Compliance for the Road Ahead

Transcription

1 THE DATA PROTECTION COMPANY CENTRAL CONTROL A NTROL RBAC UNIVERSAL DATA PROTECTION POLICY ENTERPRISE KEY DIAGRAM MANAGEMENT SECURE KEY STORAGE ENCRYPTION SERVICES LOGGING AUDITING Compliance for the Road Ahead Protect and Control More Data in More Places No Matter What Changes whitepaper For retailers, payment processors, financial institutions, and any other organization managing credit card data, compliance with the Payment Card Industry Data Security Standard (PCI DSS) has been a core responsibility since Executive Summary Regulatory mandates are nothing new, but in most organizations, the pressure, cost, and effort required to sustain compliance are reaching unprecedented levels. Compliance is challenged by evolving mandates, infrastructure changes like data center consolidation, new deployment models like cloud and virtualization, as well as advancing threats to the security of sensitive data itself. As a result, organizations too often embark on compliance projects that patch holes in the system, only to have to start the process all over when the next audit or mandate comes along. A new approach is needed in order to meet compliance obligations in an efficient and cost-effective manner a layered unified approach called the Compliance Infrastructure. This paper discusses the advantages and components of a Compliance Infrastructure, as well as detailing many of the key requirements for a successful approach to compliance. Introduction: New Challenges in Compliance Compliance mandates are nothing new. For retailers, payment processors, financial institutions, and any other organization managing credit card data, compliance with the Payment Card Industry Data Security Standard (PCI DSS) has been a core responsibility since For healthcare institutions, compliance with the Health Insurance Portability and Accountability Act (HIPAA) has been a requirement since For U.S. government agencies, the Federal Information Security Management Act (FISMA) went into effect in For energy companies, compliance with the cyber security standards of the North American Electric Reliability Corporation (NERC) has been a requirement since Data privacy regulations, which first went into effect in California in 2002, are now established in the European Union, Canada, dozens of U.S. states, and many other regions. While regulatory mandates have been around for some time, almost everything about complying with them is new and addressing regulatory mandates has come to represent an increasingly significant portion of the security professional s objectives, responsibilities, and daily work. The reality is that the number of relevant mandates has increased over the past few years, and the guidelines, rules, and interpretations of each regulation continue to evolve. Information Lifecycle Protection Whitepaper 1

2 With a traditional compliance approach, overlapping, disconnected technologies and a patchwork of policies create an environment in which it becomes very difficult to apply protection and enforce policies globally and consistently. Further, the infrastructures and assets that need to be protected and the risks they re exposed to change constantly. Here are just a few of the challenges that result: The scope and complexity of mandates are increasing. Compliance mandates continue to grow in scope and complexity. For example, when first unveiled in 2004, the PCI DSS ran 12 pages. The most recent version of the standard now spans 85 pages and that s not including such supplemental resources as the virtualization guidelines published in June 2011, which are 39 pages long. For healthcare institutions, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 broadened the scope of HIPAA s privacy and security protections and expanded the potential legal liability for non-compliance. Disparate infrastructures drive costs higher, and open security gaps. With more regulations and complexity, it s no surprise that more time and money is being spent on compliance, but often in silos rather than applied consistently across the environment. In most organizations, complexity increases while control decreases, as many compliance initiatives and security deployments are done in an isolated fashion. Heterogeneous technologies and unique policies are often applied in a decentralized manner, which can create redundancy and introduce security gaps. Further, investments are not leveraged across different parts of the organization, or across multiple compliance initiatives. Mandates can slow the implementation of innovation. For many organizations, the obligations of regulatory mandates stand in the way of adoption of such IT innovations as virtualization, software as a service (SaaS), infrastructure as a service (IaaS), and so on. In other cases, many businesses have postponed or halted planned geographic expansion due to regional regulations. Finally, compliance mandates, and the security measures employed to comply with them, can also pose significant challenges as organizations enter into mergers, acquisitions, and other strategic initiatives. Why the Traditional Approach is No Longer Effective When confronted by an audit event or a business change that affects compliance, many organizations address the initiative with a consultant-and-checklist approach. A vendor is brought in, several consultants set up shop on site (often at hundreds of dollars per hour), and the team runs through checklists to make sure that all the controls are in place and all the sensitive data is properly protected. Depending on the organization, this can take weeks or months, and often pulls in-house IT or security resources into the project. At the end of the compliance project, the consultants leave with a completed checklist that allows the organization to pass a particular audit event. The problem then becomes the next compliance event, where the process starts all over again. This narrow outside looking in approach doesn t address compliance initiatives broadly, or seek to change the way data and information gets stored, processed, or filtered in an organization s ecosystem. The consultantand-checklist approach analyzes what an organization already has in place, and aims to patch up any problems and gaps that it finds. This approach creates three main areas of challenge: High cost and operational inefficiencies. The security platforms, processes, and controls implemented for a specific compliance mandate are procured separately, and often deployed and maintained by different groups or business units within the organization. Over time, security mechanisms that are used to address specific mandates, such as encryption platforms, can effectively creep across an organization. It s not uncommon for dozens of similar, overlapping, and redundant technologies from multiple vendors to be deployed. If that happens, organizations pay a premium for upfront expense, longterm maintenance, and assessments. With so many groups managing so many different security domains, organizations are susceptible to having staff waste time, effort, and resources. Information Lifecycle Protection Whitepaper 2

