
Page 1: The Regulation Zoo: Dealing With Compliance Within The Firewall World

AlgoSec Inc. 1

The Regulation Zoo: Dealing With Compliance Within The Firewall World

Avishai Wool, CTO & Co-Founder, AlgoSec

Agenda

Introduction

Relevant Regulations

Common Themes

Demo

The Regulations Zoo

Sarbanes-Oxley Act (SOX)
• Japanese Financial Instruments (J-SOX)
• Euro-SOX – Company Law Directive 8 – coming soon (?)

PCI DSS – Payment Card Industry Data Security Standard

ISO 27001

FISMA – US federal agencies

HIPAA – US healthcare industry

Basel-II – Banking

Confidential

Sarbanes Oxley Act (SOX)

Goal: Protect accuracy of financial data
Background: Financial scandals (Enron, …)
Affects public companies on US stock exchanges, multinational corporations

Financial data is on computers,
… Computers are on networks,
… Firewalls enforce access to networks,
… Firewalls become regulated

Working with SOX

Law is very “high-level” (10,000 meter altitude…)
• Very hard to act based on it

COSO framework: 6 major “Components”
• More grounded than the law (5,000 meter…)

CobiT framework: 34 “Control Objectives”
• Almost something you can work with (2,000 meter…)

SOX “cousins and relatives”

Japan (J-SOX): “Japanese Financial Instruments Law”
• Equivalent to SOX + COSO, but in Japanese
• Seems to accept the CobiT framework

EU: “Company Law Directive 8”
• Approved by EU institutions (very high level)
• Implementation framework?
• Sent to member countries for implementation guidelines
• Coming soon?

PCI DSS – Payment Card Industry

Goal: Protect credit card information
Background: Credit card fraud / theft
Affects any organization that handles credit cards (in stages, from large down to small)
Enforced aggressively by the credit card companies

Credit card data is on computers,
… Computers are on networks,
… Firewalls enforce access to networks,
… Firewalls become regulated

Working with PCI DSS

Includes very specific “commandments” for firewalls:

1. Thou shall have a DMZ on your firewall

2. Thou shall NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation)

3. Thou shall use NAT and avoid routable addresses

4. Thou shall have a connectivity diagram of the firewall

5. Thou shall assess / scan your firewalls quarterly

Etc etc.

ISO 27001

General standard – for any Information Security Management System (ISMS).

Voluntary compliance – but widespread in Europe

Lineage: British standard BS 7799 → ISO 17799 → ISO 27001/2

Motto: Plan / Do / Check / Act [PDCA]

Firewalls are clearly part of any ISMS,
… Firewalls become regulated

More Regulations:

HIPAA
• Goal: Control privacy of personal medical information
• Affects any US organization in the healthcare industry (hospitals, clinics, insurance companies, pharmaceutical)

Basel-II
• Goal: Control banking (and inter-banking) data
• Affects any bank (that wants to do business with other banks)

FISMA
• Affects US federal agencies

Common Themes – for Firewalls

1. Control the Risk

2. Control the Changes

3. Control the Infrastructure

4. Compliance Reporting

Control the Risk

Define a security policy
• Or use industry best practices as your policy

Review your rule-base for security policy violations
• Periodic
• Internal / external audit
• Software systems
• Scan (PCI mandates a scan by a “QSA”)

Avoid high risks
• PCI and FISMA give specific requirements about risky services
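As an added example (not from the slides and not AlgoSec's product), a small Python checker that turns three of the PCI DSS firewall “commandments” listed earlier (allowed services with documented exceptions, RFC 1918 addressing behind NAT, Internet traffic terminating in the DMZ) into the automated rule-base review that the “Review your rule-base for security policy violations” point above asks for. The three-zone model, the Rule fields and the sample rules are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Services the PCI slide allows through the firewall without extra documentation.
PCI_ALLOWED_SERVICES = {"http", "ssl", "ssh", "vpn"}
# RFC 1918 space: what "use NAT and avoid routable addresses" expects inside.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    rule_id: int
    src_zone: str             # assumed zone model: "external", "dmz", "internal"
    src: str                  # CIDR
    dst_zone: str
    dst: str                  # CIDR
    service: str
    action: str               # "allow" or "deny"
    justification: str = ""   # the "convincing documentation" for other services

def is_routable(cidr: str) -> bool:
    """True when the prefix lies outside RFC 1918 private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(block) for block in RFC1918)

def check_rule(rule: Rule) -> list:
    """Findings for one rule; an empty list means it passes every check."""
    findings = []
    if rule.action != "allow":
        return findings                   # only permissive rules can violate
    if rule.service not in PCI_ALLOWED_SERVICES and not rule.justification:
        findings.append(f"rule {rule.rule_id}: undocumented service {rule.service!r}")
    if rule.dst_zone in ("dmz", "internal") and is_routable(rule.dst):
        findings.append(f"rule {rule.rule_id}: routable address {rule.dst} on {rule.dst_zone}, use NAT")
    if rule.src_zone == "external" and rule.dst_zone == "internal":
        findings.append(f"rule {rule.rule_id}: external->internal access bypasses the DMZ")
    return findings

def audit(rules) -> list:
    return [f for rule in rules for f in check_rule(rule)]   # findings in rule order

SAMPLE_RULES = [   # constructed sample rule-base, not taken from any real firewall
    Rule(1, "external", "0.0.0.0/0", "dmz", "10.1.1.10/32", "http", "allow"),
    Rule(2, "external", "0.0.0.0/0", "dmz", "10.1.1.20/32", "ftp", "allow"),
    Rule(3, "external", "0.0.0.0/0", "internal", "10.2.0.5/32", "ssh", "allow"),
    Rule(4, "dmz", "10.1.1.0/24", "internal", "203.0.113.7/32", "sql", "allow", "Ticket #42: app to DB"),
    Rule(5, "external", "0.0.0.0/0", "internal", "10.2.0.0/16", "any", "deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```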

Control the Changes

Have a firewall rule change process
• Request / Plan / Implement / Validate

Track firewall changes
• At least: Who did What, Where, When
• Better: also Why

Control the Changes – Cont.

Alerting / Monitoring
• Set up e-mail / syslog / SNMP
• Send alerts when changes are detected
• Better: integrate with a SIM system

Audit
• Keep change records for a long time
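An added example, not from the slides and not AlgoSec's software, of the change tracking the two “Control the Changes” slides describe: diff two rule-base snapshots, record Who did What, Where, When and Why for each change, render a syslog-style alert line, and keep the records as JSON lines for long-term audit. The snapshot format, the alert line format, the timestamp and the sample data are assumptions.

```python
import json
from datetime import datetime, timezone

def diff_rulebase(before: dict, after: dict) -> list:
    """Compare two snapshots (rule id -> rule dict); return (kind, id, old, new)
    for every rule that was added, removed or modified between them."""
    changes = []
    for rid in sorted(set(before) | set(after)):
        old, new = before.get(rid), after.get(rid)
        if old is None:
            changes.append(("added", rid, None, new))
        elif new is None:
            changes.append(("removed", rid, old, None))
        elif old != new:
            changes.append(("modified", rid, old, new))
    return changes

def change_records(before, after, who, where, when, why=""):
    """One audit record per change: Who did What, Where, When and (better) Why."""
    return [
        {"who": who, "what": f"{kind} rule {rid}", "where": where,
         "when": when.isoformat(), "why": why, "before": old, "after": new}
        for kind, rid, old, new in diff_rulebase(before, after)
    ]

def syslog_line(record: dict) -> str:
    """Render a record as one syslog-style alert line (assumed format)."""
    return (f"{record['when']} {record['where']} fw-change: {record['what']} "
            f"by {record['who']} why={record['why'] or 'UNDOCUMENTED'}")

def records_as_jsonl(records) -> str:
    """Long-term audit store: one JSON object per line, append-only."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

SNAPSHOT_BEFORE = {   # constructed snapshots of one firewall, before/after a change window
    10: {"src": "any", "dst": "10.1.1.10", "service": "http", "action": "allow"},
    20: {"src": "any", "dst": "10.1.1.20", "service": "ssh", "action": "allow"},
    30: {"src": "10.1.1.0/24", "dst": "10.2.0.5", "service": "sql", "action": "allow"},
}
SNAPSHOT_AFTER = {
    10: {"src": "any", "dst": "10.1.1.10", "service": "http", "action": "allow"},
    20: {"src": "any", "dst": "10.1.1.20", "service": "any", "action": "allow"},  # widened
    40: {"src": "any", "dst": "10.2.0.9", "service": "ftp", "action": "allow"},   # new rule
}
CHANGE_TIME = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # constructed timestamp

if __name__ == "__main__":
    recs = change_records(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "alice", "fw-edge-1", CHANGE_TIME)
    for r in recs:
        print(syslog_line(r))
    print(records_as_jsonl(recs))
```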

Control the Infrastructure

Connectivity diagram
• Maintain an up-to-date diagram

Firewall management
• Avoid default passwords
• Avoid default settings

Compliance Reporting

Each regulation has its own reporting requirement

Lengthy forms that require a long time to complete

The AlgoSec Firewall Analyzer

Live demo – Compliance

Questions?

E-mail:
• [email protected]
• [email protected]
• http://www.algosec.com