IBM DataPower PCI Solutions - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

IBM DataPower PCI Solutions

Description:

IBM DataPower PCI Solutions Steven Cawn WebSphere DataPower World Wide Sales leader scawn_at_us.ibm.com What is PCI DSS? Payment Card Industry Data Security Standard ... – PowerPoint PPT presentation

Number of Views:491
Avg rating:3.0/5.0
Slides: 36
Provided by: Raw60
Category:

less

Transcript and Presenter's Notes

Title: IBM DataPower PCI Solutions


1
IBM DataPowerPCI Solutions
  • Steven Cawn
  • WebSphere DataPower World Wide Sales leader
  • scawn_at_us.ibm.com

2
What is PCI DSS?
  • Payment Card Industry Data Security Standard (PCI
    DSS) is a global security program that was
    created to increase confidence in the payment
    card industry and reduce risks to PCI Members,
    Merchants, Service Providers and Consumers.

3
Payment Card Industry History
Defined by the Payment Card Industry Security
Standards Council, the standard was created to
increase controls around cardholder data to
reduce credit card fraud via its exposure.
Validation of compliance is done annually  by an
external Qualified Security Assessor (QSA) for
organizations handling large volumes of
transactions, or by Self-Assessment Questionnaire
(SAQ) for companies handling smaller volumes.
  • Initial specifications adopted December 2004
  • 1.1 Specifications adopted September 2006
  • 1.2 Specifications adopted October 2008
  • 1.2.1 specifications adopted August 2009
  • 2.0 specifications adopted October 2010
  • As of January 2011, every institution must abide
    by 2.0 specifications

4
To Whom Does PCI DSS Apply?
  • All merchants service providers that store,
    process, use, or transmit cardholder data
  • Retail (e-commerce brick mortar)
  • Hospitality (restaurants, hotels, casinos)
  • Convenience Stores (gas stations, fast food)
  • Transportation (airlines, car rental, travel
    agencies)
  • Financial Services (credit card processors,
    banks, insurance companies)
  • Healthcare/Education (hospitals, universities)
  • Government (where payment cards are accepted)

5
PCI DSS Requirements The Digital Dozen
Build and Maintain a Secure Network Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data sent across open, public networks
Maintain a Vulnerability Management Program Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy Maintain an Information Security Policy
12. Maintain a policy that addresses information security Connected Entities and Contracts
PCI DSS Ver. 1.1
6
PCI Non-Compliance Consequences (Global)
  • If non-compliant and a breach occurs
  • Merchants/Service Providers have liability for
    the acquirer bank's losses, cost of the
    investigations, litigation costs and card
    re-issuance costs
  • Fines per incident from Visa (against acquiring
    bank)
  • Restrictions imposed by card companies
    (prohibiting future credit card processing)
  • Repayment of losses may exceed the ability to pay
    and cause total failure of the organization
  • Other potential consequences
  • Damaged brand reputation
  • Invasive media attention
  • Loss of customers

7
Over to 1,800 worldwide installations and growing
Government
  • Agencies and ministries
  • Defense and security organizations
  • Crown corporations

Banking
  • 80 of top 100 Banks
  • Numerous regional banks and credit unions
  • SaaS providers, ASPs, regulators, etc.

Insurance
  • Used by 95 of top global insurances firms
  • SaaS providers, ASPs, regulators, etc.

Many, many, more
  • Retailers
  • Utilities, Power, Oil and Gas
  • Airlines
  • etc.