3 Low visibility and control. The reality for organizations is that sensitive and regulated data resides in a large number of repositories, spanning disparate systems, service providers, and locations. In approaching compliance by the point, organizations lose a central mechanism for setting and enforcing policies across these systems and locations. This is particularly problematic when organizations are audited and have to demonstrate that policies are being enforced. Security gaps. A piecemeal approach creates isolated pockets of workflows and technologies, which makes it difficult, if not impossible, to consistently enforce protection and policies across the enterprise. Consequently, organizations are more likely to experience security gaps and failed audits, and can be more exposed to loss of sensitive data should a security breach occur. Web/App Servers IBM bea JBoss J2EE Sun Oracle Apache Database Servers IBM DB2 Oracle SQL Server Teradata Mainframes IBM z/os File Shares Windows Server Samba Novell Netware Storage NetApp Proprietary Systems Laptops/Desktops Citrix Microsoft Cloud/Virtualization Xen vmware Figure 1. Potential for encryption creep within an enterprise environment. With a traditional compliance approach, overlapping, disconnected technologies and a patchwork of policies create an environment in which it becomes very difficult to apply protection and enforce policies globally and consistently. Gaps can appear even with slight changes to mandates or infrastructure, resulting in loss of control, visibility, and security, as well as extremely inefficient operations. A Forward-Looking Compliance Perspective When organizations look at their compliance process from the other direction the inside looking out one point becomes clear: several core information security principles serve as the foundation of many mandates, even if the objectives of the mandates vary. Core principles for most compliance initiatives are: Ensuring confidentiality of data. This includes keeping confidential data only when needed. It means minimizing the number of places sensitive data is stored, and controlling access to regulated data in order to ensure it is only accessed by authorized users for approved purposes. Information Lifecycle Protection Whitepaper 3

4 Creating a unified Compliance Infrastructure eliminates encryption creep and technology silos, replacing them with a unified and controllable platform for managing and enforcing security and policies across heterogeneous environments. Maintaining the integrity of data. Organizations need to ensure their sensitive information isn t inadvertently or maliciously modified. Enforcing administrator separation of duties on systems with confidential data. To ensure organizations are guarding against abuse by administrators and other privileged users, many compliance mandates require that organizations set up administrative controls, so multiple administrators must participate in order to complete highly sensitive tasks. By doing so, organizations can limit the damage any one rogue administrator can inflict. Maintaining audit and log records of confidential data and activities. In order to ensure that security teams and auditors gain the visibility needed, many mandates require that organizations effectively log and track activities that pertain to sensitive data. This includes tracking when sensitive data is encrypted or decrypted, auditing key management activities, and so on. Taking this perspective, SafeNet s Compliance Infrastructure enables organizations to support, manage, and enforce these commonalities, delivering value beyond simply passing an audit. Creating a unified Compliance Infrastructure eliminates encryption creep and technology silos, replacing them with a unified and controllable platform for managing and enforcing security and policies across heterogeneous environments. This framework reduces the potential for accidentally opening up security and compliance holes during an infrastructure change, and delivers dramatically improved security, visibility, and operational efficiencies. Best practices organizations use this approach to efficiently and effectively comply with evolving regulations, while also delivering consistent protection, organizational agility, and the opportunity to meet the goals of the business as demands change. Core Principles of a Compliance Infrastructure SafeNet s Compliance Infrastructure is based on three core principles, covering the manner in which organizations maintain protection and control of their sensitive data, as well as how to establish their preparedness to adapt to changing infrastructures, deployment models, or new mandate evolutions. Unified Data Protection Foundation: A Compliance Infrastructure addresses the current needs of the organization across a wide set of systems, whether sensitive data resides in physical or virtual data centers, or in structured or unstructured formats. With a unified data protection foundation, organizations establish a common framework for their data protection strategies, and are able to enforce rules and policies consistently, across more data types and in more places. Not only does this lead to greater operational efficiencies but also improved protection of sensitive data and fewer failed audits. Centralized Control and Visibility: A Compliance Infrastructure establishes a central point of control and management, covering encryption technologies, keys, policies, logging, and audits. Access controls are critical to the ability to prove control of your data and policies. This concept is also essential to enforcing separation of duties. Through centralized control mechanisms, organizations gain visibility and operational efficiency, and can standardize and attest to the enforcement of security and policy controls: Across the enterprise with an integrated foundation for managing encryption, tokenization, logging, and auditing, with access controls across the entire infrastructure including application servers, mainframes, databases, laptops, and more. Information Lifecycle Protection Whitepaper 4

