1

IBM DataPowerPCI Solutions

Steven Cawn

WebSphere DataPower World Wide Sales leader

scawn@us.ibm.com

2

What is PCI DSS?

• Payment Card Industry Data Security Standard (PCI DSS) is a global security program that was created to increase confidence in the payment card industry and reduce risks to PCI Members, Merchants, Service Providers and Consumers.

3

Payment Card Industry – History

•Initial specifications adopted December 2004•1.1 Specifications adopted September 2006•1.2 Specifications adopted October 2008•1.2.1 specifications adopted August 2009•2.0 specifications adopted October 2010•As of January 2011, every institution must abide by 2.0 specifications

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is done annually — by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

4

To Whom Does PCI DSS Apply?

• All merchants & service providers that store, process, use, or transmit cardholder data

• Retail (e-commerce & brick & mortar)• Hospitality (restaurants, hotels, casinos) • Convenience Stores (gas stations, fast food) • Transportation (airlines, car rental, travel agencies) • Financial Services (credit card processors, banks, insurance companies)• Healthcare/Education (hospitals, universities)• Government (where payment cards are accepted)

5

PCI DSS Requirements “The Digital Dozen”Build and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data3. Protect stored cardholder data4. Encrypt transmission of cardholder data sent across open, public networks Maintain a Vulnerability Management Program5. Use and regularly update anti-virus software6. Develop and maintain secure systems and applications Implement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder dataRegularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder data11. Regularly test security systems and processesMaintain an Information Security Policy

12. Maintain a policy that addresses information security – Connected Entities and Contracts

PCI DSS Ver. 1.1

6

PCI Non-Compliance Consequences (Global)• If non-compliant and a breach occurs…

– Merchants/Service Providers have liability for the acquirer bank's losses, cost of the investigations, litigation costs and card re-issuance costs

– Fines per incident from Visa (against acquiring bank)

– Restrictions imposed by card companies (prohibiting future credit card processing)

– Repayment of losses may exceed the ability to pay and cause total failure of the organization

• Other potential consequences:

– Damaged brand reputation

– Invasive media attention

– Loss of customers

7

Over to 1,800 worldwide installations and growing

Used by 95% of top global insurances firms

SaaS providers, ASPs, regulators, etc.

Agencies and ministries

Defense and security organizations

Crown corporations

Insurance

Government

Banking

Retailers

Utilities, Power, Oil and Gas

Airlines

etc.

Many, many, more

80% of top 100 Banks

Numerous regional banks and credit unions

SaaS providers, ASPs, regulators, etc.

What are WebSphere DataPower Appliances?

Business Value

The purpose of WebSphere DataPower Appliances is to take the ‘hard parts’ of SOA deployments (service security, integration, ESB, load distribution, etc.) that are traditionally performed by software

on application servers, yet have nothing to do with Business Logic, and move those ‘hard parts’ into highly efficient hardened

configuration driven devices in the network.

By moving this computationally intensive “grunt work” into the network, your application servers regain cycles to do what you pay

for them to do: Run Business Logic

88

What are WebSphere DataPower Appliances?

Product Value

“Specialized purpose-built hardened embedded network devices that take the “hard parts” of SOA security and integration traditionally requiring complex and costly

software systems and delivers them in a simple “uncrate, rack, configure and deploy” platform.”

Powerful and uniquely efficient message and file oriented configuration-driven Security and Integration platform with the

extremely low operational TCO of a true network device.

99

10

WebSphere DataPower - Use Cases

Internet Trusted DomainBusiness

Consumer

1 B2B Partner Gateway

2 Secure Gateway (Web Services, Web Applications)

3 Intelligent Load Distribution

Application

Application

System z

DMZ

4 Internal Security

5 Light Weight Integration

6 Web Service Management

7 Legacy Integration

8 Run time SOA Governance

HMCHMC

Mobile

11

WebSphere DataPower and the PCI DSS “Digital Dozen”

WebSphere DataPower ideal solution for many requirements:

• Build and Maintain a Secure Network– Requirement 1: Install and maintain a firewall configuration to protect cardholder data– Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data– Requirement 3: Protect stored cardholder data– Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Maintain a Vulnerability Management Program– Requirement 5: Use and regularly update anti-virus software– Requirement 6: Develop and maintain secure systems and applications

• Implement Strong Access Control Measures– Requirement 7: Restrict access to cardholder data by business need-to-know– Requirement 8: Assign a unique ID to each person with computer access– Requirement 9: Restrict physical access to cardholder data

• Regularly Monitor and Test Networks– Requirement 10: Track and monitor all access to network resources and cardholder data– Requirement 11: Regularly test security systems and processes

• Maintain an Information Security Policy– Requirement 12: Maintain a policy that addresses information security

Complete solution

Part of solution

12

Web Services (XML) - Filter on any content, metadata or network variables

Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling

Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed

Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation

Encryption of transport layer - HTTP, HTTPS, SSL. Anti Virus Protection - messages and attachments checked for viruses; integrates with

corporate virus checking software through ICAP protocol

XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc Management & Logging - manage & track services, logging of all activities, audit.

Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process.

Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)

DataPower - Key Functions for PCI Compliance Easy to Use Appliance Purpose-BuiltEasy to Use Appliance Purpose-Built

for SOA Securityfor SOA Security

Req. 1

Req. 3,4

Req. 5

Req. 7,8,9

Req. 10

Req. 12

13

WebSphere DataPower: Protecting Cardholder Data

Encrypted & digitally signed Message<Credit Card>

<Cust>Brian P. Bell</Cust><Encrypted CCN> ws389maz301</Encrypted CCN><Credit Type>AMEX</Credit Type>……………….

</Credit Card>

Key Functions:Terminate SSL

Defend against XML threatsValidate XML (schema)

AuthenticationAuthorization

Audit/Transaction LoggingFilter data

Encrypt/Decrypt messageDigitally sign message

Mask back-end resourcesRoute based on content

Encrypted XML data is delivered to the database to the encrypted credit card for later use

DatabaseDatabase

Client sends credit card information to be stored in the database though an supported protocol

Response message is sent confirming the insertion of the encrypted credit card number into the database

Response message is received confirming the insertion of the encrypted credit card number into the database

Protocols: HTTP/s, MQ, Tibco, JMS, FTPs, NFS, etc

Direct DB Connect

Incoming Message – data not encrypted<Credit Card>

<Cust>Brian P. Bell</Cust><CreditCardNumber> 3732 955939 395500</CreditCardNumber><Credit Type>AMEX</Credit Type>……………….

</Credit Card>

Requirement 3 Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

14

Access Control & Credential Mapping

1. Client send request to App Server2. Request carry client username & Password3. DataPower will authenticate client4. DataPower will map credentials for unified communication with backend*

* Assuming all authentic users are authorized. Otherwise TAM or similar must be used for Authorization

Requirement 7 Restrict access to cardholder

data by business need-to-know.

Requirement 8 Assign a unique ID to each

person with computer access.

15

DataPower Anti-Virus Protection

• Allows messages and attachments to be checked for viruses

• Integrates with corporate virus checking software through the ICAP protocol

• Anti-Virus Processing Actioneases configuration and use ofthis capability

• Includes pre-configured HostTypes (CLAM, Symantec, Trend, Webwasher) as well as customizability

16

Logging of Transactions Requirement 10Track and monitor all access to network

resources and cardholder data.

DataPower can Log transactions passing through it to:-On-the-box File System-Database-Network File System-MQ queues-FTP Server

DataPower could be integrated with monitoring software viaSNMP protocol (not vendor specific)

DataPower could integrate with Antivirus for attachments scanning

Requirement 5Use and regularly update anti-virus

software

17

Protection against Open Web Application Security Project (OWASP) Top 10 Attacks

 Top 10 Most Critical Web Application

Security Risks

18

Open Web Application Security Project Compliance

Provides Protection

Against 100 % Of OWASP

Top 10 Risks

19

DataPower has deployments cross industry for PCI Compliance

Major Prepaid Wireless carrier

National Uniform Provider

Telecommunication Provider in Australia

Large US based Insurance Provider

Summary: Business Benefits

Key Reusable Core IT Functionality: Solves complex SOA IT service integration and security challenges in a secure, easy to consume and extremely low TCO network device

Configuration Driven: All enforced policies and mediations are configuration driven, not programmed. This significantly simplifies and reduces deployment requirements and cost

Flexibility: Secure, integrate, bridge and version applications without application modification

Reduce Complexity: Do work “in the network” as the data flows over the wire instead of on application servers, reducing infrastructure footprint and freeing up application servers to run more business logic

Reduce Time to Market: Dramatically decrease the “time to deploy” in your environment. Being a configuration-driven platform, most deployments are “uncrate, rack, configure and deploy”

Reduce Risk: Takes the “grunt work” out of SOA application security and integration allowing you to focus on building your business logic. “In the network” platform allows improved security and audit capabilities without application modification

Lower TCO: It’s a network device. Customers’ own data has shown that DataPower appliances can be 7X-8X less expensive to operate in the data center than software alternatives

A New Approach: These are not “software pre-installed on servers”. DataPower applies sophisticated embedded technology to solve complex IT challenges in new and novel ways

20

21

DataPower Product Family Highlights

Integration Appliance XI50B, XI50z, XI52 Hardware ESB “Any-to-Any” Conversion at wire-

speed Bridges multiple protocols Integrated message-level security Network Load Balancing

Service Gateway XG45 Enhanced Security Capabilities Centralized Policy Enforcement Fine-grained Authorization and

Authentication Network Load Balancing

B2B Appliance XB62 B2B Messaging (AS1/AS2/AS3/EDI) Trading Partner Profile Management B2B Transaction Viewer Support for HL7 and EDIfact Industry Pack

22

Additional Information

WebSphere DataPower home page http://www-01.ibm.com/software/integration/datapower

WebSphere DataPower Information Center (online help):– http://pic.dhe.ibm.com/infocenter/wsdatap/v5r0m0/index.jsp

developerWorks– http://www.ibm.com/developerworks/websphere/zones/businessintegration/dp.h

tml WebSphere Education

– http://www.ibm.com/software/websphere/education/ IBM Software Services for WebSphere

