© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Borderless Networks and PCI compliance
Philippe Roggeband - proggeba@cisco.com
Emerging Markets Borderless Networks
One year ago…
In what could be the biggest security incident in history, Heartland Payment Systems announced on Tuesday 20th of January that it was the victim of a data breach that possibly compromised more than 100 million accounts after malicious software was found in its payment processing system.
© 2009 Cisco Systems, Inc. All rights reserved. Cisco public
Cisco Expo Bratislava
Borderless Networks Security & PCI compliance
Agenda
Cisco’s approach to security
PCI Compliance overview
Cisco’s PCI Compliance solutions
Call to action
Cisco Architectural Approach
Security Policy
Borderless Networks
Collaboration
Virtualization
Product Portfolio: Desktop Virtualization, Multi-Stream Video, WAAS, Wireless, Switching, Routing, Security
Anyone
Anywhere
Any Device
Any Resource
A Next Generation Architecture to Deliver the New Workspace Experience
BORDERLESS NETWORKS
The Transformation: The World Is Our New Workspace
Changing Environment; Shifting Borders
IT Consumerization
Device Border
Mobile Worker
Location Border
Video/Cloud
IaaS,SaaS
Application Border
External-Facing Apps
Internal Apps
Securing Borderless Networks
Business Challenges: Where? What? Who? How?
Traditional borders are blurred; access from anywhere
Threats are constantly changing: viruses and worms, to malware, to botnets
Identity: who is accessing the network and what they can do
How to monitor and enforce global policies
The Evolving Security Threats
Criminal specialization driving more sophisticated attacks
Web ecosystem becomes the number one threat vector
Criminals exploit users' trust, challenging traditional security solutions
Creative methods (business models) used to attract victims
Building Secure Borderless Networks
Borderless Security Architecture
Network Security
Trusted Client
Content Security
Delivery: Appliance, Hybrid Hosted, Security Module, Software
Policy and Identity
Defend Extend Protect Comply
Cisco Security Intelligence Operations
Network Infrastructure
Cisco Security Product Portfolio
Network Security
Trusted Client
Content Security
Cisco Security Intelligence Operations
AnyConnect VPN Client
ISR
FWSM
Network AdmissionControl
ACE Web App Firewall
IPS 4200
Cisco Virtual Office
Cisco Security Manager
Cisco Secure ACS
IronPort Hosted Email Security
IronPort S-Series
IronPort C-Series
Cisco Secure MARS
ASA 5500
IronPort M-Series
Policy and Identity
Cisco Security Intelligence Operations: Powering Cisco Security
SensorBase
700,000+ global sensors over four threat vectors
Historical library of 40,000 threats
500 third-party feeds, 100 news feeds,
open source, and vendor partnerships
Threat Operations Center
Automated tracking of over 200 parameters
SenderBase: categorizes and rates reputation
Global threat correlation
Advanced Protection
Automated rule and/or signature creation
Innovative virus outbreak filters
Fast, Accurate Detection; Advanced Mitigations
Defend
Defend AgainstThreats
Protect
Protect Business Assets
Extend
Secure Enterprise Connectivity
Comply
Achieve Regulatory Compliance
Cisco Solution Examples
Threat Defense
Secure Remote Workforce
Data Loss Prevention
Solution for PCI
Secure Borderless Network
Securing the Borderless Network Through Systems and Solutions
Overview of PCI standards
Who does what?
The PCI SSC sets the PCI DSS standard.
Each card brand has its own program for:
  Compliance
  Validation levels
  Enforcement
QSA – Qualified Security Assessor: assesses compliance with the PCI DSS.
ASV – Approved Scanning Vendor: validates adherence to the PCI DSS scan requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
SAQ – Self-Assessment Questionnaire: validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance.
Card brands websites
American Express:
www.americanexpress.com/datasecurity
Discover Financial Services:
www.discovernetwork.com/fraudsecurity/disc.html
JCB International:
www.jcb-global.com/english/pci/index.html
MasterCard Worldwide:
www.mastercard.com/sdp
Visa Inc:
www.visa.com/cisp
The Payment Card Industry (PCI) Data Security Standard

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI 1.2 Changes and Impact – Network Segmentation
Network segmentation reduces PCI scope, which reduces the cost of the audit and therefore the cost of achieving PCI compliance.
Under PCI DSS 1.2 the segmentation must now be proven effective by the assessor.
If the segmentation is found ineffective, it does not count, and the cardholder data environment expands to include the network that was supposed to be separated from it.
VLANs alone no longer qualify as segmentation; isolation must be enforced by a firewall or equivalent access control between the VLAN and the cardholder data environment.
Firewalls are required between any wireless LAN and the cardholder data environment (PCI DSS 1.2 requirement 1.2.3), configured to deny or tightly control traffic from the wireless environment into the CDE.
Scoping with Segmentation
Flowchart: Determine scope. Can scope be reduced with segmentation? If no, the entire network is in scope for the PCI DSS review. If yes, the audit is performed and the assessor must validate that the segmentation is effective. If segmentation is not in place, the entire network is in scope. If it is in place, the assessor documents that segmentation is in place and effective, and scope is limited for the PCI DSS review.
Diagram 1 – Entire network is in scope: POS servers, branch, server access, storage, data center, inventory servers, WAN access, core, headquarters, warehouse, wide area accelerated network.
Diagram 2 – Only devices passing cardholder data are in scope: same topology, with only the components that carry cardholder data remaining in scope.
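The scoping rule on the two slides above (segmentation only counts once the assessor has shown it to be effective, VLANs alone do not qualify, and anything that can connect to the cardholder data environment is in scope) can be checked mechanically. The following Python is an added example and is not part of the Cisco presentation; the segment names, firewall permits and both sample networks are constructed for illustration. It models a network as VLANs that are either routed together with no access control or separated by a firewall with explicit permits, then computes which segments remain in PCI DSS scope.

```python
"""
PCI DSS scoping with network segmentation (added example, not Cisco's code).

Rule: a segment is in scope if it stores, processes or transmits cardholder
data (it is part of the cardholder data environment, CDE), or if it can
open a connection to, or accept one from, a CDE segment. Segmentation only
reduces scope when some segments end up out of scope; a VLAN the core
switch routes straight into the CDE with no firewall or ACL in between is
in scope no matter what it is called.

Segment names, permits and both sample networks are constructed for this
example and do not describe a real deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Permit:
    """A firewall permit: connections from src to dst on these ports (empty = any)."""
    src: str
    dst: str
    ports: FrozenSet[int] = frozenset()


@dataclass
class Network:
    # segment name -> True if it stores, processes or transmits cardholder data
    segments: Dict[str, bool]
    # permits enforced by a stateful firewall; anything not listed is denied
    permits: List[Permit] = field(default_factory=list)
    # VLAN pairs the core switch routes between with no ACL or firewall:
    # any host on one side can reach any host on the other on any port
    routed_open: Set[FrozenSet[str]] = field(default_factory=set)


def can_connect(net: Network, src: str, dst: str) -> bool:
    """True if a host in segment src can open a connection to a host in dst."""
    if src == dst:
        return True
    if frozenset((src, dst)) in net.routed_open:
        return True
    return any(p.src == src and p.dst == dst for p in net.permits)


def pci_scope(net: Network) -> Dict[str, str]:
    """Classify every segment as 'CDE', 'connected:<cde segments>' or 'out-of-scope'."""
    cde = sorted(name for name, holds_chd in net.segments.items() if holds_chd)
    verdict: Dict[str, str] = {}
    for name in net.segments:
        if name in cde:
            verdict[name] = "CDE"
            continue
        # connectivity in either direction puts the segment in scope
        links = [c for c in cde if can_connect(net, name, c) or can_connect(net, c, name)]
        verdict[name] = "connected:" + ",".join(links) if links else "out-of-scope"
    return verdict


def segmentation_effective(net: Network) -> bool:
    """Segmentation reduces scope only if at least one segment is out of scope."""
    return any(v == "out-of-scope" for v in pci_scope(net).values())


# Constructed sample: the same five VLANs segmented two different ways.
SEGMENTS = {
    "pos": True,          # POS terminals and POS servers
    "payment-dc": True,   # payment application servers in the data center
    "inventory": False,
    "guest-wifi": False,
    "corp-users": False,
}

# (a) "VLAN-only" segmentation: the core switch routes every VLAN to every
# other VLAN with no ACLs. Everything can reach the CDE, so everything is in scope.
VLAN_ONLY = Network(
    segments=dict(SEGMENTS),
    routed_open={
        frozenset(pair) for pair in [
            ("pos", "payment-dc"), ("pos", "inventory"), ("pos", "guest-wifi"),
            ("pos", "corp-users"), ("payment-dc", "inventory"),
            ("payment-dc", "guest-wifi"), ("payment-dc", "corp-users"),
        ]
    },
)

# (b) The same VLANs behind a firewall that permits only the flows below.
# Guest Wi-Fi and corporate users have no path into the CDE and drop out of
# scope; inventory stays in scope because the POS application talks to it.
FIREWALLED = Network(
    segments=dict(SEGMENTS),
    permits=[
        Permit("pos", "payment-dc", frozenset({443})),
        Permit("pos", "inventory", frozenset({8443})),
    ],
)

if __name__ == "__main__":
    for label, net in (("VLAN only", VLAN_ONLY), ("firewalled", FIREWALLED)):
        print(f"{label}: segmentation effective = {segmentation_effective(net)}")
        for seg, why in pci_scope(net).items():
            print(f"  {seg:12s} {why}")
```

The model deliberately treats a connection in either direction as "connected to the CDE": a segment that CDE hosts reach out to can still influence those hosts through the responses it returns, so it does not leave scope just because it never initiates. Note also that the inventory VLAN stays in scope in the firewalled design; a single permitted flow is enough, which is why scope reduction is a matter of the permits actually configured rather than of how many VLANs exist.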
PCI 1.2 Changes and Impact – QSA Audits
The PCI Security Standards Council started its QSA Quality Assurance Program in November 2008.
QSAs (PCI auditors) must perform more thorough due diligence during an audit and provide more detail in the Report on Compliance (ROC):
  Test compensating controls for effectiveness
  Test network segmentation for effectiveness
  Justify the sample size selected
PCI 1.2 Major Areas – Wireless
Wireless deadlines in the cardholder data environment (CDE), written into the PCI DSS 1.2 standard:
  No new WEP installations after 31 March 2009
  Existing WEP deployments must be decommissioned by 30 June 2010
Wireless guidelines and recommendations have been published:
  The guidelines map to the existing PCI DSS 1.2 standard
  The recommendations may go above and beyond the existing standard (wireless IPS, for example)
  Most of the recommendations are expected, but not guaranteed, to be incorporated into the next revision of the PCI standard
Published Deadlines, Fines and Level Validation Changes
MasterCard's global PCI deadline is now 31 December 2010 for Level 1, 2 and 3 merchants and service providers.
Level 1 and 2 merchants must use an external QSA for on-site audits; Level 2 merchants must also still complete and submit a PCI Self-Assessment Questionnaire.
Service provider (banks, payment processors) Tier 1 threshold lowered from 1 million transactions to 300,000 transactions.
Fines for non-compliance (not for a breach), per calendar year, escalating for each consecutive year of non-compliance:
  Merchant Level 1 and 2, service providers: $25k, $50k, $100k, $200k
  Level 3: $10k, $20k, $40k, $80k
MasterCard/Visa PCI Merchant Levels

Level 1 Merchants
  Criteria: merchants processing over six million Visa/MasterCard transactions annually (all channels), global merchants identified as Level 1 by any card brand, or any merchant that has suffered a hack or attack that resulted in an account data compromise
  Requirements: annual on-site audit by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form

Level 2 Merchants
  Criteria: one million to six million transactions annually (all channels)
  Requirements: annual on-site audit by QSA; annual Self-Assessment; quarterly network scan by ASV

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions annually
  Requirements: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by ASV

Level 4 Merchants
  Criteria: fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to one million Visa transactions annually
  Requirements: annual SAQ recommended; compliance validation requirements set by the acquirer
Source: http://usa.visa.com/download/merchants/cisp-bulletin-visa-pci-dss-framework-111808.pdf
PCI Security Standards Council Board of Advisors – Cisco Member
Members (2-year commitment, May 2009 – April 2011):
  Bank of America
  Banrisul S.A.
  Barclaycard
  Chase Paymentech Solutions Inc
  Cisco
  Citrix Systems, Inc
  European Payments Council
  Exxon Mobil Corporation
  First Data
  Global Payments Inc
  JPMorgan Chase & Co
  Lufthansa Systems Passenger Services
  McDonald's Corporation
  MICROS Systems, Inc
  National Australia Bank
  PayPal
  Royal Bank of Scotland Group
  Tesco Stores Ltd
  TSYS Acquiring Solutions
  VeriFone
  Wal-Mart Stores, Inc
Cisco Security for PCI
Products: ISR Series, ASA 5500, IPS 4200, NAC Appliance, Email Security, IP Video
Functions: firewall, VPN, IPS, NAC, video monitoring, email security
Cisco Wireless Security for PCI
Mobility Services Engine
802.11n Wireless Access Points
Wireless LAN Controller
WPA/WPA2
Scan/monitor
wIPS
Device location
Device hardening
ISR Series with Wireless
Cisco Data Center for PCI
Storage
Virtualization
FW
VPN
IPS
MDS Storage
Encryption
Nexus & UCS
WAN Storage
Encryption
ASA 5500
IPS 4200
Cisco VLANs for PCI
ISR Series
802.11n Wireless Access
Points
Catalyst Switches
VLANs
Wireless VLANs
Cisco Management for PCI
ACS – Access Control System
Cisco Security Manager (provisioning)
Wireless Control System (provisioning)
AAA
Rule based Access
Centralized Provisioning
Cisco Unified Customer Voice Portal Security for PCI
ASA 5500
ISR Series
Voice Self Service
Firewall
VPN
Application
Security
Catalyst Switches
Cisco PCI Validated Architectures
Cisco Validated Design includes:
  Recommended architectures for networks, payment data at rest, and data in transit
  Tested in a simulated retail enterprise
  Configuration, monitoring, and authentication management systems
  Architectural design guidance and audit review provided by PCI audit and remediation partners
PCI audit partner
Retail solution partners
Validated Design: Small Retail Store
Cisco Security Innovations

Identity
  First to develop and bring NAC technology to the market
  Cisco TrustSec delivers security group tagging for RBAC
  Simplifies 802.1X deployments with "Open Mode" and "Flexible Authentication"

Security Intelligence
  SenderBase® Network, the world's first and largest reputation database
  SensorBase®, the largest historical vulnerability and live network security threat feed
  Virus Outbreak Filters to detect zero-day threats

IPS with Global Correlation
  First to implement IPS in modular format in switches/routers
  First to use global reputation in threat analysis
  Patented Risk Rating system

Web Security
  Web Usage Controls
  First to create Dynamic Vectoring and Streaming (DVS) for anti-malware defense
  First to create Dynamic Content Analysis (DCA) to evaluate and categorize web content (even hidden content)

VPN
  First to use DTLS, which optimizes connections for latency-sensitive traffic
  First to offer a client VPN on Windows Mobile phones
  First VPN solution to support the iPhone

Router Security
  Industry-leading integration of VPN, routing, and QoS: DMVPN, GET VPN, SSL VPN, and Easy VPN
  Embedded security: application firewall, IPS, and URL filtering
  One-touch lockdown and security audit
Cisco Security Market Leadership
Merging Innovative Security Technology with More Than 25 Years of Networking Expertise to Redefine Network Security

Investment
  $100M spent on dynamic research and development
  250 certifications, 1000s of publications, 25 books authored, and 100 security patents
  80+ PhDs, CCIEs, CISSPs, MCSEs

Market
  Over 20 million security appliances and 100+ million clients deployed
  #1 enterprise security revenue, over $2B
  #1 in network security appliances: firewall, email security, NAC, router security

Solution
  Comprehensive solutions: Layer 2 to purpose-built proxies
  Validated industry solutions: PCI, SAFE Data Center, UC
  Flexible delivery options: appliances, security modules, cloud

Threat Intelligence
  Threat operations team: 500 analysts, five global locations
  Largest sensor network: millions of sensors
  Broadest data footprint: network and application level
Expect, Get, Save MORE From Your Borderless Network
  Increase productivity
  Focus on strategic IT
  Superior customer experience
  Optimize costs
  Single point of service
Recommended