5 Across the lifecycle of regulated data with granular capabilities that security administrators need to enforce data protection controls. For example, with an encryption solution connected directly to each application that connects with sensitive data, customers can encrypt regulated data as soon as it enters business applications, and ensure that data remains encrypted throughout its lifecycle whether it is saved to a database, storage system, or cloud-based archive and can only be decrypted by authorized users for authorized purposes. Across all security activities with an effective management console that can offer centralized visibility, control, management, and enforcement. For example, organizations should employ a key management system that enables central management of cryptographic keys and policies for multiple encryption platforms, including those from multiple vendors. By centralizing policy enforcement and logging, these infrastructures enable security teams to efficiently enforce the requisite levels of control and ownership. Mainframes File Shares Web/App Servers IBM bea JBoss J2EE Sun Oracle Apache Database Servers IBM DB2 Oracle SQL Server Teradata IBM z/os Windows Server Samba Novell Netware Storage NetApp Proprietary Systems Laptops/Desktops Citrix Microsoft Cloud/Virtualization Xen vmware DATA POLICY Figure 2. With a Compliance Infrastructure in place, organizations can apply security policies across widely heterogeneous systems and services. Evolves with Changing Mandates and Infrastructures. A Compliance Infrastructure is able to adapt easily and quickly to both changing mandates and evolving infrastructure technologies, including virtualization, and public, private, and hybrid cloud offerings. By delivering on capabilities such as persistent protection, elastic encryption, anchored identity, and secured communication, a Compliance Infrastructure enables organizations to retain complete control over how data is isolated, protected, and shared, even in multitenant, public cloud environments. Information Lifecycle Protection Whitepaper 5

6 RBAC ACCESS CONTROL CENTRAL CONTROL UNIVERSAL DATA PROTECTION POLICY ENTERPRISE KEY DIAGRAM MANAGEMENT SECURE KEY STORAGE ENCRYPTION SERVICES LOGGING AUDITING The Components of a Compliance Infrastructure SafeNet s Compliance Infrastructure encompasses a range of modular but integrated functions, that work together to address the compliance requirements of today s organizations, as well as evolving mandates and infrastructures. Encryption Services and Related Technologies Many regulations, including PCI DSS, mandate that sensitive data be adequately protected. Safeguarding regulated data in applications, databases, mainframes, storage systems, laptops, and other areas is a critical requirement for security and compliance. With encryption (and related technologies) employed, even if an organization s initial defenses are subverted, they can still guard these critical repositories against theft and manipulation. This will not just meet the demands of regulation but will also protect your business interests. Figure 3. The framework of SafeNet s Compliance Infrastructure. Organizations can leverage encryption solutions that provide granular control over confidential information. Encryption can give security teams an essential means to not only guard against unauthorized access to sensitive records, but to provide the visibility needed to control and track who has accessed or modified sensitive information. With format-preserving tokenization technology, organizations can convert sensitive records, such as social security numbers or credit card numbers, to an encrypted token in the same format. By preserving the format of information, applications and end user transactions can continue to operate seamlessly, while security teams limit access to sensitive assets. Secure Key Storage Securing cryptographic keys provides reliable protection for applications, transactions, and information assets. With keys securely stored in hardware, you can ensure both high performance and the highest security available. With robust HSMs, encryption appliances, and key management solutions, organizations can maximize the security of encryption keys and policies, adding a critical line of defense for confidential information. This approach is also the easiest way for organizations to integrate application security in order to achieve regulatory compliance. Enterprise Key Management A critical requirement for many compliance mandates and security best practices is centralized, efficient, and secure management of cryptographic keys and policies across the key management lifecycle and throughout the enterprise. Some challenges include restricting access to the fewest number of administrators, regular key rotation, separation of duties, and more. Universal Data Protection Policy Policy definition must include the definition of assets, entities and access modes and the relationships between them in a way that makes sense to both the administrator for setup and management, and lower-level key management components for enforcement. The Compliance Infrastructure makes it easy to apply a policy once and have it implemented and enforced across the enterprise. Information Lifecycle Protection Whitepaper 6