– http://www.ibm.com/developerworks/websphere/services/ IBM WebSphere DataPower SOA Appliance Handbook

– http://www.ibmpressbooks.com/bookstore/product.asp?isbn=9780137148196 DataPower SOA Appliance Customer Forum

– http://www.ibm.com/developerworks/forums/forum.jspa?forumID=1198

23

Additional Information

Global WebSphere Community– http://www.websphereusergroup.org/datapower

Technotes– http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,db

lue,ic,pubs,devrel1&prod=U692969C82819Q63

• DataPower Redbooks– http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower

DataPower on YouTube - http://www.youtube.com/watch?v=LRy0twFpmUQ

zEnterprise and PCI-DSS compliance– http://www.businesswire.com/news/home/20100308006657/en/atsec-Publishes-Payment-

Card-Industry-Compliance-Large• Certification Whitepaper regarding PCI Compliance

– http://www.atsec.com/downloads/white-papers/PCI_Compliance_for_LCS.pdf• DataPower OWASP White Paper

– ftp://submit.boulder.ibm.com/sales/ssi/ecm/en/wsw14196usen/WSW14196USEN.PDF

24

Thank You

25

OWASP DataPower Compliance Details

26

Threat: A1- Injection

• Threat description– Injection flaws, such as SQL, Command shell, or LDAP injection, occur

when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands, or accessing unauthorized data.

• DataPower mitigation–Data type checking for invalid input–XML Threat protection setting for XPath injection –SQL injection filter configuration rejects SQL injections–Regular-expression filters used as a “catch-all” for shell injections, LDAP

calls, PHP code, or any other programming language

27

Threat: A2 - Cross-Site Scripting (XSS)

• Threat description–XSS flaws occur whenever an application takes untrusted data

and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

• DataPower mitigation–Native XSS filter configuration for rejecting incoming/outgoing

traffic that contains XSS content

28

Threat: A3 - Broken Authentication and Session Management

• Threat description– Application functions related to authentication and session management are

often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.

• DataPower mitigation– Broad security standards support, i.e. WS-Security, XACML, SAML, SSL/TLS– “Out-of-the-box” integration with many industry-leading PDP solutions, such

as Tivoli Access Manager, Active Directory, LDAP, SiteMinder, etc. – Centralized platform for Security governance – Tools for configurable AAA and Crypto processing, as well as key protection

29

Threat: A4 - Insecure Direct Object References• Threat description

–A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

• DataPower mitigation–Enforces security decisions based on properly classified users

authorized to specific resources and actions in a policy. –Transforms and exposes indirect object identifiers that are mapped to

direct object identifiers at the application, such as references to a SSN or an Account number.

30

Threat: A5 - Cross-Site Request Forgery (CSRF)• Threat description

– A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

• DataPower mitigation– Provides several building blocks to prevent such attacks:

• Creation, or checking Nonce values• Generation, or validation Digital Signatures on each request• Creation, or confirmation for Hash values • Injection, or parsing of secondary session cookies present in hidden HTTP fields

31

Threat: A6 - Security Misconfiguration• Threat description

– Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. The system could be completely compromised without one knowing it. Causing all data to be stolen, or modified slowly over time.

• DataPower’s mitigation– DataPower can't solve this problem alone, but it can significantly reduce the scope of

what must be configured, or programmed– By pulling security policies and functions away from application servers and

centralizing them on DataPower, the chance of security misconfiguration is reduced because the number of systems that contain security processing code is also reduced.

– Additionally, centralizing corporate wide security policies on a common gateway means that services that trust the gateway are all configured to share a consistent security policy among them.

32

Threat: A7 - Insecure Cryptographic Storage• Threat description

– Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes

• DataPower mitigation– Standards based cryptographic processing, such as encryption and hash

operations– Secured key material stored in the encrypted part of the file system– Encrypts sensitive data and stores it in a database. Providing authorized

applications to access confidential data through DataPower – in essence functioning as a Data-as-a-Service (DaaS) provider

33

Threat: A8 - Failure to Restrict URL Access

• Threat description– Many web applications check URL access rights before rendering

protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

• DataPower mitigation– Leverage DataPower’s explicit white-list policy model using Matching rules

– Enforces per-request authentication and resource-based authorization based on the AAA framework

– URL-Rewrites to hide the original URL of the backend application

34

Threat: A9 - Insufficient Transport Layer Protection• Threat description

– Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

• DataPower mitigation– SSL Proxy configuration secures traffic using SSL/TLS– Strong SSL Cipher suite is available and enabled by default– Clients can be trusted using mutual authentication– CRL and OCSP support ensures certificates are valid and trusted– The key material is stored securely in an encrypted portion of the flash memory

35

Threat: A10 - Invalid Redirects and Forwards• Threat description

–Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

• DataPower mitigation–Applications not expecting Re-directs can be configured to reject

HTTP 302–HTTP Front-side handler, User-Agent and URL Re-write configurations

can be used to flag and reject these requests as potential threats