Implementing and Auditing Modern PCI Cryptosystems (I21c)
Underlying most modern security systems that protect confidentiality and integrity is the fundamental concept of cryptography, and every cryptographic system in turn rests on an often overlooked prerequisite: a sound cryptosystem design and sound key management. As the service-based ecosystem grows, providers rely increasingly on point-to-point encryption, transport encryption, and negotiated key agreement across untrusted network connections. In implementing and maintaining these technologies, they may be making the dangerous assumption that encryption always equals security. Insider threats are on the rise, and weaknesses in cryptographic design account for a growing number of data exfiltration events. For management, internal audit, and compliance teams tasked with overseeing the development and operation of cryptographic engineering and key management functions, it can be a challenge to know what questions to ask, which processes to oversee, and what constitutes effective policy documentation and procedures.
In this session, PCI P2PE QSA Bryan Bell will provide a management-level overview of effective cryptographic engineering, with a focus on how weaknesses in implementation and procedural controls have contributed to recent high-profile data breaches. Taking the manager's view of enterprise risk and governance, Bryan will provide practical guidance on implementing and auditing cryptosystem design, monitoring processes, and assessing compliance against common PCI standards. Finally, attendees will learn how to better communicate the importance of these controls, so as to minimize risk to sensitive user and enterprise data and to prevent the next wave of insider attacks and design weaknesses.