Essentials of PCI Assessment

633

Published on

What to expect - preparing for an audit
The GoGrid and Gazzang combined solution
Mapping into the 12 PCI sections
Examples/Ideas before your PCI Audit

Transcript of "Essentials of PCI Assessment"

    1. Essentials of PCI Assessment: Succeeding with GoGrid and Gazzang
       Paul Lancaster, Manager Cloud Ecosystem, GoGrid
       Mike Frank, Director of Products, Gazzang
    2. About GoGrid
       A leader in the IaaS market
       The #1 “pure-play” IaaS provider in the world
       Strong track record of “first-to-market” features
       World-class platform for infrastructure management
       Over 10,000 customers across all industries
       GoGrid owns 100% of its IP
       GoGrid is not a reseller
       Extensible IP & technology platform
       Lower cost of goods – margin control
       “Top 10 Best Cloud Computing Providers”
       “Market Leader”
       “Visionary” – Magic Quadrant
       “10 Cloud Computing Companies to Watch”
    3. GoGrid is Driving Cloud Adoption
       Enabling cloud adoption
    4. Overview
       What to expect - preparing for an audit
       The GoGrid and Gazzang combined solution
       Mapping into the 12 PCI sections
       Examples/ideas before your PCI audit
       Q&A
       6/21/2011
    5. PCI (Payment Card Industry)
       Created by major credit card issuers to:
       - Protect personal information
       - Ensure security when transactions are processed
       Members of the payment card industry (financial institutions, credit card companies and merchants) are required to comply with these standards.
       Failure to meet compliance standards can result in:
       - Fines from credit card companies and banks
       - Loss of the ability to process credit cards
    6. PCI DSS
       PCI (Payment Card Industry)
       DSS (Data Security Standard)
       The PCI assessment process focuses solely on the security of cardholder data:
       - Has the company effectively implemented information security policies and processes?
       - Are there adequate security measures that comply with the requirements to protect cardholder data?
    7. PCI Assessments
       Determine whether you are employing payment industry best practices.
       Assessments result in recommendations and remediation to:
       - Processes
       - Procedures
       - System configurations
       - Vulnerabilities
       In other words, the “fixes” needed to comply.
    8. What is Gazzang’s ezNcrypt for MySQL?
       - Installed as a GoGrid Cloud Database Server
       - Sits between the storage engine and the file system
       - Encrypts data before it hits the disk
       Gazzang - All rights reserved 2011
    11. Key Storage System (KSS)
       Gazzang’s KSS “service” runs in the GoGrid clouds (East and West currently)
       Highly available – uses F5
       The solution for “Where do I store my key?”
       Multiple layers of security ensure that your key is protected and available when you need it.
       © Gazzang, Inc. -- CONFIDENTIAL --
    12. PCI Security Problems Gazzang Helps Solve
       - Unauthorized attempts to read data off the database files
       - Theft of the data files
       - Tampering with data
       - Protection of data on tapes and backups
       - Data at rest - protecting disks in case physical hardware is stolen or incorrectly disposed of
       - Key protection: automated, zero-maintenance key management
       Encrypts, protects and secures MySQL
    13. The PCI “12”
       1. Install and maintain a firewall
       2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
       3. Protect stored data
       4. Encrypt transmission of cardholder data across public networks
       5. Use and regularly update anti-virus software
       6. Develop and maintain secure systems and applications
       7. Restrict access to data by business need-to-know
       8. Assign a unique ID to each person with computer access
       9. Restrict physical access to cardholder data
       10. Track and monitor all access to network resources and cardholder data
       11. Systems should be tested to ensure security is maintained over time and through changes
       12. Maintain an information security policy
    14. 1 Install and maintain a firewall
       GoGrid:
       - Fortinet firewall
       - 100,000 concurrent sessions
       - Unlimited IP addresses on a trusted interface
       - Choice of one VPN: SSL, site-to-site or IPSec
       - Ability to add additional VPNs at any time
       - Cisco ASA 5510 dedicated hardware firewall
       The auditor will inspect:
       - System/firewall configurations
       - Your network diagram
    15. 2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
       GoGrid:
       - The root account for the cloud server is assigned a strong password
       Gazzang:
       - The MySQL Linux account has a strong initial password
       - Only a local MySQL root is created
       - A strong initial password is enforced
       - The MySQL configuration is secured
       - Added access file protection
       The auditor will interview staff, review documentation and view the setup.
    16. 3 Protect stored data
       Gazzang allows you to:
       - Encrypt the entire database
       - Encrypt individual tables
       - Encrypt related files (log files)
       - Control who can decrypt the data, beyond normal database and file system protections
       - Manage and secure keys
    21. 3 Protect stored data
       The auditor: for Requirement 3 the auditor looks at the entire data lifecycle related to card data, authentication data, key management protecting data, verification codes and much more.
       You: will need to document, explain and show that process to the auditor.
       For Requirement 3, sections 4, 5 and 6 are often the trickiest.
       Copyright © 2009 Anue Systems, Inc. -- CONFIDENTIAL
    22. 3 Protect stored data
       Gazzang ezNcrypt helps with access control:
       - Only authorized users running authorized applications can decrypt cardholder data.
       - 3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms.
    24. 3 Protect stored data
       Gazzang ezNcrypt helps with secure key management procedures:
       - PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
       - PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
       - 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys, using ezNcrypt.
    26. 4 Encrypt transmission of cardholder data across public networks
       You:
       - Verify the use of encryption (for example, SSL/TLS or IPSec) wherever cardholder data is transmitted or received over open, public networks
       - Use MySQL SSL
       - Require SSL connections in the MySQL access control settings for any “remote” user
       GoGrid:
       - Provides tools to implement SSL, site-to-site or IPSec VPNs
    27. 4 Encrypt transmission of cardholder data across public networks
       Gazzang:
       - Cloud data storage in cloud systems sends data across the network to storage
       - With ezNcrypt your critical data is encrypted before it moves into the physical file system
       - All data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped
    28. 5 Use and regularly update anti-virus software
       The auditor will verify that all OS types commonly affected by malicious software have anti-virus software implemented.
       You: make sure AV is set up and deployed properly.
       GoGrid: the optional Cisco Adaptive Security Appliance firewall offers anti-virus protection.
    29. 6 Develop and maintain secure systems and applications
       Gazzang helps by adding a new layer of security:
       - As-is, the system is more secure
       - You will be downloading the latest MySQL version
       - We will secure the configuration and protect the data and logs
       GoGrid: the base GoGrid Cloud Server images are clean
       - Free from malware or viruses
       - Free from undesirable “products” or “services”
    30. 7 Restrict access to data by business need-to-know
       Gazzang helps meet this by restricting access using encryption, key control and application-only access controls:
       - Linux users can’t read the data – only MySQL can
       GoGrid:
       - Strong initial root password
       - Allows customers to manage local server credentials themselves
    31. 8 Assign a unique ID to each person with computer access
       You need to manage your users:
       - Create a unique login for each user with access to the server
       - Create unique accounts within MySQL and Linux
       - Limit access to only what the account requires
       The auditor:
       - Will want reports on each of the systems: who, and what authentication methods
       - Will verify documentation on processes and procedures
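Slides 26 and 31 together describe the MySQL side of Requirements 4 and 8: one account per person or application role, only the grants that account needs, and SSL required for anything that is not a local connection. The script below is an added example, not code from the deck or from Gazzang; the schema name `cardholder`, the account names and the `10.0.1.%` host range are constructed placeholders.

```sql
-- Added example: unique, least-privilege MySQL accounts with SSL required
-- for remote access. Names and addresses are placeholders, not from the deck.

-- 1. Confirm the server actually supports SSL before relying on it.
--    have_ssl should be YES and ssl_cert / ssl_key should point at real files.
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'ssl_%';

-- 2. One account per role/person, bound to the subnet it may connect from.
--    REQUIRE SSL on CREATE USER needs MySQL 5.7.6+ / 8.0; on 5.5 and 5.6 put
--    the REQUIRE SSL clause on the GRANT statement instead.
CREATE USER 'app_rw'@'10.0.1.%' IDENTIFIED BY '<strong-generated-password>' REQUIRE SSL;
CREATE USER 'app_ro'@'10.0.1.%' IDENTIFIED BY '<strong-generated-password>' REQUIRE SSL;
CREATE USER 'alice'@'10.0.1.%'  IDENTIFIED BY '<strong-generated-password>' REQUIRE SSL;

-- 3. Least privilege: the application writes one table, reporting is read-only,
--    the DBA gets schema rights but no GRANT OPTION and no global privileges.
GRANT SELECT, INSERT, UPDATE ON cardholder.transactions TO 'app_rw'@'10.0.1.%';
GRANT SELECT ON cardholder.* TO 'app_ro'@'10.0.1.%';
GRANT CREATE, ALTER, INDEX, SELECT ON cardholder.* TO 'alice'@'10.0.1.%';

-- 4. Server-side backstop (MySQL 5.7.8+): refuse any unencrypted TCP connection
--    even if an account was created without REQUIRE SSL.
SET GLOBAL require_secure_transport = ON;

-- 5. Evidence for the auditor. First query should return no rows: every
--    non-local account must have ssl_type set ('ANY' for REQUIRE SSL) and no
--    account may accept connections from any host ('%').
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE host <> 'localhost' AND (ssl_type = '' OR host = '%');

-- Listing of remote accounts and their SSL requirement, for the report.
SELECT user, host, ssl_type FROM mysql.user WHERE host <> 'localhost';

-- Non-empty cipher here proves the current session itself is encrypted.
SHOW STATUS LIKE 'Ssl_cipher';
```

Run the two SELECTs from step 5 again after any user change; an account that shows up in the first one is exactly the kind of finding slide 31 says the auditor will look for.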
    32. 8 Assign a unique ID to each person with computer access
       8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties.
       GoGrid:
       - Provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
       - Two-factor: requiring user/password and a certificate
    33. 9 Restrict physical access to cardholder data
       The 3 Gs – guards, guns and gates: access to physical equipment.
       GoGrid sets the security bar high in this area:
       - GoGrid is a SAS 70 Type II certified facility
       - Physical equipment is monitored by guards
       - Access is highly restricted by electronic IDs and other physical means
       - Three forms of authentication are required to get access
    34. 10 Track and monitor all access to network resources and cardholder data
       You: will need to show the auditor that you have a process to collect, track and monitor your environment.
       GoGrid: tracks and monitors up to the customer's environment.
       The auditor: will inspect all of the above.
    35. 11 Systems should be tested to ensure security is maintained over time and through changes
       GoGrid:
       - Images are reviewed and updated regularly
       - GoGrid allows customers to maintain images of their servers
       Gazzang:
       - Starts from the GoGrid image
       - Protects MySQL’s files – increasing your security level
    36. 12 Maintain an information security policy
       You: establish, publish, maintain and disseminate a security policy.
       Auditors: will examine this information and check that it addresses all of the PCI requirements.
    37. Have your documentation ready
       - Network diagram
       - PCI policies and standards
       - Documentation
       - Antivirus
       - Internal/external scans
       - Logging and monitoring
       - Penetration test results
       - System configurations
    38. Design a Secure System and Diagram your Credit Card Dataflow
       (Diagram: Consumer, Web Site, Card Processing, Merchant Bank, Cardholder Bank)
    39. GoGrid Components
       - Load balancers: GoGrid F5
       - Cloud servers: GoGrid web/app servers; Gazzang ezNcrypt for MySQL
       - Dedicated servers: include Gazzang ezNcrypt
       - Hardware firewalls: GoGrid Fortinet or Cisco ASA
    48. Create a List
       Critical hardware and software
    49. Conclusion
       There are many steps to PCI.
       PCI provides the groundwork for broader security “best practices”.
       Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution.
       GoGrid provides a secure infrastructure for running PCI workloads.
       Thanks for your time.
    50. Contact Information / Resources
       White paper: http://go.gogrid.com/whitepapers/complying-with-pci
       More about Gazzang - www.gazzang.com
       More about GoGrid - www.gogrid.com
       For more information - info@gazzang.com
       Contact - mike.frank@gazzang.com