4 Steps to Financial Data Security Compliance Technologies to Help Your Financial Service Organization Comply with U.S.

Transcription

1 4 Steps to Financial Data Security Compliance Technologies to Help Your Financial Service Organization Comply with U.S. Regulations

2 Introduction Legislation related to data security in financial services and cardholder protection has taken hold fairly quickly in the United States and is still evolving at a rapid pace. Financial service organizations are finding themselves under increasing pressure to modify business processes and IT infrastructure in a fundamental manner to meet compliance challenges. However, these organizations often lack sufficient security-specific technical knowledge and experience to design and deploy robust security solutions at maximum efficiency. Budgets and other resources have been stretched to the limit in the wake of growing internal demands for improved protections for business data and applications, external demands from customers and consumers regarding privacy and financial safety, and legislative pressure for significantly heightened controls and reporting mechanisms. The question is: How can a financial service organization respond to the serious security threats against business systems, and employee and customer data in ways that minimize the costs of data security compliance, ensure the adaptability of security solutions over time, meet all relevant compliance requirements, and adequately reduce exposure to risk? Today s financial service organizations, of all sizes, must incorporate substantial protections across diverse IT systems and business processes, extending IT budgets and personnel to accommodate new security purchases and added security management needs for the entire enterprise infrastructure. This paper examines existing regulations and provides an understanding of the breadth and scope of relevant security technologies that can ensure your organization will be able to make wise, cost-efficient decisions regarding security strategies, policies, and technology implementations. Evolving Data Security Threats Growing Number and Diversity of Attacks Years ago, only the occasional big-time computer hacker made headlines; today, data theft and attempts at data breaches are commonplace. According to the Privacy Rights Clearinghouse, between January 2005 and June 2007 over 155 million individual records in the U.S. were reported compromised through unauthorized access to data systems, insider wrongdoing, administrative incompetence or theft of computers and other storage media. Widely publicized incidents include: A phishing attack that resulted in the illegal sale of customer account information by a bank employee to a business posing as a collection agency may have resulted in the breach of 670,000 customer accounts. An estimated forty million compromised credit cards at outsourcing vendor CardSystems Solutions hacked. Page 1 of 12

3 The loss of unencrypted tapes containing information on 3.9 million customers, followed by the theft of debit card PINs resulted in several hundred fraudulent cash withdrawals in Canada, Russia, and the United Kingdom Finally, the unauthorized intrusion at TJX that lead to the breach of 94.5 million cards 8 class-action lawsuits filed. In total, analysts estimate a $1 billion loss from this breach. Data breach figures swell even further if unreported incidents are also taken into account. Internal and external threats to corporate and personal data include, but are not limited to: Unauthorized access to protected information by outsiders or employees Compromised system security as a result of system access by an unauthorized person Interception of data during transmission Corruption of data or systems Financial Consequences of Data Breaches Although the true costs of data breaches and related problems are hard to quantify precisely, some figures are available, in part due to the growing number of data breach disclosure laws that have been passed by state legislatures. In its 2006 Computer Crime and Security Survey, the Computer Security Institute (CSI), with the participation of the San Francisco FBI Computer Intrusion Squad, stated that virus attacks, unauthorized access to networks, lost and stolen laptops or mobile hardware, and theft of proprietary information or intellectual property account for more than 74 percent of financial loss. The CSI study indicated that the average reported loss for an individual company in 2006 was $167,713. However, since half of the respondents were unable or unwilling to report actual figures, aggregate loss statistics were inconclusive. By contrast, twice as many respondents provided loss figures in 2005, with total costs listed as $130,104,542 for that year. While many categories saw a decrease in reported losses (in part due to missing information from respondents), reported losses from laptop or mobile hardware theft and telecommunication fraud revealed a substantial increase. In fact telecommunication fraud losses rose more than 400 percent compared to The study took care to state that we are suspicious that implicit losses (such as the present value of future lost profits due to diminished reputation in the wake of negative media coverage following a breach) are largely not represented in the loss numbers reported here. (CSI) Page 2 of 12

