@LiaisonTech Securing Data Across the Extended Enterprise


Page 1: Securing Data Across the Extended Enterprise


Page 2: Securing Data Across the Extended Enterprise

Examples of sensitive data fields (slide illustration):

• Salary $75,000; Bonus € 5.000
• 1029-8400-9300-3010; DL GA 335-245578
• SSN 123-12-1234
• Maiden Name: Fuller; DOB 11/12/1952
• 5201-0155-9123-9956; Diagnosis: AIDS

Data-Centric Regulatory Pressure

• PCI DSS
• HITECH Act
• HIPAA
• SOX
• GLB
• ...
• State Breach Notification Laws

Page 3: Securing Data Across the Extended Enterprise

Business Drivers for Data Protection

• Government
  – Sarbanes-Oxley Act (SOX)
  – Gramm-Leach-Bliley Act (GLBA)
  – Health Insurance Portability & Accountability Act (HIPAA)
  – Federal Information Security Management Act (FISMA)
  – State Breach Notification Laws (e.g. California State Bill 1386)
• Industry
  – Payment Card Industry Data Security Standard (PCI DSS)
  – Health Insurance Portability & Accountability Act (HIPAA)
  – Health Information Technology for Economic and Clinical Health Act (HITECH)
• Company
  – Brand protection in general
  – High-wealth individuals, etc.

Page 4: Securing Data Across the Extended Enterprise

Common Business Partner Interactions

• EDI documents – either direct connections to trading partners or a VAN
• Payroll submissions
• Health insurance claims
• Check remittances
• Product data – data synchronization with partners
• Loans – applications, approvals, grants
• Credit card transactions

Page 5: Securing Data Across the Extended Enterprise

Need for Secure Exchange Methods

• A large and growing volume of information is exchanged electronically between business partners
• Broader adoption of the public Internet instead of private networks
• Government, industry and company laws and mandates are driving compliance with security and privacy standards

Page 6: Securing Data Across the Extended Enterprise

Day in the Life of Corporate Data

Diagram: systems shown are CRM, Corporate, Business Partners, Order Entry System, Data Warehouse, Consumers / Store / Agents, Consumer Website and B2B Transactions; the transfer channels drawn between them are Email, FTP, Dial-Up and SSL.

Page 7: Securing Data Across the Extended Enterprise

What’s Required to Secure Information?

• Require secure communication with business partners
• Require encryption of data when stored
• Require reliability & automated recovery of failed transmissions
• Require auditability of all transactions & activities
• Require traceability of processes & procedures, including software updates
• Require notification of those affected when breached

Page 8: Securing Data Across the Extended Enterprise

Day in the Life of Corporate Data

Diagram: the same systems as before (CRM, Corporate, Business Partners, Order Entry System, Data Warehouse, Consumers / Store / Agents, Consumer Website, B2B Transactions); the transfer channels drawn are Dial-Up, AS2, SFTP and SSL. The numbered requirements below are the callouts placed on the diagram:

1. Require secure communication with business partners
2. Require encryption of data when stored
3. Require reliability and automated recovery of failed transmissions
4. Require auditability of all transactions and activities
5. Require traceability of processes and procedures, including software updates
6. Require notification of those affected when breached

Page 9: Securing Data Across the Extended Enterprise

Make Meeting the Laws and Mandates Part of Your Culture

Both the federal and state governments are fighting against data breaches – and this spells extra work for merchants. Payment Card Industry (PCI) mandates and soon-to-be federal regulations require that all major credit holder information be encrypted – and more than 46 states have additional regulations. Stringent fines can be levied for non-compliance.

Page 10: Securing Data Across the Extended Enterprise


Train staff about the risks

Employees are a critical part of any data security strategy – the best practice is to define who should have access to sensitive information, and monitor it closely.

Page 11: Securing Data Across the Extended Enterprise

Consult and Collaborate With IT

Most merchants and business operations professionals aren’t expected to be up on the latest trends and solutions for keeping data secure. That’s IT’s responsibility. Laying out the operational processes helps IT identify the biggest threats to data security – and build a highly scalable, integrated security infrastructure that supports the business.

Page 12: Securing Data Across the Extended Enterprise


Demand Business Partners Secure Information

• Data security is only as good as the weakest link. If your “house is in order” but your business partners’ is not, then you’re exposed to risk.

• Work with your business partner to secure any information being exchanged with them.

Page 13: Securing Data Across the Extended Enterprise


Educate Business Partners About the Risks

If your business partners are aware of the risk to their business, to your business and the relationship between both of you, they will understand the importance of securing data being exchanged with one another.

Page 14: Securing Data Across the Extended Enterprise

Point Solutions by User

Diagram: point solutions by user (image not preserved).

Page 15: Securing Data Across the Extended Enterprise

What are the Common Solutions?

• Secure Transport
  – SMTP
  – HTTPS
  – FTPS
  – SFTP
• Secure Payload
  – PGP
  – S/MIME
  – PKZip
  – AS1, 2, or 3 (and transport)
• Deployment Model
  – Direct Connect
  – Internal Transfer
  – Value Added Network (VAN) Services
  – Hybrid

Page 16: Securing Data Across the Extended Enterprise

MFT and B2B Gateway

Diagram: MFT and B2B Gateway; elements shown are the Firewall and the MFT and B2B Gateway.

Page 17: Securing Data Across the Extended Enterprise

Value Added Network – Partner Management

Diagram: Value Added Network.

Page 18: Securing Data Across the Extended Enterprise

Hybrid Model

Diagram: Hybrid model with a Value Added Network.

Page 19: Securing Data Across the Extended Enterprise

What Security Features Do We Need?

• Confidentiality – Encrypting the data so that it remains secret to the parties involved.
• Integrity – Guarantee that the original data is not altered.
• Authentication – Allows you to be sure that the document came from the party you think it came from. Verification by receiver.
• Non-repudiation – Allows a sender to prove that the document was delivered intact to the intended recipient. Verification by sender.

Page 20: Securing Data Across the Extended Enterprise

How Do We Apply These Services?

• Secure Transport
  – Secures the pipe that the data travels on.
  – Security services are not application-to-application and are lost past the transmission.
  – Doesn’t provide document authentication or non-repudiation.
• Secure Payload – securing the document for transmission
  – Services can be applied close to the application.
  – Doesn’t limit the choice of transports.
  – Security services such as authentication can be verified long after the document has been transported.
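To make the secure-payload model of the two preceding pages concrete, here is an added Go example (not from the original slides): the sender signs the document, the receiver verifies it and returns a signed MDN-style receipt over the digest it actually received, and the sender checks that receipt, which is the sender-side non-repudiation verification described above. The function names, the RSA-PSS/SHA-256 choice and the sample document are constructed for this illustration; payload encryption for confidentiality is left out to keep the block short.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign produces an RSA-PSS signature over SHA-256(doc): the payload-level
// authentication and integrity service that survives past the transport.
func Sign(key *rsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err) // only fails on a bad key or a failing RNG
	}
	return sig
}

// Verify checks a signature against the partner's public key; it works at
// receipt time or long after, unlike a TLS session that leaves no record.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Receipt is the MDN-style acknowledgement: the receiver signs the digest of
// the bytes it actually received, so the sender can later prove intact delivery.
func Receipt(receiver *rsa.PrivateKey, received []byte) (digest, sig []byte) {
	d := sha256.Sum256(received)
	return d[:], Sign(receiver, d[:])
}

// CheckReceipt is the sender-side check: the receipt must be signed by the
// receiver and must cover the document the sender actually sent.
func CheckReceipt(receiverPub *rsa.PublicKey, sent, digest, sig []byte) bool {
	want := sha256.Sum256(sent)
	return bytes.Equal(want[:], digest) && Verify(receiverPub, digest, sig)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048) // demo keys (constructed); errors ignored here
	receiver, _ := rsa.GenerateKey(rand.Reader, 2048)
	doc := []byte("constructed sample EDI invoice")
	digest, rsig := Receipt(receiver, doc)
	fmt.Println(Verify(&sender.PublicKey, doc, Sign(sender, doc)), CheckReceipt(&receiver.PublicKey, doc, digest, rsig))
}
```

A tampered document, a wrong key, or a receipt that covers a different document all fail verification, which is what the transport-only column of the later summary cannot give you after the session ends.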

Page 21: Securing Data Across the Extended Enterprise

What Are the Common Options?

• Secure Transport
  – SMTP
  – HTTPS (SOAP and Web services)
  – FTPS
  – SFTP (SSH)
• Secure Payload
  – PGP
  – S/MIME
  – PKZIP w/ encryption
  – AS1, AS2 and AS3 (including SMTP)

Page 22: Securing Data Across the Extended Enterprise

Secure Transport: Secure SMTP

• What is SMTP?
  – Transport protocol for email
• Security Services
  – None

Page 23: Securing Data Across the Extended Enterprise

Secure Transport: Secure SMTP

Benefits
• Pervasiveness of e-mail
• Simple implementation
• Choice of vendors

Drawbacks
• Push only
• E-mail only
• No large files

Page 24: Securing Data Across the Extended Enterprise

Secure Transport: HTTPS

• What is secure HTTP?
  – HTTP using SSL/TLS.
  – HTTP is the transport for services such as SOAP, Web Services and AS2.
• Security Services
  – Similar to FTPS.
  – Services like SOAP have extensions to include digital signatures.
  – Web Services has WS-Security.

Page 25: Securing Data Across the Extended Enterprise

Secure Transport: HTTPS

Benefits
• Better for direct connect
• Request / response model
• Easy to connect through firewalls
• MIME based
• Canonical data requirements

Drawbacks
• Complicated set-up
• No built-in file management
• Server always up & connected

Page 26: Securing Data Across the Extended Enterprise

Secure Transport: FTPS

• What is secure FTP?
  – FTPS is not the same as SFTP.
  – FTPS uses SSL/TLS.
  – SFTP is FTP using SSH.
• Security Services:
  – Confidentiality ensured because the pipe is encrypted.
  – Authentication through client-side authentication and/or user id/password.
  – Integrity limited to the features guaranteed by the underlying TCP/IP protocol.
  – No support for non-repudiation.
  – Security features not tied to the document.

Page 27: Securing Data Across the Extended Enterprise

Secure Transport: FTPS

Benefits
• High adoption
• Built-in file management
• Good in a hosted model
• Transfer recovery supported

Drawbacks
• No content validation
• Inefficient for large numbers of small transactions
• File content in the clear

Page 28: Securing Data Across the Extended Enterprise

Secure Transport: SFTP

• What is SFTP?
  – FTP using Secure Shell – originated as a secure alternative for the UNIX commands rlogin, rsh, and rcp
  – Secures a tunnel through which remote users can telnet, run commands and perform file management
  – Provides session-level encryption
  – File copy services include SFTP (SSH 2) and sCopy
• Security Services
  – Provided by Secure Shell (SSH)

Page 29: Securing Data Across the Extended Enterprise

Secure Transport: SFTP

Benefits
• Protection against IP spoofing
• Key-based authentication
• A UNIX favorite
• Single connection, easy firewall routing

Drawbacks
• More than just transfer
• System profiles
• Difficult to nail down restrictions
• Lack of platform pervasiveness

Page 30: Securing Data Across the Extended Enterprise

Secure Payload: PGP

• What is PGP?
  – Pretty Good Privacy.
  – PKI-based crypto application.
  – Widely available, commonly used in financial institutions.
• Two models for securing data using PGP
  – Conventional password-based encryption.
  – PGP/MIME – uses PGP keys.
  – Confidentiality, integrity and authentication services.

Page 31: Securing Data Across the Extended Enterprise

Secure Payload: PGP

Benefits
• Tried and true
• Vendor options
• Transport independent

Drawbacks
• No non-repudiation
• Key management can be difficult

Page 32: Securing Data Across the Extended Enterprise

Secure Payload: S/MIME

• What is S/MIME?
  – Secure Multi-purpose Internet Mail Extensions – initially targeted at mail users, but expanded to cover many transports
  – General specification behind EDI-INT (EDI over the Internet)
  – Public Key Infrastructure (PKI) and X.509 Certificates.
  – Full range of security features, including non-repudiation.

Page 33: Securing Data Across the Extended Enterprise

Secure Payload: S/MIME

Benefits
• Included functions
• MDN-defined error reporting
• Compression

Drawbacks
• Complex partner setup
• Key management and exchange

Page 34: Securing Data Across the Extended Enterprise

Secure Payload: PKZip with Encryption

• What is PKZip with Encryption?
  – Compression tool that has a password-based encryption function
  – Not commonly used in B2B scenarios

Page 35: Securing Data Across the Extended Enterprise

Secure Payload: PKZip

Benefits
• Compression
• PKZip Premium

Drawbacks
• Weak encryption

Page 36: Securing Data Across the Extended Enterprise

AS1, AS2, AS3

| Protocol | Transport | Method |
|---|---|---|
| AS1 | SMTP (email) | Extended S/MIME + document management services over SMTP. |
| AS2 | HTTP | Extended S/MIME + document management services over HTTP. |
| AS3 | FTP | Extended S/MIME + document management services over FTP. |

• Transport-dependent implementations of S/MIME and PGP/MIME

Page 37: Securing Data Across the Extended Enterprise

Transport-dependent Secure Payload: AS1

Benefits
• Easy peer-to-peer & firewall set-up
• Easy to configure
• Easy to monitor
• Automatic re-try

Drawbacks
• Size restrictions
• Susceptible to SPAM blockers

Page 38: Securing Data Across the Extended Enterprise

Transport-dependent Secure Payload: AS2

Benefits
• Peer-to-peer
• Document turn-around
• Instant receipt
• No size restrictions
• Single port connection

Drawbacks
• Another server in the mix
• High availability expected

Page 39: Securing Data Across the Extended Enterprise

Transport-dependent Secure Payload: AS3

Benefits
• Great for server side
• No size restrictions

Drawbacks
• Requires another server in the mix
• High availability expected
• FTP firewall

Page 40: Securing Data Across the Extended Enterprise

Summary

| Protocol | FTP | FTPS (FTP with SSL) | SFTP (FTP with SSH) | HTTPS | AS1 | AS2 | AS3 |
|---|---|---|---|---|---|---|---|
| Transport Method | FTP | FTP | FTP | HTTP | SMTP | HTTP | FTP |
| Transport Security / Encryption | - | SSL / TLS | SSH | SSL / TLS | - | SSL / TLS | SSL / TLS |
| Payload Security / Encryption | - | - | - | - | S/MIME | S/MIME | S/MIME |
| Real-time Transport | - | - | - | ✓ | - | ✓ | - |
| Confidentiality | - | Transport only | Transport only | Transport only | ✓ | ✓ | ✓ |
| Integrity | - | Transport only | Transport only | Transport only | ✓ | ✓ | ✓ |
| Authentication | - | Transport only | Transport only | Transport only | ✓ | ✓ | ✓ |
| Non-repudiation | - | Transport only | Transport only | Transport only | ✓ | ✓ | ✓ |

Page 41: Securing Data Across the Extended Enterprise

About Liaison

Solutions
• Data Integration
• Data Management
• Data Security

Multinational
• Global headquarters in Atlanta
• European offices in Finland, Netherlands, Sweden, UK
• More than 7000 customers worldwide in over 46 countries

For more presentations: Liaison Webinars

Additional Resources