7 Role-based Access Control Making sure only the right people can access private information in today s high-risk environments is a critical need if organizations are going to meet their customer and partner expectations. This is also a vital requirement for addressing a range of regulations. Layering access control with both strong, multi-factor authentication solutions and hardware security modules (HSMs) ensures only authorized individuals can access regulated information. Logging and Auditing To be effective, the Compliance Infrastructure must deliver capabilities for centrally, comprehensively, and efficiently tracking the activities relating to regulated data. For example, authentication management platforms should enable organizations to centrally manage authentication devices and policies across an enterprise. This management platform must also provide a centralized, efficient way to track and report on authentication-related activities. In addition, encryption appliances should maintain an extensive set of log files that can be used to track administrator and user activities. Central Control As mentioned previously, a Compliance Infrastructure provides an integrated foundation for managing security controls across the entire infrastructure, which is critical for an effective approach to compliance. In addition, centralized security mechanisms can enforce separation of duties. For example, encryption appliances can be configured to require that multiple administrators approve sensitive actions, such as cryptographic key creation or deletion. SafeNet Authentication CONTROL CENTRAL DATASECURE & SAM KEYSECURE DIAGRAM HARDWARE SECURITY MODULES AES, 3DES, DES, RSA, DATA TOKENIZATION, ETC. All SafeNet Systems SafeNet s Modular Compliance Infrastructure Solutions SafeNet delivers a broad, robust, and flexible set of solutions that allow organizations to move away from a disjointed compliance approach and toward a unified and controllable Compliance Infrastructure, which allows them to fully protect sensitive data across heterogeneous environments; centrally control, manage, and enforce policies; and maintain compliance no matter what changes flexibly adapting to new mandates and rapidly evolving infrastructures. SafeNet helps some of the world s largest and most well-known organizations efficiently and effectively comply with their evolving regulations; delivering consistent protection, agility, and the opportunity to easily and cost-effectively meet their business goals as demands and landscapes change. Figure 4. SafeNet provides a complete set of solutions supporting the Compliance Infrastructure. ProtectApp ProtectDB ProtectZ StorageSecure ProtectV Instance ProtectV Volume KIMP/SOA APIs Extensible Information Lifecycle Protection Whitepaper 7

8 Category SafeNet Products Table 1. SafeNet provides a complete set of solutions supporting the Compliance Infrastructure. Encryption Services (and related technologies) ProtectdB: Encryption for structured data ProtectFile: Encryption for file servers and unstructured data ProtectApp: Encryption for application data ProtectZ: Encryption for z/os mainframes Tokenization Manager: Reducing audit scope for compliance Secure Key Storage HSM: Securing of keys and certificates in hardware KeySecure: Hardware-based key and policy management Enterprise Key Management HSM: Securing of keys and certificates in hardware KeySecure: Hardware-based key and policy management Universal Data Protection Policy Enforcement SAM: Centralized identity and authentication management Logging and Auditing All SafeNet Products Role-based Access Control SAM: Centralized identity and authentication management Central Control Information Lifecycle Protection Whitepaper 8

9 Conclusion As organizations face ongoing audits, new or evolving regulations, infrastructure changes, and compliance in virtual environments, a new approach to compliance is required one that can unify data protection technologies and strategies, centralize critical control and visibility, and do it all with the agility that today s constantly changing environment demands. SafeNet s Compliance Infrastructure helps organizations around the world persistently protect their sensitive data, rapidly address new mandates, increase operational efficiencies, drive out cost, and gain full control over compliance, even as infrastructures and compliance mandates evolve. About SafeNet Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet s data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments. Contact Us: For all office locations and contact information, please visit Follow Us: SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) Information Lifecycle Protection Whitepaper 9