4 According to Darwin Professional Underwriters, key factors that contribute to the high cost of data breaches include investigation, attorney s fees, customer notification, call center support, crisis management consulting, media management, credit monitoring fees where applicable for affected customers, regulatory investigation defense and state and federal fines and fees. Organizations may also incur losses due to successful civil suits. The organization calculates that a single data breach affecting only 1,000 customers averages $166,000, not including liability in civil suits. The Gartner Group estimates that data breaches cost $140 per customer. This figure includes direct costs (e.g., legal fees and notification costs), indirect costs such as loss of employee productivity, and opportunity costs due to loss of customers and recruitment of new ones. Gartner also takes into account fines, exposure to legal action, impact on reputation, shareholder value loss, and diminished goodwill. Data Security Compliance Requirements Government Mandates Federal and state governments have responded to expanding threats to data privacy and integrity with legislation targeting the ways in which private data is held, accessed, transferred and protected. Some new laws also aim to improve protections against fraud and misuse of corporate funds; these laws specify procedures for reporting, audits and so forth, but also include requirements regarding data protection. Bills such as Sarbanes-Oxley and Gramm-Leach-Bliley have substantially increased financial and security-related reporting requirements, and have put pressure on IT organizations to implement effective security solutions on a rapid timetable. Where laws specify the consequences of failing to comply (by not instituting appropriate protections and/or not establishing adequate audit and reporting mechanisms), penalties include sizeable fines, heightened scrutiny, credit downgrading, legal prosecution and even possible imprisonment. In addition, data security laws are constantly evolving, making it essential for organizations to focus on implementing flexible, comprehensive security solutions that can ensure adaptability and compliance over the long term. Data Security Legislation at a Glance A closer look at data security laws themselves reveals that they address diverse data protection issues, ranging from the integrity of data storage media containing personal employee and customer information (such as social Page 3 of 12

5 security numbers) to transactions involving the transmission of private financial information across wide area networks (WANs). Regulations typically require organizations to complete and file regular audits and reports that must meet strict format and content specifications. The most influential laws affecting data security in the U.S. today are outlined in the chart below. Legislation Gramm-Leach Bliley Act (GLB) (U.S. Financial Modernization Act of 1999) California Information Practice Act (SB1386) Impact on Data Security Requires administrative, physical and technical safeguards to protect consumers personal information held by financial institutions. Specifies that financial institutions must: a) Ensure the security and confidentiality of customer records and information b) Protect against any anticipated threats or hazards to the security or integrity of such records c) Prevent unauthorized access to or use of records or information that could result in substantial harm or inconvenience to any customer [15 U.S.C. 6801(b)] Penalties for non-compliance include criminal prosecution, fines and imprisonment. Requires that organizations disclose any breach of security to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Covers any organization or individual that conducts business in California. Organizations that encrypt stored and transmitted customer information is exempt from costly notification procedures in the event of a breach. Has led to breach laws in at least 35 states, per the National Conference of State Legislatures. Page 4 of 12

6 Legislation Sarbanes-Oxley (SOX) (Public Company Accounting Reform and Investor Protection Act of 2002) Payment Card Industry Data Security Standard (PCI DSS) Impact on Data Security Enacted as Federal response to accounting scandals at companies such as Enron, Tyco International, and WorldCom, reforming the way public companies report financial information. Focuses on the effectiveness of a organization s internal controls (Section 404) Although lacking specifics about the IT technologies required, emphasizes the need for systemic solutions such as robust access controls, data encryption, and detailed audit trails. Implies that CEOs and chief financial officers who are signing off on the validity of financial data must be sure that the systems maintaining that data are secure. Developed jointly by major credit card companies (Visa, MasterCard, American Express, Diner s Club, Discover, JCB) to prevent credit card fraud and data breaches. Covers all members, merchants, and vendors who transmit, process, or store cardholder data. Specifies 12 requirements that include building and maintaining a secure network, protecting cardholder data and implementing strong access control measures. Specifies that encryption must be used for the transmission of cardholder data and sensitive information across public networks. Several states are enacting similar laws to protect cardholder data. Page 5 of 12

