Meeting Technology Risk Management (TRM) Guidelines from the Monetary Authority of Singapore (MAS)

How Financial Institutions Can Comply with Data Security Best Practices

Vormetric, Inc.
2545 N. 1st Street, San Jose, CA 95131
United States: 888.267.3732
United Kingdom: +44.118.949.7711
South Korea: +82.2.2190.3830
info@vormetric.com
www.vormetric.com
Executive Summary

In June 2013, the Monetary Authority of Singapore issued new guidelines concerning technology risk management. These rules took effect in July 2014. For financial institutions in Singapore, complying with these guidelines will be a critical endeavour. This white paper looks at the specific guidelines the TRM provides in the area of data security, and it details how the Vormetric Data Security Platform can help address these requirements.

Introduction

For financial institutions in Singapore, security threats, customer requirements, and technological environments continue to evolve with increasing rapidity. In spite of all this change, safeguarding customer data and protecting systems and processes from attacks has been, and will remain, a critical endeavour.

To help financial institutions address these objectives, the Monetary Authority of Singapore (MAS) published the Technology Risk Management (TRM) Guidelines. These guidelines are intended to help financial firms establish sound technology risk management, strengthen system security, and safeguard sensitive data and transactions. The TRM contains statements of industry best practices that financial institutions conducting business in Singapore are expected to adopt. The MAS makes clear that, while the TRM requirements are not legally binding, they will be a benchmark the MAS uses in assessing the risk of financial institutions. Many of the guidelines from the MAS concern the security of sensitive data and the keys used to encrypt that data.

The following sections introduce the Vormetric Data Security Platform, detail the specific TRM requirements that relate to data security, and describe how the Vormetric Data Security Platform can help organizations comply with these requirements.
Addressing MAS TRM Security Guidelines for Data-at-Rest

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across an entire organization and can help financial institutions satisfy many of the TRM guidelines. The platform consists of several product offerings that share a common, extensible infrastructure. It provides data-at-rest encryption, key management, privileged user access control, and security intelligence. Through the platform's centralized policy and key management, customers can address security policies and MAS TRM guidelines across databases, files, and big data nodes, whether they are located in the cloud or in virtual or traditional infrastructures. With the platform's comprehensive, unified capabilities, a financial institution can reduce its total cost of ownership for deploying and maintaining data-at-rest security. These features also enable organizations to deploy and expand quickly, so they can more consistently meet their audit deadlines.

[Figure: Vormetric Data Security Platform architecture. The Vormetric Data Security Manager sits at the centre, protecting unstructured files, structured databases, the application layer, big data, and cloud deployments, with security intelligence collection and SIEM integration, TDE key management, privileged user access control, KMIP-compliant keys, and certificate storage.]
The Vormetric Data Security Platform features the following products:

Vormetric Data Security Manager. Vormetric Data Security Manager offers centralized management of keys and policies for the entire suite of products available within the Vormetric Data Security Platform. The product is available as a physical or virtual appliance.

Vormetric Transparent Encryption. This offering uses an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories, and volumes. Vormetric Transparent Encryption supports both structured databases and unstructured files.

Vormetric Application Encryption. Vormetric Application Encryption employs standards-based APIs to simplify column-level encryption in applications.

Vormetric Key Management. With this product, administrators can centrally manage keys for Vormetric products, Oracle TDE, Microsoft TDE, and more. In addition, the product securely stores certificates and supports the Key Management Interoperability Protocol (KMIP).

Vormetric Security Intelligence. Vormetric Security Intelligence delivers granular file access logs to popular security information and event management (SIEM) systems and can be used to support audits.

Vormetric Data Security Platform Support for MAS TRM: Sections 8-13

Many of the MAS TRM guidelines offer detailed guidance for how financial institutions should safeguard sensitive assets at rest in different IT systems. The following table looks at many of these guidelines and details how the Vormetric Data Security Platform can be used to satisfy these requirements.

Guideline 8.4.4: The FI should encrypt backup tapes and disks, including USB disks, containing sensitive or confidential information before they are transported offsite for storage.

Vormetric support: By encrypting data at the file-system level or at the application layer, the Vormetric Data Security Platform can help financial institutions ensure information remains secured as it is backed up to tapes, disks, and other storage media. The platform provides centralized management of encryption keys and policies, which significantly simplifies customer data life cycle management.

Guideline 9.1.6: Confidential information stored on IT systems, servers and databases should be encrypted and protected through strong access controls, bearing in mind the principle of least privilege.

Vormetric support: With Vormetric Transparent Encryption, organizations can employ encryption and privileged user access control to secure confidential customer data wherever it resides, including in physical, big data, and cloud environments. Vormetric Transparent Encryption enforces least-privileged access control with fine-grained security policies; administrators can control data access by a range of factors, including user, process, and resource. Vormetric Security Intelligence also provides comprehensive data access logs that can be fed into SIEM solutions for compliance analysis and reporting.

Guideline 11.0.1.c (Access control principle): The FI should only grant access rights and system privileges based on job responsibility and the necessity to have them to fulfil one's duties. The FI should check that no person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.

Vormetric support: With Vormetric Transparent Encryption, security teams can enforce very granular least-privileged user access policies. Policies can be applied by user, process, file type, time of day, and other parameters. Enforcement is equally granular: policies control not only permission to access clear-text data, but also which file-system commands are available to a user.
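To make the policy model described above concrete, the following is an added illustration (not Vormetric's code or its policy language) of a default-deny, first-match access policy keyed on user, process, file type and time of day, where a rule may grant file-system operations without granting clear-text access. All user, process and path names in it are constructed.

```python
"""Toy policy engine: deny by default, first matching rule wins. Added illustration
of the access-control model described above; not Vormetric code. Constructed names."""
from dataclasses import dataclass
from datetime import time
from fnmatch import fnmatch
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Request:
    user: str
    process: str
    path: str
    operation: str  # e.g. "read", "write", "rename", "stat"
    at: time        # wall-clock time of the request

@dataclass(frozen=True)
class Rule:
    users: FrozenSet[str]                # "*" matches any user
    processes: FrozenSet[str]            # "*" matches any process
    file_glob: str                       # fnmatch pattern on the path
    window: Optional[Tuple[time, time]]  # None = any time of day
    operations: FrozenSet[str]           # file-system commands permitted
    clear_text: bool                     # False = ciphertext only (e.g. backups)

    def matches(self, r: Request) -> bool:
        if "*" not in self.users and r.user not in self.users:
            return False
        if "*" not in self.processes and r.process not in self.processes:
            return False
        if not fnmatch(r.path, self.file_glob):
            return False
        if self.window and not (self.window[0] <= r.at <= self.window[1]):
            return False
        return r.operation in self.operations

def evaluate(rules: List[Rule], r: Request) -> Tuple[bool, bool]:
    """Return (permitted, clear_text). A request matching no rule is refused."""
    for rule in rules:
        if rule.matches(r):
            return True, rule.clear_text
    return False, False

BUSINESS_HOURS = (time(8, 0), time(18, 0))
POLICY = [
    # DBA, only through the database engine, only in office hours: clear text.
    Rule(frozenset({"dba"}), frozenset({"oracle"}), "/data/cards/*.dbf",
         BUSINESS_HOURS, frozenset({"read", "write"}), clear_text=True),
    # root running the backup agent may copy files but sees only ciphertext,
    # so backup media leave the site encrypted (cf. guideline 8.4.4).
    Rule(frozenset({"root"}), frozenset({"backup_agent"}), "/data/cards/*",
         None, frozenset({"read"}), clear_text=False),
    # Storage admins may move or inspect metadata but never read contents.
    Rule(frozenset({"storage_admin"}), frozenset({"*"}), "/data/cards/*",
         None, frozenset({"rename", "stat"}), clear_text=False),
]

def decide(user: str, process: str, path: str, op: str, hour: int) -> Tuple[bool, bool]:
    """Convenience wrapper: evaluate POLICY for a request at the given hour."""
    return evaluate(POLICY, Request(user, process, path, op, time(hour, 0)))
```

With this policy, decide("dba", "oracle", "/data/cards/c1.dbf", "read", 10) returns (True, True), while the same read by root from a shell at any hour returns (False, False) and the backup agent gets (True, False): it can copy the file but never sees clear text.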
Guideline 11.1.1: The FI should only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required. The FI should ensure that the resource owner duly authorises and approves all requests to access IT resources.

Vormetric support: With the Vormetric Data Security Platform, administrators must, by default, create a strong separation of duties between encryption policy administrators, key administrators, and data owners. The platform encrypts files while leaving their metadata in the clear. In this way, IT administrators, such as hypervisor, cloud, storage, and system administrators, can perform their system administration tasks without being able to access the sensitive data residing on those systems. Those managing the Vormetric system infrastructure also have separated, role-based responsibilities to ensure the strongest protection and the adoption of data security best practices.

Guideline 11.2 (Privileged Access Management), 11.2.3.d: Grant privileged access on a need-to-have basis.

Vormetric support: Vormetric Transparent Encryption provides fine-grained, policy-based access controls that restrict access to encrypted data. Privileged users, whether cloud, virtualization, or storage administrators, can manage systems without gaining access to encrypted data unless they have been expressly granted permission to do so.

Guideline 11.2.3.e: Maintain audit logging of system activities performed by privileged users.

Vormetric support: Vormetric logs capture all access attempts to protected data. These security intelligence logs can accelerate detection of advanced persistent threats (APTs) and insider abuse because they offer visibility into file access. Further, these logs provide the intelligence needed to track and demonstrate compliance.

Guideline 11.2.3.f: Disallow privileged users from accessing system logs in which their activities are being captured.

Vormetric support: These logs cannot be accessed by privileged users and are only accessible to assigned security auditors or security administrators.

Guideline 13 (Payment card security: automated teller machines, credit and debit cards).

Vormetric support: The Vormetric Data Security Platform delivers the data-at-rest security capabilities an organization needs to safeguard cardholder data wherever it resides. With broad support for Windows, Linux and UNIX operating systems, many platforms can be protected at both the file-system and the application layer. To learn more about Vormetric PCI DSS support, visit: www.vormetric.com/compliance/pci-dss

Vormetric Data Security Platform Support for MAS TRM Appendix C: Cryptography

The MAS TRM Appendix C offers very specific guidelines for implementing a best-in-class cryptographic solution. Vormetric Data Security meets or exceeds these guidelines as follows:

TRMG Section C.2.2, C.2.3: Functions that involve cryptographic algorithms and crypto-key configurations are vetted for deficiencies and loopholes. The choice of ciphers, key sizes, key exchange control protocols, hashing functions and random number generators is evaluated. There is sufficient size and randomness of the seed number to preclude the possibility of an optimised brute-force attack.

Vormetric support: Vormetric supports standards-based AES-256 encryption. The policy and key manager is available with FIPS 140-2 Level 2 and FIPS 140-2 Level 3 validation. In addition, Vormetric supports the NSA Suite B cryptographic algorithms. The Vormetric Data Security Manager supports two-factor authentication for administrative access. Vormetric Key Management supports AES-256 encryption, which offers the highest level of protection against brute-force attacks. The following NSA Suite B algorithms are also supported:
- Elliptic Curve Digital Signature Algorithm (ECDSA) digital signatures
- Elliptic Curve Diffie-Hellman (ECDH) key agreement
- Secure Hash Algorithm 2 (SHA-256 and SHA-384) message digests
TRMG Section C.3.1: Cryptographic key management policy and procedures covering key generation, distribution, installation, renewal, revocation and expiry are established.

Vormetric support: Using the Vormetric Data Security Manager, security teams can securely manage cryptographic keys throughout their lifecycle. The Vormetric Data Security Manager centrally generates and stores cryptographic keys. The actual keys are never visible to anyone, including key custodians or systems administrators. Vormetric also provides extensive audit capabilities that enable reporting on all key operations and activities, including key generation, distribution, installation, renewal, revocation, and expiry. When keys are distributed to agents, they are encrypted with a one-time-use AES-256 master key and sent over a mutually authenticated TLS connection.

TRMG Section C.3.2: Cryptographic keys are generated securely. All materials used in the key generation process are destroyed after usage.

Vormetric support: The Vormetric Data Security Manager (DSM) supports C3.2.1 by generating cryptographic keys using FIPS-certified OpenSSL or an integrated HSM card to produce the seed for key generation. The actual keys are never visible to anyone, including key custodians or systems administrators. The DSM implements separation of duties and restricts access to keys and key management activities to security administrators. With these safeguards, the security team can ensure that only authorized key custodians gain access to key controls. When a key is generated, the seed is produced by FIPS-certified OpenSSL or the HSM card; all inputs to the seed come from the HSM card hardware, are random, and are not persisted.

TRMG Section C.3.3: No single individual knows any key in its entirety or has access to all the constituents making up the keys. All keys are created, stored, distributed or changed under stringent conditions. Unencrypted symmetric keys are entered into a tamper-resistant device, such as a hardware security module, only in the form of at least two components using the principles of dual control.

Vormetric support: Yes. With the Vormetric Data Security Manager, actual keys are never visible to anyone, including key custodians or systems administrators. The product also supports an M-of-N sharing scheme for backing up keys; a specified number of shares must be provided in order to restore the encrypted contents of a Vormetric Data Security Manager archive on a new or replacement platform. With Vormetric solutions, all key lifecycle management processes can take place on a hardened, FIPS-compliant hardware appliance. With Vormetric Key Management, organizations can centralize keys for many different encryption platforms on these secure devices: administrators can centrally manage and secure keys generated by the Vormetric Data Security Platform, IBM InfoSphere Guardium Data Encryption, Oracle TDE, Microsoft TDE, and KMIP-compliant encryption products. Symmetric keys stored in the DSM are always encrypted, and the master encryption key is stored in the HSM. The master encryption keys can be stored and secured in a hardware appliance that is FIPS 140-2 Level 3 validated. Strong separation-of-duties policies can be enforced to ensure that no single administrator has complete control over data security activities, encryption keys, or administration. In addition, the Vormetric Data Security Manager supports two-factor authentication for administrative access.
TRMG Section C.3.4: The appropriate crypto period for each cryptographic key is considered and decided. The frequency of key changes is determined by the sensitivity of data and operational criticality.

Vormetric support: With the Vormetric Data Security Platform, security teams can centrally manage cryptographic keys for multiple encryption devices, and can efficiently and consistently enforce key rotation policies as dictated by data sensitivity levels.

TRMG Section C.3.5: Hardware security modules and keying materials are physically and logically protected.

Vormetric support: With the Vormetric Data Security Manager, organizations can manage keys on FIPS 140-2 Level 3 compliant hardware appliances that have been validated against some of the most stringent requirements for physical tamper resistance. Further, the platform offers a range of logical protections, including multi-factor authentication and separation of duties to control administrative access.

TRMG Section C.3.6: Cryptographic keys are not exposed during usage and transmission.

Vormetric support: With the Vormetric Data Security Platform, organizations can leverage robust controls to ensure keys remain secure at all times. With the Vormetric Data Security Manager, cryptographic keys are centrally and securely generated and stored. The actual keys are never visible to anyone, including key custodians or systems administrators. Further, clear-text keys never leave the Vormetric Data Security Manager appliance. When keys are distributed to agents, they are encrypted with a one-time-use AES-256 key and sent over a mutually authenticated TLS connection. During use, encryption keys must remain in the clear; when not in use they are obfuscated.

TRMG Section C.3.7: When cryptographic keys expire, a secure key destruction method is used to ensure keys cannot be recovered by any parties.

Vormetric support: With the Vormetric Data Security Manager, administrators can permanently delete keys and take steps to ensure they cannot be recovered.
TRMG Section C.3.8: When changing a cryptographic key, a new key is generated independently from the previous key.

Vormetric support: Yes. With the Vormetric Data Security Manager, administrators can rotate cryptographic keys according to security requirements and policies. When new keys are generated, they are always completely independent from prior keys.

TRMG Section C.3.9: A backup of cryptographic keys is maintained. The same level of protection as the original cryptographic keys is accorded to backup keys. Compromised keys and all keys encrypted under or derived from compromised keys are immediately revoked, destroyed and replaced.

Vormetric support: The Vormetric Data Security Manager features redundant components and the ability to cluster appliances for fault tolerance and high availability. The product also supports manual and automated backups. All DSM backups are encrypted with AES-256 wrapper keys, and the wrapper keys can only be transferred between DSMs using an M-of-N sharing scheme. Cryptographic keys can be changed by key custodians in the event a key has been weakened or compromised. In addition, once a key has been replaced, the custodian can ensure it is permanently deleted.

TRMG Section C.3.10: All parties concerned with the revocation of the compromised keys are informed.

Vormetric support: Vormetric Security Intelligence provides extensive audit logs that report on a host of user and administrative activities, including key revocation and other key management tasks. These logs can be used to report on all activities relating to key usage, including key generation, rotation, destruction, import, expiration, and export. Vormetric features security intelligence integration for HP ArcSight, IBM QRadar, McAfee ESM, LogRhythm, and Splunk. Sharing these logs with a SIEM platform helps uncover anomalous patterns that can prompt further investigation, and it can streamline the communication needed to ensure that any changes are communicated to the necessary staff.
Vormetric: Enabling Customer Success for Financial Institutions

"Vormetric Data Security is quick and easy to administer, while having negligible impact on performance. It's the perfect solution for meeting PCI DSS requirements."
Daryl Belfry, Director of IT, TAB Bank

"Vormetric Data Security offered us an easier yet effective method to encrypt our SQL Server databases and comply with PCI DSS encryption and key management requirements."
Troy Larson, Vice President, Information Systems, MetaBank

"Vormetric encryption was easy to implement, scalable for every type of platform and use case, and encrypted the data with controls on the privileged user."
An executive with a leading global investment bank. By adopting Vormetric solutions, this organization reduced the project timeline for its compliance initiative from 24 months to 2.4 months. The Vormetric Data Security Platform supports its heterogeneous database environment, which includes Sybase, Oracle, Microsoft SQL Server, Progress, and more.

"Vormetric is the only solution that can meet our critical timeline, and be able to support the older version of MSSQL database that we have."
A manager at an ASEAN bank that has deployed Vormetric solutions to address MAS TRM requirements

"We have looked at many data encryption solutions and also at options for native database encryption, and the Vormetric solution scored far ahead of these other alternatives. Plus, Vormetric delivered a proof of concept smoothly and within two days."
An executive with a Singapore-based bank that has acquired Vormetric solutions to support MAS TRM compliance

Conclusion

To safeguard sensitive customer data and comply with standards such as the MAS TRM guidelines, organizations need to apply consistent, robust, and granular controls. With the Vormetric Data Security Platform, customers can leverage the flexible integration, comprehensive capabilities, and centralized policy and key management they need to efficiently address these rules throughout the organization.

About Vormetric

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency, and Vormetric helps over 1,400 customers, including 17 of the Fortune 30 and many of the world's most security-conscious government organizations, to meet compliance requirements and protect what matters, their sensitive data, from both internal and external threats. The company's scalable Vormetric Data Security Platform protects any file, any database and any application anywhere it resides, with a high-performance, market-leading data security platform that incorporates application-transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit: www.vormetric.com.

Copyright 2014 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric.