The Leader in Active Cyber Defense
MYTHBUSTERS:
Can You Secure Payments in the Cloud?
KURT HAGERMAN | CISO, ARMOR
SEPTEMBER 2015
BETWEEN YOU AND THE THREAT
KURT HAGERMAN
Chief Information Security Officer | ARMOR
• CISA- and CISSP-certified
• Frequent speaker and author on security for the payments industry, healthcare industry and cloud security
• 25-year veteran in IT, security consulting and auditing
Fact or Fiction:
Can You Secure Payments in the Cloud?
Myths About the Cloud
• It’s not secure
• Not trusted
• Loss of control
• Lack of compliance
• Unknown location of data
You Against Them
No Easy Task
YOU ARE:
• Risk-aware and in tune with your industry’s challenges.
• Required to meet numerous and overlapping regulations and mandates.
• Faced with customer demand to process sensitive data in online and mobile channels.
In the first 6 months of 2015 (Source: Gemalto)
888 breaches
246,000,000 records compromised
1,400,000 records compromised every day
943 records compromised every minute
16 records compromised every second
A World of Targets
Security spending doubled in past 4 years
Many of these organizations were “compliant” on various security frameworks
Major shortage in security talent and getting worse
Average hacker dwell time is 205 days across enterprises
[Timeline graphic: 2011, 2012, 2013, 2014, latest]
Where You’re Being Hit
More than half of you have been targeted. This is where threat actors attack you most often.
62% of companies were targets of payments fraud in 2014.
Most Targeted Methods: checks, wires, credit & debit cards (figures shown on the slide: 77%, 34%, 27%)
Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey
The Compliance Landscape
“Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.”
Jeremy Epstein, Lead Program Director, National Science Foundation
Regulatory Landscape
[Graphic of regulations; only the SOX label survived extraction]
Legal Ramifications Evolving
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia)
• Example of Government Overreach
• Ruling of “Harm” Left to FTC based on no published standards
• Virtually impossible to comply
• Even When PCI-Compliant, Your Organization Could Still be Liable for Data Loss
Which Frameworks are Proven?
FISMA, NIST 800-53, ISO 27001
Each is good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program.
What about the Payment Card Industry Data Security Standard?
12 Key PCI Security Requirements
Control Objective: Build & Maintain Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Control Objective: Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Control Objective: Maintain Vulnerability Management Program
5. Use and regularly update antivirus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
Control Objective: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Control Objective: Regularly Monitor & Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Control Objective: Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
The PCI Baseline
IT’S TRUSTED
• Prescriptive framework
• Vetted process
• Widely adopted
IT’S EFFECTIVE
• Helps manage risk
• Protects brands
• Mitigates loss during breach response
How Do You Secure This Data?
Follow PCI Best Practices
Leverage as strong baseline for all your sensitive data
Has been copied or mirrored by other governing bodies (NACHA for instance)
Includes cross-over into other compliance requirements
Use a Cloud Solution to Decouple Payment Data
• Decouple to secure infrastructure
• Isolate and secure access to sensitive data
• Reduce scope for compliance
• Faster audits and lower costs
[Diagram: authorized users; internal & external system users; large IT environment]
We Trust The Experts For a Reason
A Real-World Case Study
The Company
Popular utility provider secures millions of transactions each month in PCI-compliant cloud.
Region: Southwest
Employees: More than 10,000
Industry: Utilities
Market: Residential & Commercial
Customers: 1 - 5 Million
The Challenge
• Large Southern Retail & Commercial Utility Company
• Leveraged Legacy ERP System for Online Payments
• Couldn’t Meet PCI Compliance
• Entire network was in Scope
The Details
• Traditional Check, Cash, Credit Cards & ACH Payments
• Data-at-Rest Presented PCI Challenge
• Data Existed Throughout Corporate Systems & Network
• Connected to Multiple Third-Party Banking & Payment Applications
The Solution
• Decouple Payment Data from Corporate Environment
• Reduce Scope of PCI Audit
• Tokenization of Payment Data
• Implement Business Continuity Strategy
“By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance.”
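One way to picture the decoupling and tokenization described above, as an added illustration that is not Armor’s code or the utility’s system: a vault inside the isolated, PCI-scoped environment is the only place the card number (PAN) ever lives, the corporate ERP stores just a token and the last four digits, and a discovery check confirms that ERP records carry no card number. The role name `payment-processor`, the `tok_` token format and the sample card number are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, the basic sanity check for a primary account number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible PAN."""
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


class TokenVault:
    """The only component that ever holds a PAN. It runs inside the isolated,
    PCI-scoped payment environment, not in the corporate network."""

    TOKEN_ALPHABET = string.ascii_uppercase   # no digits: a token must never look like a PAN
    DETOKENIZE_ROLES = {"payment-processor"}  # assumed role name for callers allowed to see a PAN

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._token_to_pan = {}          # token -> PAN (vault side only)
        self._fingerprint_to_token = {}  # HMAC(PAN) -> token, so one card maps to one token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: the lookup table holds neither the PAN nor an unkeyed hash of it.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        fp = self._fingerprint(pan)
        if fp in self._fingerprint_to_token:
            return self._fingerprint_to_token[fp]
        token = "tok_" + "".join(secrets.choice(self.TOKEN_ALPHABET) for _ in range(20))
        self._token_to_pan[token] = pan
        self._fingerprint_to_token[fp] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing path may turn a token back into a PAN."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


@dataclass(frozen=True)
class ErpPaymentRecord:
    """What the corporate ERP keeps: enough to show the customer, never a PAN."""
    customer_id: str
    token: str
    last4: str
    amount_cents: int


def accept_payment(vault: TokenVault, customer_id: str, raw_pan: str,
                   amount_cents: int) -> ErpPaymentRecord:
    """Payment intake: the PAN goes to the vault, the ERP gets a token and last four."""
    pan = normalize_pan(raw_pan)
    return ErpPaymentRecord(customer_id, vault.tokenize(pan), pan[-4:], amount_cents)


# 13 to 19 digits, optionally separated by spaces or dashes
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def contains_pan(text: str) -> bool:
    """Cardholder-data discovery check: does this text carry a Luhn-valid card number?
    Run it over ERP exports, logs and backups to confirm they stay out of PCI scope."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # constructed test card number, not a real account
    record = accept_payment(vault, "cust-42", "4111 1111 1111 1111", 1299)
    print(record)
    print("ERP record contains a PAN:", contains_pan(str(record)))
```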
The Infrastructure
• Designed as Fully Redundant Environments
• Included Direct Connections to two Data Centers
• Meets Strict Business Continuity Requirements
• Leverages multiple security layers to thwart targeted attacks
4 LOAD BALANCERS
4 DATABASE SERVERS
4 WEB SERVERS
4 APPLICATION SERVERS
2 MPLS CIRCUITS FOR DIRECT CONNECTION TO ARMOR DATA CENTERS
What’s Your Strategy?
Traditional DIY Approach: Difficult & Complex
• More tools and technologies?
• How much is this going to cost?
• How am I going to implement?
• In what time period?
• Do I have the people and expertise?
Comparing Cloud Responsibility
Key: C = Client-Provided; S = Vendor, Customer-Shared; V = Vendor-Provided
Columns: DIY Cloud / Public Cloud / Secure Managed Cloud

Perimeter
  IP Reputation Filtering                  C / C / V
  DDoS Mitigation                          C / C / V
  Web application firewall                 C / C / V
Network
  Segmentation                             C / S / V
  Network Firewall (Hypervisor based)      C / S / V
  Vulnerability Scanning                   C / C / V
  Secure Remote Access                     C / S / V
  Encryption in Transit                    C / C / S
  Intrusion Detection                      C / C / V
Server/OS
  Hardened Operating System                C / C / V
  Secure Remote Administrative Access      C / S / V
  OS Patching                              C / C / V
  Anti-Virus/Anti-Malware                  C / C / V
  Log Management                           C / C / V
  Time Synchronization                     C / C / V
  File Integrity Monitoring                C / C / V
  Encryption                               C / S / S
  DLP                                      C / C / S
  Configuration Management                 C / C / V
  Host Intrusion Detection                 C / C / V
(layer label not extracted)
  Hardened Hypervisor                      C / S / V
  Virtual Isolated Management              C / V / V
  Secure Storage                           C / V / V
Physical
  Rogue Wireless Scanning                  C / V / V
  24x7 Support Staff                       C / V / V
  Entry Controls                           C / V / V
  Video Monitoring                         C / V / V
  Environmental Controls                   C / V / V
What To Look For From Cloud Vendors
The Key Attributes
• Expertise
• Track record
• Technology
• People
• Process
• Certification
• Ability to execute and deliver
You need to deal with vendors that are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements.
Your vendor should…
• Provide a clear, concise explanation of the specific security controls they include and how these benefit you
• Be able to articulate the boundaries between their responsibility and yours
• Provide you with documentation that backs up their claims about being “Compliant”, including independent audit reports that clearly state the scope of the assessment, the controls framework used and especially how this compliance can be leveraged by YOU
LIGHTEN IT & SECURITY BURDEN
PROTECT YOUR BUSINESS
Focus on Your Business
Leave It to the Experts
Increase Performance
Enhance Scalability
Get Better Security for your Environment
Make Compliance Less Costly and Time Consuming
Reduce Overall Costs
Facilitate BCDR Planning
The Cloud Isn’t Secure Enough for Payment Transactions
The Leader in Active Cyber Defense
Kurt.hagerman@armor.com 1-877-262-3473 x8073
KURT HAGERMAN
Questions?
SEPTEMBER 2015

Contenu connexe

Tendances

Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
PECB
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
ConSanFrancisco123
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Ignyte Assurance Platform
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
 

Tendances (20)

Lisa Guess - Embracing the Cloud
Lisa Guess - Embracing the CloudLisa Guess - Embracing the Cloud
Lisa Guess - Embracing the Cloud
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItData Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify It
 
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
Information Security vs. Data Governance vs. Data Protection: What Is the Rea...
 
Enumerating your shadow it attack surface
Enumerating your shadow it attack surfaceEnumerating your shadow it attack surface
Enumerating your shadow it attack surface
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the Trenches
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)
 
Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration  Fidelis Endpoint® - Live Demonstration
Fidelis Endpoint® - Live Demonstration
 
Making Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software DevelopmentMaking Threat Modeling Useful To Software Development
Making Threat Modeling Useful To Software Development
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply ChainsFortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
 
DLP
DLPDLP
DLP
 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
 
Secure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLPSecure Your Data with Fidelis Network® for DLP
Secure Your Data with Fidelis Network® for DLP
 
Applying intelligent deception to detect sophisticated cyber attacks
Applying intelligent deception to detect sophisticated cyber attacksApplying intelligent deception to detect sophisticated cyber attacks
Applying intelligent deception to detect sophisticated cyber attacks
 
A case for Managed Detection and Response
A case for Managed Detection and ResponseA case for Managed Detection and Response
A case for Managed Detection and Response
 
Computer Hacking Forensic Investigator - CHFI
Computer Hacking Forensic Investigator - CHFIComputer Hacking Forensic Investigator - CHFI
Computer Hacking Forensic Investigator - CHFI
 
Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)Symantec Data Loss Prevention - Technical Proposal (General)
Symantec Data Loss Prevention - Technical Proposal (General)
 
MT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in CybersecurityMT 117 Key Innovations in Cybersecurity
MT 117 Key Innovations in Cybersecurity
 
Advanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective ResponsesAdvanced Persistent Threat - Evaluating Effective Responses
Advanced Persistent Threat - Evaluating Effective Responses
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 

En vedette

Country temperatures
Country temperaturesCountry temperatures
Country temperatures
Worserbay
 

En vedette (11)

Proceso de transporte
Proceso de transporteProceso de transporte
Proceso de transporte
 
Country temperatures
Country temperaturesCountry temperatures
Country temperatures
 
Q4 w6 una celebración
Q4 w6 una celebraciónQ4 w6 una celebración
Q4 w6 una celebración
 
Boleto art posto teles pires
Boleto art posto teles piresBoleto art posto teles pires
Boleto art posto teles pires
 
Around the World in ISO 20022
Around the World in ISO 20022 Around the World in ISO 20022
Around the World in ISO 20022
 
Utk upi 15je001127
Utk upi  15je001127Utk upi  15je001127
Utk upi 15je001127
 
TDC2016POA | Trilha Fintech - Fintechs: Inovação ou Revolução do Sistema Ban...
TDC2016POA | Trilha Fintech -  Fintechs: Inovação ou Revolução do Sistema Ban...TDC2016POA | Trilha Fintech -  Fintechs: Inovação ou Revolução do Sistema Ban...
TDC2016POA | Trilha Fintech - Fintechs: Inovação ou Revolução do Sistema Ban...
 
N26 - NOAH16 London
N26 - NOAH16 LondonN26 - NOAH16 London
N26 - NOAH16 London
 
Fintech regulations presentation
Fintech regulations presentationFintech regulations presentation
Fintech regulations presentation
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
深入淺出 AWS 大數據工具
深入淺出 AWS 大數據工具深入淺出 AWS 大數據工具
深入淺出 AWS 大數據工具
 

Similaire à MYTHBUSTERS: Can You Secure Payments in the Cloud?

Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
EY
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
Ulf Mattsson
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
Valencell, Inc.
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
Darren Argyle
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
Norm Barber
 

Similaire à MYTHBUSTERS: Can You Secure Payments in the Cloud? (20)

Where data security and value of data meet in the cloud ulf mattsson
Where data security and value of data meet in the cloud   ulf mattssonWhere data security and value of data meet in the cloud   ulf mattsson
Where data security and value of data meet in the cloud ulf mattsson
 
CSO CXO Series Breakfast
CSO CXO Series BreakfastCSO CXO Series Breakfast
CSO CXO Series Breakfast
 
Insights into cyber security and risk
Insights into cyber security and riskInsights into cyber security and risk
Insights into cyber security and risk
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
 
EMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the CloudEMEA10: Trepidation in Moving to the Cloud
EMEA10: Trepidation in Moving to the Cloud
 
3433 IBM messaging security why securing your environment is important-feb2...
3433   IBM messaging security why securing your environment is important-feb2...3433   IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
 
ISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloudISSA Atlanta - Emerging application and data protection for multi cloud
ISSA Atlanta - Emerging application and data protection for multi cloud
 
Extending security in the cloud network box - v4
Extending security in the cloud   network box - v4Extending security in the cloud   network box - v4
Extending security in the cloud network box - v4
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
CyberSecurity Update Slides
CyberSecurity Update SlidesCyberSecurity Update Slides
CyberSecurity Update Slides
 
Empired Convergence 2017 - Keeping Pace, Staying Safe in the Digital World
Empired Convergence 2017 - Keeping Pace, Staying Safe in the Digital WorldEmpired Convergence 2017 - Keeping Pace, Staying Safe in the Digital World
Empired Convergence 2017 - Keeping Pace, Staying Safe in the Digital World
 
Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?Does cloud technology belong at your law firm?
Does cloud technology belong at your law firm?
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
How to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-SuiteHow to Raise Cyber Risk Awareness and Management to the C-Suite
How to Raise Cyber Risk Awareness and Management to the C-Suite
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
ICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference PublicationICRTITCS-2012 Conference Publication
ICRTITCS-2012 Conference Publication
 
David valovcin big data - big risk
David valovcin big data - big riskDavid valovcin big data - big risk
David valovcin big data - big risk
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Security Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the HeadlinesSecurity Fact & Fiction: Three Lessons from the Headlines
Security Fact & Fiction: Three Lessons from the Headlines
 

Dernier

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

MYTHBUSTERS: Can You Secure Payments in the Cloud?

  • 1. The Leader in Active Cyber Defense MYTHBUSTERS: Can You Secure Payments in the Cloud? KURT HAGERMAN | CISO, ARMOR SEPTEMBER 2015
  • 2. BETWEEN YOU AND THE THREAT KURT HAGERMAN • CISA- and CISSP-certified • Frequent speaker and author on security for the payments industry, healthcare industry and cloud security • 25-year veteran in IT, security consulting and auditing Chief Information Security Officer | ARMOR
  • 3. Fact or Fiction: Can You Secure Payments in the Cloud?
  • 4. BETWEEN YOU AND THE THREAT • It’s not secure • Not trusted • Loss of control • Lack of compliance • Unknown location of data Myths About the Cloud
  • 6. BETWEEN YOU AND THE THREAT No Easy Task YOU ARE: • Risk-Aware and in tune with your industry’s challenges. • Required to meet numerous and overlapping regulations and mandates. • Faced with customer demand to process sensitive data in online and mobile channels.
  • 7. BETWEEN YOU AND THE THREAT In the first 6 months of 2015 Source: Gemalto RECORDS COMPROMISED EVERY DAY RECORDS COMPROMISED 246,000,000BREACHES 888 RECORDS COMPROMISED EVERY MINUTE RECORDS COMPROMISED EVERY SECOND 169431,400,000 &
  • 8. BETWEEN YOU AND THE THREAT Security spending doubled in past 4 years Many of these organizations were “compliant” on various security frameworks Major shortage in security talent and getting worse Average hacker dwell time is 205 days across enterprises LATEST 2014 2013 2012 2011 A World of Targets
  • 9. BETWEEN YOU AND THE THREAT Where You’re Being Hit More than half of you have been targeted. This is where threat actors attack you most often. 62% of companies were targets of payments fraud in 2014. 77 % 34 % 27 % Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey CHECKS WIRES CREDIT & DEBIT CARDS Most Targeted Methods
  • 11. BETWEEN YOU AND THE THREAT “Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.” Jeremy Epstein Lead Program Director National Science Foundation
  • 12. BETWEEN YOU AND THE THREAT Regulatory Landscape SOX
  • 13. BETWEEN YOU AND THE THREAT Legal Ramifications Evolving “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.” FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia) • Example of Government Overreach • Ruling of “Harm” Left to FTC based on no published standards • Virtually impossible to comply • Even When PCI-Compliant, Your Organization Could Still be Liable for Data Loss
  • 14. BETWEEN YOU AND THE THREAT FISMA NIST 800-53 ISO 27001 Which Frameworks are Proven? Each are good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program. What about the Payment Card Industry Data Security Standard?
  • 15. BETWEEN YOU AND THE THREAT 12 Key PCI Security Requirements CONTROL OBJECTIVES PCI DSS REQUIREMENTS Build & Maintain Secure Network 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks. Maintain Vulnerability Management Program 5. Use and regularly update antivirus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications. Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. Regularly Monitor & Test Networks 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. Maintain an Information Security Policy 12. Maintain a policy that addresses information security.
  • 16. BETWEEN YOU AND THE THREAT IT’S TRUSTED • Prescriptive framework • Vetted process • Widely adopted IT’S EFFECTIVE • Helps manage risk • Protects brands • Mitigates loss during breach response The PCI Baseline
  • 17. How Do You Secure This Data?
  • 18. BETWEEN YOU AND THE THREAT Follow PCI Best Practices Leverage as strong baseline for all your sensitive data Has been copied or mirrored by other governing bodies (NACHA for instance) Includes cross-over into other compliance requirements
  • 19. BETWEEN YOU AND THE THREAT Use a Cloud Solution to Decouple Payment Data • Decouple to secure infrastructure • Isolate and secure access to sensitive data • Reduce scope for compliance • Faster audits and lower costs AUTHORIZED USERS INTERNAL & EXTERNAL SYSTEM USERS LARGE IT ENVIRONMENT
  • 20. BETWEEN YOU AND THE THREAT We Trust The Experts For a Reason
  • 22. BETWEEN YOU AND THE THREAT The Company
    Popular utility provider secures millions of transactions each month in PCI-compliant cloud.
    Region: Southwest
    Employees: More than 10,000
    Industry: Utilities
    Market: Residential & Commercial
    Customers: 1 - 5 Million
  • 23. BETWEEN YOU AND THE THREAT The Challenge
    • Large Southern Retail & Commercial Utility Company
    • Leveraged Legacy ERP System for Online Payments
    • Couldn't Meet PCI Compliance
    • Entire network was in Scope
  • 24. BETWEEN YOU AND THE THREAT The Details
    • Traditional Check, Cash, Credit Cards & ACH Payments
    • Data-at-Rest Presented PCI Challenge
    • Data Existed Throughout Corporate Systems & Network
    • Connected to Multiple Third-Party Banking & Payment Applications
  • 25. BETWEEN YOU AND THE THREAT The Solution
    • Decouple Payment Data from Corporate Environment
    • Reduce Scope of PCI Audit
    • Tokenization of Payment Data
    • Implement Business Continuity Strategy
    "By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance."
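The tokenization and scope-reduction idea from the solution slide, as an added example that is not part of the presentation or Armor's product: a minimal token vault replaces the card number (PAN) with a random token before the corporate ERP ever sees it, and a Luhn-based scan checks that records in the supposedly out-of-scope systems contain no raw PANs. The vault, token format and the test card number are constructed for illustration.

```python
# Added example (not from the presentation): tokenize PANs so only the vault
# is in PCI scope, then scan out-of-scope records for leaked card numbers.
import re
import secrets
import string
from typing import Dict, List

# 13-19 digit runs not embedded in a longer digit run (candidate PANs)
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 6 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-scope component: the only place the PAN is stored.
    Tokens are random, so they cannot be reversed without the vault."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # Letters-only random part: the token can never look like a PAN.
        rnd = "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        token = f"tok_{rnd}_{pan[-4:]}"   # keep last four for customer service
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def find_pans(record: str) -> List[str]:
    """Scope check: Luhn-valid 13-19 digit runs found in a record."""
    return [m for m in PAN_PATTERN.findall(record) if luhn_valid(m)]


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    erp_record = f"customer=1042 method=card ref={token} amount=88.10"
    print(erp_record, "leaked PANs:", find_pans(erp_record))
```

Running `find_pans` over exported ERP, log or backup records is the same check an assessor performs when deciding whether a system is truly out of scope.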
  • 26. BETWEEN YOU AND THE THREAT The Infrastructure
    • Designed as Fully Redundant Environments
    • Included Direct Connections to two Data Centers
    • Meets Strict Business Continuity Requirements
    • Leverages multiple security layers to thwart targeted attacks
    (Diagram: 4 LOAD BALANCERS, 4 DATABASE SERVERS, 4 WEB SERVERS, 4 APPLICATION SERVERS, 2 MPLS CIRCUITS FOR DIRECT CONNECTION TO ARMOR DATA CENTERS)
  • 28. BETWEEN YOU AND THE THREAT Traditional DIY Approach: Difficult & Complex
    • More tools and technologies?
    • How much is this going to cost?
    • How am I going to implement?
    • In what time period?
    • Do I have the people and expertise?
  • 29. BETWEEN YOU AND THE THREAT Comparing Cloud Responsibility
    Key: V = Vendor-Provided, S = Vendor/Customer Shared, C = Client-Provided
    Security Layer | Security Feature                        | DIY Cloud | Public Cloud | Secure Managed Cloud
    Perimeter      | IP Reputation Filtering                 | C | C | V
    Perimeter      | DDoS Mitigation                         | C | C | V
    Perimeter      | Web application firewall                | C | C | V
    Network        | Segmentation                            | C | S | V
    Network        | Network Firewall (Hypervisor based)     | C | S | V
    Network        | Vulnerability Scanning                  | C | C | V
    Network        | Secure Remote Access                    | C | S | V
    Network        | Encryption in Transit                   | C | C | S
    Network        | Intrusion Detection                     | C | C | V
    Server/OS      | Hardened Operating System               | C | C | V
    Server/OS      | Secure Remote Administrative Access     | C | S | V
    Server/OS      | OS Patching                             | C | C | V
    Server/OS      | Anti-Virus/Anti-Malware                 | C | C | V
    Server/OS      | Log Management                          | C | C | V
    Server/OS      | Time Synchronization                    | C | C | V
    Server/OS      | File Integrity Monitoring               | C | C | V
    Server/OS      | Encryption                              | C | S | S
    Server/OS      | DLP                                     | C | C | S
    Server/OS      | Configuration Management                | C | C | V
    Server/OS      | Host Intrusion Detection                | C | C | V
    Virtual        | Hardened Hypervisor                     | C | S | V
    Virtual        | Isolated Management                     | C | V | V
    Virtual        | Secure Storage                          | C | V | V
    Physical       | Rogue Wireless Scanning                 | C | V | V
    Physical       | 24x7 Support Staff                      | C | V | V
    Physical       | Entry Controls                          | C | V | V
    Physical       | Video Monitoring                        | C | V | V
    Physical       | Environmental Controls                  | C | V | V
  • 30. BETWEEN YOU AND THE THREAT What To Look For From Cloud Vendors
    The Key Attributes
      • Expertise
      • Track record
      • Technology
      • People
      • Process
      • Certification
      • Ability to execute and deliver
    You need to deal with vendors that are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements. Your vendor should:
      • Provide a clear, concise explanation of the specific security controls they include and how these benefit you
      • Be able to articulate the boundaries between their responsibility and yours
      • Provide you with documentation that backs up their claims about being "Compliant", including independent audit reports that clearly state the scope of the assessment, the controls framework used and, especially, how this compliance can be leveraged by YOU
  • 31. BETWEEN YOU AND THE THREAT LIGHTEN IT & SECURITY BURDEN / PROTECT YOUR BUSINESS
    • Focus on Your Business
    • Leave It to the Experts
    • Increase Performance
    • Enhance Scalability
    • Get Better Security for your Environment
    • Make Compliance Less Costly and Time Consuming
    • Reduce Overall Costs
    • Facilitate BCDR Planning
  • 32. BETWEEN YOU AND THE THREAT The Cloud Isn’t Secure Enough for Payment Transactions
  • 33. The Leader in Active Cyber Defense Kurt.hagerman@armor.com 1-877-262-3473 x8073 KURT HAGERMAN Questions? SEPTEMBER 2015

Editor's notes

  1. The popular breach chart on the left shows some of the top events that have occurred over the last several years. Hacks are growing in size and frequency although security spending has doubled in the past 4 years. Furthermore, over 50% of hack victims were up-to-date on their specific compliance requirements (PCI, HIPAA, etc.). This isn't going to turn around anytime soon, as we have a major shortage in security talent and the gap is getting wider. We are actually over 200,000 cybersecurity professionals short in the U.S. and over 1 million short worldwide. If we were short 200,000 doctors in the United States we would have a national crisis. We're embarrassed by the performance of the industry, and a major metric we track is dwell time. Dwell time is the period of time from when a hacker infects a machine to when that machine is considered "clean". The average from leading reports like the Verizon data breach report and the FireEye cyber report shows that across enterprises hackers have a dwell time of 205 days. It is absolutely unbelievable to think about a hacker having access to your environment for 205 days. What's further concerning is that the average was 214 days in 2014... Another 80 billion was spent worldwide on cybersecurity and the average improved by 4%. We will discuss this later, but Armor's average hacker dwell time is 2 days and we're working on ways to move from days to minutes.
  2. What other regulatory entities are leveraging the PCI framework? And why is this important to treasury management professionals?
  3. Organizations such as yours have a daunting task.