver IT services to their remote systems from anywhere whether those assets were on or off their network. The result is what you see in this diagram. A small lightweight Agent gets deployed on the endpoint which initiates all communications back to your server and will not accept any inbound connections. Virtually impossible for a 3rd party application to attack the agent from the network. AES 256 encrypted communications tunnel between the agent and the Kaseya server (no reliance on VPNs, appliances, or multiple port schemes). Proprietary and Patented algorithms for secure and efficient communications - Rolling key every time the server tasks the agent/endpoint. No plain-text data packets passing over the network - nothing available for an attacker to exploit. The Kaseya web console (VSA) fully supports operating as an SSL web site.
  8. We provide all of the content for you out of the box to help you get up and running quickly based on best practices configuration wizards, and allow you the flexibility to tweak these or build your own content and agent procedures (automation) as needed.
  9. Having all these services unified, integrated and feeding information to each other working in concert with each other provides a higher level of systems management vs. having disparate silo’d tools that don’t talk to each other or work together. You have a much higher level of visibility, control and intelligence over your environment allowing you to be much more efficient in delivering services, being proactive in identifying and remediating issues.
  10. We’ve all heard the horror stories – but the intent here is not to throw any particular retailer or brand under the bus. Let any retailer who hasn’t been through a security issue or breach cast the first stone! This first statistic is a big eye opener and reinforces the fact that the cybercriminals are attacking where the money is…intellectual and personal property and cardholder data.When it comes down to your intellectual property, your brand reputation and customer loyalty you don’t want to be tomorrow’s news about a security breach…and it costs a lot of money to recover as seen here that the average cost of a data breach is $5.5 Million per breach.Hackers are not only targeting the endpoint to penetrate your network and shoplift your data, they clearly are going after companies that create cyber-security applications … and that’s a trend that will continue.A few other key takeaways from the just released Trustwave 2013 Global Security Report was that - 63% of investigations revealed that it was a third-party provider that introduced security deficiencies easily exploited by hackers…and E-commerce sites accounted for 48% of all investigationsIt is clear that these targeted attacks will continue and the Retail Industry is a prime target
  11. Companies have done a good job in securing the network perimeter; so much so that the hackers aren’t spending their time going after the data center; but with the highly distributed nature of retail, there’s so much more to consider when it comes to security protection. Hackers know the endpoint is often the easiest path to gain entry into the retailer’s network and data.Clearly with a new generation of shoppers,increases in E-Commerce, tablets and mobile device usage, mobile payments, social media tools are all representing new security challenges for retailers. The retailer is forced to fight an advanced battle – often with platforms that work against them. Another key takeaway from the Trustwave report is that Mobile malware increased 400%, with malware found on Android devices growing from 50,000 to more than 200,000 samples.
  12. The question you need to ask yourself is how quickly you can respond. Another interesting statistic from the Trustwave Global Security report was that 64% of organizations attacked took more than 90 days to detect an intrusion, with the average time for detection being 210 days! So, how can you ensure early detection, and do you have the tools and systems in place for quick remediation of incidents? How can you stay protected from the ever-growing global network of hackers? How quickly can you recover from what appears to be the inevitable security or compliance disaster that has the ability to damage or even destroy your brand reputation? How quickly can you detect, remove, uninstall, prevent access, re-deploy, keep viruses from spreading to other systems…across hundreds or thousands of endpoints across your entire infrastructure? Just as you need a good disaster recovery plan to get back to normal operations when a natural or man-made disaster strikes, when it comes to security and compliance, QUICK action is the key and you need a platform, an architecture, and a concert of service functions (Audit/Inventory, Patching, AV, AM, Monitoring & Remediation, your service desk…all your layered security components) working together to remediate as quickly as possible.
  13. Common myths & misconceptions of Automation:
      • Scheduling Only – scheduling certain things to run at certain times (patches, AV & software updates, auditing, etc.)
      • Automation is only used for routine maintenance tasks
      • I need to have a script-God on my staff with a certain scripting language skill set
      • We’ve already spent too much time creating our own custom scripts and don’t want to start over recreating them
      • I’m going to automate myself out of a job – replacing manual typewriters with electronic typewriters and then word processing applications never replaced the typist, just like Excel spreadsheets didn’t replace the number crunchers!
      Automation doesn’t mean replacing the human element; it’s a solution that makes your job easier, makes you more productive and allows you to take your skill sets and services to a higher level! Using the Excel spreadsheet analogy, when you change a formula in one cell you want it to update the entire spreadsheet – the same concept applies across your entire infrastructure or across groups of machines, locations, types, etc. We’ve actually had people tell us that when they left their job to work for another company, a major consideration when choosing their new employer was whether they use Kaseya! When you have your house in order, it’s easier to attract and retain good skills and talent. So now that we have explored the myths and what Automation is not…let’s explore the power of true ITSM Automation.
  14. So it comes down to “not a question of if…but when” your organization will experience a serious security breach. An interesting recent survey from Forrester on this subject revealed: During the past 12 months, 25% of IT security decision-makers and influencers reported at least one breach of their sensitive information; but it is interesting to note that 21% of respondents didn’t feel comfortable answering that question – a testament to just how sensitive enterprises have become to the potential economic impact and damage to corporate reputation of a publicized security breach. In the same report, Forrester believes that even among those respondents that reported no breaches in the past 12 months, many of them suffered a breach – they just don’t know it. It’s important to realize that you need technology solutions to assist with compliance. In the case of PCI, there are many requirements that have to do with policies and procedures unrelated to technology, but there are other areas where you need to rely on technology to help you get and stay compliant. Having said that, just because you’re PCI compliant doesn’t mean your environment is secure and conversely, just because your systems and networks are secure doesn’t mean you’re compliant. You need both, and that’s where the partnership between Kaseya and Omega comes in: to provide a blended approach where you can leverage the best technology along with a team of highly experienced security and compliance specialists to help you be successful in this on-going security battle.