8.2.5 Security Compliance and Cryptography
Compliance requirements are one of the major influencing factors for the implementation of strong
cryptography and data protection techniques. Certain compliance standards are not prescriptive
and do not specifically mandate encryption for sensitive data. These compliance standards usually
require the security controls to be derived from a risk assessment, and if encryption implementation
is identified as one of the controls for sensitive information, then cryptography is also
included in the security program.
There are certain standards that prescribe cryptography as one of the measures of data protection
and certain standards that impose penalties on organizations storing or transmitting
unencrypted sensitive information. Let us explore some of the specific compliance requirements
for encryption and key management:
PCI Standards
SB 1386
8.2.5.1 PCI Standards
Let us briefly recapitulate our learning of the PCI Standards. PCI-DSS is one of the most important
security compliance standards in the current day. Any organization storing, processing, or transmitting
cardholder information is required to comply with this standard. This includes merchants
and service providers, such as credit card processing companies, as well as their partners with whom
cardholder information is shared. The PCI Standard is a set of 12 requirements, encompassing all
spheres of information security including physical security, network security, host security, and
application security. Requirement 3 of the standard deals with the protection of stored cardholder
data, and Requirement 4 of the standard deals with the protection of cardholder information during
transmission. Let us explore some specific requirements of the standard with respect to data
security and cryptography:
Requirement 3.4 states that the PAN (16-digit card number) needs to be rendered unreadable
by either strong encryption routines, usage of strong one-way hash functions, truncation,
or index tokens and pads. The PCI-DSS only allows the PAN, cardholder name, and
expiration date to be stored by the entity.
Encryption is one of the most popular methods of protecting stored cardholder information.
When cardholder information is encrypted, it must be kept in mind that
strong encryption algorithms should be used. NIST SP 800-57 (Recommendation of
Encryption Key Management) in its Table 4 provides a number of encryption algorithms
that are secure. Any encryption algorithm that is considered secure through the year 2030 or
beyond is considered acceptable for the protection of cardholder information. Triple DES (112
bits) and AES (128, 192, and 256 bits) are the algorithms listed in Table 4 of NIST
SP 800-57 as algorithms that remain secure beyond the year 2030.
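Two of the Requirement 3.4 options, truncation and index tokens, are shown below as an added example (not code from the original text). It assumes a constructed test card number and a demo key; the keyed token uses HMAC-SHA256 rather than a bare hash, because a 16-digit PAN space is small enough that an unkeyed hash of the PAN can be reversed by enumeration, so the token key has to be protected like an encryption key.

```python
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to reject malformed input before it is stored in any form."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate shape (13 to 19 digits) plus Luhn checksum."""
    digits = re.sub(r"[ -]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits):
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the first six (BIN) and last four digits.

    The middle digits are discarded, not merely masked for display, so the
    stored value cannot be turned back into the full PAN.
    """
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def index_token(pan: str, key: bytes) -> str:
    """Index token: keyed one-way value (HMAC-SHA256) that can stand in for the PAN
    in lookups without revealing it. Same PAN + same key -> same token."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def token_matches(pan: str, key: bytes, token: str) -> bool:
    """Constant-time comparison of a presented PAN against a stored token."""
    return hmac.compare_digest(index_token(pan, key), token)
```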
Requirement 3.4.1 requires separate logical access control, aside from the operating system
access control, to be implemented in case data are stored using full-disk encryption.
Full-disk encryption is a common cryptographic implementation, where the entire disk
storing certain sensitive information is encrypted. In certain cases, the logical access
control to access the encrypted information on a hard disk is the same as the logical
access control for the operating system on the said machine. This practice is disallowed