Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet

© SafeNet Confidential and Proprietary
1
Alexandre Bento
alexandre.bento@safenet-inc.com
Tecnologías para el Cumplimiento

2
Agenda
 ¿Quién es Safenet?
 Market Background PCI
 Desafíos para PCI
 Soluciones SafeNet para PCI
 Caso de Éxito

3
¿Quien es Safenet?

4
SafeNet Fact Sheet
La compañía más grande enfocada exclusivamente en la
protección de la información de alto valor.
Fundada: 1983
Capital: Privado
Éxito Global con más de 25.000 clientes en 100
paises
Empleados: Alrededor de 1.500 en 25 paises,
Reconocido liderazgo en Tecnología de Seguridad,
más de 550 ingenieros expertos en cifrado
Acreditados con los productos certificados en los más
altos estándares de seguridad

5
Líder en Confianza.
Protegemos cosas como:
> la mayoría del dinero que se mueve en el mundo. 80% de todas las
transferencias intrabancarias -SWIFT- $1 trillón por día
> la mayoría de las identidades digitales en el mundo. 84% de la cuota de
mercado de protección de claves raíces de PKI (Salomon Smith Barney) -
módulos criptográficos (HSMs)
> el número 1 en cifrado de conexiones WAN alta velocidad para Frame
Relay, ATM, líneas dedicadas y Ethernet
> el número 1 en Tokens USB en el mundo (IDC)

6
Market Background PCI

7
¿Cuales son las amenazas?
Fuente: Ponemon Institute, 2009

8
La Evolución de las Incidencias

9
¿Objetivo de los Ataques?
 Data, Data and more Data
 Vulnerabilities

10
 Vulnerabilities

11
 Vulnerabilities

12
 Vulnerabilities

13
Fraude Online en Alta
Fuente: Anti-Phishing Working Group, marzo 2009
El número de páginas web infectando PCs con programas
diseñados para el robo de contraseñas alcanzo las 31,173 en
diciembre 2009, un incremento de 827 % desde enero de 2008.
Phishing: $3.2 Mil
Millones de Dólares
en 2007 solo en
EEUU
Gartner Dic. 2007

14
¿Cómo logran hacerlo?
 Troyanos, Key loggers, Root kits
 Vulnerabilidad Web o Aplicación
 Miembro de la organización que se deja corromper

15
¿Cómo logran hacerlo?
 Trojans, Key loggers, Root kits
 Web or Application Vulnerabilities
 The corruptible insider

16
¿Cuanto están costando?
Fuente: Ponemon Institute, 2009
47%

17
Desafios para PCI

18
¿PCI DSS es El Suelo o El Techo ?
• ―PCI DSS es El Techo‖
• Obstáculos a la Implementación―¿excusas?‖
• Demasiado Complejo
• No está al día con las actuales amenazas
• Demasiado tiempo para implementar
• Demasiado costoso para cumplir
• ―PCI DSS es solo El Suelo‖
• Apalancar la Inversión
• Mayor Protección
• 50% Ventaja de Coste

19
¿Cuanto está Costando?
Allocation of PCI Investment Best-in-Class All Others
Cost to achieve initial compliance $520K $958K
Time to report 11 mo 11 mo
Annual cost to sustain compliance $135K $300K
Average time since first reporting 2.0 yrs 2.3 yrs
Average total spend on PCI compliance $784K $1,642K
Build & Maintain a Secure Network $197K $375K
Protect Cardholder Data $186K $399K
Maintain a Vulnerability Mgmt Program $88K $188K
Implement Strong Access Control $93K $211K
Regularly Monitor and Test $124K $317K
Maintain an IS Policy $97K $152K
Fuente: Aberdeen Group, 2009

20
Buenas Prácticas
 Es protección, no una Casilla de Punteo
 Implique a los stakeholders
 Descubrimiento y clasificación de los datos
 Establezca el modelo de la amenaza
 Documente y defina las políticas de seguridad y los
procedimientos
 Determine dónde proteger datos

21
¿Cómo está la Industria hoy?
Objective Requirement Current
Capability
Known
Incidents
Avg. PCI
Spend
Build &
Maintain
Secure
Network
1. Firewall Configurations 85% 16% $250K
2. No Default Passwords 16%
Protect
Cardholder
Data
3. Protect Stored Cardholder Data 71% 23% $242K
4. Encrypt Transmission Across Networks 12%
Maintain
Vulnerability
Mgmt Program
5. Use &Update Antivirus Software 61% 19% $114K
6. Develop & Maintain Secure Applications 28%
Strong Access
Control
7. Restrict Access Business Need-to-Know 65% 24% $124K
8. Assign a Unique ID 18%
9. Restrict Physical Access 15%
Regularly
Monitor & Test
10. Track and Monitor Network Access 78% 23% $169K
11. Regularly Test Security Systems 22%
Maintain IS
Policy
12. Maintain Policies for IS 83% 23% $118K
Fuente: Aberdeen Group, 2009

