2015 PCI SIG Presentations—Rallying the Vote for Securing Keys and Certificates

October 3, 2014

By Christine Drake, Senior Product Marketing Manager, Venafi

At the 2014 PCI Community Meetings in Orlando, the 2014 PCI Special Interest Groups (SIGs) provided updates on their progress, and presentations were given on the 2015 PCI SIG proposals in hopes of winning the votes needed to become 2015 PCI SIG projects. As I’ve mentioned in previous blogs, Venafi has co-submitted a 2015 PCI SIG proposal with SecurityMetrics on Cryptographic Keys and Digital Certificates Security Guidelines. In the 2015 SIG proposal presentations, Kevin Bocek, VP of Security Strategy and Threat Intelligence at Venafi, delivered the presentation for this SIG proposal on securing keys and certificates. Having watched the sessions at the PCI Community Meetings, I’m convinced that now is the right time for this PCI SIG topic.


The 2014 PCI Community Meeting keynote from Bob Arno, Adventures of a Thiefhunter, called into question our trust of other people. He talked about how teams of pickpockets work together to steal from unsuspecting victims and how they use the stolen credit cards. The pickpockets are successful because we generally trust the people around us. Keys and certificates also establish trust, and in both cases criminals leverage this trust to avoid detection while committing their crimes.

Merchants, financial institutions, and payment processors rely on thousands of keys and certificates as the foundation of trust in the cardholder data environments (CDE), protecting cardholder data (CHD) across their websites, virtual machines, mobile devices, and cloud servers. Yet it is this very trust that cybercriminals want to use, not only to evade detection, but to achieve authentication and trusted status that bypasses other security controls and allows their actions to remain hidden. If only one of your critical keys or certificates is compromised, the digital trust you have established is eliminated. And this opens organizations up to PCI DSS audit failures and, more importantly, breaches.

The PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines has already rallied support from Global 100 merchants, PCI Qualified Security Assessors (QSAs), and security experts, and we’re looking for more support from the PCI community.

The 2015 PCI SIG proposals will be presented again at the 2014 PCI Community Meetings in Berlin (Oct 7-9). Then PCI Participating Organizations will vote on the 2015 PCI SIG proposals from October 13-23. After the vote, the PCI Security Standards Council (PCI SSC) will select 2-3 presentations to become 2015 PCI SIG projects. In early November, there will be a call for participation for the selected SIGs and the projects will kick off in January 2015.

Want more information? Want to get involved? Visit the website for the PCI SIG on Cryptographic Keys and Digital Certificates Security Guidelines at www.protecttrust.org.

CSA Congress Recap Roundup

October 1, 2014

Last week the CSA Congress and IAPP Privacy Academy were held in San Jose, California. It was the Cloud Security Alliance’s first time partnering with IAPP for their respective events. It was a successful event where cloud security and privacy professionals were able to rub elbows and learn best practices that span both fields.

During Congress, there was a spectrum of releases, events, awards, speakers, and survey results covering the range of CSA’s endeavors. Below are some links that aggregate some of the activity that occurred during CSA Congress 2014.

Ron Knode Award Winners

Each year at Congress, the CSA recognizes a few of our members around the globe for their excellence in volunteerism. The award is named in honor of Ron Knode, a member of the CSA family who passed away in 2012, as a means to recognize members whose contributions have been invaluable. To learn who the winners of the 2014 Ron Knode Service Awards were, please visit – https://cloudsecurityalliance.org/media/news/csa-announces-annual-ron-knode-service-award-recipients/.

Big Data Taxonomy Document

The Cloud Security Alliance’s Big Data Working Group released the Big Data Taxonomy Report, a new guidance report that aims to help decision makers understand and navigate the myriad choices within the big data designation, including data domains, compute and storage infrastructures, data analytics, visualization, security and privacy. For more information on the report, please visit – https://cloudsecurityalliance.org/media/news/csa-releases-new-big-data-taxonomy-report/

CSA Survey Finds IT Professionals Underestimating How Many Cloud Apps Exist in the Business Environment

In what could be called a tale of perception versus reality, the CSA released the results of a new survey that found a significant difference between the number of cloud-based applications IT and security professionals believe to be running in their environments, and the number reported by cloud application vendors. The survey titled, Cloud Usage: Risks and Opportunities was released at CSA Congress 2014. For more information, please visit – https://cloudsecurityalliance.org/media/news/csa-survey-professionals-underestimating-cloud-apps-usage/

Hackathon On! Cloud Security Alliance Challenges Hackers to Break its Software Defined Perimeter (SDP) at CSA Congress 2014

