The Leader in Active Cyber Defense
MYTHBUSTERS: Can You Secure Payments in the Cloud?
KURT HAGERMAN | CISO, ARMOR
SEPTEMBER 2015
BETWEEN YOU AND THE THREAT
KURT HAGERMAN
• CISA- and CISSP-certified
• Frequent speaker and author on security for the payments industry, healthcare industry and cloud security
• 25-year veteran in IT, security consulting and auditing
Chief Information Security Officer | ARMOR
Fact or Fiction: Can You Secure Payments in the Cloud?
Myths About the Cloud
• It’s not secure
• Not trusted
• Loss of control
• Lack of compliance
• Unknown location of data
You Against Them
No Easy Task
YOU ARE:
• Risk-Aware and in tune with your industry’s challenges.
• Required to meet numerous and overlapping regulations and mandates.
• Faced with customer demand to process sensitive data in online and mobile channels.
In the first 6 months of 2015
• Breaches: 888
• Records compromised: 246,000,000
• Records compromised every day: 1,400,000
• Records compromised every minute: 943
• Records compromised every second: 16
Source: Gemalto
A World of Targets
• Security spending doubled in past 4 years
• Many of these organizations were “compliant” on various security frameworks
• Major shortage in security talent and getting worse
• Average hacker dwell time is 205 days across enterprises
Figure: breached organizations by year, 2011, 2012, 2013, 2014 and latest. NONE SECURED IN THE CLOUD.
Where You’re Being Hit
More than half of you have been targeted. This is where threat actors attack you most often.
62% of companies were targets of payments fraud in 2014.
Most Targeted Methods
• Checks: 77%
• Credit & debit cards: 34%
• Wires: 27%
Source: Association for Financial Professionals 2015 Payments Fraud & Control Survey
The Compliance Landscape
“Why is cybersecurity so hard? In general, it’s hard because attacks & defenses evolve together: A system that was secure yesterday might no longer be secure tomorrow.”
Jeremy Epstein, Lead Program Director, National Science Foundation
Regulatory Landscape
SOX
Legal Ramifications Evolving
“It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
FTC v. Wyndham Worldwide Corp., 14-3514, U.S. Court of Appeals for the Third Circuit (Philadelphia)
• Example of Government Overreach
• Ruling of “Harm” Left to FTC based on no published standards
• Virtually impossible to comply
• Even When PCI-Compliant, Your Organization Could Still be Liable for Data Loss
Which Frameworks are Proven?
FISMA, NIST 800-53, ISO 27001
Each is good. But they lack the prescriptiveness needed to help you build or evaluate a strong security program.
What about the Payment Card Industry Data Security Standard?
12 Key PCI Security Requirements
Control Objective: Build & Maintain Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Control Objective: Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
Control Objective: Maintain Vulnerability Management Program
5. Use and regularly update antivirus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
Control Objective: Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
Control Objective: Regularly Monitor & Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Control Objective: Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
The PCI Baseline
IT’S TRUSTED
• Prescriptive framework
• Vetted process
• Widely adopted
IT’S EFFECTIVE
• Helps manage risk
• Protects brands
• Mitigates loss during breach response
How Do You Secure This Data?
Follow PCI Best Practices
• Leverage as strong baseline for all your sensitive data
• Has been copied or mirrored by other governing bodies (NACHA for instance)
• Includes cross-over into other compliance requirements
Use a Cloud Solution to Decouple Payment Data
• Decouple to secure infrastructure
• Isolate and secure access to sensitive data
• Reduce scope for compliance
• Faster audits and lower costs
Figure: diagram of a LARGE IT ENVIRONMENT with INTERNAL & EXTERNAL SYSTEM USERS, and AUTHORIZED USERS of the decoupled payment data.
We Trust The Experts For a Reason
A Real-World Case Study
The Company
Popular utility provider secures millions of transactions each month in PCI-compliant cloud.
Region: Southwest
Employees: More than 10,000
Industry: Utilities
Market: Residential & Commercial
Customers: 1 - 5 Million
The Challenge
• Large Southern Retail & Commercial Utility Company
• Leveraged Legacy ERP System for Online Payments
• Couldn’t Meet PCI Compliance
• Entire network was in Scope
The Details
• Traditional Check, Cash, Credit Cards & ACH Payments
• Data-at-Rest Presented PCI Challenge
• Data Existed Throughout Corporate Systems & Network
• Connected to Multiple Third-Party Banking & Payment Applications
The Solution
• Decouple Payment Data from Corporate Environment
• Reduce Scope of PCI Audit
• Tokenization of Payment Data
• Implement Business Continuity Strategy
“By decoupling data from monolithic IT environments, utilities, eCommerce, retailers and other financial institutions are able to reduce the risk of data breaches and achieve PCI compliance.”
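The decoupling and tokenization approach described in the two slides above (Use a Cloud Solution to Decouple Payment Data, and The Solution) can be illustrated with a small model. The following Python is an added example, not code from this deck or from Armor: an in-memory dict stands in for the token vault's isolated datastore, the role name "payment-processor" is hypothetical, and the card number used is the well-known Visa test number, a constructed sample rather than a real card. It shows the corporate system keeping only a token and the last four digits, the vault being the sole component that can return a PAN, and a Luhn-backed scan that a team can run over corporate records to confirm no PANs have crept back into scope.

```python
import re
import secrets
import string

# Added example, not from the original deck. Models tokenization as a way to keep
# primary account numbers (PANs) out of the corporate environment so that only the
# vault remains in PCI scope. The dict below stands in for the vault's isolated
# datastore; the role names are hypothetical.

# Candidate PANs: 13 to 19 digits, optional space or hyphen separators.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: validates input and cuts false positives in find_pans."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a syntactically valid PAN")
    return digits


class TokenVault:
    """The only component allowed to hold PANs; it lives in the isolated, in-scope segment."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}  # token -> PAN (stand-in for the vault DB)

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        # Random, letters-only body so a token can never be mistaken for a PAN;
        # the last four digits are kept because billing screens need them.
        body = "".join(secrets.choice(string.ascii_uppercase) for _ in range(16))
        token = f"tok_{body}_{digits[-4:]}"
        self._store[token] = digits
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the payment-processing role may ever see a full PAN (hypothetical role name).
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._store[token]


def process_payment(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the corporate (out-of-scope) system is allowed to keep: token, last four, amount."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


def find_pans(text: str) -> list[str]:
    """Scope check: Luhn-valid PANs that leaked into corporate data (notes, logs, exports)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: the well-known Visa test number, not a real card.
    record = process_payment(vault, "4111 1111 1111 1111", 42.50)
    print(record)                                               # token and last4 only
    print(find_pans(str(record)))                               # [] -> nothing in scope
    print(find_pans("note: card 4111-1111-1111-1111 kept in CRM"))  # a PAN leaked
```

The scope check is the part worth keeping around after the migration: run find_pans over database exports, ticket notes and application logs from the corporate side, and any hit means cardholder data has re-entered the environment the tokenization was meant to take out of scope.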
The Infrastructure
• Designed as Fully Redundant Environments
• Included Direct Connections to two Data Centers
• Meets Strict Business Continuity Requirements
• Leverages multiple security layers to thwart targeted attacks
4 LOAD BALANCERS
4 DATABASE SERVERS
4 WEB SERVERS
4 APPLICATION SERVERS
2 MPLS CIRCUITS FOR DIRECT CONNECTION TO ARMOR DATA CENTERS
What’s Your Strategy?
Traditional DIY Approach: Difficult & Complex
• More tools and technologies?
• How much is this going to cost?
• How am I going to implement?
• In what time period?
• Do I have the people and expertise?
Comparing Cloud Responsibility
Key: C = Client-Provided, S = Vendor, Customer-Shared, V = Vendor-Provided

Security Layer   Security Feature                       DIY Cloud   Public Cloud   Secure Managed Cloud
Perimeter        IP Reputation Filtering                C           C              V
Perimeter        DDoS Mitigation                        C           C              V
Perimeter        Web application firewall               C           C              V
Network          Segmentation                           C           S              V
Network          Network Firewall (Hypervisor based)    C           S              V
Network          Vulnerability Scanning                 C           C              V
Network          Secure Remote Access                   C           S              V
Network          Encryption in Transit                  C           C              S
Network          Intrusion Detection                    C           C              V
Server/OS        Hardened Operating System              C           C              V
Server/OS        Secure Remote Administrative Access    C           S              V
Server/OS        OS Patching                            C           C              V
Server/OS        Anti-Virus/Anti-Malware                C           C              V
Server/OS        Log Management                         C           C              V
Server/OS        Time Synchronization                   C           C              V
Server/OS        File Integrity Monitoring              C           C              V
Server/OS        Encryption                             C           S              S
Server/OS        DLP                                    C           C              S
Server/OS        Configuration Management               C           C              V
Server/OS        Host Intrusion Detection               C           C              V
                 Hardened Hypervisor                    C           S              V
                 Virtual Isolated Management            C           V              V
                 Secure Storage                         C           V              V
                 Rogue Wireless Scanning                C           V              V
Physical         24x7 Support Staff                     C           V              V
Physical         Entry Controls                         C           V              V
Physical         Video Monitoring                       C           V              V
Physical         Environmental Controls                 C           V              V
What To Look For From Cloud Vendors
The Key Attributes
• Expertise
• Track record
• Technology
• People
• Process
• Certification
• Ability to execute and deliver
You need to deal with vendors that are transparent about how what they do directly assists you in mitigating risk and addressing your compliance requirements.
Your vendor should…
• Provide a clear, concise explanation of the specific security controls they include and how these benefit you
• Be able to articulate the boundaries between their responsibility and yours
• Provide you with documentation that backs up their claims about being “Compliant”, including independent audit reports that clearly state the scope of the assessment, the controls framework used and especially how this compliance can be leveraged by YOU
LIGHTEN IT & SECURITY BURDEN
PROTECT YOUR BUSINESS
Focus on Your Business
Leave It to the Experts
Increase Performance
Enhance Scalability
Get Better Security for your Environment
Make Compliance Less Costly and Time Consuming
Reduce Overall Costs
Facilitate BCDR Planning
The Cloud Isn’t Secure Enough for Payment Transactions: BUSTED
[email protected] 1-877-262-3473 x8073
KURT HAGERMAN
Questions?
SEPTEMBER 2015