2. Enough is enough
Compliance / Security / Risk Management: Compliance does not equal Security
It’s time to take a look at comprehensive risk management
» What is the health of your organization’s data security program?
» The focus should be on protecting your relationship with your customers and their PFI
» Ensure Risk Assessments are being performed and cover all card processes
• Don’t follow the SAQ as a guideline for appropriate card data risk management
• Are you aware of all sensitive assets involved in payment processes?
• Are you aware of the threats?
• If you had to look beyond the PCI DSS to mitigate risk, where would you start?
3. New Standards are Forcing the Issue
Major changes in the DSS 3.0 focus on continuous compliance and ongoing diligence in security operations
Don’t be compliant with your assessment; be compliant with the standards
Compliance depends on day-in, day-out adherence to control operations
Can you do more? Leverage good risk management practices to identify areas of weakness and opportunities for improvement
4. PCI DSS 3.0 – Scope and Segmentation
It’s important to review the guidance on how to accurately determine the scope of a PCI DSS engagement and the intent of segmentation.
Systems that provide security services to the CDE = “In Scope”
As per the PCI SSC, “Segmentation = Isolation”
Scope Identification Process (for assessed organizations)
5. PCI DSS 3.0 – New Reporting Template
Guidance as to the intent of each PCI DSS requirement is now included within the standard itself. The “Guidance” column helps clarify the PCI SSC’s intent for each and every requirement.
Mandatory Reporting Template
For 3.0 assessments, QSAs must submit all Reports on Compliance (ROCs) on the new, SSC-controlled 3.0 Reporting Template.
Control Re-Numbering
Many requirements have been consolidated and/or renumbered, which has cleaned up the requirements table considerably.
Section-Specific Policy Requirements
Security policies and daily operational procedures (formerly requirements 12.1.1 and 12.2) have been given their own requirement in each of the PCI DSS sections (at the end of each).
6. Critical Changes to Existing Requirements – Requirement 3 – Protect Stored Data
Restrict key access definitions and improved key management process recommendations
Strengthen key access controls with split knowledge
Clarify the intent of “unrecoverable data”
7. Critical Changes to Existing Requirements – Requirement 6.6 Flexibility
Added options to the interpretation of this requirement by changing “web-application firewall” to “automated technical solution that detects and prevents web-based attacks”.
8. Critical Changes to Existing Requirements – Requirement 7, Restrict Access to Cardholder Data
Requirement 7 Flexibility
Additional focus and sub-controls on restricting privileged user access
9. PCI DSS 3.0 – Critical Changes to Existing Requirements
Password Complexity Flexibility
Password complexity and strength requirements have been combined into a single requirement and the PCI SSC has now allowed for some flexibility in meeting these requirements.
10. More Critical Changes to Existing Requirements – Requirement 10, Track and Monitor Access
New Logging Events
Enhanced logging requirement to include stopping or pausing of the audit logs.
Log Reviews for Critical Components
Daily or continuous log reviews have been split into two categories: Critical systems and “Everything else”.
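The two Requirement 10 changes above fit together: a stop or pause of audit logging is itself an event to be logged, and the daily review of critical systems is where it must be caught. The script below is an added example for this page (not Vormetric or PCI SSC code) of a review pass that tiers hosts into "critical" and "everything else", raises every audit-log interruption, and also flags activity recorded on a host while its audit logging was known to be off. The host inventory, event names and log lines are constructed; the `auth` lines stand in for a second source such as syslog, which is what makes a coverage gap visible at all.

```python
"""Daily log review for critical CDE components (added example; format constructed)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed inventory: hosts that count as critical CDE components.
CRITICAL_HOSTS = {"db-cde-01", "fw-cde-edge"}

# Review cadence per tier, following the split the slide describes.
REVIEW_CADENCE = {"critical": "daily", "everything_else": "periodic, per risk assessment"}

# Constructed event names meaning audit logging was stopped/paused or restored.
AUDIT_OFF = {"auditd_stop", "auditd_pause"}
AUDIT_ON = {"auditd_start", "auditd_resume"}

# Constructed sample log: "<timestamp> <host> <event> key=value ...".
SAMPLE_LOG = """\
2014-02-03T01:00:12Z db-cde-01 auth user=svc_pos result=success
2014-02-03T01:05:40Z build-srv-07 auth user=jenkins result=success
2014-02-03T02:17:03Z db-cde-01 auditd_stop user=root result=success
2014-02-03T02:17:09Z db-cde-01 auth user=root result=success
2014-02-03T02:30:00Z db-cde-01 auditd_start user=root result=success
2014-02-03T03:00:00Z build-srv-07 auditd_pause user=root result=success
2014-02-03T04:22:51Z fw-cde-edge auth user=admin result=failure
""".splitlines()


@dataclass
class Event:
    ts: datetime
    host: str
    name: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Event:
    ts, host, name, *kv = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, name,
                 dict(pair.split("=", 1) for pair in kv))


def tier_of(host: str) -> str:
    return "critical" if host in CRITICAL_HOSTS else "everything_else"


def review(lines: List[str]) -> dict:
    """Bucket events by tier and return the findings the reviewer must act on.

    Two findings matter: every stop/pause of audit logging, and any activity seen
    on a host while its audit logging was off, which no later review can recover.
    """
    events = sorted((parse_line(line) for line in lines), key=lambda e: e.ts)
    counts = {"critical": 0, "everything_else": 0}
    audit_down: Dict[str, datetime] = {}   # host -> when logging went off
    interruptions, gaps = [], []
    for ev in events:
        counts[tier_of(ev.host)] += 1
        if ev.name in AUDIT_OFF:
            audit_down[ev.host] = ev.ts
            interruptions.append({"host": ev.host, "tier": tier_of(ev.host),
                                  "event": ev.name, "user": ev.fields.get("user"),
                                  "ts": ev.ts.isoformat()})
        elif ev.name in AUDIT_ON:
            audit_down.pop(ev.host, None)
        elif ev.host in audit_down:
            gaps.append({"host": ev.host, "event": ev.name,
                         "user": ev.fields.get("user"), "ts": ev.ts.isoformat(),
                         "audit_off_since": audit_down[ev.host].isoformat()})
    return {"counts": counts, "cadence": REVIEW_CADENCE,
            "audit_interruptions": interruptions, "coverage_gaps": gaps}


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the sample data the review raises two interruptions (one on a critical database host, one on a build server) and one coverage gap: a root login on db-cde-01 six seconds after auditd was stopped. The gap on the critical host is the finding to escalate the same day; the build-server pause goes into the periodic review queue.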
11. Renewed Emphasis on Security Management
• Awareness and testing of CDE Boundaries and Approved Connections (in AoC, 11.3)
• Periodic Evaluation of Antivirus Controls (5.1.2)
• Awareness of Access Roles and Privileges Required (7.1, 7.1.1)
• Device tampering detection procedures & education (9.9)
• Point-of-Interaction Inventories (9.9.1.a)
• Expanded penetration tests (11.3)
• Service Provider Management (DSS 12.8.x)
12. How Strong is your IT Risk Management Program?
Risk assessment should be used to identify areas of improvement beyond compliance
Take a data-centric approach to security to get the greatest risk management benefit
Defense in depth
Physical and logical access controls in place
Sufficient network segmentation
SIEM solutions
Encryption and/or tokenization
What would your security controls program look like? This… Or this…
14. Foundation Services
Security is a shared responsibility between AWS and our customers
AWS:
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints
Customers:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls
15. Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives however they choose to
• Select the AWS geographical Region; no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
Customers retain full ownership and control of their content
16. Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Security
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
17. PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant (Level 1 is >300,000 transactions/year, the highest level)
14 services in scope (Aug 2013):
– EC2, EBS, S3, VPC, RDS, ELB, IAM, Glacier, Direct Connect, DynamoDB, SimpleDB, Elastic Map Reduce, and new in 2013: CloudHSM, Redshift
Covers public services; no special configuration/options
Leverage the work of our QSA
AWS will work with merchants and designated Qualified Incident Response Assessors (QIRA)
– can support forensic investigations
Includes all global regions
Yearly refresh cycle
18. PCI DSS Level 1 Service Provider
AWS provides customers and customers’ auditors with:
– Attestation of Compliance
– PCI Responsibility Summary
19. AWS partners can help you build secure solutions
Facilities
Physical security
Compute infrastructure
Storage infrastructure
Network infrastructure
Virtualization layer (EC2)
Hardened service endpoints
Fine-grained IAM capability
+ AWS partner solutions = Your secure AWS solutions
These products and more are available on the AWS marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management
20. PREVENT LOSS OF SENSITIVE DATA, COMPLETE PCI AUDITS, AT A LOWER TCO WITH HIGHLY SECURE SERVER ENCRYPTION AND KEY MANAGEMENT.
PROVEN PCI 3.0 COMPLIANCE WITH STRONGER DATA SECURITY
Sol Cates, Chief Security Officer, Vormetric
21. Vormetric Protects Cardholder Information
Requirement 3: Protect stored cardholder data
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 10: Track and monitor all access to network resources and cardholder data
22. Vormetric Data Security Platform
Simple, efficient solution for the lowest TCO data-at-rest security
Vormetric Transparent Encryption (Big Data, Structured Databases, Unstructured Files)
• File and Volume Level Encryption
• Access Control
Vormetric Application Encryption (Applications, Big Data)
• Field Level Data Encryption
Vormetric Key Management
• KMIP Compliant
• Oracle and SQL Server TDE
• Certificate Storage
Vormetric Security Intelligence
• Splunk
• HP ArcSight
• IBM QRadar
• LogRhythm
Vormetric Data Security Manager
• Key and Policy Manager
23. Encryption and Key Management
DSM in the cloud or on the customer premise supporting Requirement 3
Diagram labels: Vormetric Data Security Manager; Policies & Logs; Keys; Virtual or Physical Servers; Enterprise Data Center Environment; VPN Link
Enforce separation of provider and enterprise responsibilities
Extensible to multiple cloud providers and traditional servers
Pay as you grow, deploy licenses on demand
Customer is always the custodian of policies and keys
24. Vormetric Transparent Encryption
Simplified encryption and access control for Requirement 7
Diagram labels: Storage, Volume Managers, File Systems, Database, Application, User; Big Data, Databases or Files; Allow/Block; Encrypt/Decrypt; Logs to SIEM (Vormetric Security Intelligence); Vormetric Data Security Manager (DSM) on Enterprise premise or in cloud, virtual or physical appliance
Approved Processes and Users see Clear Text (John Smith, 401 Main Street); Privileged Users and Cloud Provider / Outsource Administrators see only Encrypted data (*$^!@#)(-|”_}?$%-:>>)
• Encryption
• Access Control
• Security Intelligence
25. Vormetric Security Intelligence
Supporting Requirement 10
66% of breaches took months, or even years, to discover.
69% of breaches were spotted by an external party – 9% were spotted by customers.
Verizon 2013 data breach investigations report
Log and audit data access, in support:
Alarm abnormal access patterns
Identify compromised users, administrators and applications
Accelerate APT and malicious insider recognition
Supports compliance and contractual mandate reporting
26. Admin Dirk Snowman imitated user steve, attempted to read this file and was denied access because he violated this policy
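The transparent-encryption diagram (slide 24) and the sample event (slide 26) describe one mechanism: a guard point over a directory, a policy that decides Allow/Block and Encrypt/Decrypt per user, process and action, and an audit record for every decision. The code below is an added example written for this page that models that decision logic; it is not Vormetric's implementation, and the guard point path, policy name, rule set, user names and log format are all constructed. Two design points it shows: privileged or backup tooling can be permitted to read files yet receive only ciphertext, and a policy match is evaluated against the identity that actually logged in, so an administrator who switches to an approved account (the "imitated user" case) does not inherit that account's clear-text access.

```python
"""Guard-point access policy with Allow/Block and Encrypt/Decrypt decisions
(added example; rules, names and log format are constructed, not Vormetric's)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

CIPHERTEXT = b"*$^!@#)(-|\"_}?$%-:>>"      # stand-in for the stored, encrypted bytes
CLEARTEXT = b"John Smith\n401 Main Street"  # constructed record returned after decryption


@dataclass(frozen=True)
class Request:
    login_user: str   # identity that actually authenticated to the host
    user: str         # effective user of the process (differs after su/sudo)
    process: str      # executable making the call
    action: str       # "read" or "write"
    path: str


@dataclass(frozen=True)
class Rule:
    users: FrozenSet[str]
    processes: FrozenSet[str]
    actions: FrozenSet[str]
    effect: str       # "permit_decrypt" | "permit_ciphertext" | "deny"


@dataclass(frozen=True)
class Decision:
    effect: str
    data: Optional[bytes]
    log: str


POLICY_NAME = "cde-guard"     # constructed policy name
GUARD_POINT = "/data/cards"   # constructed guard point (directory under enforcement)

# Constructed rules: the POS daemon run by approved users gets clear text; backup and
# admin tooling may read the files but only ever receives ciphertext; all else is blocked.
RULES: List[Rule] = [
    Rule(frozenset({"steve", "svc_pos"}), frozenset({"/opt/pos/bin/posd"}),
         frozenset({"read", "write"}), "permit_decrypt"),
    Rule(frozenset({"root", "backup"}), frozenset({"/usr/bin/rsync", "/usr/bin/tar"}),
         frozenset({"read"}), "permit_ciphertext"),
]


def evaluate(req: Request) -> Decision:
    """Match a request against the guard-point rules and build its audit record.

    The identity checked is the login user: someone who switched to an approved
    account is evaluated as themselves, so impersonation does not unlock keys.
    """
    if not req.path.startswith(GUARD_POINT + "/"):
        return Decision("not_guarded", None, "")
    identity = req.login_user
    effect = "deny"  # default: block anything no rule permits
    for rule in RULES:
        if (identity in rule.users and req.process in rule.processes
                and req.action in rule.actions):
            effect = rule.effect
            break
    if effect == "permit_decrypt":
        data, outcome = CLEARTEXT, "was permitted access with decryption"
    elif effect == "permit_ciphertext":
        data, outcome = CIPHERTEXT, "was permitted access to ciphertext only"
    else:
        data, outcome = None, f"was denied access because the request violated policy {POLICY_NAME}"
    actor = identity if identity == req.user else f"{identity} imitated user {req.user} and"
    log = (f"policy={POLICY_NAME} actor={identity} effective_user={req.user} "
           f"process={req.process} action={req.action} path={req.path} effect={effect} "
           f"msg=\"{actor} attempted to {req.action} this file and {outcome}\"")
    return Decision(effect, data, log)


if __name__ == "__main__":
    for r in [Request("steve", "steve", "/opt/pos/bin/posd", "read", "/data/cards/batch.dat"),
              Request("root", "root", "/usr/bin/rsync", "read", "/data/cards/batch.dat"),
              Request("dirk", "steve", "/bin/cat", "read", "/data/cards/batch.dat")]:
        print(evaluate(r).log)
```

Every decision, permitted or not, produces a log record in the same shape, which is what feeds the SIEM integrations listed on slide 22 and what makes "alarm abnormal access patterns" possible: a burst of `effect=deny` records for one actor, or ciphertext-only reads from an unexpected process, stands out precisely because permitted accesses are logged too.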
27. Implement with Confidence
Vormetric Data Security is quick and easy to administer, while having negligible impact on performance. It’s the perfect solution for meeting PCI DSS requirements.
One of the tipping points for us was Vormetric’s management console. It makes creating encryption profiles -- which contain unique guard points, security policies, and keys -- a snap. It’s one of the easiest products to implement I’ve ever used.
Daryl Belfry, Director of IT, TAB Bank
Jim Fallon, Security Ops manager, Airlines Reporting Corporation
Coalfire White Paper: Using Encryption and Access Control for PCI DSS 3.0 Compliance in AWS
Vormetric.com -> Resources -> White Papers
28. Vormetric Data Security Platform Delivers the Lowest Total Cost of Ownership
Simplicity
Intuitive, consistent, repeatable, organization-wide policy management reduces cost, resources and errors
Transparent deployment, application-layer when necessary
Efficiency
One platform – many use cases – ready for “what’s next”
Preserve SLAs and use fewer servers w/high-performance encryption and HA
Better Security and Faster Compliance
File to field data-at-rest encryption, key management, privileged user access control, and gathering of security intelligence
Accelerate the detection of insider abuse and APT