Sensitive Data Management in Financial Systems

Mike Gurevich
President and CEO
Spending Profile: Overall

 • Organizations spend a median of 6% of their IT budget on
   security implementations.

 • The worldwide market for information security services
   (including consulting, integration, management, and
   education and training) in 1998 was $4.8 billion. This figure
   is expected to grow to $16.5 billion by 2004, with security
   management services expected to be the fastest growing

   Sources: IDC's European Security Services Protecting e-business;
            IDC's Plugging the holes of e-commerce

Spending Profile: Financial Services

 Security budgets are ballooning:
 • IDC’s research indicates the financial services sector will
   continue to represent the single-largest source of security
   spending, growing from $848 million in 2000 to >$2 billion
   in 2005

   Why is IT security spending growing?
   Do financial institutions get the expected ROI?
Approach Determines Solutions. Solutions Drive Spending

 • Data at Rest
 • Data in Process
 • Data in Transit

   Where is the main focus?
Insecurity of IT Environments Drives Solutions

 How secure is data in transit?
 • Common practice: SSL (Secure Socket Layer) to encrypt communication links, PKI for
   authentication, XKMS and SACRED for key exchange.
 • Security Issue: None, if certificate management and interoperability issues are solved (PKI

 How secure is data in process?
 • Common practice: Generally not addressed. When “practiced”, it is substituted by “access
   entitlement” provisions. All data is processed in the clear.
 • Security Issue: SSL endpoints create security gaps; data is in the clear at intermediary
   processing systems (such as credit verification systems). Susceptible to code perversion
   (viruses and Trojan horses) and insufficient code quality assurance (sensitive data in log
   files, etc.).

 How secure is data at rest?
 • Common practice: secure the IT environment but not the data.
 • Security Issue: External intrusion and attacks by insiders. Vulnerability compounded with
   storage area networks (SANs), DRP backups, and universal data repositories (“wallets”).

   Data at rest and data in process are at risk
Never Ending Security Threats Drive Spending

 WHO: Charles Schwab
 INCIDENT: Web site had a “cross-site scripting” vulnerability that could
 allow a hacker to access all of a customer’s account actions. A hacker
 could buy and sell stocks or transfer funds while the customer was logged
 on to the account.

 WHO: Contour Software
 INCIDENT: A glitch in the software exposed at least 700 loan applications,
 including Social Security numbers (SSNs), on the Internet. A spokesman
 blamed a disgruntled former employee for turning off security settings.

 CSI/FBI 2002 survey

 [Diagram: Data at Rest / Data in Process / Data in Transit]

   External and internal attacks pose major threats
Current Focus: Predominantly on Firewalls and IDS*

 [Diagram: Systems of Records protected by Host Based IDS and Network Based IDS]

 * IDS - Intrusion Detection Systems

   Majority of attacks originate inside the organization
Defenses Miss Majority of Attacks Anyway

 “Intrusion-detection systems only spot known attacks or behaviors that
 indicate a certain class of attack.”

 “Attacks against a server might be detected, but a complex
 application-based attack might look like normal behavior.”
 (David Ahmad, Moderator of the Bugtraq mailing list)

 CSI/FBI 2002 survey reveals the ineffectiveness of the IT perimeter
 defense investments against external attacks: “Although 89% of
 respondents have firewalls and 60% use IDS, 40% report system
 penetration from the outside; and although 90% use anti-virus software,
 85% were hit by viruses, worms, etc.”

 [Diagram: Systems of Records protected by Host Based IDS, Network Based
 IDS, and Firewalls]

   Do financial institutions get the expected ROI?
Trend: Transformation Of Security Focus

 Current Focus  →  Focus on the Core  →  New Focus

   Emerging market for Sensitive Data Management
The Need For Transformation:
Unsolved IT Risks and diminishing ROI

 • Majority of attacks originate inside the organization

 • Perimeter defenses miss majority of attacks

 • Growing complexity of IT environments diminishes ROI

   Sensitive data is at risk despite huge IT investments
The Need For Transformation:
Unsolved Business Risks

 • Risk of loss from unauthorized changes or introductions of false data

 • Risk of exposure from theft of sensitive data

 • Pressure for regulatory compliance

   Sensitive data is at risk despite huge IT investments
The Need For Transformation:
Regulatory Compliance in Financial Industry

Regulatory compliance with the Financial Services Modernization Act (also
known as the Gramm-Leach-Bliley Act, or GLB) requires:
• Disclosure of policies and practices regarding disclosure of private
  financial information
• Prohibition of the disclosure of private financial information to
  unaffiliated third parties, unless consumers are provided the right to
  "opt out" of such disclosure
• Establishment of safeguards to protect the security and integrity of
  private financial information

The FRB, FDIC, OCC, OTS, NCUA, SEC, and FTC all need to be compliant.
Regulatory agencies are required to begin audits.
The Need For Transformation:
Regulatory Compliance in Financial Industry (cont’d)
a)   Access rights to customer information
b)   Access controls on customer information systems, including controls to authenticate and grant access
     only to authorized individuals and companies
c)   Access restrictions at locations containing customer information, such as buildings, computer facilities,
     and records storage facilities
d)   Encryption of electronic customer information, including while in transit or in storage on networks or
     systems to which unauthorized individuals may have access
e)   Procedures to confirm that customer information system modifications are consistent with the bank’s
     information security program
f)   Dual control procedures, segregation of duties, and employee background checks for employees with
     responsibilities for or access to customer information
g)   Contract provisions and oversight mechanisms to protect the security of customer information maintained
     or processed by service providers
h)   Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer
     information systems
i)   Response programs that specify actions to be taken when unauthorized access to customer information
     systems is suspected or detected
j)   Protection against destruction of customer information due to potential physical hazards, such as fire and
     water damage
k)   Response programs to preserve the integrity and security of customer information in the event of
     computer or other technology failure, including, where appropriate, reconstructing lost or damaged
     customer information

Sensitive data is at risk despite pressure for regulatory compliance
The Need For Transformation:
The Trend (focus on the core - sensitive data at rest)

 Directory Servers
 • Sun ONE Directory Server
 • CriticalPath Directory Server
 • Novell eDirectory

 • RDBMS Vendors
   Field-level resource access control and obfuscation tool.
   Proprietary and intrusive to the application.
 • RSA Security
   Encryption toolkits for some popular databases.
 • Protegrity
   Security management tool for databases.
   Encrypts entire columns of data and supplies a non-repudiable audit log.
 • Decru
   File-level encryption. Applicable to SAN and NFS configurations. Transparent to the client.
 • Neoscale
   Block-level encryption (fundamentally faster than file-level but not as flexible).
   Applicable to SAN configurations and backup solutions. Transparent to the client.
 • Vormetric
   File-level encryption. Applicable to all DAS, NFS, and SAN configurations.
   Requires modification of the client-side OS with proprietary extensions to file I/O.
The Need For Transformation:
Alternative Approaches

Pervasive practice of the Principle of Least Authority (POLA)
• Each individual software object should have all the access authority it needs
  to do its job, but absolutely no more. The access rights must be fully, but
  absolutely minimally, adequate.

• Capability Based Computing
  • E language

   Pervasive practice of POLA requires a new programming
   language and/or OS
The Need For Transformation:
Alternative Approaches

Apply the Principle of Least Authority to Sensitive Data only
• Focus on modeling Sensitive Data
• Focus on exchange of and access to Sensitive Data
• Focus on interoperability

• New product line
  • Content aware firewalls

   Applying POLA to Sensitive Data only requires a new
   product – the content aware firewall
The Need For Transformation:
What is Needed

Standards Bodies
– Security for data in transit, in process, and at rest
– Technology and access method agnostic (CORBA, J2EE, File IO,
– Granularity (field level)
– Convenience (non-intrusive, domain specific profiles, ease of
– Auditability (non-repudiation, digital subpoena)
– Verified Domain Specific Usage Profiles
– Integrated/interoperable data firewalls

Enterprises, Regulatory Agencies
– Drive demand and requirements
The Need For Transformation:
What is Needed (cont’d)

     • Transparent for existing applications
     • Enhanced capabilities of new applications
         – Granular sensitive data management (modeling,
           encryption, auditing, etc.).
         – Key hygiene and interoperability with existing key
           stores and authentication systems
         – Convenience (modeling, development, deployment)
         – Acceptable QoS (speed, etc.)
     • Interoperability with
         – Security management ecosystem (IDS, etc.)
         – Archiving solutions

Need for Standards: OMG In The Lead
    Finance DTF – Leading the effort
    •   Core (jointly with Sec SIG)
    •   Infrastructure (jointly with Sec SIG and ADTF)
    •   Domain Specific Profile Definitions and
        Convenience Interfaces (examples)
         – Secure DDR
         – Secure Logging
         – Digital Subpoena
    •   Deployment and validation

Need for Standards: OMG In The Lead
    Security SIG – Active involvement
    •   Define Common Criteria Protection Profile for
         – Core
         – Infrastructure
         – Profiles of Convenience Interfaces
    •   Endorsement

    Analysis and Design PTF – Active
    •   Review Infrastructure
         – Sensitive Data Management PIM

Need for Standards: OMG In The Lead
    Middleware and Related Services PTF
      – Potential interest (example)
    •   Domain Specific Profile Definitions and
        Convenience Interfaces
         – Secure Object Persistence (secure J2EE
    •   Deployment and validation

Need for Standards: Profile Example
Profile for “Sensitive Data Exchange”
      – Data Elements: produces the Data Element(s) in clear text.
        Sufficient granularity.
      – Keys: generates individual Key(s) for each Data Element.
      – IKRs: acquires IKR(s). Preferably generates IKR(s) locally.
      – Key Store: stores Key(s) in a Key Store referenceable by IKR(s).
        The Key Store should resolve IKR collisions for locally
        generated IKRs.
      – Encryption Keys: Preferably generates Encryption Key(s)
        locally using the Key(s) as seed(s).
      – Sensitive Data Elements: individually encrypts the Data
        Element(s) using the Encryption Key(s).
      – Message: contains Sensitive Data Element(s) together with (or
        means for obtaining) the IKR(s).
Need for Standards: Profile Example Cont’d
Profile for “Sensitive Data Exchange”

       – Message: receives the Sensitive Data Element(s).
         Receives/obtains the IKR(s).
       – Key Store: Retrieves Key(s) from the Key Store via the IKR(s).
       – Decryption Keys: Preferably generates Decryption Key(s)
         locally using the retrieved Key(s) from the Key Store.
       – Data Elements: Decrypts the Data Element(s) using the
         Decryption Key(s).
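The producing and receiving sides of the profile above, as an added example that is not part of the original presentation or of any OMG specification. It assumes an in-memory key store, a random hex string as the IKR, and, because the Python standard library has no authenticated cipher, an HMAC-SHA256 counter-mode keystream with a separate HMAC tag standing in for a real AEAD.

```python
import hashlib, hmac, secrets

# Constructed demo of the "Sensitive Data Exchange" profile. The key store maps
# an IKR (individual key reference; its format here is assumed) to the seed Key
# of one Data Element. Only the store is shared; messages carry no key material.
KeyStore = dict[str, bytes]

def derive(seed: bytes, ikr: str, purpose: bytes) -> bytes:
    """Generate a working key locally from the stored seed, bound to the IKR."""
    return hmac.new(seed, purpose + ikr.encode(), hashlib.sha256).digest()

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def protect(store: KeyStore, fields: dict[str, str]) -> list[dict]:
    """Producer side: fresh Key and locally generated IKR per Data Element
    (collisions resolved against the store), encryption/MAC keys derived from
    the seed, each element encrypted and tagged individually."""
    msg = []
    for name, clear in fields.items():
        ikr = secrets.token_hex(8)
        while ikr in store:                    # IKR collision: draw again
            ikr = secrets.token_hex(8)
        store[ikr] = secrets.token_bytes(32)   # the Key lives only in the store
        nonce, data = secrets.token_bytes(16), clear.encode()
        ct = bytes(a ^ b for a, b in zip(data, keystream(derive(store[ikr], ikr, b"enc"), nonce, len(data))))
        tag = hmac.new(derive(store[ikr], ikr, b"mac"), name.encode() + nonce + ct, hashlib.sha256).digest()
        msg.append({"field": name, "ikr": ikr, "nonce": nonce, "ct": ct, "tag": tag})
    return msg

def unprotect(store: KeyStore, msg: list[dict]) -> dict[str, str]:
    """Consumer side: resolve each IKR in the store, derive the keys locally,
    verify the tag (which binds the field name) before decrypting."""
    out = {}
    for e in msg:
        seed = store.get(e["ikr"])
        if seed is None:
            raise KeyError(f"unknown IKR {e['ikr']}")
        expect = hmac.new(derive(seed, e["ikr"], b"mac"),
                          e["field"].encode() + e["nonce"] + e["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, e["tag"]):
            raise ValueError(f"authentication failed for {e['field']}")
        ks = keystream(derive(seed, e["ikr"], b"enc"), e["nonce"], len(e["ct"]))
        out[e["field"]] = bytes(a ^ b for a, b in zip(e["ct"], ks)).decode()
    return out
```

Because the tag covers the field name, an element moved to a different field of the message fails authentication, and a receiver whose key store lacks the IKR cannot recover anything.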

Need for Standards: OMG In The Lead
Next Steps
      RFP “Sensitive Data Management” - completed
       – Core
       – Infrastructure
       – Convenience Interfaces

       RFC - the goal
       – MDA-based specification for a “content aware firewall" that
         governs access to sensitive data
          • Any access method (SQL, XML, GIOP, etc.)
          • Any application environment (J2EE, CORBA, Web Services)
          • Any operating system (Unix, Windows, etc.)

                      Thank You
