1. 1 Sensitive Data Management in Financial Systems Mike Gurevich President and CEO INVENTIGO

2. 2 Organizations spend a medium of 6% of their IT budget in security implementations. The worldwide market for information security services (including consulting, integration, management, and education and training) in 1998 was $4.8 billion. This figure is expected to grow to $16.5 billion by 2004 with security management services expected to be the fastest growing sector. IDC's European Security Services Protecting e-business IDC's Plugging the holes of e-commerce Spending Profile: Overall

3. 3 Security budgets are ballooning: IDCs research indicates the financial services sector will continue to represent the single-largest source of security spending, growing from $848 million in 2000 to >$2 billion in 2005 Why IT security spending is growing? Do Financial Institutions get the expected ROI? Spending Profile: Financial Services

4. 4 Approach Determines Solutions. Solutions Drive Spending Data in Transit Data in Process Data at Rest Where is the main focus?

5. 5 Insecurity of IT Environments Drive Solutions How secure is data in transit ? Common practice: SSL (Secure Socket Layer) to encrypt communication links, PKI for authentication, XKMS and SACRED for key exchange. Security Issue: None, if certificate management and interoperability issues are solved (PKI hygiene). How secure is data in process? Common practice: Generally not addressed. When practiced, is substituted by access entitlement provisions. All data is processed in clear. Security Issue: SSL endpoints create security gaps, data is in the clear at intermediary processing systems (such as credit verification systems). Susceptible to code perversion (viruses and Trojan horses) and insufficient code quality assurance (sensitive data in log files, etc.) How secure is data at rest? Common practice: secure IT environment but not the data. Security Issue: External intrusion and attacks by insiders. Vulnerability compounded with storage area networks (SANs), DRP backups, and universal data repositories ( wallets ). Data at rest and data in process is at risk

6. 6 External and internal attacks pose major threats WHO: Charles Schwab INCIDENT: Web site had a cross-site scripting vulnerability that could allow a hacker to access all of a customer s account actions. A hacker could buy and sell stocks or transfer funds while the customer was logged on to the account. WHO: Contour Software INCIDENT: A glitch in the software exposed at least 700 loan applications – including social security numbers (SSN – on the Internet. A spokesman blamed a disgruntled former employee for turning off security settings. CSI/FBI 2002 survey Data in Transit Data In Process Data at Rest Never Ending Security Threats Drive Spending

7. 7 Current Focus: Predominantly on Firewalls and IDS* Majority of attacks originate inside the organization Firewalls Host Based IDS Systems of Records Network Based IDS *- IDS - Intrusion Detection Systems

8. 8 Defenses Miss Majority of Attacks Anyway Firewalls Host Based IDS Systems of Records Network Based IDS Intrusion Insiders Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack. "Attacks against a server might be detected, but a complex application-based attack might look like normal behavior." (David Ahmad, Moderator of the Bugtraq mailing list) CSI/FBI 2002 survey reveals the ineffectiveness of the IT perimeter defense investments against external attacks: Although 89% of respondents have firewalls and 60% use IDS, 40% report system penetration from the outside; and although 90% use anti-virus software, 85% were hit by viruses, worms, etc. * - IDS - Intrusion Detection System Do financial institutions get the expected ROI?

9. 9 Trend: Transformation Of Security Focus Emerging market for Sensitive Data Management Focus on the Core New Focus Current Focus

10. 10 Majority of attacks originate inside the organization Perimeter defenses miss majority of attacks Growing complexity of IT environments diminishes ROI The Need For Transformation: Unsolved IT Risks and diminishing ROI Sensitive data is at risk despite huge IT investments

11. 11 The Need For Transformation: Unsolved Business Risks Risk of loss from unauthorized changes or introductions of false data Risk of exposure from theft of sensitive information Pressure for regulatory compliance Sensitive data is at risk despite huge IT investments

12. 12 The Need For Transformation: Regulatory Compliance in Financial Industry Regulatory compliance with the Financial Services Modernization Act (also known as Gramm-Leach-Bliley Act, or GLB) requires: The FRB, FDIC, OCC, OTS, NCUA, SEC, and FTC all need to be compliant. Regulatory agencies are required to begin audits. Disclosure of policies and practices regarding disclosure of private financial information Prohibits the disclosure of private financial information to unaffiliated third parties, unless consumers are provided the right to "opt out" of such disclosure Requires the establishment of safeguards to protect the security and integrity of private financial information

13. 13 The Need For Transformation: Regulatory Compliance in Financial Industry (contd) Sensitive data is at risk despite pressure for regulatory compliance a)Access rights to customer information b)Access controls on customer information systems, including controls to authenticate and grant access only to authorized individuals and companies c)Access restrictions at locations containing customer information, such as buildings, computer facilities, and records storage facilities d)Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access e)Procedures to confirm that customer information system modifications are consistent with the banks information security program f)Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information g)Contact provisions and oversight mechanisms to protect the security of customer information maintained or processed by service providers h)Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems i)Response programs that specify actions to be taken when unauthorized access to customer information systems is suspected or detected j)Protection against destruction of customer information due to potential physical hazards, such as fire and water damage k)Response programs to preserve the integrity and security of customer information in the event of computer or other technology failure, including, where appropriate, reconstructing lost or damaged customer information

