Tuesday, January 22, 2008

PCI and DLP

How can you use DLP to protect the flow of credit card data outside of your main credit card processing?

Data in Motion (DIM) should be used to validate that credit card information does not traverse your network in the clear, and it should produce audit reports that verify this. DIM should also integrate with the database and with the web applications so that all flows are understood and mapped. The problem is that over time tables come to hold more information than was expected, and applications may use those tables in ways that are not fully understood. Data flow mapping is therefore paramount, and it requires content inspection and classification: you should be able to follow the entire lifecycle of the credit card information regardless of which system it resides on, and whether it stays within your own organization or travels to a business partner. Keep in mind that DIM can only classify what it can read, so flows that are already encrypted have to be inspected at a point where the plaintext is visible, or recorded in the flow map as known-encrypted.

Data at Rest (DAR) should be used to evaluate repositories so that the flow of credit card information into and out of each one is understood, and so that retention policies are enforced by destroying credit card data in repositories that hold PCI data which is no longer needed.

Agents should be used on application servers and end-user systems to ensure that only users entitled to the information have access to it, and that the information is always encrypted. Agents should also enforce the data retention policy, removing the information once it is no longer needed. However, you cannot simply remove information without notifying users, so the solution must account for how users are notified about expiring material and the different actions they can take. One way I envision the solution is that users are notified that they must either delete the data or request an exception to be able to keep it.
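The content inspection and classification that the Data in Motion, Data at Rest and agent sections above all rely on, as an added example written for this post (it is not code from the original page or from any DLP product): a Luhn-filtered PAN detector run over constructed flow records to report card numbers that crossed the network in the clear, and the same detector run over constructed repository rows to produce the agent's retention decision (keep, notify the owner, or delete). The flow line format, the record fields `retain_until` and `exception_until`, the 30-day grace window and all sample data are assumptions made for the example.

```python
# Added example for this post: PAN content inspection for data in motion and
# data at rest, plus the retention decision an agent would make. Flow format,
# record fields and sample data are constructed for illustration.
import re
from datetime import date, timedelta

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real PAN passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PANs (digits only) that appear in clear text."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep only the last four digits so the audit report never carries a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


# ---- Data in motion: which captured flows carried a PAN in the clear? ----

def audit_flows(flow_lines: list) -> list:
    """One dict per flow that carried a cleartext PAN, with masked PANs for the report."""
    findings = []
    for line in flow_lines:
        pans = find_pans(line)
        if pans:
            findings.append({"flow": line.split(" body=")[0],
                             "pans": [mask(p) for p in pans]})
    return findings


# ---- Data at rest / agent: retention decision for a record holding a PAN ----

def retention_action(record: dict, today: date, grace_days: int = 30) -> str:
    """'keep' while retention or an approved exception is in force, 'notify' when
    retention ends within grace_days (owner must delete or request an exception),
    'delete' once retention has lapsed with no exception on file."""
    exc = record.get("exception_until")
    if exc is not None and exc >= today:
        return "keep"
    if record["retain_until"] < today:
        return "delete"
    if record["retain_until"] - today <= timedelta(days=grace_days):
        return "notify"
    return "keep"


def scan_repository(rows: list, today: date) -> dict:
    """Map record id -> action for every row that actually contains a PAN.
    Rows holding only a token or the last four digits are out of scope."""
    return {row["id"]: retention_action(row, today)
            for row in rows if find_pans(row["content"])}


# Constructed sample flow records (not real traffic). 4111... and 5500... are
# published test card numbers; 1234567890123456 is 16 digits but fails Luhn.
FLOWS = [
    "src=10.1.2.3 dst=10.1.9.9 proto=http body=card=4111111111111111&exp=1225",
    "src=10.1.2.3 dst=10.1.9.9 proto=https body=<tls-encrypted>",
    "src=10.1.5.5 dst=10.1.9.9 proto=http body=token=tok_9f3e2b&invoice=1234567890123456",
    "src=10.1.5.5 dst=192.168.7.7 proto=smtp body=card ending 1111, ref 5500 0000 0000 0004",
]

# Constructed sample repository rows; "today" is the date of the post.
TODAY = date(2008, 1, 22)
REPOSITORY = [
    {"id": "ord-1", "content": "paid with 4111 1111 1111 1111",
     "retain_until": date(2008, 2, 10), "exception_until": None},
    {"id": "ord-2", "content": "paid with token tok_9f3e2b",
     "retain_until": date(2008, 2, 10), "exception_until": None},
    {"id": "ord-3", "content": "refund to 5500000000000004",
     "retain_until": date(2007, 12, 1), "exception_until": None},
    {"id": "ord-4", "content": "chargeback on 5500000000000004",
     "retain_until": date(2007, 12, 1), "exception_until": date(2008, 6, 30)},
    {"id": "ord-5", "content": "paid with 4111111111111111",
     "retain_until": date(2009, 1, 1), "exception_until": None},
]

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print("CLEARTEXT PAN:", finding)
    for rid, action in scan_repository(REPOSITORY, TODAY).items():
        print(rid, "->", action)
```

A last-four suffix or a token never matches, and the 16-digit invoice number fails the mod-10 check, which is what keeps the audit report from filling with false positives; the TLS flow is simply invisible to this scanner, which is why it has to sit where plaintext is available. A production scanner would additionally restrict the leading digits to known issuer ranges and feed the masked findings into the compliance metrics rather than printing them.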

This system should be distributed, and it should provide compliance metrics and risk-management metrics for the organization. It should also be able to tie into other security and compliance systems, so that the organization has a full view of the security issues, compliance and risk being managed.