8
What are WebSphere DataPower Appliances?
Business Value The purpose of WebSphere
DataPower Appliances is to take the hard parts
of SOA deployments (service security,
integration, ESB, load distribution, etc.) that
are traditionally performed by software on
application servers, yet have nothing to do with
Business Logic, and move those hard parts into
highly efficient hardened configuration driven
devices in the network. By moving this
computationally intensive grunt work into the
network, your application servers regain cycles
to do what you pay for them to do Run Business
Logic
8
8
9
What are WebSphere DataPower Appliances?
Product Value Specialized purpose-built
hardened embedded network devices that take the
hard parts of SOA security and integration
traditionally requiring complex and costly
software systems and delivers them in a simple
uncrate, rack, configure and deploy platform.
Powerful and uniquely efficient message and file
oriented configuration-driven Security and
Integration platform with the extremely low
operational TCO of a true network device.
9
9
10
WebSphere DataPower - Use Cases
Internet
DMZ
Trusted Domain
Application
Business
1 B2B Partner Gateway
Application
2 Secure Gateway (Web Services, Web
Applications) 3 Intelligent Load
Distribution
4 Internal Security 5 Light Weight Integration 6
Web Service Management 7 Legacy Integration 8
Run time SOA Governance
Consumer
Mobile
System z
11
WebSphere DataPower and the PCI DSS Digital
Dozen
Complete solution
  • WebSphere DataPower ideal solution for many
    requirements
  • Build and Maintain a Secure Network
  • Requirement 1 Install and maintain a firewall
    configuration to protect cardholder data
  • Requirement 2 Do not use vendor-supplied
    defaults for system passwords and other security
    parameters
  • Protect Cardholder Data
  • Requirement 3 Protect stored cardholder data
  • Requirement 4 Encrypt transmission of cardholder
    data across open, public networks
  • Maintain a Vulnerability Management Program
  • Requirement 5 Use and regularly update
    anti-virus software
  • Requirement 6 Develop and maintain secure
    systems and applications
  • Implement Strong Access Control Measures
  • Requirement 7 Restrict access to cardholder data
    by business need-to-know
  • Requirement 8 Assign a unique ID to each person
    with computer access
  • Requirement 9 Restrict physical access to
    cardholder data

Part of solution
12
DataPower - Key Functions for PCI Compliance
Easy to Use Appliance Purpose-Built for SOA
Security
Req. 1
  • Web Services (XML) - Filter on any content,
    metadata or network variables
  • Web Application Firewall - HTTP Protocol
    Filtering, Threat Protection, Cookie Handling
  • Data Validation - Approve incoming/outgoing Web
    traffic, Web Services, XML at wirespeed
  • Field Level Security - WS-Security, encrypt
    sign individual fields, non-repudiation
  • Encryption of transport layer - HTTP, HTTPS, SSL.
  • Anti Virus Protection - messages and attachments
    checked for viruses integrates with corporate
    virus checking software through ICAP protocol
  • XML Web Services Access Control/AAA - SAML,
    LDAP, RADIUS, etc
  • Management Logging - manage track services,
    logging of all activities, audit.
  • Security Policy Management - security policies
    universally understood by multiple software
    solutions, eases PCI certification process.
  • Easy Configuration Management - WebGUI, CLI,
    IDE and Eclipse Configuration to address broad
    organizational needs (Architects, Developers,
    Network Operations, Security)

Req. 3,4
Req. 5
Req. 7,8,9
Req. 10
Req. 12
13
WebSphere DataPower Protecting Cardholder Data
Encrypted digitally signed Message ltCredit
Cardgt ltCustgtBrian P. Belllt/Custgt ltEncrypted CCNgt
ws389maz301lt/Encrypted CCNgt ltCredit
TypegtAMEXlt/Credit Typegt . lt/Credit Cardgt
Incoming Message data not encrypted ltCredit
Cardgt ltCustgtBrian P. Belllt/Custgt ltCreditCardNumber
gt 3732 955939 395500lt/CreditCardNumbergt ltCredit
TypegtAMEXlt/Credit Typegt . lt/Credit Cardgt
Encrypted XML data is delivered to the database
to the encrypted credit card for later use
Client sends credit card information to be stored
in the database though an supported protocol
Protocols HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc
Database
Direct DB Connect
Response message is sent confirming the insertion
of the encrypted credit card number into the
database
Response message is received confirming the
insertion of the encrypted credit card number
into the database
Key Functions Terminate SSL Defend against XML
threats Validate XML (schema) Authentication Autho
rization Audit/Transaction Logging Filter
data Encrypt/Decrypt message Digitally sign
message Mask back-end resources Route based on
content
Requirement 3 Protect stored cardholder
data. Requirement 4 Encrypt transmission of
cardholder data across open, public networks.
14
Access Control Credential Mapping
Requirement 7 Restrict access to cardholder data
by business need-to-know. Requirement 8 Assign a
unique ID to each person with computer access.
  1. Client send request to App Server
  2. Request carry client username Password
  3. DataPower will authenticate client
  4. DataPower will map credentials for unified
    communication with backend