7 Covering All Bases The number and diversity of regulations related to data security can be overwhelming. Furthermore, these various laws are written in very different styles and refer to similar data security measures using different language, vary greatly in the extent, to which controls are specified and/or recommended, and can be vague as to the particulars of what exactly constitutes a compliant IT configuration. To make matters even more complicated, most financial service organizations will find themselves subject to several, if not all, data security laws and associated operational and technical mandates listed on the previous page. In addition, most financial service organizations face all types of data security issues, and may not have the luxury of picking and choosing which types of information or data access scenarios to protect. Taking these factors into account the overall vagueness and inconsistency of data security legislation, the broad range of mandates applicable to an individual enterprise, and the diversity of data security scenarios requiring compliant data protection a comprehensive data security policy that addresses the full range of data security issues within a single strategic plan and system is the most robust, efficient, and in the long run most cost-effective response to the compliance challenge. Deploying Data Encryption For Compliance The good news is that comprehensive, yet cost-effective data security technologies are already available to aid financial service organizations in protecting information assets, minimizing business risk and achieving compliance goals. Properly layered and combined, these technologies can satisfy many relevant regulatory requirements simultaneously. Compliance with data security requirements centers on fully protecting data assets while facilitating secure access by authorized people and entities. While many traditional security methods focus on network perimeter protection ( keeping the bad guys out ), comprehensive data security must also protect information at the asset level (the data itself) against both internal and external threats. Encryption is the most robust, comprehensive, and cost effective solution for data privacy. Where data is effectively encrypted, it is useless to unauthorized parties, even if all network perimeter protection fails. Only authorized users with the proper credentials can unlock and use the protected data. A comprehensive encryption policy involves four types of technologies that together protect information and access to information at the data asset level: Data in Motion: Securing data while it is being transmitted over private and public networks Data at Rest: Protecting data in storage on PCs, laptops, and portable devices Page 6 of 12

8 Access Controls: Authenticating people who request access to encrypted data Data Integrity Controls: Protecting the encryption keys used by cryptographic security systems The following section outlines the key criteria for selecting encryption technologies that together create a comprehensive solution that provides robust data security. What to Look for in a Data Security Solution In today s complex IT environments, it is almost impossible to ensure total protection and therefore total compliance without implementing all of these solutions to some degree. For example, no matter how effectively a particular application is protected against unauthorized access, if the application data resides in an unencrypted database or travels over a partially or completely unprotected network, the data itself remains vulnerable. Fortunately, careful selection of appropriate products, tailored to the size and complexity of a particular enterprise infrastructure, can enable efficient and cost-effective compliance, while providing an appropriate balance between an unhindered flow of data between authorized parties and adequate protection of sensitive information. Technologies available to ensure data security compliance include strong authentication solutions, comprehensive disk and file encryption, high-speed encryption for WAN networks, and hardware security modules that provide a flexible, highly reliable solution for maintaining the integrity of data and applications. All of these technologies must also include audit trails and simplified reporting in order to ensure that financial service organizations can clearly demonstrate the effectiveness of their data security solutions to regulatory agencies as well as internal auditors. Step 1 - Secure Data in Motion Protecting data transmitted over high-speed WAN networks Financial service organizations requiring high-performance, low-latency WAN solutions for data transmission over private corporate networks or the public Internet typically use dedicated transmission circuits that are provided by telecom carriers and service providers. The appeal of the high-speed WAN is the volume of data that it can handle (up to 10 Gbps), the Quality of Service levels that service providers offer (99.999% uptime), and the perceived increase in security as compared to a dedicated private circuit that isn t shared with others. However, the privacy of these circuits only extends to dedicated switching or virtual circuit connections, which fails to guarantee data integrity or security. Since many service providers fail to offer guarantees Page 7 of 12

