© SafeNet Confidential and Proprietary
Alexandre
Technologies for Compliance
Agenda
Who is SafeNet?
PCI Market Background
Challenges for PCI
SafeNet Solutions for PCI
Success Story

Who is SafeNet?
SafeNet Fact Sheet
The largest company focused exclusively on protecting high-value information.
Founded: 1983
Ownership: private
Global success with more than 25,000 customers in 100 countries
Employees: around 1,500 in 25 countries
Recognized leadership in security technology, with more than 550 encryption engineers
Products certified to the highest security standards
Leader in Trust
We protect things like:
> most of the money that moves in the world: 80% of all interbank transfers (SWIFT), $1 trillion per day
> most of the digital identities in the world: 84% market share in protection of PKI root keys (Salomon Smith Barney) with cryptographic modules (HSMs)
> number 1 in high-speed WAN link encryption for Frame Relay, ATM, leased lines and Ethernet
> number 1 in USB tokens worldwide (IDC)

PCI Market Background
What are the threats?
[chart; source: Ponemon Institute, 2009]

The Evolution of Incidents
[chart]
Target of the attacks?
Data, data and more data
Vulnerabilities
Online Fraud on the Rise
The number of web pages infecting PCs with programs designed to steal passwords reached 31,173 in December 2008, an increase of 827% since January 2008.
Source: Anti-Phishing Working Group, March 2009
Phishing: $3.2 billion in 2007 in the US alone (Gartner, Dec. 2007)
How do they do it?
Trojans, keyloggers, rootkits
Web or application vulnerabilities
The corruptible insider
How much are they costing?
[chart: 47%; source: Ponemon Institute, 2009]

Challenges for PCI
Is PCI DSS the floor or the ceiling?
• "PCI DSS is the ceiling"
  • Obstacles to implementation ("excuses?")
  • Too complex
  • Not up to date with current threats
  • Takes too long to implement
  • Too costly to comply with
• "PCI DSS is only the floor"
  • Leverage the investment
  • Greater protection
  • 50% cost advantage
How much is it costing?

Allocation of PCI Investment              | Best-in-Class | All Others
Cost to achieve initial compliance        | $520K         | $958K
Time to report                            | 11 mo         | 11 mo
Annual cost to sustain compliance         | $135K         | $300K
Average time since first reporting        | 2.0 yrs       | 2.3 yrs
Average total spend on PCI compliance     | $784K         | $1,642K
  Build & Maintain a Secure Network       | $197K         | $375K
  Protect Cardholder Data                 | $186K         | $399K
  Maintain a Vulnerability Mgmt Program   | $88K          | $188K
  Implement Strong Access Control         | $93K          | $211K
  Regularly Monitor and Test              | $124K         | $317K
  Maintain an IS Policy                   | $97K          | $152K
Source: Aberdeen Group, 2009
Best Practices
• It is protection, not a checkbox
• Involve the stakeholders
• Discover and classify the data
• Establish the threat model
• Document and define security policies and procedures
• Determine where to protect data
How is the industry doing today?

Objective                            | Requirement                                 | Current Capability | Known Incidents | Avg. PCI Spend
Build & Maintain Secure Network      | 1. Firewall Configurations                  | 85%                | 16%             | $250K
                                     | 2. No Default Passwords                     |                    | 16%             |
Protect Cardholder Data              | 3. Protect Stored Cardholder Data           | 71%                | 23%             | $242K
                                     | 4. Encrypt Transmission Across Networks     |                    | 12%             |
Maintain Vulnerability Mgmt Program  | 5. Use & Update Antivirus Software          | 61%                | 19%             | $114K
                                     | 6. Develop & Maintain Secure Applications   |                    | 28%             |
Strong Access Control                | 7. Restrict Access to Business Need-to-Know | 65%                | 24%             | $124K
                                     | 8. Assign a Unique ID                       |                    | 18%             |
                                     | 9. Restrict Physical Access                 |                    | 15%             |
Regularly Monitor & Test             | 10. Track and Monitor Network Access        | 78%                | 23%             | $169K
                                     | 11. Regularly Test Security Systems         |                    | 22%             |
Maintain IS Policy                   | 12. Maintain Policies for IS                | 83%                | 23%             | $118K
(Current Capability and Avg. PCI Spend are reported per objective; Known Incidents per requirement.)
Source: Aberdeen Group, 2009
SafeNet Solutions for PCI

Protect stored cardholder data (Req. 3)
• Hard disk encryption: SafeNet ProtectDrive
• Data tokenization: SafeNet DataSecure, SafeNet Hardware Security Modules
• File/folder encryption: SafeNet ProtectFile (unstructured data)
• Database encryption: SafeNet DataSecure (structured data)
SafeNet DataSecure Platform: Intelligent Data Protection
DataSecure is the industry's most trusted platform to provide intelligent data protection for ALL information assets, both structured and unstructured, using centralized:
• key management
• policy management
• logging and auditing

Business Needs                                                                                       | SafeNet Solution
Protect sensitive data at the web, application, mainframe and database tiers, including file servers | Protect Data at Risk: most flexible and scalable hardware-based encryption platform for heterogeneous environments
Implement data encryption controls for compliance                                                    | Comply with Legislation: proven compliance with laws requiring protection of sensitive information
Reduce cost & complexity with secure key management and centralized policy management                | Reduce Operational Cost: ease of management and administration with best-in-class security management console
SafeNet DataSecure: Data Protection, Key, and Policy Management
[diagram: DataSecure serving mainframes, web/app servers, endpoint devices, network shares and file servers]
DataSecure Database Integration
• Database connectors
  • Oracle 8i, 9i, 10g, 11g
  • IBM DB2 version 8, 9
  • IBM UDB version 8, 9
  • Microsoft SQL Server 2000, 2005, 2008
  • Teradata 12
• Application changes not required
• Batch processing tools for managing large data sets
• Vendor-transparent database integration
  • SQL Server 2008
  • Oracle 11g
[diagram: DataSecure appliance connected to the customer database]
DataSecure Application Integration
• Software libraries
  • Microsoft .NET, CAPI
  • JCE (Java)
  • PKCS#11 (C/C++)
  • SafeNet ICAPI (C/C++)
  • z/OS (COBOL, Assembler, etc.)
  • XML
• Support for virtually all application and web server environments
[diagram: reporting application, e-commerce application and customer database integrated with DataSecure]
ProtectFile and ProtectDrive
File Protection for PCs, File Servers, and Network Shares
Supported platforms: Windows Server 2003; Windows XP, Vista; RHEL 4, 5
File Server Encryption
• File Encryption Keys (FEKs) protect files on disk
• FEKs are encrypted with a Key Encryption Key (KEK) that resides on the DataSecure appliance
• Policy is configured on DataSecure and pushed to the file systems
Mobile Handset Support
Full Disk Encryption with ProtectDrive
[diagram: end-user laptop, network shares and corporate file server, all under keys and policy from DataSecure]
File & Folder Encryption
• File and folder encryption while cryptographically enforcing user- and group-permission-based access to confidential data
• Protection of workgroup data against unauthorized access
DataSecure Tokenization
• DataSecure acts as the "vault" for sensitive data values and tokens, protecting them with strong encryption and key management
• Token Manager replaces sensitive data with format-preserving tokenization via:
  • Secure Message Layer: SOA-based interface, callable from anywhere
  • Protected Zone: host of the Secure Message Layer; handles calling DataSecure and generating tokens
[diagram: protected zone containing the Secure Message Layer and DataSecure Token Manager, backed by DataSecure]
What is Tokenization?
At the most basic level:
• Replacement of sensitive structured data with non-sensitive data of a similar size (a "token")
• The sensitive data is stored in an encrypted protected zone
More sophisticated approaches involve:
• 1-to-1 mapping of tokens to sensitive data (referential integrity)
• Presentation options:
  • Masked data: XXXXX6789
  • Data with dashes in it: 123-45-6789
• Token type options:
  • Purely random digits
  • Sequential
  • First two/last four, first six, etc.
Benefits:
• Data protection is "transparent" to pure end users and systems
• Only the "protected zone" remains in scope of compliance audits (together with any system that retrieves data in the clear from it)
• Only authenticated end users or systems can access data in the clear from the protected zone
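A minimal vault-based tokenizer implementing the options listed above, as an added example (not SafeNet code and not how DataSecure Token Manager is implemented): a "first six / last four" format-preserving token with random middle digits, a 1-to-1 PAN-to-token mapping so repeated tokenization of the same PAN returns the same token, a masked presentation, and detokenization gated on the calling principal. The in-memory maps and the allowed-principal list stand in for the encrypted protected zone and its access policy, which in the product are enforced by DataSecure. The Luhn check on input and the rejection of Luhn-valid tokens are design choices of this example, not something the slide specifies.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Vault stands in for the protected zone: in the product the PAN<->token table
// is kept under DataSecure-managed encryption; here it is an in-memory map.
type Vault struct {
	byPAN   map[string]string
	byToken map[string]string
	allowed map[string]bool // constructed policy: principals that may detokenize
}

func NewVault(allowedPrincipals ...string) *Vault {
	v := &Vault{byPAN: map[string]string{}, byToken: map[string]string{}, allowed: map[string]bool{}}
	for _, p := range allowedPrincipals {
		v.allowed[p] = true
	}
	return v
}

// luhnOK validates a PAN before it enters the vault; garbage gets no token.
func luhnOK(pan string) bool {
	sum := 0
	for i := range pan {
		d := int(pan[len(pan)-1-i] - '0') // non-digits wrap to > 9 and fail
		if d > 9 {
			return false
		}
		if i%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return len(pan) >= 13 && sum%10 == 0
}

// randomDigits draws n decimal digits from crypto/rand: tokens must be unguessable.
func randomDigits(n int) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(int64(n)), nil)
	r, err := rand.Int(rand.Reader, limit)
	if err != nil {
		return "", err
	}
	s := r.String()
	return strings.Repeat("0", n-len(s)) + s, nil
}

// Tokenize: first six / last four token, allocated once per PAN (1-to-1, so joins keep working).
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnOK(pan) {
		return "", fmt.Errorf("not a valid PAN")
	}
	if tok, ok := v.byPAN[pan]; ok {
		return tok, nil
	}
	for {
		mid, err := randomDigits(len(pan) - 10)
		if err != nil {
			return "", err
		}
		tok := pan[:6] + mid + pan[len(pan)-4:]
		// Design choice of this example: retry on collision and on any token
		// that passes Luhn, so a leaked token is never mistaken for a real PAN.
		if _, taken := v.byToken[tok]; !taken && !luhnOK(tok) {
			v.byPAN[pan], v.byToken[tok] = tok, pan
			return tok, nil
		}
	}
}

// Mask is the "XXXXX6789" presentation option: safe to display anywhere.
func Mask(tok string) string {
	return strings.Repeat("X", len(tok)-4) + tok[len(tok)-4:]
}

// Detokenize releases the PAN only to an authorized principal; whoever receives clear data is in scope.
func (v *Vault) Detokenize(tok, principal string) (string, error) {
	if !v.allowed[principal] {
		return "", fmt.Errorf("principal %q may not detokenize", principal)
	}
	if pan, ok := v.byToken[tok]; ok {
		return pan, nil
	}
	return "", fmt.Errorf("unknown token")
}

func main() {
	v := NewVault("settlement-batch")
	tok, err := v.Tokenize("4111111111111111") // constructed test PAN
	fmt.Println(tok, Mask(tok), err)
}
```

Two properties matter for the audit-scope argument on the slide: the token carries no information about the hidden middle digits beyond what crypto/rand produced, so a database full of tokens is worthless to an attacker without the vault, and the only path back to a PAN is Detokenize, which is where the access policy (and therefore the scope boundary) is enforced.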
Tokenization Use Case: Credit Card Numbers
[diagram: protected zone holding the Secure Message Layer, DataSecure and the data vault; the PCI auditor reviews the protected zone for compliance]

SafeNet DataSecure Interface
[screenshots of the DataSecure management interface]
Disk Encryption
• Disk encryption of desktops, in conjunction with Certificate Services
• Access to pre-boot authentication only with token/certificate; no user ID/password logon
• Protection of all data in case of theft, loss and end of life
Encrypt transmission of cardholder data across open, public networks (Req. 4)
• Encrypt network communications: SafeNet High Speed Ethernet Encryption
Network Encryption
• Edge layer: SSL/IPsec
• Boundary layer: MPLS, ATM, Frame Relay, Ethernet transport connecting branch offices, remote sites, partners
• Core layer: typically SONET or Ethernet transport over carrier WAN or dark fiber
Best Fit for Layer 2 Encryption
[chart: Ethernet encryption at 100/10 Mbit/s and 10/1 Gbit/s, SONET encryption]
Simplified Management: Layer 2 Transport
[diagram: Operations Center, Disaster Recovery Location and a second Operations Center, each with a LAN, a customer-premise router and a Layer 2 encryptor, connected through a carrier switch]
When something changes here... or here... or here!!! nothing changes here...
No administrative burden, no outages and no security policy changes
Security Management Center II
Lowest Cost of Ownership
• Easy installation and simple ongoing management
• Intuitive web-based GUI
• Virtualization support with VMware and Solaris Zones
Secure Operations
• Full audit and event logging and reporting
• Secure remote management and encrypted communications
• Integrated key manager with optional hardware security
Scalability / Reliability
• Simple management design for thousands of encryptors
• Rapid deployment tools for large installations
• Enterprise-class high-availability features
SMC II is the only truly enterprise-class encryptor management platform
Develop and maintain secure systems and applications (Req. 6)
• Secure application development tools: SafeNet Hardware Security Modules
• Approved payment applications: SafeNet Hardware Security Modules
HSM: Transaction Protection
SafeNet HSMs provide the most secure, easiest and fastest way to integrate a security solution for applications and transactions in enterprises and governments, with FIPS and Common Criteria certifications.
Product family: CA4, Luna PCM, ProtectServer Gold, Luna PCI, Luna SA / SP, ProtectHost EFT, Luna XML, Luna SX
HSM Technology: Breadth of Hardware Security Offerings
[chart of the HSM family plotted by use case and performance]
Use-case labels on the chart: Customizable, Economical; SOA, Web Services; Fastest; Networked, Scalable; Offline Key Archive, Registration Authority; Payments, EMV/EFT
Products on the chart: PCM, CA4; Luna PCI; Luna SA / SP / IS; ProtectServer; Luna XML; ProtectHost EFT
Performance figures on the chart (not attributable to individual products in this extraction): 27/sec, 300+/sec, 600/sec, 600/sec, 1200/sec, 4000+/sec, 7000/sec
Restrict access to data and assign a unique ID to each person with computer access (Req. 7 & 8)
• Privileged user management: SafeNet Authentication, SafeNet DataSecure
• Strong user authentication: SafeNet Authentication
• Network access management: SafeNet Authentication
Identity Protection: Authentication
Credential types:
• PKI certificates
• User names & passwords
• Biometric credentials
• Barcode & magnetic swipe encoding*
• Access controls*
• Photo ID*
* Photo ID, access control, bar code/magnetic swipe are applicable to smart cards only

SafeNet Solutions for the PCI Ecosystem
Benefits

Benefits                                      | Proof Points
Single Key Management and Encryption Solution | Comprehensive, core-to-edge solution from a SINGLE vendor; ONLY solution that secures data across the connected enterprise for data at rest, in transit, and in use
Reduces the Cost and Complexity               | Integrated security platform with centralized policy management and reporting; all critical PCI encryption and key management requirements are centrally implemented
Streamlined Implementation                    | Designed for fast and easy integration into existing IT infrastructure
Highest Security                              | FIPS 140-2 Level 2 and Level 3, and CC validations; more than 25 years' experience
Comprehensive Audit Trails                    | Centralized logging and auditing of all cryptographic functions

Success Story
British Airways
Business Drivers
• PCI info in Oracle DB, and mainframe
• Proprietary flight information on mainframe
Technical Requirement
• Sensitive data on their mainframes
• General security & granular level security.
• Gartner said “FIPS level 2 will eventually be a PCI requirement.”
Why SafeNet
• Batch processing between their mainframe and two other databases
• Files needed column level encryption at a command line to handle credit card data.
• Level 2 FIPS compliance
• SafeNet is the only company to offer command line file protection and conversion on the mainframe
Later Phases
• Working directly with business owners
• Sales
• Risk Management
British Airways
[diagram: z/OS mainframe, Linux machines, Windows FTP servers, Windows file servers and NAS, exchanging data via bulk load, TU, third-party apps and internal apps]

Success Stories