The document discusses securing payment transactions in the cloud. It discusses common myths about cloud security, including that the cloud is not secure, trusted, or compliant. However, it argues that following best practices like PCI guidelines and using a managed cloud solution can securely decouple payment data. It provides an example of a utility company that processes millions of transactions securely in the cloud each month and discusses how to evaluate cloud vendors to find one that can help mitigate risks and address compliance needs.
MYTHBUSTERS: Can You Secure Payments in the Cloud?
1. The Leader in Active Cyber Defense
MYTHBUSTERS:
Can You Secure Payments in the Cloud?
KURT HAGERMAN | CISO, ARMOR
SEPTEMBER 2015
2. BETWEEN YOU AND THE THREAT
KURT HAGERMAN
Chief Information Security Officer | ARMOR
• CISA- and CISSP-certified
• Frequent speaker and author on security for the payments industry, healthcare industry and cloud security
• 25-year veteran in IT, security consulting and auditing
6. BETWEEN YOU AND THE THREAT
No Easy Task
YOU ARE:
• Risk-aware and in tune with your industry’s challenges.
• Required to meet numerous and overlapping regulations and mandates.
• Faced with customer demand to process sensitive data in online and mobile channels.
7. BETWEEN YOU AND THE THREAT
In the first 6 months of 2015
888 BREACHES & 246,000,000 RECORDS COMPROMISED
1,400,000 RECORDS COMPROMISED EVERY DAY
943 RECORDS COMPROMISED EVERY MINUTE
16 RECORDS COMPROMISED EVERY SECOND
Source: Gemalto
8. BETWEEN YOU AND THE THREAT
A World of Targets
• Security spending doubled in the past 4 years
• Many of these organizations were “compliant” on various security frameworks
• Major shortage in security talent, and getting worse
• Average hacker dwell time is 205 days across enterprises
(Chart: major breaches by year, 2011, 2012, 2013, 2014 and latest)
9. BETWEEN YOU AND THE THREAT
Where You’re Being Hit
More than half of you have been targeted. This is where threat actors attack you most often.
62% of companies were targets of payments fraud in 2014.
Most Targeted Methods
• Checks: 77%
• Credit & debit cards: 34%
• Wires: 27%
Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey
11. BETWEEN YOU AND THE THREAT
“Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.”
Jeremy Epstein, Lead Program Director, National Science Foundation
13. BETWEEN YOU AND THE THREAT
Legal Ramifications Evolving
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia)
• Example of government overreach
• Ruling of “harm” left to the FTC, based on no published standards
• Virtually impossible to comply
• Even when PCI-compliant, your organization could still be liable for data loss
14. BETWEEN YOU AND THE THREAT
Which Frameworks are Proven?
FISMA, NIST 800-53, ISO 27001
Each is good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program.
What about the Payment Card Industry Data Security Standard?
15. BETWEEN YOU AND THE THREAT
12 Key PCI Security Requirements
Control Objective: Build & Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Control Objective: Protect Cardholder Data
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
Control Objective: Maintain a Vulnerability Management Program
  5. Use and regularly update antivirus software on all systems commonly affected by malware.
  6. Develop and maintain secure systems and applications.
Control Objective: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
Control Objective: Regularly Monitor & Test Networks
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Control Objective: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security.
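Requirement 3 (protect stored cardholder data) and the later case-study point that card data "existed throughout corporate systems" both come down to the same first step: knowing where primary account numbers (PANs) actually sit at rest, because every system holding one is in PCI scope. The scanner below is an added example written for this page, not Armor's tooling or anything from the deck. It looks for PAN-shaped digit runs, keeps only those that pass the Luhn check (which rules out order numbers and serial numbers), and reports them masked (first six and last four digits) so the discovery report itself does not become a new cardholder-data store. The file contents are constructed sample data using well-known test card numbers.

```python
import re

# Constructed sample of "data at rest" on a corporate share (not real files or accounts).
# 4111... and 5500... are standard test card numbers; the other long numbers are not cards.
SAMPLE_FILES = {
    "crm_export.csv": "id,name,note\n"
                      "1,Ann,called re: card 4111 1111 1111 1111 exp 12/27\n"
                      "2,Bob,no card on file\n",
    "app.log": "2015-09-01 10:02:11 payment ok token=tok_8f3a order=5551234567890\n"
               "2015-09-01 10:05:40 retry pan=5500000000000004 amt=42.10\n",
    "readme.txt": "Serial 1234567812345678 is a printer, not a card.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask(digits: str) -> str:
    """PCI-style display form: at most first six and last four digits are kept."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return masked PANs found in a blob of text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if looks_like_pan(digits):
            hits.append(mask(digits))
    return hits


def scan_files(files: dict) -> dict:
    """Map file name -> masked PANs, listing only files that hold cardholder data."""
    return {name: hits for name, text in files.items() if (hits := scan_text(text))}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} PAN(s) at rest -> {hits}")
```

In the sample, the CRM export and the application log are flagged (the log line with a full PAN is exactly the kind of leak that drags logging and monitoring systems into scope), while the 13-digit order number and the printer serial are rejected by the Luhn check.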
16. BETWEEN YOU AND THE THREAT
The PCI Baseline
IT’S TRUSTED
• Prescriptive framework
• Vetted process
• Widely adopted
IT’S EFFECTIVE
• Helps manage risk
• Protects brands
• Mitigates loss during breach response
18. BETWEEN YOU AND THE THREAT
Follow PCI Best Practices
• Leverage as a strong baseline for all your sensitive data
• Has been copied or mirrored by other governing bodies (NACHA, for instance)
• Includes cross-over into other compliance requirements
19. BETWEEN YOU AND THE THREAT
Use a Cloud Solution to Decouple Payment Data
• Decouple to secure infrastructure
• Isolate and secure access to sensitive data
• Reduce scope for compliance
• Faster audits and lower costs
(Diagram: authorized users, internal & external system users, and the large IT environment)
20. BETWEEN YOU AND THE THREAT
We Trust The Experts For a Reason
22. BETWEEN YOU AND THE THREAT
The Company
Popular utility provider secures millions of transactions each month in a PCI-compliant cloud.
Region: Southwest
Employees: More than 10,000
Industry: Utilities
Market: Residential & Commercial
Customers: 1 - 5 Million
23. BETWEEN YOU AND THE THREAT
The Challenge
• Large Southern retail & commercial utility company
• Leveraged legacy ERP system for online payments
• Couldn’t meet PCI compliance
• Entire network was in scope
24. BETWEEN YOU AND THE THREAT
The Details
• Traditional check, cash, credit card & ACH payments
• Data-at-rest presented a PCI challenge
• Data existed throughout corporate systems & network
• Connected to multiple third-party banking & payment applications
25. BETWEEN YOU AND THE THREAT
The Solution
• Decouple payment data from the corporate environment
• Reduce scope of PCI audit
• Tokenization of payment data
• Implement business continuity strategy
“By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance.”
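The mechanism behind "decouple payment data" and "tokenization" in the solution slide is worth seeing concretely: the corporate ERP keeps a random surrogate for each card, and only a small, separately secured vault can map it back. The code below is an added illustration, not Armor's product or the utility's actual implementation; the class name TokenVault, the role string "payment-gateway-adapter" and the in-memory dictionaries are all assumptions standing in for a hardened vault with its own access control and storage. Tokens are random (they carry no PAN information), the same card maps to the same token via a keyed hash so the corporate side can still recognise repeat payers, and detokenization is restricted to the component that talks to the processor. Test card numbers are constructed sample input.

```python
import hashlib
import hmac
import secrets

# Roles allowed to recover a PAN. Assumption for the example: in a real deployment the
# vault enforces this itself (mTLS identity, IAM role), not a constant the caller can edit.
AUTHORIZED_DETOKENIZERS = {"payment-gateway-adapter"}


def _digits(pan: str) -> str:
    return pan.replace(" ", "").replace("-", "")


class TokenVault:
    """Stand-in for the decoupled, PCI-scoped environment: the only place a full PAN lives."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # HMAC key for the lookup index
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, digits: str) -> str:
        # Keyed hash: a plain SHA-256 of a PAN could be brute-forced over the card-number space.
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = _digits(pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a PAN-shaped value")
        fp = self._fingerprint(digits)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]    # same card -> same token
        token = "tok_" + secrets.token_hex(12)       # random, reveals nothing about the PAN
        self._pan_by_token[token] = digits
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in AUTHORIZED_DETOKENIZERS:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def corporate_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the corporate ERP / billing system is allowed to store: token and display data only."""
    digits = _digits(pan)
    return {
        "token": vault.tokenize(digits),
        "last4": digits[-4:],
        "display": "****" + digits[-4:],
        "amount_cents": amount_cents,
    }


def record_holds_pan(record: dict, pan: str) -> bool:
    """Review check: does any stored field still contain the full PAN?"""
    digits = _digits(pan)
    return any(digits in str(value) for value in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    rec = corporate_record(vault, "4111 1111 1111 1111", 4210)   # constructed test card
    print("ERP stores:", rec)
    print("gateway recovers:", vault.detokenize(rec["token"], "payment-gateway-adapter"))
```

Because the ERP record never contains the PAN, the ERP, its backups and its reports drop out of the cardholder data environment; only the vault and the gateway adapter remain in scope, which is the audit-scope reduction the slide claims.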
26. BETWEEN YOU AND THE THREAT
The Infrastructure
• Designed as fully redundant environments
• Included direct connections to two data centers
• Meets strict business continuity requirements
• Leverages multiple security layers to thwart targeted attacks
4 LOAD BALANCERS
4 DATABASE SERVERS
4 WEB SERVERS
4 APPLICATION SERVERS
2 MPLS CIRCUITS FOR DIRECT CONNECTION TO ARMOR DATA CENTERS
28. BETWEEN YOU AND THE THREAT
Traditional DIY Approach: Difficult & Complex
• More tools and technologies?
• How much is this going to cost?
• How am I going to implement?
• In what time period?
• Do I have the people and expertise?
29. BETWEEN YOU AND THE THREAT
Comparing Cloud Responsibility
Key: C = Client-Provided, S = Vendor/Customer Shared, V = Vendor-Provided

Security Layer   Security Feature                          DIY Cloud   Public Cloud   Secure Managed Cloud
Perimeter        IP Reputation Filtering                   C           C              V
                 DDoS Mitigation                           C           C              V
                 Web Application Firewall                  C           C              V
Network          Segmentation                              C           S              V
                 Network Firewall (Hypervisor-based)       C           S              V
                 Vulnerability Scanning                    C           C              V
                 Secure Remote Access                      C           S              V
                 Encryption in Transit                     C           C              S
                 Intrusion Detection                       C           C              V
Server/OS        Hardened Operating System                 C           C              V
                 Secure Remote Administrative Access       C           S              V
                 OS Patching                               C           C              V
                 Anti-Virus/Anti-Malware                   C           C              V
                 Log Management                            C           C              V
                 Time Synchronization                      C           C              V
                 File Integrity Monitoring                 C           C              V
                 Encryption                                C           S              S
                 DLP                                       C           C              S
                 Configuration Management                  C           C              V
                 Host Intrusion Detection                  C           C              V
(unlabeled)      Hardened Hypervisor                       C           S              V
                 Virtual Isolated Management               C           V              V
                 Secure Storage                            C           V              V
Physical         Rogue Wireless Scanning                   C           V              V
                 24x7 Support Staff                        C           V              V
                 Entry Controls                            C           V              V
                 Video Monitoring                          C           V              V
                 Environmental Controls                    C           V              V
30. BETWEEN YOU AND THE THREAT
What To Look For From Cloud Vendors
The Key Attributes
• Expertise
• Track record
• Technology
• People
• Process
• Certification
• Ability to execute and deliver
You need to deal with vendors who are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements.
Your vendor should…
• Provide a clear, concise explanation of the specific security controls they include and how these benefit you
• Be able to articulate the boundaries between their responsibility and yours
• Provide you with documentation that backs up their claims about being “compliant”, including independent audit reports that clearly state the scope of the assessment, the controls framework used and especially how this compliance can be leveraged by YOU
31. BETWEEN YOU AND THE THREAT
LIGHTEN IT & SECURITY BURDEN
• Focus on your business
• Leave it to the experts
• Increase performance
• Enhance scalability
PROTECT YOUR BUSINESS
• Get better security for your environment
• Make compliance less costly and time consuming
• Reduce overall costs
• Facilitate BCDR planning
32. BETWEEN YOU AND THE THREAT
The Cloud Isn’t Secure Enough for Payment Transactions
33. The Leader in Active Cyber Defense
Kurt.hagerman@armor.com 1-877-262-3473 x8073
KURT HAGERMAN
Questions?
SEPTEMBER 2015
Speaker notes
The popular breach chart on the left shows some of the top events that have occurred over the last several years. Hacks are growing in size and frequency even though security spending has doubled in the past 4 years. Furthermore, over 50% of hack victims were up to date on their specific compliance requirements (PCI, HIPAA, etc.). This isn’t going to turn around anytime soon, as we have a major shortage in security talent and the gap is getting wider. We are actually over 200,000 cybersecurity professionals short in the U.S. and over 1 million short worldwide. If we were short 200,000 doctors in the United States we would have a national crisis.
We’re embarrassed by the performance of the industry, and a major metric we track is dwell time. Dwell time is the period from when a hacker infects a machine to when that machine is considered “clean”. The averages from leading reports like the Verizon data breach report and the FireEye cyber report show that across enterprises hackers have a dwell time of 205 days. It is absolutely unbelievable to think about a hacker having access to your environment for 205 days. What’s further concerning is that the average was 214 days in 2014… another 80 billion spent worldwide on cybersecurity, and the average improved by only 4%. We will discuss this later, but Armor’s average hacker dwell time is 2 days and we’re working on ways to move from days to minutes.
What other regulatory entities leveraging PCI framework? And why is this important to treasury management professionals?