9 regarding data integrity for high-speed networking, there is no outside accountability relating to the security of data in transit. Thus, these organizations must implement their own network security solutions, even for dedicated WAN circuits. High-speed encryption of network traffic is the most effective method for protecting sensitive data traveling over WANs. High-speed encryption fully satisfies companies security needs for data in motion while meeting the requirements of multiple security mandates simultaneously. For example, both HIPAA and PCI DSS specifically target encryption as the technology of choice for protecting data that travels across public networks. High-speed encryption is a highly effective approach that satisfies a range of regulatory requirements at reasonable cost. What to look for: Easy integration: Versatile, standards-based HSE solutions permit network administrators to integrate high-speed encryption without having to alter the existing network infrastructure. Efficient bandwidth use: Cost-effective high-speed encryptors will use bandwidth very efficiently, providing high performance at lower cost. Administrative ease of use: High-speed HSE solutions should be fast and easy to implement without disrupting operations. With the right management tools, an HSE solution can be remotely configured, monitored and updated. Audit trail: A complete data security audit trail is a must, since this is usually a mandatory reporting requirement. Step 2 - Secure Data at Rest Protecting data stored on PCs, laptops, and portable devices Mobile computing devices such as laptops and USB drives are quickly emerging as the industry standard for increasing user productivity and efficiency. The portable nature of these devices increases the possibility of loss or theft. Without strong data protection, sensitive data is at risk from corporate espionage, accidental loss, or theft, potentially resulting in significant financial loss, legal ramifications, and brand damage. Incidents of this type also jeopardize compliance with industry and legislative mandates and can trigger penalties. Full disk encryption is the most effective method available for protecting sensitive data on servers, workstations, laptops and removable media devices such as flash drives, memory cards, and CDs. It usually satisfies multiple regulations simultaneously, thereby lowering compliance costs. Disk encryption is also highly reliable; even in a situation where a hacker manages to penetrate other layers of enterprise security, sophisticated encryption algorithms ensure that stored data remains secure. Page 8 of 12

10 What to look for: Robust Security: Look for disk encryption solutions that meet the most stringent security standards including FIPS 140-2, Level 2, Common Criteria (CC) EAL2/EAL4. Manageability: To maximize flexibility and achieve lowest total cost of ownership, look for solutions that integrate into existing management platforms such as Active Directory which allows administrators to centrally assign security policies, deploy software, and apply critical updates to an entire organization, saving time, resources and manpower. Step 3 Provide Access Controls Authenticating people who request access to sensitive data By encrypting data at rest and data in motion, financial service organizations go only half the way toward fully protecting sensitive data and thereby meeting legislative demands. The reason for the shortfall is that security systems must also ensure that only authorized users properly identified and admitted can access and use encrypted information. Authentication is based on a digital identity, which consists of who one is (the identity) and the credentials that one holds (attributes of that identity). Credentials can include passwords, keys, digital certificates, and biometrics (such as a fingerprint or retinal scan). The use of a single credential only generally a password is considered a weak authentication methodology, and is one of the main causes for security breaches because passwords are often easily obtained. Strong authentication (or multifactor authentication) requires the use of more than one credential. Strong hardware-based authentication is the most direct and cost-effective way to ensure that any user attempting to access sensitive applications and data is an authorized party with appropriate permissions to view, copy, and modify that data. Authentication hardware includes security tokens and smart cards, which are small, secure physical devices that hold users credentials, with data access protected by two-factor authentication. Flexibility is another major factor in a comprehensive authentication solution. Authentication methodologies must be flexible enough to ensure that data is immediately and easily available to the authorized users who need it, while also preventing access by those without proper identification. Page 9 of 12

