Sensitive Data Management in Financial Systems

Mike Gurevich, President and CEO, INVENTIGO


Mar 26, 2015

Page 1

Sensitive Data Management in Financial Systems

Mike Gurevich, President and CEO

INVENTIGO

Page 2

Spending Profile: Overall

• Organizations spend a median of 6% of their IT budget on security implementations.

• The worldwide market for information security services (including consulting, integration, management, and education and training) in 1998 was $4.8 billion. This figure is expected to grow to $16.5 billion by 2004, with security management services expected to be the fastest growing sector.

Sources: IDC's European Security Services: Protecting e-business; IDC's Plugging the holes of e-commerce

Page 3

Spending Profile: Financial Services

Security budgets are ballooning:

• IDC's research indicates the financial services sector will continue to represent the single-largest source of security spending, growing from $848 million in 2000 to >$2 billion in 2005.

Why is IT security spending growing? Do financial institutions get the expected ROI?

Page 4

Approach Determines Solutions. Solutions Drive Spending

Data in Transit

Data in Process

Data at Rest

Where is the main focus?

Page 5

Insecurity of IT Environments Drives Solutions

How secure is data in transit?
• Common practice: SSL (Secure Socket Layer) to encrypt communication links, PKI for authentication, XKMS and SACRED for key exchange.
• Security issue: None, if certificate management and interoperability issues are solved (PKI hygiene).

How secure is data in process?
• Common practice: Generally not addressed. When "practiced", it is substituted by "access entitlement" provisions. All data is processed in the clear.
• Security issue: SSL endpoints create security gaps; data is in the clear at intermediary processing systems (such as credit verification systems). Susceptible to code perversion (viruses and Trojan horses) and insufficient code quality assurance (sensitive data in log files, etc.).

How secure is data at rest?
• Common practice: secure the IT environment but not the data.
• Security issue: External intrusion and attacks by insiders. Vulnerability compounded by storage area networks (SANs), DRP backups, and universal data repositories ('wallets').

Data at rest and data in process are at risk

Page 6

Never Ending Security Threats Drive Spending

External and internal attacks pose major threats

WHO: Charles Schwab
INCIDENT: Web site had a "cross-site scripting" vulnerability that could allow a hacker to access all of a customer's account actions. A hacker could buy and sell stocks or transfer funds while the customer was logged on to the account.

WHO: Contour Software
INCIDENT: A glitch in the software exposed at least 700 loan applications (including social security numbers, SSNs) on the Internet. A spokesman blamed a disgruntled former employee for turning off security settings.

Source: CSI/FBI 2002 survey

Diagram labels: Data in Transit, Data in Process, Data at Rest

Page 7

Current Focus: Predominantly on Firewalls and IDS*

Majority of attacks originate inside the organization

Diagram labels: Firewalls, Host Based IDS, Network Based IDS, Systems of Records

* IDS - Intrusion Detection Systems

Page 8

Defenses Miss Majority of Attacks Anyway

Diagram labels: Firewalls, Host Based IDS, Network Based IDS, Systems of Records, Intrusion, Insiders

"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack."

"Attacks against a server might be detected, but a complex application-based attack might look like normal behavior." (David Ahmad, Moderator of the Bugtraq mailing list)

The CSI/FBI 2002 survey reveals the ineffectiveness of IT perimeter defense investments against external attacks: "Although 89% of respondents have firewalls and 60% use IDS, 40% report system penetration from the outside; and although 90% use anti-virus software, 85% were hit by viruses, worms, etc."

* IDS - Intrusion Detection System

Do financial institutions get the expected ROI?

Page 9

Trend: Transformation Of Security Focus

Emerging market for Sensitive Data Management

Diagram labels: Current Focus; New Focus (Focus on the Core)

Page 10

The Need For Transformation: Unsolved IT Risks and Diminishing ROI

• Majority of attacks originate inside the organization

• Perimeter defenses miss the majority of attacks

• Growing complexity of IT environments diminishes ROI

Sensitive data is at risk despite huge IT investments

Page 11

The Need For Transformation: Unsolved Business Risks

• Risk of loss from unauthorized changes or introductions of false data

• Risk of exposure from theft of sensitive information

• Pressure for regulatory compliance

Sensitive data is at risk despite huge IT investments

Page 12

The Need For Transformation: Regulatory Compliance in Financial Industry

Regulatory compliance with the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act, or GLB) requires:

• Disclosure of policies and practices regarding disclosure of private financial information
• Prohibits the disclosure of private financial information to unaffiliated third parties, unless consumers are provided the right to "opt out" of such disclosure
• Requires the establishment of safeguards to protect the security and integrity of private financial information

The FRB, FDIC, OCC, OTS, NCUA, SEC, and FTC all need to be compliant. Regulatory agencies are required to begin audits.

Page 13

The Need For Transformation: Regulatory Compliance in Financial Industry (cont'd)

a) Access rights to customer information
b) Access controls on customer information systems, including controls to authenticate and grant access only to authorized individuals and companies
c) Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities
d) Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access
e) Procedures to confirm that customer information system modifications are consistent with the bank's information security program
f) Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information
g) Contract provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers
h) Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems
i) Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected
j) Protection against destruction of customer information due to potential physical hazards, such as fire and water damage
k) Response programs to preserve the integrity and security of customer information in the event of computer or other technology failure, including, where appropriate, reconstructing lost or damaged customer information

Sensitive data is at risk despite pressure for regulatory compliance

Page 14

The Need For Transformation: The Trend (focus on the core - sensitive data at rest)

Directory Servers
• Sun1 Directory Server
• CriticalPath Directory Server
• Novell eDirectory

Databases
• RDBMS Vendors: field-level resource access control and obfuscation tool. Proprietary and intrusive to the application.
• RSA Security: encryption toolkits for some popular databases. Low-level.
• Protegrity: security management tool for databases. Encrypts entire columns of data and supplies a non-repudiable audit log.

Storage
• Decru: file-level encryption. Applicable to SAN and NFS configurations. Transparent to the client.
• Neoscale: block-level encryption (fundamentally faster than file-level but not as flexible). Applicable to SAN configurations and backup solutions. Transparent to the client.
• Vormetric: file-level encryption. Applicable to all DAS, NFS, and SAN configurations. Requires modification of the client-side OS with proprietary extensions to file IO.

Page 15

The Need For Transformation: Alternative Approaches

Revolutionary: Pervasive practice of the Principle of Least Authority (POLA)
• Each individual software object should have all the access authority it needs to do its job, but absolutely no more. The access rights must be fully, but absolutely minimally, adequate.
• Capability Based Computing
• E-Language

Pervasive practice of POLA requires a new programming language and/or OS

Page 16

The Need For Transformation: Alternative Approaches

Evolutionary: Apply the Principle of Least Authority to Sensitive Data only
• Focus on modeling Sensitive Data
• Focus on exchange of and access to Sensitive Data
• Focus on interoperability
• New product line: content aware firewalls

Applying POLA to Sensitive Data only requires a new product - content aware firewall

Page 17

The Need For Transformation: What is Needed

Standard Bodies
– Security for data in transit, in process, and at rest
– Technology and access method agnostic (CORBA, J2EE, File IO, SQL, XML)
– Granularity (field level)
– Convenience (non-intrusive, domain specific profiles, ease of management)
– Auditability (non-repudiation, digital subpoena)
– Verified Domain Specific Usage Profiles

Vendors
– Integrated/interoperable data firewalls

Enterprises, Regulatory Agencies
– Drive demand and requirements

Page 18

The Need For Transformation: What is Needed (cont'd)

Requirements
• Transparent for existing applications
• Enhanced capabilities of new applications
  – Granular sensitive data management (modeling, encryption, auditing, etc.)
  – Key hygiene and interoperability with existing key stores and authentication systems
  – Convenience (modeling, development, deployment)
  – Acceptable QoS (speed, etc.)
• Interoperability with
  – Security management ecosystem (IDS, etc.)
  – Archiving solutions

Page 19

Need for Standards: OMG In The Lead

Approach

Finance DTF – Leading the effort
• Core (jointly with Sec SIG)
• Infrastructure (jointly with Sec SIG and ADTF)
• Domain Specific Profile Definitions and Convenience Interfaces (examples)
  – Secure DDR
  – Secure Logging
  – Digital Subpoena
• Deployment and validation

Page 20

Need for Standards: OMG In The Lead

Approach

Security SIG – Active involvement
• Define Common Criteria Protection Profile for
  – Core
  – Infrastructure
  – Profiles of Convenience Interfaces
• Endorsement

Analysis and Design PTF – Active involvement
• Review Infrastructure
  – Sensitive Data Management PIM

Page 21

Need for Standards: OMG In The Lead

Approach

Middleware and Related Services PTF – Potential interest (example)
• Domain Specific Profile Definitions and Convenience Interfaces
  – Secure Object Persistence (secure J2EE CMP)
• Deployment and validation

Page 22

Need for Standards: Profile Example

Profile for "Sensitive Data Exchange"

Originator:
– Data Elements: produces the Data Element(s) in clear text, at sufficient granularity.
– Keys: generates individual Key(s) for each Data Element.
– IKRs: acquires IKR(s). Preferably generates IKR(s) locally.
– Key Store: stores Key(s) in a Key Store referenceable by IKR(s). The Key Store should resolve IKR collisions for locally generated IKRs.
– Encryption Keys: preferably generates Encryption Key(s) locally using the Key(s) as seed(s).
– Sensitive Data Elements: individually encrypts the Data Element(s) using the Encryption Key(s).
– Message: contains Sensitive Data Element(s) together with (or means for obtaining) the IKR(s).

Page 23

Need for Standards: Profile Example (cont'd)

Profile for "Sensitive Data Exchange"

Recipient:
– Message: receives the Sensitive Data Element(s). Receives/obtains the IKR(s).
– Key Store: retrieves Key(s) from the Key Store via the IKR(s).
– Decryption Keys: preferably generates Decryption Key(s) locally using the Key(s) retrieved from the Key Store.
– Data Elements: decrypts the Data Element(s) using the Decryption Key(s).
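The Originator and Recipient halves of the "Sensitive Data Exchange" profile from the two slides above, as an added Python example that is not part of the original presentation or of any OMG specification. It assumes an in-memory Key Store, hex-string IKRs, and an HMAC-based stand-in for the cipher (the profile names no algorithm); what it demonstrates is the per-element key handling: one Key and one IKR per Data Element, keys referenced only by IKR in the Message, and Encryption/Decryption Keys derived locally from the stored Key.

```python
import hashlib
import hmac
import secrets


class KeyStore:
    """Key Store: IKR (key reference) -> Key of one Data Element; rejects IKR collisions."""
    def __init__(self):
        self._keys = {}

    def store(self, ikr, key):
        if ikr in self._keys:
            raise ValueError("IKR collision: " + ikr)
        self._keys[ikr] = key

    def retrieve(self, ikr):
        return self._keys[ikr]


def derive_key(seed, purpose):
    # Encryption/Decryption Key generated locally, using the stored Key as seed
    return hmac.new(seed, purpose, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal(enc_key, plaintext):
    """Encrypt one Data Element on its own: HMAC keystream XOR, then a tag (encrypt-then-MAC).
    Assumed stdlib stand-in for illustration; production code should use AES-GCM."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(derive_key(enc_key, b"stream"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(derive_key(enc_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(dec_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(derive_key(dec_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("Sensitive Data Element failed authentication")
    stream = _keystream(derive_key(dec_key, b"stream"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def originate(store, elements):
    """Originator: one Key and one IKR per Data Element; the Key is stored under the IKR,
    each element is encrypted individually, and the Message carries ciphertext plus IKR."""
    message = {}
    for name, clear in elements.items():
        key, ikr = secrets.token_bytes(32), secrets.token_hex(8)
        store.store(ikr, key)
        message[name] = {"ikr": ikr, "sde": seal(derive_key(key, b"element"), clear)}
    return message


def receive(store, message):
    # Recipient: resolve each IKR in the Key Store, derive the Decryption Key locally, decrypt
    return {name: unseal(derive_key(store.retrieve(e["ikr"]), b"element"), e["sde"])
            for name, e in message.items()}
```

A Message therefore never carries key material, only IKRs; a party without access to the Key Store (or holding a tampered element) cannot recover or silently alter a Data Element.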

Page 24

Figure 2. Example of Instantiated Conceptual Model (diagram; component labels only): RDBMS Engine, IKS, PKS, SD Model, Modeling Tool, SQL SD Facade, File IO SD Facade, SQL SD Proxy, File IO SD Proxy, SDP, SQL SDP Component, File IO SDP Component, SDE, SDE (SQL), SDE (RS), SDE (content), CDE, CDE (SQL), CDE (RS), CDE (Dir), Backup ADP, DAS, NAS, SAN Backup Media

Page 25

Need for Standards: OMG In The Lead

Next Steps

RFP "Sensitive Data Management" - completed
– Core
– Infrastructure
– Convenience Interfaces

RFC - the goal
– MDA-based specification for a "content aware firewall" that governs access to sensitive data
  • Any access method (SQL, XML, GIOP, etc.)
  • Any application environment (J2EE, CORBA, Web Services)
  • Any operating system (Unix, Windows, etc.)

Page 26

Thank You

[email protected]