Meeting the Compliance Challenge

Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure
Defining the Challenge
Cost of Breaches Continues to Rise
• An increase in the total average cost of a data breach:
  • For each reporting company, the average cost of a data breach was more than $8.9 million per breach and ranged from $1.4 million to $46 million, a 6% increase from 2011.
• An increase in lost business due to data breach:
  • Lost business from denial of service, malicious insider and web-based attacks accounts for 58% of data breach costs, averaging $591,780 with a 24-day duration to resolve the attack, a 42% increase from 2011.
• An increase in third-party data breaches:
  • Companies averaged 102 successful attacks per week, up from 72 last year.
• An increase in disruption to business in response to breach:
  • Information theft accounts for 44% of external costs, up 4% from 2011.
  • Disruption to business and lost productivity accounts for 30% of external cost, up 1% from 2011. Recovery and detection accounted for 47% of internal activity cost.
Merchant Costs for a PCI Breach
• Card replacement costs now averaging about $4 per item
• Compliance fines now ranging from about $5,000 to $50,000 per event for a small merchant (III, IV)
• Cost of forensic examination averaging between $25,000 and $35,000 per event for these same merchants
• Additional fines for actual fraudulent utilization of stolen PAN vary
Breach Example
TJX: The “Pearl Harbor” of Credit Card Breaches (01/2007)
• Hackers spent 18 months exploiting weak wireless security outside thousands of TJX stores
• 45.7 million credit and debit cards were stolen
• TJX stated the breach cost > $256 million
• Still incurring related expenses in years after the breach
• The average cost per breached card will be between $90 and $305
• Business and reputation costs are even greater
Consequences: New Oversight
Federal Trade Commission Response
• As a consequence of the breach TJX Stores announced in 2007, the FTC took enforcement action by treating the breach as an “unfair trade practice”
• State and local privacy laws are also increasingly applied to information security breaches
• What had been an industry challenge is now a regulatory challenge

PCI DSS
PCI Security Standards Council
Founders: Payment Brands
Participating Organizations:
Merchants, Banks, Processors, Developers, POS Vendors
Developing Standards
• Established in 2006, the Security Standards Council was formed to coordinate the information security programs of the founding payment brands.
• The PCI Security Standards Council has established multiple standards for the industry, including equipment manufacturers, payment software application developers, merchants and merchant service providers:
  • Manufacturers: PCI PTS
  • Software Developers: PCI PA-DSS
  • Merchants & Processors: PCI DSS
The PCI DSS
The PCI Data Security Standard
• The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process, or transmit cardholder data.
• The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS regardless of transaction volume.

Elements of the PCI Data Security Standard

Moving to the Cloud
Understanding the Cloud
Deployment Models
• Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
• Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
• Hybrid: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Understanding the Cloud
Service Models
• Software as a Service (SaaS) – Capability for clients to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
• Platform as a Service (PaaS) – Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
• Infrastructure as a Service (IaaS) – Capability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.
The Cloud Compliance Challenge: PCI DSS
What makes the cloud different?
• The cloud is relatively new technology and may be misunderstood.
• Clients may have limited visibility into the service provider’s underlying infrastructure and the related security controls.
• Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
• It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
• Public cloud environments are usually designed to allow access from anywhere on the Internet.

Meeting the Challenge
Assessing PCI DSS Compliance
• Study the PCI DSS Standard
  • Learn what the standard requires of your business.
• Inventory IT Assets and Processes
  • Identify all systems, personnel and processes involved in the transmission, processing or storing of cardholder data.
• Find Vulnerabilities
  • Use the appropriate SAQ to guide the assessment, and appropriate technologies to locate insecure systems.
• Validate with Third-Party Experts
  • Your environment’s complexity may require a Qualified Security Assessor and/or Approved Scanning Vendor to execute a proper assessment.
Tips for Successful PCI DSS Compliance
Tip #1 – Start Early
• Begin in the early stages of deciding to accept payment cards
• Perform an initial gap analysis
• Follow the PCI Prioritized Approach to avoid hitting big issues late in the project
• Select a QSA early in the project
Tip #2 – Manage as a Project
• Follow project management tenets: get a project sponsor, create a core team, and make a project charter
Tip #3 – Limit scope as much as possible
• Segregate the cardholder data environment to the maximum extent possible. As data expands across the network, the compliance scope increases many times over.
Tip #4 – Look beyond checklists and tools: follow the intent behind controls
• Leverage the opinion of your QSA and the guidance documents from the Council on the intent of each requirement to avoid getting lost in technicalities
Tip #5 – Compliance with another standard is not enough
• PCI DSS serves a specific purpose: protection of payment card data; being compliant with another information security standard may not be sufficient
Tip #6 – Validate your Vendors’ Compliance
• Compliance of service providers is as important as that of the merchant
• Even when you outsource an activity, you are still responsible for compliance
Control in the Cloud
Cloud Service Stack (typical)
An x marks the layers that fall within the provider’s stack under each cloud service model.