22
Soluciones de Safenet para PCI

23
Proteja los datos del titular de la tarjeta que fueron
almacenadosReq. 3
Hard Disk Encryption
SafeNet ProtectDrive
Data Tokenization
SafeNet DataSecure
SafeNet Hardware Security Modules
File/Folder Encryption
SafeNet ProtectFile Unstructured Data
Database Encryption
SafeNet DataSecure for Structured Data

24
SafeNet DataSecure Platform
Intelligent Data Protection
DataSecure is the industry’s
most trusted platform to
provide intelligent data
protection for ALL
information assets—both
structured and unstructured,
using centralized:
key management
policy management
logging and auditing
Business Needs SafeNet Solution
Protect sensitive data at
the web, application,
mainframe, database
tiers, including file
servers
Protect Data at Risk –
Most flexible and scalable
hardware-based encryption
platform for heterogeneous
environments
Implement data
encryption controls for
compliance
Comply w/ Legislation –
Proven compliance with laws
requiring protection of
sensitive information
Reduce cost &
complexity with secure
key management and
centralized policy
management
Reduce Operational Cost –
Ease of management and
administration with best-in-
class security management
console

25
SafeNet DataSecure
Data Protection, Key, and Policy Management
Mainframes
Web/App
Servers
Endpoint
Devices
Network Shares
File Servers

26
DataSecure Database Integration
• Database Connectors
• Oracle 8i, 9i, 10g, 11g
• IBM DB2 version 8, 9
• IBM UDB version 8, 9
• Microsoft SQL Server 2000, 2005,
2008
• Teradata 12
• Application changes not required
• Batch processing tools for managing
large data sets
• Vendor Transparent Database
Integration
• SQL Server 2008
• Oracle 11g
Customer
Database

27
• Software Libraries
• Microsoft .NET, CAPI
• JCE (Java)
• PKCS#11 (C/C++)
• SafeNet ICAPI (C/C++)
• z/OS (Cobol, Assembler, etc.)
• XML
• Support for virtually all application and
web server environments
DataSecure Application Integration
Reporting
Application
Customer
Database
E-Commerce
Application

28
ProtectFile and ProtectDrive
 File Protection for PCs, File
Servers, and Network Shares
Windows Server 2003
Windows XP, Vista
RHEL 4, 5
 File Server Encryption
File Encryption Keys (FEKs)
protect files on disk
FEKs are encrypted with a Key
Encryption Key (KEK) that
resides on the DataSecure
appliance
 Policy configured on
DataSecure and pushed to file
systems
 Mobile Handset Support
 Full Disk Encryption with
ProtectDrive
End User
Laptop
Network Shares
Corporate
File Server

29
 File & Folder encryption whilst cryptographically
enforcing user and group permission-based access to
confidential data.
Protection of workgroup data against unauthorized access
File & Folder Encryption

30
 DataSecure—acts as the ―vault‖ for
sensitive data values and token by protecting
with strong encryption and key management
 Token Manager—replaces sensitive data
with format-preserving tokenization via:
Secure Message Layer - SOA-based interface,
callable from anywhere
Protected Zone - host of the Secure Message
Layer, handles calling DataSecure and generating tokens
DataSecure Tokenization
Protected
Zone
DataSecure
Secure
Message Layer
DataSecure
Token Manager

31
¿Que es la Tokenización?
 On the most basic level –
Replacement of sensitive structured data with
data of a similar size that is not sensitive (a
―token‖)
Stores sensitive data in an encrypted protected
zone
 More sophisticated approaches involve –
1-to-1 mapping of tokens to sensitive data
(referential integrity)
Presentation Options:
Masked data: XXXXX6789
Data with dashes in it: 123-45-6789
Token type options:
Purely random digits
Sequential
First two/last four, first six, etc.
 Benefits –
Data protection is
―transparent‖ to pure end
users and systems
Only the ―protected zone‖
remains in scope of
compliance audits
Only authenticated end
users or systems can access
data in the clear from the
protected zone

32
DataSecure Token Manager
 DataSecure—locks the ―vault‖ for
sensitive data values and token with strong
encryption and key management
 Token Manager—replaces sensitive
data with format-preserving tokenization
via:
Secure Message Layer— SOA-
based interface, callable from anywhere
Protected Zone— host of the Secure
Message Layer, handles calling DataSecure
and generating tokens
ProtectedZone
DataSecure
Secure Message
Layer
Data Vault

33
ProtectedZone
DataSecure
Secure Message
Layer
Data Vault
Tokenization Use Case – Credit Card #’s
PCI Auditor for
Compliance

34
SafeNet DataSecure Interface

35
SafeNet DataSecure Interface

36
 Disk encryption of desktops – in conjunction with
Certificate Services
 Access to Pre-Boot Authentication only with
Token/Certificate – no UserID/Password Logon
Protection of all data in case of theft, loss and end of life
Disk Encryption