Assuming all authentic users are authorized.
Otherwise TAM or similar must be used for
Authorization
15
DataPower Anti-Virus Protection
  • Allows messages and attachments to be checked for
    viruses
  • Integrates with corporate virus checking software
    through the ICAP protocol
  • Anti-Virus Processing Actioneases configuration
    and use ofthis capability
  • Includes pre-configured HostTypes (CLAM,
    Symantec, Trend, Webwasher) as well as
    customizability

16
Logging of Transactions
Requirement 10 Track and monitor all access to
network resources and cardholder data.
  • DataPower can Log transactions passing through it
    to
  • On-the-box File System
  • Database
  • Network File System
  • MQ queues
  • FTP Server
  • DataPower could be integrated with monitoring
    software via
  • SNMP protocol (not vendor specific)
  • DataPower could integrate with Antivirus for
    attachments scanning

Requirement 5 Use and regularly update anti-virus
software
17
Protection against Open Web Application Security
Project (OWASP) Top 10 Attacks
 Top 10 Most Critical Web Application Security
Risks
18
Open Web Application Security Project Compliance
Provides Protection Against 100 Of OWASP Top
10 Risks
19
DataPower has deployments cross industry for PCI
Compliance


National Uniform Provider
Major Prepaid Wireless carrier
Large US based Insurance Provider
Telecommunication Provider in Australia
20
Summary Business Benefits
  • Key Reusable Core IT Functionality Solves
    complex SOA IT service integration and security
    challenges in a secure, easy to consume and
    extremely low TCO network device
  • Configuration Driven All enforced policies and
    mediations are configuration driven, not
    programmed. This significantly simplifies and
    reduces deployment requirements and cost
  • Flexibility Secure, integrate, bridge and
    version applications without application
    modification
  • Reduce Complexity Do work in the network as
    the data flows over the wire instead of on
    application servers, reducing infrastructure
    footprint and freeing up application servers to
    run more business logic
  • Reduce Time to Market Dramatically decrease the
    time to deploy in your environment. Being a
    configuration-driven platform, most deployments
    are uncrate, rack, configure and deploy
  • Reduce Risk Takes the grunt work out of SOA
    application security and integration allowing you
    to focus on building your business logic. In the
    network platform allows improved security and
    audit capabilities without application
    modification
  • Lower TCO Its a network device. Customers own
    data has shown that DataPower appliances can be
    7X-8X less expensive to operate in the data
    center than software alternatives
  • A New Approach These are not software
    pre-installed on servers. DataPower applies
    sophisticated embedded technology to solve
    complex IT challenges in new and novel ways

20
21
DataPower Product Family Highlights
  • B2B Appliance XB62
  • B2B Messaging (AS1/AS2/AS3/EDI)
  • Trading Partner Profile Management
  • B2B Transaction Viewer
  • Support for HL7 and EDIfact Industry Pack
  • Integration Appliance XI50B, XI50z, XI52
  • Hardware ESB
  • Any-to-Any Conversion at wire-speed
  • Bridges multiple protocols
  • Integrated message-level security
  • Network Load Balancing
  • Service Gateway XG45
  • Enhanced Security Capabilities
  • Centralized Policy Enforcement
  • Fine-grained Authorization and Authentication
  • Network Load Balancing

