
MYTHBUSTERS: Can You Secure Payments in the Cloud?

115 views

Published on

Discussion of whether and how you can secure payments in the cloud. Covers the issue, compliance considerations, regulatory changes and their impact, and provides a rationale for using a cloud to decouple your payment processes from your legacy infrastructure.

Published in: Technology
MYTHBUSTERS: Can You Secure Payments in the Cloud?

  1. The Leader in Active Cyber Defense
     MYTHBUSTERS: Can You Secure Payments in the Cloud?
     KURT HAGERMAN | CISO, ARMOR
     SEPTEMBER 2015
  2. BETWEEN YOU AND THE THREAT
     KURT HAGERMAN, Chief Information Security Officer | ARMOR
     • CISA- and CISSP-certified
     • Frequent speaker and author on security for the payments industry, healthcare industry and cloud security
     • 25-year veteran in IT, security consulting and auditing
  3. Fact or Fiction: Can You Secure Payments in the Cloud?
  4. Myths About the Cloud
     • It’s not secure
     • Not trusted
     • Loss of control
     • Lack of compliance
     • Unknown location of data
  5. You Against Them
  6. No Easy Task
     YOU ARE:
     • Risk-aware and in tune with your industry’s challenges.
     • Required to meet numerous and overlapping regulations and mandates.
     • Faced with customer demand to process sensitive data in online and mobile channels.
  7. In the first 6 months of 2015 (Source: Gemalto)
     • 888 breaches
     • 246,000,000 records compromised
     • 1,400,000 records compromised every day
     • 943 records compromised every minute
     • 16 records compromised every second
  8. A World of Targets
     • Security spending doubled in past 4 years (chart: 2011 through latest)
     • Many of these organizations were “compliant” on various security frameworks
     • Major shortage in security talent and getting worse
     • Average hacker dwell time is 205 days across enterprises
  9. Where You’re Being Hit
     More than half of you have been targeted. This is where threat actors attack you most often.
     62% of companies were targets of payments fraud in 2014.
     Most targeted methods (checks, wires, credit & debit cards): 77%, 34%, 27%
     Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey
  10. The Compliance Landscape
  11. “Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.”
      Jeremy Epstein, Lead Program Director, National Science Foundation
  12. Regulatory Landscape
      SOX
  13. Legal Ramifications Evolving
      “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
      FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia)
      • Example of government overreach
      • Ruling of “harm” left to FTC based on no published standards
      • Virtually impossible to comply
      • Even when PCI-compliant, your organization could still be liable for data loss
  14. Which Frameworks are Proven?
      FISMA, NIST 800-53, ISO 27001
      Each is good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program.
      What about the Payment Card Industry Data Security Standard?
  15. 12 Key PCI Security Requirements (control objectives and PCI DSS requirements)
      Build & Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data.
      2. Do not use vendor-supplied defaults for system passwords and other security parameters.
      Protect Cardholder Data
      3. Protect stored cardholder data.
      4. Encrypt transmission of cardholder data across open, public networks.
      Maintain a Vulnerability Management Program
      5. Use and regularly update antivirus software on all systems commonly affected by malware.
      6. Develop and maintain secure systems and applications.
      Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know.
      8. Assign a unique ID to each person with computer access.
      9. Restrict physical access to cardholder data.
      Regularly Monitor & Test Networks
      10. Track and monitor all access to network resources and cardholder data.
      11. Regularly test security systems and processes.
      Maintain an Information Security Policy
      12. Maintain a policy that addresses information security.
  16. The PCI Baseline
      IT’S TRUSTED
      • Prescriptive framework
      • Vetted process
      • Widely adopted
      IT’S EFFECTIVE
      • Helps manage risk
      • Protects brands
      • Mitigates loss during breach response
  17. How Do You Secure This Data?
  18. Follow PCI Best Practices
      • Leverage it as a strong baseline for all your sensitive data
      • Has been copied or mirrored by other governing bodies (NACHA, for instance)
      • Includes cross-over into other compliance requirements
  19. Use a Cloud Solution to Decouple Payment Data
      • Decouple to secure infrastructure
      • Isolate and secure access to sensitive data
      • Reduce scope for compliance
      • Faster audits and lower costs
      (diagram: authorized users; internal & external system users; large IT environment)
  20. We Trust The Experts For a Reason
  21. A Real-World Case Study
  22. The Company
      Popular utility provider secures millions of transactions each month in a PCI-compliant cloud.
      Region: Southwest
      Employees: More than 10,000
      Industry: Utilities
      Market: Residential & Commercial
      Customers: 1 - 5 Million
  23. The Challenge
      • Large Southern retail & commercial utility company
      • Leveraged legacy ERP system for online payments
      • Couldn’t meet PCI compliance
      • Entire network was in scope
  24. The Details
      • Traditional check, cash, credit card & ACH payments
      • Data-at-rest presented PCI challenge
      • Data existed throughout corporate systems & network
      • Connected to multiple third-party banking & payment applications
  25. The Solution
      • Decouple payment data from corporate environment
      • Reduce scope of PCI audit
      • Tokenization of payment data
      • Implement business continuity strategy
      “By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance.”
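The decoupling pattern of slides 19 and 25, as an added example that is not from the deck or from Armor: a small tokenization vault in which only the vault ever holds a PAN, merchant systems keep a random token plus a masked PAN, and detokenization is limited to an assumed "payment-processor" role. The in-memory dict, the role name and the test card number 4111111111111111 are constructed for illustration.

```python
# Added example (not from the deck): tokenization vault that keeps PANs out of
# the corporate environment so only the vault remains in PCI DSS scope.
import hashlib
import hmac
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn check used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """The only component that stores PANs, i.e. the in-scope system.
    An in-memory dict stands in for encrypted storage (PCI DSS req. 3)."""
    ROLES_ALLOWED_TO_DETOKENIZE = {"payment-processor"}  # assumed role name

    def __init__(self):
        self._key = secrets.token_bytes(32)  # HMAC key known only to the vault
        self._pan_by_token = {}
        self._token_by_fp = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets the vault recognise a repeat card without keeping a
        # plaintext PAN index that other systems could be joined against.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fp:  # multi-use token: same card, same token
            return self._token_by_fp[fp]
        while True:
            # Random digits plus the real last four (for receipts). Candidates
            # that pass Luhn are rejected so a token never looks like a real PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fp[fp] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Need-to-know access (PCI DSS req. 7): only authorised roles get the PAN."""
        if role not in self.ROLES_ALLOWED_TO_DETOKENIZE:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]
```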
  26. The Infrastructure
      • Designed as fully redundant environments
      • Included direct connections to two data centers
      • Meets strict business continuity requirements
      • Leverages multiple security layers to thwart targeted attacks
      (diagram: 4 load balancers, 4 database servers, 4 web servers, 4 application servers, 2 MPLS circuits for direct connection to Armor data centers)
  27. What’s Your Strategy?
  28. Traditional DIY Approach: Difficult & Complex
      • More tools and technologies?
      • How much is this going to cost?
      • How am I going to implement?
      • In what time period?
      • Do I have the people and expertise?
  29. Comparing Cloud Responsibility
      Key: C = Client-Provided, S = Vendor/Customer-Shared, V = Vendor-Provided

      Security Layer   Security Feature                      DIY Cloud   Public Cloud   Secure Managed Cloud
      Perimeter        IP Reputation Filtering               C           C              V
                       DDoS Mitigation                       C           C              V
                       Web application firewall              C           C              V
      Network          Segmentation                          C           S              V
                       Network Firewall (Hypervisor based)   C           S              V
                       Vulnerability Scanning                C           C              V
                       Secure Remote Access                  C           S              V
                       Encryption in Transit                 C           C              S
                       Intrusion Detection                   C           C              V
      Server/OS        Hardened Operating System             C           C              V
                       Secure Remote Administrative Access   C           S              V
                       OS Patching                           C           C              V
                       Anti-Virus/Anti-Malware               C           C              V
                       Log Management                        C           C              V
                       Time Synchronization                  C           C              V
                       File Integrity Monitoring             C           C              V
                       Encryption                            C           S              S
                       DLP                                   C           C              S
                       Configuration Management              C           C              V
                       Host Intrusion Detection              C           C              V
                       Hardened Hypervisor                   C           S              V
                       Virtual Isolated Management           C           V              V
                       Secure Storage                        C           V              V
                       Rogue Wireless Scanning               C           V              V
      Physical         24x7 Support Staff                    C           V              V
                       Entry Controls                        C           V              V
                       Video Monitoring                      C           V              V
                       Environmental Controls                C           V              V
  30. What To Look For From Cloud Vendors
      The key attributes:
      • Expertise
      • Track record
      • Technology
      • People
      • Process
      • Certification
      • Ability to execute and deliver
      You need to deal with vendors that are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements. Your vendor should:
      • Provide a clear, concise explanation of the specific security controls they include and how these benefit you
      • Be able to articulate the boundaries between their responsibility and yours
      • Provide you with documentation that backs up their claims about being “compliant”, including independent audit reports that clearly state the scope of the assessment, the controls framework used and, especially, how this compliance can be leveraged by YOU
  31. LIGHTEN IT & SECURITY BURDEN / PROTECT YOUR BUSINESS
      • Focus on your business
      • Leave it to the experts
      • Increase performance
      • Enhance scalability
      • Get better security for your environment
      • Make compliance less costly and time consuming
      • Reduce overall costs
      • Facilitate BCDR planning
  32. The Cloud Isn’t Secure Enough for Payment Transactions
  33. The Leader in Active Cyber Defense
      Questions?
      KURT HAGERMAN
      Kurt.hagerman@armor.com 1-877-262-3473 x8073
      SEPTEMBER 2015