37
Codifique la transmisión de los datos de los titulares de las
tarjetas a través de redes públicas abiertas
Encrypt Network Communications
SafeNet High Speed Ethernet Encryption
Req. 4

38
Network Encryption
 Edge Layer- SSL/IPSec
 Boundary Layer- MPLS,
ATM, Frame Relay,
Ethernet transport
connecting branch offices,
remote sites, partners
 Core Layer- Typically
SONET or Ethernet
transport over carrier WAN
or dark fiber

39
Best Fit for Layer 2 Encryption
 Ethernet
Encryption
 SONET
Encryption
 Ethernet
Encryption
10/1G
100/10M

40
Simplified Management – Layer 2
Transport
Customer Premise Router
Layer 2 Encryptor
Carrier Switch
LAN
Operations
Center
Disaster
Recovery
Location
Operations
Center
When
something
changes
here…
or here…
or here!!!
nothing
changes
here…
No administrative
burden, no outages
and no security policy
changes
Company Confidential

41
Security Management Center II
• Easy Installation and Simple Ongoing Management
• Intuitive web-based GUI
• Virtualization Support with VMWare and Solaris Zones
Lowest Cost of Ownership
• Full Audit and Event logging and Reporting
• Secure Remote Management and Encrypted
Communications
• Integrated Key Manager with Optional Hardware-Security
Secure Operations
• Simple Management Design for Thousands of Encryptors
• Rapid Deployment Tools for Large Installations
• Enterprise Class High-Availability Features
Scalability / Reliability
SMC II Is The Only Truly Enterprise Class
Encryptor Management Platform

42
Desarrolle y Mantenga Sistemas y Aplicaciones Seguras
Secure Application Development Tools
Approved Payment Applications
Req. 6

43
HSM - Protección de Transacciones
Los HSMs de SafeNet
proporcionan la forma más
segura, fácil y rápida de integrar
la solución de seguridad para
aplicaciones y transacciones
para empresas y gobiernos. Las
Certificaciones FIPS y Common
Criteria.
CA4
Luna PCM
ProtectServer Gold
Luna PCI
Luna SA / SP
ProtectHost EFT
Luna XML
Luna SX

44
HSM Technology
Breadth of Hardware Security Offerings
Customizable,
Economical
SOA, Web
Services
FastestNetworked,
Scaleable
Performance
PCM, CA4
Luna PCI
Luna SA / SP / IS
Offline Key
Archive,
Registration
Auth
Protect Server
Luna XML
Protect Host EFT
Payments,
EMV/EFT
4000+/sec600/sec 7000/sec27/sec 600/sec1200/sec
300+/sec

45
Restrinja el acceso a los datos y Asigne un ID exclusiva
para cada persona que tenga acceso al sistema informático
Privileged User Management
SafeNet Authentication
SafeNet DataSecure
Strong User Authentication
Network Access Management
Req. 7
& 8

46
PKI Certificates
User Name &
Passwords
Biometric
Credentials
Barcode & Magnetic
Swipe encoding*
Access Controls*
Photo ID*
* Photo ID, Access Control, Bar Code/Magnetic Swipe are applicable to smart cards only
Protección de Identidades – Autenticación

47
Soluciones SafeNet para el Ecosistema PCI

48
Beneficios
Benefits Proof Points
Single Key Management and
Encryption Solution
 Comprehensive, core-to-edge solution
from a SINGLE vendor
 ONLY solution that secures data across
the connected enterprise for data at rest, in
transit, and in use
Reduces the Cost and Complexity  Integrated security platform with
centralized policy management and
reporting
All critical PCI encryption and key
management requirements are centrally
implemented
Streamlined Implementation  Designed for fast and easy integration
into existing IT infrastructure
Highest Security  FIPS 140-2 Level 2 and Level 3, and CC
Validations
 More than 25 years experience
Comprehensive Audit Trails  Centralized logging and auditing of all
cryptographic functions

49
Caso de Éxito

50
British Airways
Business
Drivers
• PCI info in Oracle DB, and mainframe
• Proprietary flight information on mainframe
Technical
Requirement
• Sensitive data on their mainframes
• General security & granular level security.
• Gartner said “FIPS level 2 will eventually be a PCI requirement.”
Why SafeNet
• Batch processing between their mainframe and two other databases
• Files needed column level encryption at a command line to handle credit card data.
• Level 2 FIPS compliance
• SafeNet is the only company to offer command line file protection and conversion on the
mainframe
Later Phases
• Working directly with business owners
• Sales
• Risk Management

51
British Airways
Bulk Load
TU
3rd Party Apps
InternalApps
z/OS Mainframe Linux MachinesWindows FTP
Servers
Windows File
Servers
NAS

52
Casos de Éxito

53
Alexandre Bento
alexandre.bento@safenet-inc.com
Gracias

Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (9)

Semelhante a Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet

Semelhante a Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet (20)

Mais de Internet Security Auditors

Mais de Internet Security Auditors (20)

Último

Último (20)

Tecnologías para el Cumplimiento. Alexandre Bento. SafeNet