11 What to look for: Integration and interoperability: Devices built on an open, standards based platform permit seamless interoperation with applications and products from leading authentication and information security companies. Customization: Token and smart card solutions should be highly flexible and allow for easy configurability, so that they can easily support application-specific requirements. Proven performance: Well-tested solutions keep administrative costs under control and ensure the reliability of security procedures. Highest security: To ensure the highest levels of protection and security, look for token and smart card solutions that have gone through stringent FIPS and other regulatory testing. Step 4 Provide Data Integrity Controls Protecting the cryptographic keys used by the security systems At the heart of any data security solution are the secret cryptographic keys used for encrypting and decrypting sensitive data. If a cryptographic key gets into the wrong hands, the entire data security infrastructure no matter how costly or sophisticated will be rendered useless. For this reason, protection of encryption keys can be considered an essential part of the compliance program. Maintaining the secrecy of cryptographic keys often poses a complex challenge. Hardware security modules (HSMs) are special hardware devices designed to securely generate, store and protect sensitive encryption keys. They also provide the audit trail necessary for critical material. HSMs provide a highly flexible solution that can be implemented for a broad range of applications in almost any industry. They offer compliance benefits across diverse regulations, providing affordable, highly secure options that meet diverse regulatory requirements. The two most typical categories of HSM-based applications are public key infrastructure (PKI) certification authorities and electronic funds transfer (EFT). PKI is a system devised for the deployment and management of digital identities. A public key is used to encrypt information before transmission, while a corresponding private key is used to decrypt the information upon arrival. Public keys are published; private keys remain secret. EFT is a system for securing sensitive financial transactions and protecting digital identities across networks. Page 10 of 12

12 signing, database encryption, smart card issuance, bank PIN management, time stamping, e-passports, online banking, database encryption, and many others. What to look for: Keys in hardware: The HSM should allow all keys to be stored and algorithms to be performed within the hardware confines of the HSM. Since keys never leave the hardware module, they are much harder to compromise. Audit trail: A comprehensive audit trail should fully support tracking and reporting for compliance purposes. Administrative ease of use: Desirable features include simplified installation and integration, a broad range of API s, flexible configuration, easy remote administration, and centralized key management. Performance and scalability: A proven platform that can support the highest number of key operations per second ensures high-availability and continued reliability of an enterprise security environment. Highest security: To ensure the highest levels of protection and security, look for HSM solutions that have gone through stringent FIPS, Common Criteria, and other testing. Putting it all together The easiest way to ensure total compliance and complete security of your data is to entrust your needs with a single company that can handle all four steps of data security. Used by companies worldwide, SafeNet's enterprise products form a comprehensive security solution that secures communications, transactions, data, and identities. Data security solutions from SafeNet include: High-speed encryptors that provide the fastest and easiest way to integrate robust FIPS-certified network security to protect mission-critical data for enterprise and government agencies. Disk and file/folder encryption solutions that provide robust data-at-rest security with easy management and lower cost of ownership for medium to large organizations. Smart Cards and ikey USB authentication tokens that provide strong, two-factor authentication for both physical and logical access. Designed with the most advanced level of encryption, our authentication devices support authentication and encryption, digital signatures, remote access, and more. Hardware Security Modules (HSMs) the fastest, most secure, and easiest to integrate application security solution for enterprise organizations. Page 11 of 12

13 Summary The compliance maze may appear to be complex and expensive to navigate, but careful selection of comprehensive encryption technologies can simplify the compliance process and substantially reduce financial, operational and business risk. These data security solutions deliver solid protection across a wide range of threats while providing an easily managed, scalable and adaptable platform for meeting legislative requirements. A strategic approach to data security within the context of expanding governmental mandates not only keeps enterprise security costs under control but also provides robust protections for employees, customers and consumers. About SafeNet and Aladdin Knowledge Systems In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the technology sector. Vector Capital acquired Aladdin in March of 2009, and placed it under common management with SafeNet. Together, these global leading companies are the third largest information security company in the world, which brings to market integrated solutions required to solve customers increasing security challenges. SafeNet s encryption technology solutions protect communications, intellectual property and digital identities for enterprises and government organizations. Aladdin s software protection, licensing and authentication solutions protect companies information, assets and employees from piracy and fraud. Together, SafeNet and Aladdin have a combined history of more than 50 years of security expertise in more than 100 countries around the globe. Aladdin is expected to be fully integrated into SafeNet in the future. For more information, visit or Page 12 of 12