Sensitive Data Management in Financial Systems
Mike Gurevich, President and CEO, INVENTIGO
Spending Profile: Overall
• Organizations spend a median of 6% of their IT budget on security implementations.
• The worldwide market for information security services (including consulting, integration, management, and education and training) in 1998 was $4.8 billion. This figure is expected to grow to $16.5 billion by 2004, with security management services expected to be the fastest growing sector.
Sources: IDC's "European Security Services: Protecting e-business"; IDC's "Plugging the holes of e-commerce"
Spending Profile: Financial Services
Security budgets are ballooning:
• IDC's research indicates the financial services sector will continue to represent the single-largest source of security spending, growing from $848 million in 2000 to >$2 billion in 2005.
Why is IT security spending growing? Do financial institutions get the expected ROI?
Approach Determines Solutions. Solutions Drive Spending
• Data in Transit
• Data in Process
• Data at Rest
Where is the main focus?
Insecurity of IT Environments Drives Solutions
How secure is data in transit?
• Common practice: SSL (Secure Socket Layer) to encrypt communication links, PKI for authentication, XKMS and SACRED for key exchange.
• Security issue: none, if certificate management and interoperability issues are solved (PKI hygiene).
How secure is data in process?
• Common practice: generally not addressed. When "practiced", it is substituted by "access entitlement" provisions. All data is processed in the clear.
• Security issue: SSL endpoints create security gaps; data is in the clear at intermediary processing systems (such as credit verification systems). Susceptible to code perversion (viruses and Trojan horses) and insufficient code quality assurance (sensitive data in log files, etc.).
How secure is data at rest?
• Common practice: secure the IT environment but not the data.
• Security issue: external intrusion and attacks by insiders. Vulnerability is compounded by storage area networks (SANs), DRP backups, and universal data repositories ("wallets").
Data at rest and data in process are at risk
Never Ending Security Threats Drive Spending
External and internal attacks pose major threats
WHO: Charles Schwab. INCIDENT: Web site had a "cross-site scripting" vulnerability that could allow a hacker to access all of a customer's account actions. A hacker could buy and sell stocks or transfer funds while the customer was logged on to the account.
WHO: Contour Software. INCIDENT: A glitch in the software exposed at least 700 loan applications – including social security numbers (SSN) – on the Internet. A spokesman blamed a disgruntled former employee for turning off security settings.
Source: CSI/FBI 2002 survey. Diagram labels: Data in Transit, Data in Process, Data at Rest.
Current Focus: Predominantly on Firewalls and IDS*
Majority of attacks originate inside the organization
Diagram: Firewalls, Network Based IDS, Host Based IDS, Systems of Records
* IDS - Intrusion Detection Systems
Defenses Miss Majority of Attacks Anyway
Diagram: Firewalls, Network Based IDS, Host Based IDS, Systems of Records; threats shown as Intrusion (external) and Insiders
"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack."
"Attacks against a server might be detected, but a complex application-based attack might look like normal behavior." (David Ahmad, Moderator of the Bugtraq mailing list)
The CSI/FBI 2002 survey reveals the ineffectiveness of IT perimeter defense investments against external attacks: "Although 89% of respondents have firewalls and 60% use IDS, 40% report system penetration from the outside; and although 90% use anti-virus software, 85% were hit by viruses, worms, etc."
* IDS - Intrusion Detection System
Do financial institutions get the expected ROI?
Trend: Transformation Of Security Focus
Emerging market for Sensitive Data Management
Diagram: Current Focus → New Focus (Focus on the Core)
The Need For Transformation: Unsolved IT Risks and Diminishing ROI
• The majority of attacks originate inside the organization
• Perimeter defenses miss the majority of attacks
• Growing complexity of IT environments diminishes ROI
Sensitive data is at risk despite huge IT investments
The Need For Transformation: Unsolved Business Risks
• Risk of loss from unauthorized changes or introductions of false data
• Risk of exposure from theft of sensitive information
• Pressure for regulatory compliance
Sensitive data is at risk despite huge IT investments
The Need For Transformation: Regulatory Compliance in the Financial Industry
Regulatory compliance with the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act, or GLB) requires:
• Disclosure of policies and practices regarding disclosure of private financial information
• Prohibition of the disclosure of private financial information to unaffiliated third parties, unless consumers are provided the right to "opt out" of such disclosure
• Establishment of safeguards to protect the security and integrity of private financial information
The FRB, FDIC, OCC, OTS, NCUA, SEC, and FTC all need to be compliant. Regulatory agencies are required to begin audits.
The Need For Transformation: Regulatory Compliance in the Financial Industry (cont'd)
a) Access rights to customer information
b) Access controls on customer information systems, including controls to authenticate and grant access only to authorized individuals and companies
c) Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities
d) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
e) Procedures to confirm that customer information system modifications are consistent with the bank's information security program
f) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
g) Contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers
h) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
i) Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected
j) Protection against destruction of customer information due to potential physical hazards, such as fire and water damage
k) Response programs to preserve the integrity and security of customer information in the event of computer or other technology failure, including, where appropriate, reconstructing lost or damaged customer information
Sensitive data is at risk despite pressure for regulatory compliance
The Need For Transformation: The Trend (focus on the core - sensitive data at rest)
Directory Servers
• Sun1 Directory Server, CriticalPath Directory Server, Novell eDirectory
Databases
• RDBMS Vendors: field-level resource access control and obfuscation tools. Proprietary and intrusive to the application.
• RSA Security: encryption toolkits for some popular databases. Low-level.
• Protegrity: security management tool for databases. Encrypts entire columns of data and supplies a non-repudiable audit log.
Storage
• Decru: file-level encryption. Applicable to SAN and NFS configurations. Transparent to the client.
• Neoscale: block-level encryption (fundamentally faster than file-level but not as flexible). Applicable to SAN configurations and backup solutions. Transparent to the client.
• Vormetric: file-level encryption. Applicable to all DAS, NFS, and SAN configurations. Requires modification of the client-side OS with proprietary extensions to File IO.
The Need For Transformation: Alternative Approaches
Revolutionary: pervasive practice of the Principle of Least Authority (POLA)
• Each individual software object should have all the access authority it needs to do its job, but absolutely no more. The access rights must be fully, but absolutely minimally, adequate.
• Capability Based Computing
• E-Language
Pervasive practice of POLA requires a new programming language and/or OS
The Need For Transformation: Alternative Approaches
Evolutionary: apply the Principle of Least Authority to Sensitive Data only
• Focus on modeling Sensitive Data
• Focus on exchange of and access to Sensitive Data
• Focus on interoperability
• New product line: content aware firewalls
Applying POLA to Sensitive Data only requires a new product - the content aware firewall
The Need For Transformation: What is Needed
Standard Bodies
– Security for data in transit, in process, and at rest
– Technology and access method agnostic (CORBA, J2EE, File IO, SQL, XML)
– Granularity (field level)
– Convenience (non-intrusive, domain specific profiles, ease of management)
– Auditability (non-repudiation, digital subpoena)
– Verified Domain Specific Usage Profiles
Vendors
– Integrated/interoperable data firewalls
Enterprises, Regulatory Agencies
– Drive demand and requirements
The Need For Transformation: What is Needed (cont'd)
Requirements
• Transparent for existing applications
• Enhanced capabilities of new applications
– Granular sensitive data management (modeling, encryption, auditing, etc.)
– Key hygiene and interoperability with existing key stores and authentication systems
– Convenience (modeling, development, deployment)
– Acceptable QoS (speed, etc.)
• Interoperability with
– The security management ecosystem (IDS, etc.)
– Archiving solutions
Need for Standards: OMG In The Lead
Approach
Finance DTF – Leading the effort
• Core (jointly with Sec SIG)
• Infrastructure (jointly with Sec SIG and ADTF)
• Domain Specific Profile Definitions and Convenience Interfaces (examples)
– Secure DDR
– Secure Logging
– Digital Subpoena
• Deployment and validation
Need for Standards: OMG In The Lead
Approach
Security SIG – Active involvement
• Define Common Criteria Protection Profile for
– Core
– Infrastructure
– Profiles of Convenience Interfaces
• Endorsement
Analysis and Design PTF – Active involvement
• Review Infrastructure
– Sensitive Data Management PIM
Need for Standards: OMG In The Lead
Approach
Middleware and Related Services PTF – Potential interest (example)
• Domain Specific Profile Definitions and Convenience Interfaces
– Secure Object Persistence (secure J2EE CMP)
• Deployment and validation
Need for Standards: Profile Example
Profile for "Sensitive Data Exchange"
Originator:
– Data Elements: produces the Data Element(s) in clear text, at sufficient granularity.
– Keys: generates individual Key(s) for each Data Element.
– IKRs: acquires IKR(s). Preferably generates IKR(s) locally.
– Key Store: stores Key(s) in a Key Store referenceable by IKR(s). The Key Store should resolve IKR collisions for locally generated IKRs.
– Encryption Keys: preferably generates Encryption Key(s) locally using the Key(s) as seed(s).
– Sensitive Data Elements: individually encrypts the Data Element(s) using the Encryption Key(s).
– Message: contains Sensitive Data Element(s) together with (or means for obtaining) the IKR(s).
Need for Standards: Profile Example (cont'd)
Profile for "Sensitive Data Exchange"
Recipient:
– Message: receives the Sensitive Data Element(s). Receives/obtains the IKR(s).
– Key Store: retrieves Key(s) from the Key Store via the IKR(s).
– Decryption Keys: preferably generates Decryption Key(s) locally using the Key(s) retrieved from the Key Store.
– Data Elements: decrypts the Data Element(s) using the Decryption Key(s).
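The Originator and Recipient slides above describe a small protocol; the following Python is an added worked example (not from the presentation, and not OMG code) that models it end to end: one Key and one locally generated IKR per Data Element, collision resolution in the Key Store, Encryption/Decryption Keys derived from the stored Key used as seed, and per-element encryption with an integrity check that rejects a tampered element. The slides fix neither a cipher nor the IKR format, so HMAC-SHA256 in counter mode with an HMAC tag stands in for a production AEAD, IKRs are random hex strings, and all class and function names are assumptions of this example.

```python
import hashlib, hmac, os, secrets

SAMPLE = {"ssn": b"123-45-6789", "card": b"4111111111111111"}  # constructed test values

def _subkey(key: bytes, label: bytes) -> bytes:
    # Encryption/Decryption Key derived locally from the stored Key used as seed.
    return hmac.new(key, b"SDE:" + label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream: HMAC-SHA256 in counter mode (a deployed system would use an AEAD).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Produces one Sensitive Data Element: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Rejects a tampered element before any plaintext is released.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("Sensitive Data Element failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

class KeyStore:
    # Key Store referenceable by IKR; collisions of locally generated IKRs are resolved here.
    def __init__(self):
        self.keys = {}
    def add(self, key: bytes) -> str:
        while True:
            ikr = secrets.token_hex(8)          # locally generated IKR (format assumed)
            if ikr not in self.keys:
                self.keys[ikr] = key
                return ikr

def originate(store: KeyStore, elements: dict) -> list:
    # Originator: one Key and one IKR per clear-text Data Element; the Message carries SDE + IKR.
    msg = []
    for name, clear in elements.items():
        key = secrets.token_bytes(32)
        msg.append({"name": name, "ikr": store.add(key), "sde": seal(key, clear)})
    return msg

def receive(store: KeyStore, msg: list) -> dict:
    # Recipient: resolves IKR -> Key in the Key Store, derives the Decryption Key, decrypts.
    return {e["name"]: unseal(store.keys[e["ikr"]], e["sde"]) for e in msg}
```

Run `receive(store, originate(store, SAMPLE))` to see the round trip; flipping one ciphertext byte in a message element makes `receive` raise instead of returning corrupted data.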
Figure 2. Example of Instantiated Conceptual Model
(Diagram; component labels recovered from the slide: RDBMS Engine; IKS; PKS; File IO SD Facade and SQL SD Facade; SQL SD Proxy and File IO SD Proxy; SQL SDP Component and File IO SDP Component; SDP; SDE (SQL), SDE (RS), SDE (content); CDE (SQL), CDE (RS), CDE (Dir); SD Model and Modeling Tool; Backup ADP; DAS, NAS, SAN Backup Media.)
Need for Standards: OMG In The Lead
Next Steps
RFP "Sensitive Data Management" - completed
– Core
– Infrastructure
– Convenience Interfaces
RFC - the goal
– MDA-based specification for a "content aware firewall" that governs access to sensitive data
• Any access method (SQL, XML, GIOP, etc.)
• Any application environment (J2EE, CORBA, Web Services)
• Any operating system (Unix, Windows, etc.)