Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

Transcription

1 Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS) How Financial Institutions Can Comply to Data Security Best Practices Vormetric, Inc N. 1st Street, San Jose, CA United States: United Kingdom: South Korea:

2 Page 1 Executive Summary In June 2013, the Monetary Authority of Singapore issued new guidelines concerning technology risk management. These rules took effect on July For financial institutions in Singapore, complying with these guidelines will be a critical endeavour. This white paper looks at the specific guidelines the TRM provides in the area of data security, and it details how the Vormetric Data Security Platform can help address these requirements. Introduction For financial institutions in Singapore, security threats, customer requirements, and technological environments continue to evolve with increasing rapidity. However, in spite of all this change, the fact is that safeguarding customer data and protecting systems and processes from attacks has been and will remain a critical endeavour. To help financial institutions in addressing these objectives, the Monetary Authority of Singapore (MAS) published Technology Risk Management (TRM) Guidelines. These guidelines are intended to help financial firms establish sound technology risk management, strengthen system security, and safeguard sensitive data and transactions. The TRM contains statements of industry best practices that financial institutions conducting business in Singapore are expected to adopt. The MAS makes clear that, while the TRM requirements are not legally binding, they will be a benchmark the MAS uses in assessing the risk of financial institutions. Many of the guidelines from the MAS concern the security of sensitive data and the keys used to encrypt that data. In the following sections, the white paper introduces the Vormetric Data Security Platform. The paper then details the specific TRM requirements that relate to data security, and it reveals how the Vormetric Data Security Platform can help organizations comply with these requirements. Addressing MAS TRM Security Guidelines for Data-at-Rest The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across an entire organization and can help financial institutions satisfy many of the TRM guidelines. The Vormetric Data Security Platform consists of several product offerings that share a common, extensible infrastructure. The solution features capabilities for data-at-rest encryption, key management, privileged user access control, and security intelligence. Through the platform s centralized policy and key management, customers can address security policies and MAS TRM guidelines across databases, files, and big data nodes whether they re located in the cloud or in virtual or traditional infrastructures. With this platform s comprehensive, unified capabilities, a financial institution can reduce their total cost of ownership for deploying and maintaining data-at-rest security. Further, these features enable organizations to deploy and expand quickly, so they can more consistently meet their audit deadlines. Unstructured Files Structured Databases Application- Layer Big Data Security Intelligence Collection Cloud Vormetric Data Security Manager SIEM Integration TDE Key Management Privileged User Access Control KMIP Compliant Keys Certificate Storage

3 Page 2 The Vormetric Data Security Platform features the following products: Vormetric Data Security Manager. Vormetric Data Security Manager offers centralized management of keys and policies for the entire suite of products available within the Vormetric Data Security Platform. The product is available as a physical or virtual appliance. Vormetric Transparent Encryption. This offering leverages an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories, and volumes. Vormetric Transparent Encryption supports both structured databases and unstructured files. Vormetric Application Encryption. Vormetric Application Encryption employs standards-based APIs to simplify the process of doing column-level encryption in applications. Vormetric Key Management. With this product, administrators can centrally manage keys for Vormetric products, Oracle TDE, Microsoft TDE, and more. In addition, the product securely stores certificates and offers support for the Key Management Interoperability Protocol (KMIP). Vormetric Security Intelligence. Vormetric Security Intelligence can deliver granular file access logs to popular security information and event management (SIEM) systems and be used to support audits. Vormetric Data Security Platform Support for MAS TRM: Sections 8-13 Many of the MAS TRM guidelines offer detailed guidance for how financial institutions should safeguard sensitive assets at rest in different IT systems. The following table looks at many of these guidelines and details how the Vormetric Data Security Platform can be used to satisfy these requirements. Guideline Description The FI should encrypt backup tapes and disks, including USB disks, containing sensitive or confidential information before they are transported offsite for storage Confidential information stored on IT systems, servers and databases should be encrypted and protected through strong access controls, bearing in mind the principle of least privilege c Access control principle The FI should only grant access rights and system privileges based on job responsibility and the necessity to have them to fulfil one's duties. The FI should check that no person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities. By encrypting data at the file-system level or at the application layer, Vormetric Data Security Platform can help financial institutions ensure information is secured as it backed up to tapes, disks, and other storage mechanisms. The Vormetric Data Security Platform provides centralized management of encryption keys and policies, which significantly simplifies customer data life cycle management. With Vormetric Transparent Encryption, organizations can employ encryption and privileged user access control to secure confidential customer data wherever it resides including in physical, big data, and cloud environments. Vormetric Transparent Encryption can effectively enforce least-privileged access control with fine-grained security policies. The solution enables administrators to control data access by a range of factors, including user, process, and resources. Vormetric Security Intelligence also provides comprehensive data access logs that can be fed into SIEM solutions for compliance analysis and reporting. With Vormetric Transparent Encryption, security teams can enforce very granular least-privileged user access policies. Granular policies can be applied by user, process, file type, time of day, and other parameters. Enforcement options are very granular; they can be used to control not only permission to access clear-text data, but what file-system commands are available to a user.

