Security Trends and Client Approaches

Academic year: 2021

(1)

Security Trends and Client Approaches

May 2010

(2)

Agenda

• Trends and Challenges
• Case Studies
  • Global Hospitality Company
  • US Specialty Retailer A
  • US Specialty Retailer B
  • Global Financial Services Company
• Lessons Learned

(3)

Information Security Trend

Where is the Bar Now? Much, Much Higher

(4)

Primary US Security & Privacy Regs/Stds

Commercial Organization Focus

• Payment Card Industry Data Security Standard
• Second Generation State Privacy Protection Laws
  • MA 201 CMR 17; NV; NY; etc.
• First Generation State Data Breach Notification Laws
  • CA 1386 et al.
• Federal Trade Commission
  • Section 5 – Unfair and Deceptive Practices
• Health Insurance Portability & Accountability Act
  • Including HITECH Amendments to HIPAA
• Sarbanes Oxley
• European Union Privacy Directive

(5)
(6)

The “Massachusetts” Law

• Key Point
  • Written Security Program
• Characteristics
  • Ownership
  • Inventory
  • Risk Assessment
  • Security Controls
  • Monitoring
• Tech Security Controls
  • Access - Need to Know

(7)

“ROI” from a Security Technology Investment

Enabler to Business Agility

• You Have No Choice
  • Comply with regulation or legal order
• Reduce Business Costs
  • Out of Pocket, Headcount, Cost Avoidance, etc.
• Increase Revenues
  • Grow Demand from New and Existing Clients
• Improve Efficiency and/or Effectiveness
  • Quality, Time-to-Market, etc.
• Reduce Risk

(8)

Database Security - Why Buy Anything?

“Improve Business Agility”

• Consolidate and improve IT infrastructure
  • Reduce the cost of systems management
  • Enhance Reliability & Availability
• Leverage external staff augmentation
  • Use less expensive contractors
  • Shift employees to more critical tasks
• Share information with vendors and partners
  • Accelerate IT projects
  • Leverage outside experts and partners
  • Reduce 3rd party risk inherent in outsource/offshore/cloud
• Improve governance and auditability
  • Reduce overall systems management cost
  • Streamline business processes

Plus Meet Compliance

(9)

What Are Encryption and Data Masking?

Data Losses from Production, Back-Up, Development & Partners

(10)

Security Solution Case Studies

Global Hospitality Company

US Specialty Retailer A

US Specialty Retailer B

(11)

Case Study – Global Hospitality Company

Meeting PCI and SOX Compliance Requirements

• Major Objective: More stringent controls to meet PCI and SOX Compliance.
• Other Objectives
  • Improve user administration and productivity
  • Enforce policy-based access controls
  • Minimize password maintenance overhead
  • Improve reporting capabilities against user accounts and access levels
• Environment
  • Large and varied user community (>110,000 users)
  • Heterogeneous operating environment

(12)

Global Hospitality Company (cont.)

Solution

• Identity Management
  • Oracle Identity Manager

(13)

Secure Data and Access to Data

• Secure Data
  • Encryption
    • Data at rest
    • Data in transit
  • Key management
  • Audit and compliance
• Control Access to Data
  • Identity administration
  • Credential management
  • Access control
  • Audit and compliance

(14)

Global Hospitality Company (cont.)

Benefits from Identity Management

Example Compliance Items                                  PCI DSS Section
Detection and remediation of password anomalies           2.1
Multiple levels of authentication of users                2.3
Secure all web access and web service requests            2.3
Centralized authentication and authorization services     6.3
Separation of duties control                              6.3
Role based access control                                 6.3
Restriction of access rights                              7.1
Management attestation of access rights                   7.1
Automated access control                                  7.1

(15)

Global Hospitality Company (cont.)

Benefits from Database Security

Example Compliance Items                                            PCI DSS Section
Encrypt all non-console administrative access                       2.3
Render PAN, at minimum, unreadable anywhere it is stored            3.4
Protect encryption keys used for encryption of cardholder data
against both disclosure and misuse

(16)

Global Hospitality Company (cont.)

Meeting Complementary Demands

(17)

Case Study – US Specialty Retailer “A”

Meeting PCI and SOX Compliance Requirements

• Major Objective: More stringent controls to meet PCI and SOX Compliance.
• Key Concern
  • Required to meet requirements for detection and reporting of unauthorized activity for Point Of Sale devices and corporate data centers
• Environment
  • 1,500 North American Retail Locations
  • 15,000 Devices Being Monitored
  • 500 Corporate Servers

(18)

Case Study – US Specialty Retailer “A”

Solution Approach

• Oracle Configuration Management
  • Configuration Change Console for real-time event detection
  • Deployed framework for tracking unauthorized activities:
    • Direct access
    • File
    • Configuration Changes
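The approach on this slide, detecting file and configuration changes and tying each one back to an approved change so that only unexplained changes need attention, is shown below as an added example in Python. It is not the retailer's deployment and not code from Oracle's Configuration Change Console; the file paths, file contents, scan times and the change-ticket id are all constructed for the illustration.

```python
"""Change detection with closed-loop reconciliation against approved changes.

Added illustration, not the retailer's deployment or Oracle's product code:
a baseline of file hashes is compared with a fresh scan, and every change
found is matched against approved change records so that only unexplained
changes are escalated. Paths, contents, times and ticket ids are constructed.
"""
import hashlib
from datetime import datetime


def fingerprint(files: dict) -> dict:
    """Baseline snapshot: path -> SHA-256 of the file contents."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in files.items()}


def diff_snapshots(baseline: dict, current: dict) -> list:
    """List (path, kind) for every added, removed or modified path."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append((path, "added"))
        elif path not in current:
            events.append((path, "removed"))
        elif baseline[path] != current[path]:
            events.append((path, "modified"))
    return events


def reconcile(events: list, observed_at: datetime, approved_changes: list) -> list:
    """Closed loop on change auditing: a change is 'authorized' only when an
    approved change record names that path and its window covers the scan
    time; everything else is 'unauthorized' and needs follow-up."""
    report = []
    for path, kind in events:
        ticket = next(
            (c["ticket"] for c in approved_changes
             if path in c["paths"] and c["start"] <= observed_at <= c["end"]),
            None,
        )
        report.append({
            "path": path,
            "kind": kind,
            "status": "authorized" if ticket else "unauthorized",
            "ticket": ticket,
        })
    return report


# Constructed sample: yesterday's baseline and today's scan of one POS host.
BASELINE_FILES = {
    "/etc/pos/terminal.conf": b"timeout=30\nhost=pay.example\n",
    "/opt/pos/bin/register": b"\x7fELF...binary-stand-in...",
}
CURRENT_FILES = {
    "/etc/pos/terminal.conf": b"timeout=60\nhost=pay.example\n",  # edited
    "/opt/pos/bin/register": b"\x7fELF...binary-stand-in...",     # unchanged
    "/opt/pos/bin/helper": b"#!/bin/sh\necho hi\n",                 # new file
}
# Constructed approved change; the ticket id is a placeholder, not a real record.
APPROVED_CHANGES = [{
    "ticket": "CHG-EXAMPLE-001",
    "paths": {"/etc/pos/terminal.conf"},
    "start": datetime(2010, 5, 1, 1, 0),
    "end": datetime(2010, 5, 1, 4, 0),
}]


def scan_and_reconcile(observed_at: str = "2010-05-01T02:30") -> list:
    """Run the whole loop on the sample data for a scan at the given ISO time."""
    events = diff_snapshots(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    return reconcile(events, datetime.fromisoformat(observed_at), APPROVED_CHANGES)


if __name__ == "__main__":
    for entry in scan_and_reconcile():
        print(f"{entry['status']:12} {entry['kind']:9} {entry['path']} {entry['ticket'] or ''}")
```

In the sample, the edited terminal.conf falls inside the approved window and is reported as authorized with its ticket, while the new helper file has no matching record and is escalated; the same edit observed outside the window is likewise escalated, which is what turns detection into the "closed loop" the benefits slide refers to.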

(19)

Case Study – US Specialty Retailer “A”

Solution Benefits

• Solution met BOTH corporate SOX and PCI requirements
• Replaced VP’s Monthly Audit Meetings with twice annual “checkoff reviews”
• Reduced the staff required for SOX and PCI Auditing by over 25%
• Reduced monitoring system environment by 80%, reducing system maintenance
• Closed loop on Change auditing
• Decreased downtime and simplified the process of troubleshooting unplanned downtime
• Returned focus to “selling product”

(20)

Case Study – US Specialty Retailer “B”

Meeting PCI Compliance Requirements

• Major Objective: Comply with PCI standards for protecting PAN
• Key Concern
  • Proliferation of credit card information throughout the system and potential costs for encrypting information throughout the system
• Environment
  • 15,000 Employees
  • 1,559 stores in 48 states

(21)

Case Study – US Specialty Retailer “B”

Solution Approach

• Tokenization of Credit Card PAN
  • Replaces CC# with Token upon initial entry
  • Eliminated 98% of the use of CC#
• Secure Tokenization Repository
  • Controlled Access
• Encryption of CC#
  • At Rest and In Transit
  • Oracle Advanced Security
    • Transparent Data Encryption
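The tokenization approach on this slide (replace the card number with a token at first entry, keep the only copy of the PAN in a repository with controlled access) is worked through below as an added example in Python. It is not the retailer's system and not Oracle code. Its assumptions: tokens are random values that keep only the last four digits, the vault keeps a keyed-hash index so a returning card maps to its existing token, and only a 'payment-processor' role may recover a PAN; encrypting the vault's own storage at rest (Transparent Data Encryption on the slide) is a separate control and is not modelled. The card number used is a standard test number, not a real account.

```python
"""Tokenization of a card PAN with a controlled-access vault.

Added illustration, not the retailer's system or Oracle's product code.
Assumptions: tokens are random values that keep only the last four digits,
the vault keys an HMAC index so a returning card maps to its existing
token, and only the 'payment-processor' role may recover a PAN. Encryption
of the vault's storage at rest (TDE on the slides) is not modelled here.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that rejects malformed card numbers at intake."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Secure tokenization repository (in-memory stand-in for the real store)."""

    AUTHORIZED_ROLES = {"payment-processor"}

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN (the only copy of the PAN)
        self.audit_log = []         # (actor, role, token, outcome)

    def _index(self, pan: str) -> str:
        # Keyed hash: without the key the small PAN space cannot simply be
        # enumerated against the index.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a token at first entry; the same PAN always
        yields the same token, so applications never need the PAN again."""
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Random core plus the last four digits for receipts and support desks;
        # the token carries no other card data and is not a card number itself.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str, actor: str, role: str) -> str:
        """Controlled access: return the PAN only to an authorized role and
        record every attempt so misuse is visible in the audit trail."""
        if role not in self.AUTHORIZED_ROLES:
            self.audit_log.append((actor, role, token, "denied"))
            raise PermissionError(f"role {role!r} may not detokenize")
        if token not in self._pan_by_token:
            self.audit_log.append((actor, role, token, "unknown-token"))
            raise KeyError("unknown token")
        self.audit_log.append((actor, role, token, "ok"))
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed input: a standard test card number, not a real account.
    token = vault.tokenize("4111111111111111")
    print("stored in order system:", token)
    print("settlement sees:", vault.detokenize(token, "settlement-batch", "payment-processor"))
    try:
        vault.detokenize(token, "report-writer", "reporting")
    except PermissionError as err:
        print("blocked:", err)
    print("audit:", vault.audit_log)
```

Every system outside the vault stores and passes around the token, which is why the slide can report that 98% of the uses of the card number disappeared: reporting, customer service and most of the order flow only ever need the token and its last four digits, and only the settlement path is granted detokenization.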

(22)

Case Study – US Specialty Retailer “B”

Solution Benefits

• Solution exceeded corporate PCI and SOX requirements
• Reduced use of credit card number by 98%
• Enabled single, hardened repository for credit card information
• Virtually no impact to applications or performance

(23)

Case Study – Global Financial Services

Meeting MA 201 CMR 17 & PCI Requirements

• Major Objective: Comply with New MA Privacy Law plus PCI DSS
• Key Concern
  • Introduction of Credit Card Information and Bank Account Information into Oracle EBS and Oracle PSFT
  • Providing Trusted Access on a “Need to Know” basis
• Environment
  • 27,000 plus Employees

(24)

Case Study – Global Financial Services

Solution Approach

• Disguise Data in production
  • Oracle Transparent Data Encryption
• De-identify data in development
  • Oracle Data Masking
• Limit privileged account access
  • Oracle Database Vault
• Limit end user access
  • Oracle Virtual Private Database

[Diagram labels: Monitoring, Access Control]
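Two of the controls on this slide, de-identifying data for development and limiting what end users and privileged accounts can read, are shown below as an added example in Python. It is not the financial services company's configuration and not Oracle Data Masking, Database Vault or Virtual Private Database code: the masking rules, the roles, the sample employee rows (a standard test card number and made-up account numbers) and the masking key are all assumptions. The row filtering mirrors what a VPD policy does by appending a predicate to each query, and the 'dba' rule mirrors the Database Vault idea that a privileged account can administer the data without reading it in the clear.

```python
"""De-identify a development copy and enforce need-to-know reads.

Added illustration, not the financial services company's configuration or
Oracle's product code. Masking rules, roles, sample rows and the key are
assumptions.
"""
import hashlib
import hmac

# Constructed sample rows standing in for EBS / PeopleSoft records; the card
# number is a standard test number and the account numbers are made up.
PRODUCTION_ROWS = [
    {"emp_id": 1001, "name": "Alice Example", "dept": "FIN",
     "card_pan": "4111111111111111", "bank_acct": "000123456789"},
    {"emp_id": 1002, "name": "Bob Example", "dept": "HR",
     "card_pan": "5555555555554444", "bank_acct": "000987654321"},
]
SENSITIVE_COLUMNS = ("card_pan", "bank_acct")


def derived_digits(key: bytes, value: str, n: int) -> str:
    """n decimal digits from HMAC(key, value). Deterministic, so the same real
    value masks to the same fake value in every table (joins still work), yet
    the real value cannot be recovered without the masking key."""
    out, counter = "", 0
    while len(out) < n:
        mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        counter += 1
    return out[:n]


def mask_row(row: dict, key: bytes) -> dict:
    """De-identify one row for development: length and the last four digits
    are kept so screens and tests behave; everything else is replaced."""
    masked = dict(row)
    for col in SENSITIVE_COLUMNS:
        real = row[col]
        masked[col] = derived_digits(key, real, len(real) - 4) + real[-4:]
    masked["name"] = "Employee " + derived_digits(key, row["name"], 6)
    return masked


def mask_table(rows: list, key: bytes) -> list:
    return [mask_row(row, key) for row in rows]


# Need-to-know policy for production reads. 'depts' None means every
# department, 'own' means only the caller's; 'clear' lists the sensitive
# columns the role may see unredacted. The 'dba' role administers rows but
# never sees card or account data in the clear.
ROLE_RULES = {
    "payroll":    {"depts": None,  "clear": ("bank_acct",)},
    "treasury":   {"depts": None,  "clear": ("card_pan",)},
    "dept_admin": {"depts": "own", "clear": ()},
    "dba":        {"depts": None,  "clear": ()},
}


def redact(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def need_to_know_select(rows: list, role: str, caller_dept: str) -> list:
    """Apply the row predicate and column redaction for the caller; an
    unknown role gets no rows, the safe default."""
    rule = ROLE_RULES.get(role)
    if rule is None:
        return []
    visible_rows = []
    for row in rows:
        if rule["depts"] == "own" and row["dept"] != caller_dept:
            continue
        visible = dict(row)
        for col in SENSITIVE_COLUMNS:
            if col not in rule["clear"]:
                visible[col] = redact(row[col])
        visible_rows.append(visible)
    return visible_rows


if __name__ == "__main__":
    dev_key = b"constructed-masking-key-placeholder"  # placeholder, not a real key
    for r in mask_table(PRODUCTION_ROWS, dev_key):
        print("dev copy:", r)
    for r in need_to_know_select(PRODUCTION_ROWS, "dept_admin", "HR"):
        print("HR admin sees:", r)
```

The masking is one-way and keyed: developers get rows that look and join like production, but a masked development database leaks nothing even if it is copied, which is what makes it acceptable to hand to contractors or offshore teams. The production policy then decides per caller which rows are returned and which columns are readable, so "need to know" is enforced by the data tier rather than by each application.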

(25)

Trusted Access to Credit Card & Bank Data

Technical Control Requirements

(26)

Case Study – Global Financial Services

Solution Benefits

• Solution achieved compliance prior to MA 201 CMR 17:00 Effective Date
• Operationalized within 4 months with minimal disruption to existing IT processes and applications
• Established foundation for

(27)

Lessons Learned

Consolidated Comments

• Don’t Underestimate Magnitude of Change
  • Some things can’t get done (now)
• Look Hard at Scale
  • How Big is It, Really?
• Vendor Resources & Experience Matter
  • Enterprise/Complete vs Best of Breed
• Combine Compliance/Security Initiatives
  • More for Your Money
• Start Simple, Fix Processes First, Add Controls Later

(28)

Summary

• Required investment in security is rising, due to
  • Increasing threats
  • Increasing regulations
• Take holistic approach
  • More than just PCI DSS compliance

(29)

What Are You Trying to Do?

• Check the Box vs Protect
• Culture & Security ROI?
• Preventive vs. Detective
• Compensating Controls?
• Point-In-Time vs. Realtime
• Who’s to Blame?

[Figure: Compliant vs. Secure]

PCI leaders are "going beyond" what their peers are doing to secure their environments

(30)

Information Security Trend

Where is the Bar Now? Much, Much Higher

(31)

References