22
Additional Information
  • WebSphere DataPower home page
  • http//www-01.ibm.com/software/integration/datapow
    er
  • WebSphere DataPower Information Center (online
    help)
  • http//pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/i
    ndex.jsp
  • developerWorks
  • http//www.ibm.com/developerworks/websphere/zones/
    businessintegration/dp.html
  • WebSphere Education
  • http//www.ibm.com/software/websphere/education/
  • IBM Software Services for WebSphere
  • http//www.ibm.com/developerworks/websphere/servic
    es/
  • IBM WebSphere DataPower SOA Appliance Handbook
  • http//www.ibmpressbooks.com/bookstore/product.asp
    ?isbn9780137148196
  • DataPower SOA Appliance Customer Forum
  • http//www.ibm.com/developerworks/forums/forum.jsp
    a?forumID1198

23
Additional Information
  • Global WebSphere Community
  • http//www.websphereusergroup.org/datapower
  • Technotes
  • http//www.ibm.com/search/csass/search?qsnspel
    angenfiltercollectionstgsysx,dblue,ic,pubs,dev
    rel1prodU692969C82819Q63
  • DataPower Redbooks
  • http//www.redbooks.ibm.com/cgi-bin/searchsite.cgi
    ?querydatapower
  • DataPower on YouTube
  • http//www.youtube.com/watch?vLRy0twFpmUQ
  • zEnterprise and PCI-DSS compliance
  • http//www.businesswire.com/news/home/201003080066
    57/en/atsec-Publishes-Payment-Card-Industry-Compli
    ance-Large
  • Certification Whitepaper regarding PCI Compliance
  • http//www.atsec.com/downloads/white-papers/PCI_Co
    mpliance_for_LCS.pdf
  • DataPower OWASP White Paper
  • ftp//submit.boulder.ibm.com/sales/ssi/ecm/en/wsw1
    4196usen/WSW14196USEN.PDF

24

Thank You
25
OWASP DataPower Compliance Details
26
Threat A1- Injection
  • Threat description
  • Injection flaws, such as SQL, Command shell, or
    LDAP injection, occur when untrusted data is sent
    to an interpreter as part of a command or query.
    The attackers hostile data can trick the
    interpreter into executing unintended commands,
    or accessing unauthorized data.
  • DataPower mitigation
  • Data type checking for invalid input
  • XML Threat protection setting for XPath injection
  • SQL injection filter configuration rejects SQL
    injections
  • Regular-expression filters used as a catch-all
    for shell injections, LDAP calls, PHP code, or
    any other programming language

27
Threat A2 - Cross-Site Scripting (XSS)
  • Threat description
  • XSS flaws occur whenever an application takes
    untrusted data and sends it to a web browser
    without proper validation and escaping. XSS
    allows attackers to execute scripts in the
    victims browser which can hijack user sessions,
    deface web sites, or redirect the user to
    malicious sites.
  • DataPower mitigation
  • Native XSS filter configuration for rejecting
    incoming/outgoing traffic that contains XSS
    content

28
Threat A3 - Broken Authentication and Session
Management
  • Threat description
  • Application functions related to authentication
    and session management are often not implemented
    correctly, allowing attackers to compromise
    passwords, keys, session tokens, or exploit other
    implementation flaws to assume other users
    identities.
  • DataPower mitigation
  • Broad security standards support, i.e.
    WS-Security, XACML, SAML, SSL/TLS
  • Out-of-the-box integration with many
    industry-leading PDP solutions, such as Tivoli
    Access Manager, Active Directory, LDAP,
    SiteMinder, etc.
  • Centralized platform for Security governance
  • Tools for configurable AAA and Crypto processing,
    as well as key protection

29
Threat A4 - Insecure Direct Object References
  • Threat description
  • A direct object reference occurs when a developer
    exposes a reference to an internal implementation
    object, such as a file, directory, or database
    key. Without an access control check or other
    protection, attackers can manipulate these
    references to access unauthorized data.
  • DataPower mitigation
  • Enforces security decisions based on properly
    classified users authorized to specific resources
    and actions in a policy.
  • Transforms and exposes indirect object
    identifiers that are mapped to direct object
    identifiers at the application, such as
    references to a SSN or an Account number.