4 Page 3 Guideline Description The FI should only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required. The FI should ensure that the resource owner duly authorises and approves all requests to access IT resources. With the Vormetric Data Security Platform, administrators, by default, must create a strong separation of duties between encryption policy and key administrators, as well as data owners. The Vormetric Data Security Platform encrypts files, while leaving their metadata in the clear. In this way, IT administrators, such as hypervisor, cloud, storage, and system administrators can perform their system administration tasks, without being able to gain access to the sensitive data residing on those systems. For those managing the Vormetric system infrastructure, also have separated role based responsibilities to assure the utmost protection and institution of best data security practices Privileged Access Management d. Grant privileged access on a need-to-have basis e. Maintain audit logging of system activities performed by privileged users f. Disallow privileged users from accessing systems logs in which their activities are being captured. Vormetric Transparent Encryption provides finegrained, policy-based access controls that restrict access to encrypted data. Privileged users whether cloud, virtualization, or storage administrators can manage systems, without gaining access to encrypted data, unless they have expressly been granted permissions to do so. Vormetric logs capture all access attempts to protected data. These security intelligence logs can accelerate detection of advanced persistent threats (APTs) and insider abuse because they offer visibility into file access. Further, these logs provide vital intelligence needed to track and demonstrate compliance. These logs can t be accessed by privileged users and are only accessible by assigned security auditor or security administrators. 13 payment card security (automated teller machines, credit and debit cards). The Vormetric Data Security Platform delivers the data-at-rest security capabilities that your organization needs to safeguard cardholder data, wherever it resides. With broad support of Windows, Linux and UNIX operating systems, a host of platforms can be supported at both the file-system and the application layer. To learn more about Vormetric PCI DSS Support visit: Vormetric Data Security Platform Support for MAS TRM Appendix C: Cryptography The MAS TRM Appendix C offers very specific guidelines for implementing a best-in-class cryptographic solution. Vormetric Data Security meets or exceeds these guidelines as follows: TRMG Section C.2.2. C.2.3. Functions that involved cryptographic algorithms and crypto-key configurations are vetted for deficiencies and loopholes. The choice of ciphers, key sizes, key exchange control protocols, hashing functions and random number generators are evaluated. There is sufficient size and randomness of the seed number to preclude the possibility of optimised brute force attack. Vormetric supports standards based AES256 bit encryption. The policy and key manager is available with FIPS Level 2 and FIPS Level 3 validation. In addition, Vormetric supports NSA Suite B cryptographic algorithms. The Vormetric Data Security Manager supports two factor authentication for administrative access. Vormetric Key Management offers supports encryption algorithms, AES256 bit, which offer the highest levels of protection against brute force attacks. Also supported as part of NSA Suite B cryptographic algorithms: Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures Elliptic Curve Diffie Hellman (ECDH) key agreement Secure Hash Algorithm 2 (SHA-256 and SHA-384) message digest