Cloud Layer | IaaS | PaaS | SaaS
Data | | |
Interfaces (APIs, GUIs) | | |
Applications | | | x
Solution Stack (programming languages) | | | x
Operating System (OS) | | x | x
Virtual Machines | | x | x
Virtual Network Infrastructure | | x | x
Hypervisors | x | x | x
Processing and Memory | x | x | x
Data Storage (hard drives, removable disks, backups, etc.) | x | x | x
Network (interfaces and devices, communications infrastructure) | x | x | x
Physical Facilities / Data Centers | x | x | x
Responsibility in the Cloud
Control split between Client and Service Provider by service model:
• SaaS: The client may have limited control of user-specific application configuration settings.
• PaaS: The client has control over the deployed applications and possibly configuration settings for the application-hosting environment.
• IaaS: The client has control over operating systems, storage, deployed applications and possibly limited control of select networking components (e.g. host firewalls).
Cloud Considerations
Sample of PCI Responsibilities in the Cloud
Requirement | IaaS | PaaS | SaaS
1: Install and maintain a firewall configuration to protect cardholder data. | Both | Both | CSP
2: Do not use vendor-supplied defaults for system passwords and other security parameters. | Both | Both | CSP
3: Protect stored cardholder data. | Both | Both | CSP
4: Encrypt transmission of cardholder data across open, public networks. | Client | Both | CSP
5: Use and regularly update anti-virus software or programs. | Client | Both | CSP
6: Develop and maintain secure systems and applications. | Both | Both | Both
7: Restrict access to cardholder data by business need to know. | Both | Both | Both
8: Assign a unique ID to each person with computer access. | Both | Both | Both
9: Restrict physical access to cardholder data. | CSP | CSP | CSP
10: Track and monitor all access to network resources and cardholder data. | Both | Both | CSP
11: Regularly test security systems and processes. | Both | Both | CSP
12: Maintain a policy that addresses information security for all personnel. | Both | Both | Both
PCI DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. | CSP | CSP | CSP
Questions for Service Providers
• How long has the service provider been PCI DSS compliant?
• When was its last validation?
• What specific services and PCI DSS requirements were included in the validation?
• What specific facilities and system components were included in the validation?
• Ask for proof:
  • Copy of the AOC
  • Applicable sections of the ROC
Other Considerations
• Governance, Risk and Compliance
• Risk Management
• Due Diligence
• Service Level Agreements (SLAs)
• Business Continuity and Disaster Recovery
• Human Resources
• Physical Security
• Technical Security
• Identity and Access Management
• Logging and Audit Trails

The 3 elements of comprehensive compliance
Cloud Considerations
Sample of PCI Responsibilities in the Cloud
Requirement | IaaS | MSSP
1: Install and maintain a firewall configuration to protect cardholder data. | Both | Both
2: Do not use vendor-supplied defaults for system passwords and other security parameters. | Both | Both
3: Protect stored cardholder data. | Both | Client
4: Encrypt transmission of cardholder data across open, public networks. | Client | Both
5: Use and regularly update anti-virus software or programs. | Client | Both
6: Develop and maintain secure systems and applications. | Both | Both
7: Restrict access to cardholder data by business need to know. | Both | Both
8: Assign a unique ID to each person with computer access. | Both | Both
9: Restrict physical access to cardholder data. | CSP | CSP
10: Track and monitor all access to network resources and cardholder data. | Both | Both
11: Regularly test security systems and processes. | Both | Both
12: Maintain a policy that addresses information security for all personnel. | Both | Both
PCI DSS Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. | CSP | CSP
Ongoing Process
PCI Compliance is an Ongoing Process of Continuous Monitoring and Improvement: a cycle of Assess, Remediate and Report. The assessment stage is key.
THANK YOU!