Encryption Business Discussion Pages

  • December 2019
  • PDF

IT AUDIT CHECKLIST: PCI

However, while EKMI may smooth some of the technical path to encryption, process and people hurdles may prove more persistent. Trying to convince C-level business executives to support encryption by quoting DSS subrequirements such as “Split knowledge and establishment of dual control of keys” or debating the definition of “secure key distribution” is likely to draw limited success. A stronger case can be made by explaining the business value of EKMI from the mundane perspective of key rotation (testing procedures 3.6.4 and 3.6.8). Your PCI auditor is likely to ask for evidence that you have rotated encryption keys at least annually. Furthermore, the standard requires managers to be able to quickly change “known or suspected compromised keys” enterprise-wide. The labor cost of annually and manually replacing keys throughout a distributed POS quickly adds up to more than the cost of deploying an EKMI solution, such as the open source StrongKey.

Management should be aware, however, that commercial off-the-shelf POS software is not likely to be plug-and-play when it comes to EKMI. Bought applications must be modified by their vendors to integrate the key-management system’s API and accommodate encrypted data and a Global Key-ID (GKID). According to EKMI co-chair Arshad Noor:

“How does one use the SKMS [symmetric key management system] if a specific COTS [commercial off-the-shelf software] at a site does not support it? Currently we are at a stage of the SKMS’ evolution, just as DNS and RDBMS [relational database management systems] were at their inception. Before the creation of these ‘abstraction’ technologies, applications had to resolve hostname-IP addresses and perform data management on their own. As DNS and RDBMS protocols and APIs became standards, application developers abandoned their proprietary implementations to adopt industry standards–the monetary benefits were too good to ignore. It is anticipated that SKSML [Symmetric Key Services Markup Language] will be adopted faster than DNS and the RDBMS, because of the same benefits that would accrue to independent software vendors, and also due to the regulatory and TCO [total cost of ownership] pressures on IT organizations.”14

Another obstacle that arises in an EKMI implementation is protecting digital certificates at client machines (POS registers and in-store servers). Typically this process involves using a hardware security module (HSM), which is expensive, or a USB dongle,15 which can be inconvenient. Over the long term, this issue will go away, as the hardware that POS software runs on is refreshed and the new hardware is shipped with a trusted platform module (TPM) chip on the motherboard. It is expected that the widespread proliferation of TPM chips over the next five years will be a crucial and potent enabler of the uptake of EKMI in POS environments.
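The auditor's question above (have keys been rotated at least annually, and can a compromised key be located and replaced quickly) is the kind of check that can be run against a key inventory rather than answered from memory. The following is an added example, not code from the checklist, from OASIS EKMI or from StrongKey. It assumes the key-management system can export its inventory as JSON records with an id, a creation date and a status, and that every encrypted record carries the id of the key protecting it (the Global Key-ID mentioned above); the field names, key ids and store records are constructed for illustration.

```python
"""Key-inventory check supporting PCI DSS testing procedures 3.6.4 / 3.6.8.

Added example. Assumes a KMS export with fields id/created/status and
records tagged with the protecting key's id (the text's GKID). All field
names, key ids and sample records are constructed, not taken from any
real system.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# DSS asks for rotation at least annually.
MAX_KEY_AGE = timedelta(days=365)

# Constructed inventory export: one overdue key, one fresh key, one flagged key.
KEY_INVENTORY = json.dumps([
    {"id": "gkid-0001", "created": "2007-01-15", "status": "active"},
    {"id": "gkid-0002", "created": "2008-03-01", "status": "active"},
    {"id": "gkid-0003", "created": "2008-02-10", "status": "compromised"},
])

# Constructed sample of encrypted records, each tagged with its key id.
RECORDS = [
    {"store": "S101", "register": 1, "key_id": "gkid-0001"},
    {"store": "S101", "register": 2, "key_id": "gkid-0003"},
    {"store": "S205", "register": 1, "key_id": "gkid-0002"},
    {"store": "S205", "register": 3, "key_id": "gkid-0003"},
]


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    created: date
    status: str


def load_inventory(raw: str) -> list[KeyRecord]:
    """Parse the exported key inventory into KeyRecord objects."""
    return [
        KeyRecord(item["id"], date.fromisoformat(item["created"]), item["status"])
        for item in json.loads(raw)
    ]


def keys_due_for_rotation(keys: list[KeyRecord], today: date) -> list[str]:
    """Active keys older than the rotation period: evidence for 3.6.4."""
    return sorted(
        k.key_id for k in keys
        if k.status == "active" and today - k.created > MAX_KEY_AGE
    )


def records_needing_rekey(keys: list[KeyRecord], records: list[dict]) -> list[dict]:
    """Records still protected by a key marked compromised: the 3.6.8 work list."""
    compromised = {k.key_id for k in keys if k.status == "compromised"}
    return [r for r in records if r["key_id"] in compromised]


def rotation_report(raw_inventory: str, records: list[dict], today: date) -> dict:
    """Summarise both checks so the result can be handed to an auditor."""
    keys = load_inventory(raw_inventory)
    rekey = records_needing_rekey(keys, records)
    return {
        "due_for_rotation": keys_due_for_rotation(keys, today),
        "rekey_count": len(rekey),
        "stores_affected": sorted({r["store"] for r in rekey}),
    }


def demo_report() -> dict:
    """Run the report against the constructed data at a fixed date."""
    return rotation_report(KEY_INVENTORY, RECORDS, date(2008, 6, 1))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=2))
```

The report deliberately separates the two questions: overdue rotation is a scheduling problem, while a compromised key is an incident that needs a list of exactly which stores and registers must be re-keyed first.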

www.ITCinstitute.com

14 Noor, Arshad. Symmetric Key Management Systems. ISSA Journal, Feb 2007. http://www.oasis-open.org/committees/download.php/22096/Noor_Symmetric%20Key%20Management%20Systems-1.pdf

15 http://en.wikipedia.org/wiki/Dongle


In the short term, best practices for advancing EKMI (and thereby promoting an easier tomorrow) include:

  • If you use a vendor-developed POS system, start urging the vendor to investigate the EKMI standardization project at OASIS.
  • If you participate in an “enterprisewide encryption project committee,” or other encryption management effort, champion an enterprisewide key-management project that can accommodate multiple encryption engines suited to various applications deployed throughout the enterprise.
  • Urge internal development groups to integrate the royalty-free SKCL (Symmetric Key Call Library) with internal applications. Programs written in C/C++ can use a Java Native Interface (JNI). AS/400 must be integrated to an RPG Native Interface (RPGNI).16

PAN storage (DSS section 3.1)

The requirement to render stored PANs unreadable has probably generated more strategy meetings than any other requirement. This is because concealing PANs involves encryption, a process that can disquiet even experienced IT managers. Not only does encryption involve cryptography (read: math), but it also has significant implications for existing IT systems. As a specific challenge, cryptographic key management is a wholly new field for most IT managers, and even PCI compliance managers.

Before you rush headlong into encryption and key management, first investigate whether it would be possible to eliminate PAN repositories within your company. In most cases, the business value of keeping PANs is less than the cost of the precautions necessary to secure them. In many cases, marketing departments provide the strongest objections to eliminating PANs. Marketing departments use PANs as unique identifiers that link customer buying patterns, and in marketing-driven companies this can be a particularly hard dependency to break. One solution is hashing card numbers to create a different unique identifier that marketing can use. Or the merchant can keep multiple databases: one with complete PANs on a secure server and another production database with hashed numbers. When a new PAN enters the system, two copies of the information are made: one is hashed and entered into the production database; the other is copied into the secure “archive,” which is itself protected with whole-disk encryption. The archive’s purpose is protective and preventative, in case a valid business reason arises for accessing PANs. Masking the stored PANs (replacing some digits with a “mask” value, such as “x”) is also an option, but is impractical for most merchants. Note that masking stored PANs is different from the masking requirement listed in DSS section 3.3, which refers to conditionally masking on the fly, when the PAN is displayed.
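The two-database split described above, as an added example that is not code from the checklist or from any vendor it names: a new PAN is checked, an irreversible identifier is written to the production row for marketing to join on, and the full PAN goes only to the archive row. One caveat the passage does not spell out: the space of valid card numbers is small enough that an unkeyed hash of a PAN can be recovered by enumerating candidates, so the identifier is a keyed HMAC, and the key must be held with the archive's controls rather than in the production database. The key, card numbers and customer ids below are constructed placeholders; the masking function keeps the first six and last four digits, the usual limit for DSS 3.3-style display masking.

```python
"""Split a new PAN into a hashed production identifier and an archived copy.

Added example, not from the checklist or any vendor. HASH_KEY is a
placeholder for a key fetched from the key-management system; the card
numbers are constructed test values.
"""
import hashlib
import hmac
import re

# Placeholder: in practice fetched from the KMS and never stored next to
# the identifiers it protects (an unkeyed hash of a PAN is enumerable).
HASH_KEY = b"replace-with-key-from-kms"

# Constructed sample input: a Luhn-valid test PAN and a mistyped one.
SAMPLE_PAN = "4111111111111111"
BAD_PAN = "4111111111111112"


def luhn_valid(pan: str) -> bool:
    """Reject malformed or mistyped numbers before they reach either store."""
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_identifier(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed hash of the PAN: stable per card, useless as a card number."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def mask_pan(pan: str, mask_char: str = "x") -> str:
    """Masked form keeping the first six and last four digits."""
    return pan[:6] + mask_char * (len(pan) - 10) + pan[-4:]


def split_record(pan: str, customer: str, key: bytes = HASH_KEY):
    """Return (production_row, archive_row) for a newly received PAN.

    The production row never sees the PAN; the archive row holds it and
    lives on the whole-disk-encrypted server the text describes.
    """
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    production_row = {"customer": customer, "card_ref": pan_identifier(pan, key)}
    archive_row = {"customer": customer, "pan": pan, "display": mask_pan(pan)}
    return production_row, archive_row


if __name__ == "__main__":
    prod, arch = split_record(SAMPLE_PAN, "C-1001")
    print(prod)
    print(arch["display"])
```

Because the identifier is keyed, a rotation of HASH_KEY changes every `card_ref`; if marketing's history must survive a key change, the archive (not production) is where the old-to-new mapping is rebuilt.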

16 Noor, Arshad. Enterprise Key Management Infrastructure (EKMI) (2006). http://www.oasis-open.org/events/adoptionforum2006/slides/noor.pdf