5 Page 4 TRMG Section C.3.1 Cryptographic key management policy and procedures covering key generation, distribution, installation, renewal, revocation and expiry are established. By leveraging the Vormetric Data Security Manager, security teams can securely manage cryptographic keys throughout their lifecycle. Vormetric Data Security Manager centrally generates and stores cryptographic keys. The actual keys are never visible to anyone, including key custodians or systems administrators. Vormetric also provides extensive audit capabilities that enable reporting on all key operations and activities, including key generation, distribution, installation, renewal, revocation, and expiry. When keys are distributed to agents, they are encrypted with a one-time-use AES-256 master key and sent over a mutually authenticated TLS connection. Cryptographic keys are generated securely. All materials used in the key generation process are destroyed after usage. Vormetric Data Security Manager (DSM) supports C3.2.1 by ensuring cryptographic keys are generated using FIPS certified OpenSSL or an integrated HSM card to generate the seed for key generation. The actual keys are never visible to anyone, including key custodians or systems administrators. The DSM implements separation of duties. Vormetric DSM restricts access to keys and key management activities to security administrators. With these safeguards, security team can ensure that only authorized key custodians gain access to key controls. When we generate a key, the seed is generated by FIPS certified OpenSSL or HSM card, all the factors for the seed are from HSM card hardware; they are random and will not be persistent. C.3.2 C.3.3 No single individual knows any key in its entirety or has access to all the constituents making up the keys. All keys are created, stored, distributed or changed under stringent conditions. Unencrypted symmetric keys are entered into tamper resistant device, such as hardware security module, only in the form of at least two components using the principles of dual control. With Vormetric Data Security Manager, actual keys are never visible to anyone, including key custodians or systems administrators. The product also supports an M-of-N sharing scheme for backing up keys. As a result, a specific number of shares must be provided in order to restore the encrypted contents of a Vormetric Data Security Manager archive in a new or replacement platform. YES. With Vormetric solutions, all key lifecycle management processes can take place on a hardened, FIPS compliant hardware appliance. With Vormetric Key Management, organizations can centralize keys for many different encryption platforms on these secure devices. With the product, administrators can centrally manage and secure keys generated by the Vormetric Data Security Platform, IBM InfoSphere, Guardium Data Encryption, Oracle TDE, Microsoft TDE, and KMIP-compliant encryption products. Symmetric keys stored in the DSM are always encrypted. The master encryption key is stored in the HSM. With Vormetric solutions, the master encryption keys can be stored and secured in a hardware appliance that is FIPS Level 3 validated. Strong separation-of-duties policies can be enforced to ensure that one administrator does not have complete control over data security activities, encryption keys, or administration. In addition, the Vormetric Data Security Manager supports two-factor authentication for administrative access.