14. 14 The Need For Transformation: The Trend (focus on the core - sensitive data at rest) Directory Servers Sun1 Directory Server CriticalPath Directory Server Novell eDirectory Databases RDBMS Vendors Field-level resource access control and obfuscation tool Proprietary and intrusive to the application RSA Security Encryption toolkits for some popular databases Low-level Protegrity Security management tool for databases Encrypts entire columns of data and supplies an non-reputable audit log. Storage Decru File-level encryption. Applicable to SAN and NFS configurations. Transparent to the client. Neoscale Block-level encryption (fundamentally faster than file-level but not as flexible) Applicable to SAN configurations and backup solutions. Transparent to the client. Vormetric File-level encryption. Applicable to all DAS, NFS, and SAN configurations. Requires modification of the client side OS with proprietary extensions to File IO.

15. 15 The Need For Transformation: Alternative Approaches Revolutionary Pervasive practice of Principle of Least Authority (POLA) Each individual software object should have all the access authority it needs to do its job, but absolutely no more. The access rights must be fully, but absolutely minimally, adequate. Capability Based Computing E-Language Pervasive practice of POLA requires new programming language and/or OS

16. 16 The Need For Transformation: Alternative Approaches Evolutionary Apply Principal of Least Authority to Sensitive Data only Focus on modeling Sensitive Data Focus on exchange and access to Sensitive Data Focus on interoperability New product line Content aware firewalls Applying POLA to Sensitive Data only requires a new product – content aware firewall

17. 17 Standard Bodies –Security for data in transit, in process, and at rest –Technology and access method agnostic (CORBA, J2EE, File IO, SQL, XML) –Granularity (field level) –Convenience (non-intrusive, domain specific profiles, easy of management) –Auditability (non-repudiation, digital subpoena) –Verified Domain Specific Usage Profiles Vendors –Integrated/interoperable data firewalls Enterprises, Regulatory Agencies –Drive demand and requirements The Need For Transformation: What is Needed

18. 18 Transparent for existing applications Enhanced capabilities of new applications –Granular sensitive data management (modeling, encryption, auditing, etc.). –Key hygiene and interoperability with existing key stores and authentication systems –Convenience (modeling, development, deployment) –Acceptable QoS (speed, etc.) Interoperability with –Security management echo system (IDS, etc.) –Archiving solutions Requirements The Need For Transformation: What is Needed (contd)

19. 19 Need for Standards: OMG In The Lead Approach Finance DTF – Leading the effort Core (jointly with Sec SIG) Infrastructure (jointly with Sec SIG and ADTF) Domain Specific Profile Definitions and Convenience Interfaces (examples) –Secure DDR –Secure Logging –Digital Subpoena Deployment and validation

20. 20 Need for Standards: OMG In The Lead Approach Security SIG – Active involvement Define Common Criteria Protection Profile for –Core –Infrastructure –Profiles of Convenience Interfaces Endorsement Analysis and Design PTF – Active involvement Review Infrastructure –Sensitive Data Management PIM

21. 21 Need for Standards: OMG In The Lead Approach Middleware and Related Services PTF – Potential interest (example) Domain Specific Profile Definitions and Convenience Interfaces –Secure Object Persistence (secure J2EE CMP) Deployment and validation

22. 22 Need for Standards: Profile Example Profile for Sensitive Data Exchange Originator: –Data Elements: produces the Data Element(s) in clear text. Sufficient granularity. –Keys: generates individual Key(s) for each Data Element. –IKRs: acquires IKR(s). Preferably generates IKR(s) locally. –Key Store: stores Key(s) in a Key Store referencable by IKR(s). The Key Store should resolve IKR collisions for locally generated IKRs. –Encryption Keys: Preferably generates Encryption Key(s) locally using the Key(s) as seed(s). –Sensitive Data Elements: individually encrypts the Data Element(s) using the Encryption Key(s). –Message: contains Sensitive Data Element(s) together with (or means for obtaining) the IKR(s).

23. 23 Need for Standards: Profile Example Contd Profile for Sensitive Data Exchange Recipient: –Message: receives the Sensitive Data Element(s). Receives/obtains the IKR(s). –Key Store: Retrieves Key(s) from the Key Store via the IKR(s). –Decryption Keys: Preferably generates Decryption Key(s) locally using the retrieved Key(s) from the Key Store. –Data Elements: Decrypts the Data Element(s) using the Decryption Key(s).

24. 24

25. 25 Need for Standards: OMG In The Lead Next Steps RFP Sensitive Data Management - completed –Core –Infrastructure –Convenience Interfaces RFC - the goal –MDA-based specification for a content aware firewall" that governs access to sensitive data Any access method (SQL, XML, GIOP, etc.) Any application environment (J2EE, CORBA, Web Services) Any operating system (Unix, Windows, etc)

26. 26 Thank You mikeg@inventigo.com