The CSA launched its second Hackathon at the CSA Congress, to validate the CSA Software Defined Perimeter (SDP) Specification to protect application resources distributed across multiple public clouds. In a twist from its last event (where no one was able to hack the SDP), the CSA is inviting Congress participants, along with hackers from all over the world to attempt to access a file server in a public cloud, which is protected by the SDP via a different public cloud. The first participant to successfully capture the target information on the protected file server will receive $10,000. Additionally, all participants will be entered into a random drawing to win $500. For more information, please visit – https://blog.cloudsecurityalliance.org/2014/09/18/csa-hackathon-on-launches-today-at-csa-congress-2014/

To participate in Hackathon, visit – https://hacksdp.com/

The Shared Burden of Cloud Data Security & Compliance

October 1, 2014

By Gerry Grealish, Chief Marketing Officer, Perspecsys

Data security remains a top concern for enterprises deploying popular cloud applications. While most will instinctively think of cloud data security and compliance as being handled only by IT departments, many enterprises are realizing that all aspects of security – from selecting a cloud service provider (CSP) to monitoring cloud use over time – require involvement across the organization.

Cloud Data Security & Compliance Begins with Vetting Providers
There are key areas of due diligence for an enterprise depending on its industry, but all share common security requirements when selecting a CSP. Perhaps, as TechTarget recently suggested, FedRAMP standards will regulate security outside the government as well, but for now enterprises must have their own standards for evaluating a CSP. An excellent existing resource is the Security, Trust and Assurance Registry (STAR) Program supported by the Cloud Security Alliance (CSA). This public registry provides a comprehensive set of offerings for CSP trust. The CSA’s Cloud Controls Matrix (CCM) includes a framework of cloud security standards, and their Consensus Assessments Initiative Questionnaire (CAIQ) offers questions an enterprise should ask any CSP under consideration. CSPs should also be able to provide details on any third-party security certifications they have obtained, e.g., certification against the ISO/IEC 27001 standard for information security management systems (ISMS).

Questions for the CSP frequently begin with specifics on the strategies used – such as encryption for data protection and multifactor user authentication for cloud access. It is also important to know who will have access to data, how often audits are conducted, what security incidents, if any, have occurred in the past and, if there has been a security incident, how cloud customers were notified and how quickly. Having representation from across the enterprise involved in the vetting of a CSP is critical – not only IT, but also Security, Data Privacy & Governance and End Users can help ensure all relevant questions are answered and that necessary security protocols are implemented. The standard language used in the FedRAMP contract example is one place to start for any enterprise signing on with a new CSP.

Internal Security Standards
Security and compliance of sensitive corporate data going to the cloud falls primarily on the enterprise itself. Despite any guarantees in contracts with CSPs, when a security breach occurs it is the enterprise that experiences the consequences, and many would say it is the enterprise that has the greatest interest in minimizing damages to itself and its customers. If there is a security incident, clients and customers will certainly look to the enterprise itself to protect their data.

Internal security standards begin with adherence to well-defined protocols and security strategies established and agreed to by – again – not just IT, but representatives from Legal, Security, Governance and End Users. Questions to be answered include what data will actually be allowed to leave the physical premises of the enterprise and in what form. Industry and regulatory penalties compel most industries to have clear security standards in place. In some cases, security incidents have brought on class-action lawsuits against the enterprise. Strict internal security standards are one way to further protect the enterprise and its customers from having to go that route.

Employee Buy-In is Key
With the proliferation of mobile computing and bring your own device (BYOD), it is essential that employees are brought in to participate, understand and agree to the security policies established for the enterprise. This includes employees throughout the organization – the time, resources, or money it takes to establish this buy-in through training, policy communication and proper monitoring or support is well worth it when compared to damages organizations experience from careless BYOD policies.

Security Strategies – Encryption and tokenization
Encryption and tokenization are two data security methods that many enterprises are using to strengthen their cloud security strategy while maintaining control of their cloud data. Both methods can be used to safeguard sensitive information on public networks, on the Internet, and on mobile devices. These powerful and interoperable solutions are also being used by leading organizations to ensure compliance with sector-specific requirements such as HIPAA, PCI DSS, GLBA, and CJIS.

While hacking and data attacks continue to occur, an enterprise with proven security strategies in place minimizes the impact for itself and its customers. An enterprise in which security responsibility is held not just by IT, but by other departments as well, including end users, puts itself in the best possible position to avoid major data breaches and to be prepared to deal with one should it occur. See this infographic on how to respond to a cloud security breach, should one occur.

About the Author
Gerry Grealish is the Chief Marketing Officer at Perspecsys and is responsible for defining and executing the marketing and product vision. Previously, Gerry ran Product Marketing for the TNS Payments Division, helping create and execute the marketing and product strategy for its payment gateway and tokenization/encryption security solutions.