Implementing and Auditing Modern PCI Cryptosystems (I21c)
Underlying most modern security systems that protect confidentiality and integrity is the fundamental concept of cryptography, and powering every cryptographic system is the oft-overlooked presumption of a solid cryptosystem and sound key management. As the service-based ecosystem grows, providers are relying increasingly on end-to-end encryption, transport encryption, and negotiated key agreement across untrusted network connections. In implementing and maintaining these technologies, however, they may be making the dangerous assumption that encryption always equals security. Insider threats are on the rise, accounting for a growing number of data exfiltration events. For management, internal audit, and compliance teams tasked with providing oversight of the development and operations of cryptographic engineering and key management teams, it can be a challenge to understand what questions to ask, which processes to oversee, and what constitutes effective policy documentation and processes.
In this session, PCI QSA, QSA(P2PE), QPA, SSF, and PA-QSA cryptography assessor Sam Pfanstiel will provide a management-level overview of effective cryptographic engineering with a focus on how weaknesses in implementation and procedural controls have contributed to recent high-profile data breaches. Assuming the manager’s view of enterprise risk and governance, Sam will also leverage his extensive background with compliance standards such as PCI DSS, P2PE, PCI PIN, PA-DSS, SSF, ANSI X9.24, NIST SP 800-57 and SP 800-130, and ISO 11770 to provide practical guidance that addresses the challenges associated with implementing and monitoring security controls for key management and cryptosystem design. Finally, attendees will learn how to better discuss the importance of these controls to minimize risk and prevent the next wave of insider attacks on sensitive user and enterprise data.
Discussion of cryptography technologies will include basics of symmetric key management and distribution; asymmetric key agreement and management; designing cryptosystems for authentication, key conveyance, and sensitive data encryption; principles of split knowledge and dual control, and why they still matter today; use of secure cryptographic devices, cloud-based key management services, and electronic key management systems; how to evaluate weak links in the engineering of a cryptosystem; and communicating the importance of these controls to address specific enterprise risks.