Sensitive Data Management in Financial Systems (slide deck)
Slide 1. Sensitive Data Management in Financial Systems
Mike Gurevich, President and CEO, INVENTIGO

Slide 2. Spending Profile: Overall
• Organizations spend a median of 6% of their IT budget on security implementations.
• The worldwide market for information security services (including consulting, integration, management, and education and training) was $4.8 billion in 1998. This figure is expected to grow to $16.5 billion by 2004, with security management services expected to be the fastest-growing sector.
Sources: IDC, "European Security Services Protecting e-business"; IDC, "Plugging the Holes of e-Commerce".

Slide 3. Spending Profile: Financial Services
Security budgets are ballooning:
• IDC's research indicates the financial services sector will continue to represent the single largest source of security spending, growing from $848 million in 2000 to more than $2 billion in 2005.
Why is IT security spending growing? Do financial institutions get the expected ROI?

Slide 4. Where is the main focus?
Approach determines solutions. Solutions drive spending.
(Diagram: data in transit, data in process, data at rest.)

Slide 5. Insecurity of IT Environments Drives Solutions
How secure is data in transit?
• Common practice: SSL (Secure Sockets Layer) to encrypt communication links, PKI for authentication, XKMS and SACRED for key and credential management.
• Security issue: none at the transport level, if certificate management and interoperability issues are solved (PKI hygiene).
How secure is data in process?
• Common practice: generally not addressed. Where it is "practiced", it is substituted by "access entitlement" provisions. All data is processed in the clear.
• Security issue: SSL endpoints create security gaps; data is in the clear at intermediary processing systems (such as credit verification systems). Susceptible to malicious code (viruses and Trojan horses) and to insufficient code quality assurance (sensitive data in log files, etc.).
How secure is data at rest?
• Common practice: secure the IT environment, but not the data.
• Security issue: external intrusion and attacks by insiders. The vulnerability is compounded by storage area networks (SANs), DRP backups, and universal data repositories ("wallets").
Data at rest and data in process are at risk.

Slide 6. External and Internal Attacks Pose Major Threats
WHO: Charles Schwab. INCIDENT: The web site had a cross-site scripting vulnerability that could allow an attacker to access all of a customer's account actions. An attacker could buy and sell stocks or transfer funds while the customer was logged on to the account.
WHO: Contour Software. INCIDENT: A glitch in the software exposed at least 700 loan applications, including Social Security numbers (SSNs), on the Internet. A spokesman blamed a disgruntled former employee for turning off security settings.
Source cited: CSI/FBI 2002 survey.
(Diagram: data in transit, data in process, data at rest.)
Never-ending security threats drive spending.

Slide 7. Current Focus: Predominantly on Firewalls and IDS*
• Majority of attacks originate inside the organization.
(Diagram: firewalls, network-based IDS and host-based IDS placed in front of the systems of record.)
* IDS: Intrusion Detection Systems

Slide 8. Defenses Miss the Majority of Attacks Anyway
(Diagram: firewalls, network-based IDS and host-based IDS in front of the systems of record; external intrusions and insiders both reach the systems of record.)
"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack." "Attacks against a server might be detected, but a complex application-based attack might look like normal behavior." (David Ahmad, moderator of the Bugtraq mailing list)
The CSI/FBI 2002 survey reveals the ineffectiveness of IT perimeter defense investments against external attacks: "Although 89% of respondents have firewalls and 60% use IDS, 40% report system penetration from the outside; and although 90% use anti-virus software, 85% were hit by viruses, worms, etc."
Do financial institutions get the expected ROI?

Slide 9. Trend: Transformation of Security Focus
(Diagram: from the current focus on the perimeter to a new focus on the core.)
Emerging market for Sensitive Data Management.

Slide 10. The Need for Transformation: Unsolved IT Risks and Diminishing ROI
• Majority of attacks originate inside the organization
• Perimeter defenses miss the majority of attacks
• Growing complexity of IT environments diminishes ROI
Sensitive data is at risk despite huge IT investments.

Slide 11. The Need for Transformation: Unsolved Business Risks
• Risk of loss from unauthorized changes to, or introduction of, false data
• Risk of exposure from theft of sensitive information
• Pressure for regulatory compliance
Sensitive data is at risk despite huge IT investments.

Slide 12. The Need for Transformation: Regulatory Compliance in the Financial Industry
Compliance with the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act, or GLB) requires:
• Disclosure of policies and practices regarding disclosure of private financial information
• Prohibition of disclosure of private financial information to unaffiliated third parties, unless consumers are provided the right to "opt out" of such disclosure
• Establishment of safeguards to protect the security and integrity of private financial information
The FRB, FDIC, OCC, OTS, NCUA, SEC, and FTC each issue and enforce implementing rules, and the regulatory agencies are required to begin audits.

Slide 13. The Need for Transformation: Regulatory Compliance in the Financial Industry (cont'd)
Safeguards required of an institution's information security program:
a) Access rights to customer information
b) Access controls on customer information systems, including controls to authenticate and grant access only to authorized individuals and companies
c) Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities
d) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
e) Procedures to confirm that customer information system modifications are consistent with the bank's information security program
f) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
g) Contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers
h) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
i) Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected
j) Protection against destruction of customer information due to potential physical hazards, such as fire and water damage
k) Response programs to preserve the integrity and security of customer information in the event of computer or other technology failure, including, where appropriate, reconstructing lost or damaged customer information
Sensitive data is at risk despite pressure for regulatory compliance.

Slide 14. The Need for Transformation: The Trend (focus on the core, sensitive data at rest)
Directory servers:
• Sun ONE Directory Server
• Critical Path Directory Server
• Novell eDirectory
Databases:
• RDBMS vendors: field-level resource access control and obfuscation tools; proprietary and intrusive to the application
• RSA Security: encryption toolkits for some popular databases; low-level
• Protegrity: security management tool for databases; encrypts entire columns of data and supplies a non-repudiable audit log
Storage:
• Decru: file-level encryption; applicable to SAN and NFS configurations; transparent to the client
• NeoScale: block-level encryption (fundamentally faster than file-level but not as flexible); applicable to SAN configurations and backup solutions; transparent to the client
• Vormetric: file-level encryption; applicable to all DAS, NFS, and SAN configurations; requires modification of the client-side OS with proprietary extensions to file I/O

Slide 15. The Need for Transformation: Alternative Approaches (Revolutionary)
Pervasive practice of the Principle of Least Authority (POLA):
• Each individual software object should have all the access authority it needs to do its job, but absolutely no more. The access rights must be fully, but absolutely minimally, adequate.
• Capability-based computing
• The E language
Pervasive practice of POLA requires a new programming language and/or OS.

Slide 16. The Need for Transformation: Alternative Approaches (Evolutionary)
Apply the Principle of Least Authority to sensitive data only:
• Focus on modeling sensitive data
• Focus on exchange of and access to sensitive data
• Focus on interoperability
• New product line: content-aware firewalls
Applying POLA to sensitive data only requires a new product, the content-aware firewall.

Slide 17. The Need for Transformation: What is Needed
Standards bodies:
– Security for data in transit, in process, and at rest
– Technology- and access-method-agnostic (CORBA, J2EE, file I/O, SQL, XML)
– Granularity (field level)
– Convenience (non-intrusive, domain-specific profiles, ease of management)
– Auditability (non-repudiation, digital subpoena)
– Verified domain-specific usage profiles
Vendors:
– Integrated/interoperable data firewalls
Enterprises and regulatory agencies:
– Drive demand and requirements

Slide 18. The Need for Transformation: What is Needed (cont'd)
Requirements:
• Transparent for existing applications
• Enhanced capabilities for new applications
– Granular sensitive data management (modeling, encryption, auditing, etc.)
– Key hygiene and interoperability with existing key stores and authentication systems
– Convenience (modeling, development, deployment)
– Acceptable QoS (speed, etc.)
• Interoperability with
– The security management ecosystem (IDS, etc.)
– Archiving solutions

Slide 19. Need for Standards: OMG in the Lead (Approach)
Finance DTF (Domain Task Force), leading the effort:
• Core (jointly with the Security SIG)
• Infrastructure (jointly with the Security SIG and the ADTF)
• Domain-specific profile definitions and convenience interfaces (examples):
– Secure DDR
– Secure Logging
– Digital Subpoena
• Deployment and validation

Slide 20. Need for Standards: OMG in the Lead (Approach, cont'd)
Security SIG, active involvement:
• Define Common Criteria Protection Profiles for
– Core
– Infrastructure
– Profiles of convenience interfaces
• Endorsement
Analysis and Design PTF (Platform Task Force), active involvement:
• Review infrastructure
– Sensitive Data Management PIM

Slide 21. Need for Standards: OMG in the Lead (Approach, cont'd)
Middleware and Related Services PTF, potential interest (example):
• Domain-specific profile definitions and convenience interfaces
– Secure object persistence (secure J2EE CMP)
• Deployment and validation

Slide 22. Need for Standards: Profile Example
Profile for "Sensitive Data Exchange", originator side:
– Data elements: produces the data element(s) in clear text, at sufficient granularity.
– Keys: generates an individual key for each data element.
– IKRs: acquires IKR(s); preferably generates the IKR(s) locally.
– Key store: stores the key(s) in a key store referenceable by IKR(s). The key store should resolve IKR collisions for locally generated IKRs.
– Encryption keys: preferably generates the encryption key(s) locally, using the key(s) as seed(s).
– Sensitive data elements: individually encrypts each data element using its encryption key.
– Message: contains the sensitive data element(s) together with (or a means for obtaining) the IKR(s).

Slide 23. Need for Standards: Profile Example (cont'd)
Profile for "Sensitive Data Exchange", recipient side:
– Message: receives the sensitive data element(s); receives or obtains the IKR(s).
– Key store: retrieves the key(s) from the key store via the IKR(s).
– Decryption keys: preferably generates the decryption key(s) locally, using the key(s) retrieved from the key store.
– Data elements: decrypts the data element(s) using the decryption key(s).

Slide 25. Need for Standards: OMG in the Lead (Next Steps)
RFP "Sensitive Data Management": completed
– Core
– Infrastructure
– Convenience interfaces
RFC, the goal:
– MDA-based specification for a "content-aware firewall" that governs access to sensitive data
• Any access method (SQL, XML, GIOP, etc.)
• Any application environment (J2EE, CORBA, Web Services)
• Any operating system (Unix, Windows, etc.)

Slide 26. Thank You
mikeg@inventigo.com
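The two profile slides describe the originator and recipient roles but give no concrete realization. The following is an added example written for this page, not INVENTIGO's or OMG's code, that carries the exchange through end to end and adds the point slide 16 makes about applying POLA to the sensitive data itself: the key store only releases a key to a principal entitled to that field, so a credit verification system can decrypt the SSN and loan amount it needs and nothing else. Assumptions: an IKR (the deck does not define the term) is treated as an opaque random key reference; the key store doubles as the entitlement check; key derivation is HKDF-style HMAC-SHA256 expansion; and the per-element cipher is a demonstration encrypt-then-MAC construction built from HMAC in the standard library, standing in for a real AEAD such as AES-GCM. Principal names, field names and the sample record are constructed.

```python
"""Sensitive Data Exchange profile, worked through (added example, not the deck's code).

Standard library only. HMAC-SHA256 provides HKDF-style key derivation and a
demonstration encrypt-then-MAC cipher that stands in for AES-GCM; an IKR is an
opaque random key reference (our assumption, the deck leaves the term undefined).
"""
import hashlib
import hmac
import secrets

IKR_LEN = 16  # bytes of random key reference (assumption)


class KeyStore:
    """Key store addressed by IKR. Also records which principals may fetch each
    key, which is POLA applied to the sensitive data rather than to the host."""

    def __init__(self):
        self._entries = {}  # ikr -> (key, frozenset of entitled principals)

    def put_new(self, key: bytes, entitled) -> bytes:
        # Locally generated IKRs: resolve a collision by drawing again.
        while True:
            ikr = secrets.token_bytes(IKR_LEN)
            if ikr not in self._entries:
                self._entries[ikr] = (key, frozenset(entitled))
                return ikr

    def get(self, ikr: bytes, principal: str) -> bytes:
        key, entitled = self._entries[ikr]  # KeyError for an unknown IKR
        if principal not in entitled:
            raise PermissionError(f"{principal} is not entitled to key {ikr.hex()}")
        return key


def derive(seed: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-style expand: the stored key is only a seed; cipher keys are derived from it."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(seed, block + label + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt_element(key: bytes, ikr: bytes, plaintext: bytes) -> dict:
    """Encrypt one data element under enc/mac keys derived from its own seed key."""
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, ikr + nonce + ct, hashlib.sha256).digest()  # binds IKR to ciphertext
    return {"ikr": ikr, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt_element(key: bytes, elem: dict) -> bytes:
    """Verify the tag first, then decrypt; a modified element is rejected, not garbled."""
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    expected = hmac.new(mac_key, elem["ikr"] + elem["nonce"] + elem["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, elem["tag"]):
        raise ValueError("element failed authentication")
    ks = _keystream(enc_key, elem["nonce"], len(elem["ct"]))
    return bytes(a ^ b for a, b in zip(elem["ct"], ks))


def originator_build_message(store: KeyStore, record: dict, entitlements: dict) -> dict:
    """Originator: one key and one IKR per element; each element encrypted individually."""
    message = {}
    for name, value in record.items():
        key = secrets.token_bytes(32)
        ikr = store.put_new(key, entitlements[name])
        message[name] = encrypt_element(key, ikr, value.encode())
    return message


def recipient_read_message(store: KeyStore, message: dict, principal: str, fields) -> dict:
    """Recipient: fetch keys via IKR (subject to entitlement) and decrypt only those fields."""
    return {name: decrypt_element(store.get(message[name]["ikr"], principal), message[name]).decode()
            for name in fields}


def demo() -> dict:
    store = KeyStore()
    # Constructed sample loan-application record, not real data.
    record = {"name": "Jane Doe", "ssn": "123-45-6789", "loan_amount": "250000"}
    entitlements = {"name": {"servicing"},
                    "ssn": {"servicing", "credit-check"},
                    "loan_amount": {"servicing", "credit-check"}}
    message = originator_build_message(store, record, entitlements)
    # The credit verification system can read only what its job needs.
    credit_view = recipient_read_message(store, message, "credit-check", ["ssn", "loan_amount"])
    try:
        recipient_read_message(store, message, "credit-check", ["name"])
        name_denied = False
    except PermissionError:
        name_denied = True
    # Flip one ciphertext bit; the tag check must reject the element.
    tampered = dict(message["ssn"])
    tampered["ct"] = bytes([tampered["ct"][0] ^ 0x01]) + tampered["ct"][1:]
    try:
        decrypt_element(store.get(tampered["ikr"], "servicing"), tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"credit_view": credit_view, "name_denied": name_denied,
            "tamper_detected": tamper_detected,
            "distinct_ikrs": len({e["ikr"] for e in message.values()})}


if __name__ == "__main__":
    print(demo())
```

Two design points follow the profile text directly: the key placed in the store is never used as a cipher key, only as the seed from which encryption and MAC keys are derived on each side, and the tag covers the IKR so an element cannot be re-pointed at another key. In a real deployment the entitlement check in `KeyStore.get` is the job the deck assigns to the content-aware firewall, and the HMAC-based cipher would be replaced by AES-GCM or another AEAD.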
Uploaded 1/22/2008 (English)