Upload
justine-gilmore
View
13
Download
0
Embed Size (px)
DESCRIPTION
The Regulation Zoo: Dealing With Compliance Within The Firewall World. Avishai Wool CTO & Co-Founder, AlgoSec. Agenda. Introduction Relevant Regulations Common Themes Demo. The Regulations Zoo. Sarbanes Oxley Act (SOX) Japanese Financial Instruments (JSOX) - PowerPoint PPT Presentation
Citation preview
AlgoSec Inc. 1
The Regulation Zoo: Dealing With Compliance Within The Firewall World
Avishai WoolCTO & Co-Founder, AlgoSec
AlgoSec Inc. 2
Agenda
Introduction
Relevant Regulations
Common Themes
Demo
AlgoSec Inc. 3
The Regulations Zoo
Sarbanes Oxley Act (SOX) • Japanese Financial Instruments (JSOX)• Euro-SOX – Company Law Directive 8 - Coming soon (?)
PCI DSS – Payment Card Industry Data Security Standard
ISO27001 FISMA – US federal agencies HIPAA – US Healthcare Industry Basel-II – Banking
Confidential
AlgoSec Inc. 4
Sarbanes Oxley Act (SOX)
Goal: Protect Accuracy of Financial Data Background: Financial scandals (Enron, …) Affects public companies on US stock exchange,
multinational corporations
Financial data is on computers, … Computers are on networks
• … Firewalls enforce access to networks
… Firewalls become regulated
Confidential
AlgoSec Inc. 5
Working with SOX
Law is very “high-level” (10,000 meter altitude…)• Very hard to act based on it
COSO framework : 6 major “Components”• More grounded than law (5,000 meter…)
CobiT framework: 34 “Control Objectives”• Almost something you can work with (2,000 meter…)
Confidential
AlgoSec Inc. 6
SOX “cousins and relatives”
Japan (J-SOX) : “Japanese Financial Instruments Law”• Equivalent to SOX + COSO, but in Japanese• Seems to accept CobiT framework
EU: “Company Law Directive 8”• Approved by EU institutes (very high level)• Implementation Framework ?• Sent to member countries for implementation guidelines• Coming soon ?
Confidential
AlgoSec Inc. 7
PCI DSS – Payment Card Industry
Goal: Protect credit card information Background: Credit Card fraud / theft Affects any organization that handle credit cards
(in stages, from large down to small) Enforced aggressively by credit card companies
Credit card data is on computers, … Computers are on networks
• … Firewalls enforce access to networks
… Firewalls become regulated
Confidential
AlgoSec Inc. 8
Working with PCI DSS
Includes very specific “commandments” for firewalls:
1.Thou shall have a DMZ on your firewall
2.Thou shall NOT allow services other than HTTP, SSL, SSH and VPN through the firewall (without convincing documentation)
3.Thou shall use NAT and avoid routable addresses
4.Thou shall have a connectivity diagram of Firewall
5.Thou shall Assess / Scan your firewalls quarterly
Etc etc.
Confidential
AlgoSec Inc. 9
ISO 27001
General Standard – for any Information Security Management System (ISMS).
Voluntary compliance – but wide-spread in Europe
British standard BS 7799 ISO 17799 ISO 27001/2
Moto: Plan / Do / Check / Act [PDCA]
Firewalls are clearly part of any ISMS,
… Firewalls become regulated
Confidential
AlgoSec Inc. 10
More Regulations:
HIPAA• Goal: Control privacy of personal medical information• Affects any US organization in healthcare industry
(hospitals, clinics, insurance companies, pharmaceutical)
Basel-II• Goal: Control banking (and inter-banking) data• Affects any bank (that wants to do business with other
banks)
FISMA• Affects US federal agencies
Confidential
AlgoSec Inc. 11
Common Themes – for Firewalls
1. Control the Risk
2. Control the Changes
3. Control the Infrastructure
4. Compliance Reporting
Confidential
AlgoSec Inc. 12
Control the Risk
Define a Security Policy• Or use industry best practices as your policy
Review your rule-base for security policy violation• Periodic• Internal / External audit• Software systems• Scan (PCI mandates scan by a “QSA”)
Avoid high risks • PCI, FISMA give specific requirements about risky services
Confidential
AlgoSec Inc. 13
Control the Changes
Have a firewall rule change process• Request / Plan / Implement / Validate
Track firewall changes• At least: Who did What, Where, When• Better: also Why
Confidential
AlgoSec Inc. 14
Control the Changes – Cont.
Alerting / Monitoring• Set up e-mail / syslog / snmp • Send alerts when changes are detected• Better: integrate with SIM system
Audit• Keep change records for a long time
Confidential
AlgoSec Inc. 15
Control the Infrastructure
Connectivity Diagram• Maintain an up-to-date diagram
Firewall Management• Avoid Default Passwords• Avoid Default Settings
Confidential
AlgoSec Inc. 16
Compliance Reporting
Each regulation has its own reporting requirement
Lengthy forms, require a long time to complete
Confidential
AlgoSec Inc. 17
The AlgoSec Firewall AnalyzerLive demo – Compliance
Confidential