30
Threat A5 - Cross-Site Request Forgery (CSRF)
  • Threat description
  • A CSRF attack forces a logged-on victims browser
    to send a forged HTTP request, including the
    victims session cookie and any other
    automatically included authentication
    information, to a vulnerable web application.
    This allows the attacker to force the victims
    browser to generate requests the vulnerable
    application thinks are legitimate requests from
    the victim.
  • DataPower mitigation
  • Provides several building blocks to prevent such
    attacks
  • Creation, or checking Nonce values
  • Generation, or validation Digital Signatures on
    each request
  • Creation, or confirmation for Hash values
  • Injection, or parsing of secondary session
    cookies present in hidden HTTP fields

31
Threat A6 - Security Misconfiguration
  • Threat description
  • Security misconfiguration can happen at any level
    of an application stack, including the platform,
    web server, application server, framework, and
    custom code. The system could be completely
    compromised without one knowing it. Causing all
    data to be stolen, or modified slowly over time.
  • DataPowers mitigation
  • DataPower can't solve this problem alone, but it
    can significantly reduce the scope of what must
    be configured, or programmed
  • By pulling security policies and functions away
    from application servers and centralizing them on
    DataPower, the chance of security
    misconfiguration is reduced because the number of
    systems that contain security processing code is
    also reduced.
  • Additionally, centralizing corporate wide
    security policies on a common gateway means that
    services that trust the gateway are all
    configured to share a consistent security policy
    among them.

32
Threat A7 - Insecure Cryptographic Storage
  • Threat description
  • Many web applications do not properly protect
    sensitive data, such as credit cards, SSNs, and
    authentication credentials, with appropriate
    encryption or hashing. Attackers may steal or
    modify such weakly protected data to conduct
    identity theft, credit card fraud, or other
    crimes
  • DataPower mitigation
  • Standards based cryptographic processing, such as
    encryption and hash operations
  • Secured key material stored in the encrypted part
    of the file system
  • Encrypts sensitive data and stores it in a
    database. Providing authorized applications to
    access confidential data through DataPower in
    essence functioning as a Data-as-a-Service (DaaS)
    provider

33
Threat A8 - Failure to Restrict URL Access
  • Threat description
  • Many web applications check URL access rights
    before rendering protected links and buttons.
    However, applications need to perform similar
    access control checks each time these pages are
    accessed, or attackers will be able to forge URLs
    to access these hidden pages anyway.
  • DataPower mitigation
  • Leverage DataPowers explicit white-list policy
    model using Matching rules
  • Enforces per-request authentication and
    resource-based authorization based on the AAA
    framework
  • URL-Rewrites to hide the original URL of the
    backend application

34
Threat A9 - Insufficient Transport Layer
Protection
  • Threat description
  • Applications frequently fail to authenticate,
    encrypt, and protect the confidentiality and
    integrity of sensitive network traffic. When they
    do, they sometimes support weak algorithms, use
    expired or invalid certificates, or do not use
    them correctly.
  • DataPower mitigation
  • SSL Proxy configuration secures traffic using
    SSL/TLS
  • Strong SSL Cipher suite is available and enabled
    by default
  • Clients can be trusted using mutual
    authentication
  • CRL and OCSP support ensures certificates are
    valid and trusted
  • The key material is stored securely in an
    encrypted portion of the flash memory

35
Threat A10 - Invalid Redirects and Forwards
  • Threat description
  • Web applications frequently redirect and forward
    users to other pages and websites, and use
    untrusted data to determine the destination
    pages. Without proper validation, attackers can
    redirect victims to phishing or malware sites, or
    use forwards to access unauthorized pages.
  • DataPower mitigation
  • Applications not expecting Re-directs can be
    configured to reject HTTP 302
  • HTTP Front-side handler, User-Agent and URL
    Re-write configurations can be used to flag and
    reject these requests as potential threats
Write a Comment
User Comments (0)
About PowerShow.com