Time to re think our security process
0 likes446 views
Ulf Mattsson discusses the evolution of data security practices and the importance of understanding and managing sensitive data in compliance with PCI DSS standards. He emphasizes the shift towards rapid detection and response strategies in cybersecurity and the increasing outsourcing of information security services. The document outlines key industry trends, challenges, and compliance requirements relevant to organizations handling sensitive information.
Time to re think our security process
- 1. 1 1 Time to Re-think our Security Process Ulf Mattsson, Chief Technology Officer, Compliance Engineering umattsson@complianceengineers.com www.complianceengineers.com
- 2. 2 Ulf Mattsson Inventor of more than 25 US Patents Industry Involvement PCI DSS - PCI Security Standards Council • Encryption & Tokenization Task Forces, Cloud & Virtualization SIGs IFIP - International Federation for Information Processing • WG 11.3 Data and Application Security CSA - Cloud Security Alliance ANSI - American National Standards Institute • ANSI X9 Tokenization Work Group NIST - National Institute of Standards and Technology • NIST Big Data Working Group User Groups • Security: ISSA & ISACA • Databases: IBM & Oracle
- 3. 3 My work with PCI DSS Standards Payment Card Industry Security Standards Council (PCI SSC) 1. PCI SSC Tokenization Task Force 2. PCI SSC Encryption Task Force 3. PCI SSC Point to Point Encryption Task Force 4. PCI SSC Risk Assessment SIG 5. PCI SSC eCommerce SIG 6. PCI SSC Cloud SIG 7. PCI SSC Virtualization SIG 8. PCI SSC Pre-Authorization SIG 9. PCI SSC Scoping SIG Working Group 10. PCI SSC 2013 – 2014 Tokenization Task Force
- 4. 4
- 5. 5 Encryption Usage - Mature vs. Immature Companies Source: Ponemon - Encryption Application Trends Study • June 2016 Lessuseofencryption Do we know our sensitive data? Big Data Public Cloud
- 6. 6 Not Knowing Where Sensitive Data Is Source: The State of Data Security Intelligence, Ponemon Institute, 2015
- 7. 7 Not Managing Risks to Sensitive Data Source: The State of Data Security Intelligence, Ponemon Institute, 2015 Access Patterns Data Discovery Data Access
- 8. 8
- 9. 9 Cloud Providers Not Becoming Security Vendors • There is great demand for security providers that can offer orchestration of security policy and controls that span not just multicloud environments but also extend to on-premises infrastructure • Customers are starting to realize that the responsibility for mitigating risks associated with user behavior lies with them and not the CSP — driving them to evaluate a strategy that allows for incident detection, response and remediation capabilities in cloud environments Source: Gartner: Market Trends: Are Cloud Providers Becoming Security Vendors? , May 2016
- 10. 10 • Centrally managed security policy • Across unstructured and structured silos • Classify data, control access and monitoring • Protection – encryption, tokenization and masking • Segregation of duties – application users and privileged users • Auditing and reporting 2014: Data–Centric Audit and Protection (DCAP) Source: Gartner – Market Guide for Data – Centric Audit and Protection (DCAP), Nov 21 2014
- 11. 11 • IT risk and security leaders must move from trying to prevent every threat and acknowledge that perfect protection is not achievable. • Organizations need to detect and respond to malicious behaviors and incidents, because even the best preventative controls will not prevent all incidents. • By 2020, 60% of enterprise information security budgets will be allocated for rapid detection andr esponse approaches, up from less than 20% in 2015. 2016: Shift Cybersecurity Investment Source: Gartner - Shift Cybersecurity Investment to Detection and Response, 7 January 2016
- 12. 12 Security Outsourcing Fastest Growth The information security market is estimated to have grown 13.9% in revenue in 2015 with the IT security outsourcing segment recording the fastest growth (25%). Source: Gartner Forecast: Information Security, Worldwide, 2014-2020, 1Q16 Update
- 13. 13
- 14. 14 FS-ISAC Summit about “Know Your Data” • Encryption at rest has become the new norm • However, that’s not sufficient • Visibility into how and where it flows during the course of normal business is critical Source: On May 18, 2016 Lawrence Chin reported from the FS-ISAC Summit
- 15. 15
- 16. 16 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data storage Discovery Results Supporting Compliance 1. Limiting data storage amount and retention time to that which is required for legal, regulatory, and/or business requirements 2. Specific retention requirements for cardholder data 3. Processes for secure deletion of data when no longer needed 4. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention. Old PCI DSS Requirement 3.1
- 17. 17 • PCI DSS v2 did not have data flow in the 12 requirements, but mentioned it in “Scope of Assessment for Compliance with PCI DSS Requirements.” • PCI DSS v3.1 added data flow into a requirement. • PCI DSS v3.2 added data discovery into a requirement. New PCI DSS 3.2 Standard – Data Discovery Source: PCI DSS 3.2 Standard: data discovery (A3.2.5, A3.2.5.1, A3.2.6) for service providers
- 18. 18 18 Example of A Discovery Process Scoping Asset Classification Job Scan Definition Scanning Analysis Reporting Remediation PCI DSS 3.2 Requirement - Discovery
- 19. 19 Example - Discovery Scanning Job Status List
- 20. 20 Discovery Deployment Example Example of Customer Provisioning: • Virtual host to load Software or Appliance • User ID with “Read Only” Access • Firewall Access ApplianceDiscovery Admin Examples
- 21. 21 STEP 4: The scanning execution can be monitored by Provider and the customer via a Job Scheduler interface Discovery Process (Step 4) – Scanning Job Lists
- 22. 22 I think it is Time to Re-think our Security Process
- 23. 23 Are You Ready for PCI DSS 3.2 Requirement – Security Control Failures?
- 24. 24 SOCTools 24/7 Eyes on Glass (EoG) monitoring, Security Operations Center (SOC) Managed Tools Security Service Software as a Service (SaaS) data discovery solution Security Tools and Integrated Services Discovery Security Tools and Integrated Services
- 25. 25 Compliance Assessments • PCI DSS & PA Gap • HIPAA (2013 HITECH) • SSAE 16-SOC 2&3* • GLBA, SOX • FCRA, FISMA • SB 1385, ISO 27XXX • Security Posture Assessments (based on industry best practices) • BCP & DRP (SMB market) Professional Security Services • Security Architecture • Engineering/Operat ions • Staff Augmentation • Penetration Testing • Platform Baseline Hardening (M/F, Unix, Teradata, i- Series, BYOD, Windows) • IDM/IAM/PAM architecture • SIEM design, operation and implementation • eGRC Readiness & Deployment E Security & Vendor Products • Data Discovery • Managed Tools Security Service • Data Loss Protection • SIEM & Logging • Identity and Access Management • EndPoint Protection • Network Security Devices • Encryption • Unified Threat • Multi-factor Authentication Managed Security Services • MSSP/SOC • SIEM 365 • Data Center SOC • IDM/IAM Security Administration • Healthcare Infrastructure Solutions (2013 3rd Qtr. • Vulnerability Scans • Penetration Testing Samples of Our Services
- 26. 26 26 Ulf Mattsson, Chief Technology Officer, Compliance Engineering umattsson@complianceengineers.com www.complianceengineers.com