6 Page 5 TRMG Section C.3.4 C.3.5 C.3.6 C.3.7 The appropriate crypto period for each cryptographic key is considered and decided. The frequency of key changes is determined by the sensitivity of data and operational criticality. Hardware security modules and keying materials are physically and logically protected. Cryptographic keys are not exposed during usage and transmission. When cryptographic keys expired, a secure key destruction method is used to ensure keys could not be recovered by any parties. With the Vormetric Data Security Platform, security teams can centrally manage cryptographic keys for multiple encryption devices; these teams can efficiently and consistently enforce key rotation policies as dictated by data sensitivity levels. With Vormetric Data Security Manager, organizations can manage keys on FIPS level 3 compliant hardware appliances that have been validated to address some of the most stringent demands for physical tamper resistance. Further, the platform offers a range of logical protections, including requiring multi-factor authentication and separation of duties to control administrative access. With the Vormetric Data Security Platform, organizations can leverage robust controls to ensure keys remain secure at all times. With the Vormetric Data Security Manager, cryptographic keys are centrally and securely generated and stored. The actual keys are never visible to anyone, including key custodians or systems administrators. Further, clear text keys never leave the Vormetric Data Security Manager appliance. When keys are distributed to agents, they are encrypted with a one timeuse AES 256 key and sent over a mutually authenticated TLS connection. During usage encryption keys will have to remain in the clear. When not in use they will be obfuscated. With the Vormetric Data Security Manager, administrators can permanently delete keys, and take steps to ensure they can t be recovered. C.3.8 C.3.9 When changing a cryptographic key, a new key is generated independently from the previous key. A backup of cryptographic keys is maintained. The same level of protection as the original cryptographic keys is accorded to backup keys. Compromised keys and all keys encrypted under or derived from compromised keys are immediately revoked, destroyed and replaced. YES. With the Vormetric Data Security Manager, administrators can rotate cryptographic keys according to security requirements and policies. When new keys are generated, they are always completely independent from prior keys. Vormetric Data Security Manager features redundant components and the ability to cluster appliances for fault tolerance and high availability. The product also offers support for manual and automated backups. All the DSM backups are encrypted by AES256 wrapper keys, and the wrapper keys can only be transferred between DSMs using M-of-N sharing scheme. Cryptographic keys can changed by key custodians In the event a key has been weakened or compromised. In addition, once a key has been replaced, the custodian can ensure it is permanently deleted. C.3.10 All parties concerned with the revocation of the compromised keys are informed. Vormetric Security Intelligence provides extensive auditing logs that report on a host of user and administrative activities, including key revocation and other key management tasks. The solution provides extensive audit capabilities that can be used to report on all activities relating to key usage, including key generation, rotation, destruction, import, expiration, and export. Vormetric features security intelligence integration for HP ArcSight, IBM QRadar, McAfee ESM, LogRhythm, and Splunk. Sharing these logs with a SIEM platform helps uncover anomalous patterns that can prompt further investigation, and it can streamline the communications needed to ensure any changes are communicated with the staff necessary.

7 Page 6 Vormetric: Enabling Customer Success for Financial Institutions Vormetric Data Security is quick and easy to administer, while having negligible impact on performance. It s the perfect solution for meeting PCI DSS requirements. Daryl Belfry, Director of IT, TAB Bank Vormetric Data Security offered us an easier yet effective method to encrypt our SQL Server databases and comply with PCI DSS encryption and key management requirement. Troy Larson, Vice President, Information Systems, MetaBank Vormetric encryption was easy to implement, scalable for every type of platform and use case, and encrypted the data with controls on the privileged user. An executive with a leading global investment bank. By adopting Vormetric solutions, this organization reduced the the project timeline for their compliance initiative from 24 months to 2.4 months. The Vormetric Data Security Platform support their heterogeneous database environment, which includes Sybase, Oracle, Microsoft SQL Server, Progress, and more. Vormetric is the only solution that can meet our critical timeline, and be able to support the older version of MSSQL database that we have. A manager at an ASEAN bank that has deployed Vormetric solutions to address MAS TRM requirements We have looked at many data encryption solutions and also at options for native database encryption, and the Vormetric solution scored far ahead of these other alternatives. Plus, Vormetric delivered a proof of concept smoothly and within two days. An executive with Singapore-based bank that has acquired Vormetric solutions to support MAS TRM compliance Conclusion To safeguard sensitive customer data and comply with such standards as the MAS TRM guidelines, organizations need to apply consistent, robust, and granular controls. With the Vormetric Data Security Platform, customers can leverage the flexible integration, comprehensive capabilities, and centralized policy and key management they need to efficiently address these rules throughout the organization. About Vormetric Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1,400 customers, including 17 of the Fortune 30 and many of the world s most security conscious government organizations, to meet compliance requirements and protect what matters their sensitive data from both internal and external threats. The company s scalable Vormetric Data Security Platform protects any file, any database and any application anywhere it resides with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit: Copyright 2014 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric.