Essentials of PCI Assessment

What to expect - preparing for an audit
The GoGrid and Gazzang combined solution
Mapping into the 12 PCI sections
Examples/Ideas before your PCI Audit

Presentation Transcript

  • Essentials of PCI Assessment: Succeeding with GoGrid and Gazzang
    Paul Lancaster, Manager Cloud Ecosystem, GoGrid
    Mike Frank, Director of Products, Gazzang
  • About GoGrid
    A Leader in the IaaS Market
    The #1 “pure-play” IaaS provider in the world
    Strong Track Record of “First-To-Market” Features
    World-class platform for infrastructure management
    Over 10,000 Customers Across All Industries
    GoGrid owns 100% of its IP
    GoGrid is not a reseller
    Extensible IP & Technology Platform
    Lower Cost of Goods – Margin Control
    “Top 10 Best Cloud Computing Providers”
    “Market Leader”
    “Visionary” (Magic Quadrant)
    “10 Cloud Computing Companies to Watch”
  • GoGrid is Driving Cloud Adoption
    Enabling Cloud Adoption
  • Overview
    What to expect - preparing for an audit
    The GoGrid and Gazzang combined solution
    Mapping into the 12 PCI sections
    Examples/Ideas before your PCI Audit
    Q&A
    6/21/2011
  • PCI (Payment Card Industry)
    Created by the major payment card brands to
    Protect cardholder and personal information
    Ensure security when transactions are processed
    Members of the payment card industry (financial institutions, credit card companies and merchants)
    Are required to comply with these standards
    Failure to meet compliance standards can result in
    Fines from credit card companies and banks
    Loss of the ability to process credit cards
  • PCI DSS
    PCI (Payment Card Industry)
    DSS (Data Security Standard)
    The PCI assessment process focuses solely on the security of cardholder data
    Has the company effectively implemented information security policies and processes?
    Are there adequate security measures, meeting the requirements, to protect cardholder data?
  • PCI Assessments
    Determine whether you are employing payment industry best practices
    Assessments result in
    Recommendations and remediation for
    Processes
    Procedures
    System configurations
    Vulnerabilities
    The “fixes” needed to comply
  • What is Gazzang’s ezNcrypt for MySQL
    • Installed as a GoGrid Cloud Database Server
    • Sits between the storage engine and the file system
    • Encrypts data before it hits the disk
    Gazzang - All rights reserved 2011
  • Key Storage System (KSS)
    Gazzang’s KSS “service” runs in the GoGrid clouds
    East and West currently
    Highly available, fronted by F5 load balancers
    Solution for
    “Where do I store my key?”
    Multiple layers of security ensure that your key is protected and available when you need it.
    Keeping the key outside the database server is what makes a copied or stolen data file useless on its own.
    © Gazzang, Inc. -- CONFIDENTIAL --
  • PCI Security Problems Gazzang Helps Solve
    Unauthorized attempts to read data from the database files
    Theft of the data files
    Tampering with data
    Protection of data on tapes and backups
    Data at rest: protecting disks
    In case physical hardware is stolen or incorrectly disposed of
    Key protection
    Automated, zero-maintenance key management
    Encrypts, protects and secures MySQL
    Note that transparent file encryption protects the files, not the database session: anyone who can log in to MySQL with sufficient privileges still reads cardholder data in the clear, so requirements 7 and 8 carry the load there.
  • The PCI “12”
    1. Install and maintain a firewall
    2. Do not use vendor-supplied defaults for passwords; develop configuration standards
    3. Protect stored data
    4. Encrypt transmission of cardholder data across public networks
    5. Use and regularly update anti-virus software
    6. Develop and maintain secure systems and applications
    7. Restrict access to data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test systems to ensure security is maintained over time and through changes
    12. Maintain an information security policy
  • 1 Install and maintain a firewall
    GoGrid
    Fortinet firewall
    100,000 concurrent sessions
    Unlimited IP addresses on a trusted interface
    Choice of one VPN: SSL, site-to-site or IPsec
    Ability to add additional VPNs at any time
    Cisco ASA 5510 dedicated hardware firewall
    The auditor will inspect
    System/firewall configurations
    Your network diagram
  • 2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
    GoGrid
    The root account for the cloud server is assigned a strong password
    Gazzang
    The MySQL Linux account has a strong initial password
    Only a local MySQL root account is created
    A strong initial password is enforced
    The configuration for MySQL is secured
    Added protection for access to the data files
    The auditor will
    Interview staff, review documentation, view the setup
  • 3 Protect stored data
    Gazzang
    Allows you to
    • Encrypt the entire database
    • Encrypt individual tables
    • Encrypt related files (log files)
    • Control who can decrypt the data, beyond normal database and file system protections.
    • Manage and secure keys
  • 3 Protect stored data
    The Auditor
    For requirement 3 the auditor looks at the entire data lifecycle for card data: authentication data, key management, protection of stored data, verification codes and much more.
    You
    Will need to document, explain and show that process to the auditor.
    Within requirement 3, sections 3.4, 3.5 and 3.6 (rendering the PAN unreadable wherever it is stored, protecting the keys, and documented key-management procedures) are often the trickiest
    Copyright © 2009 Anue Systems, Inc. -- CONFIDENTIAL
  • 3 Protect stored data
    Gazzang ezNcrypt helps
    Access control
    • Only authorized users running authorized applications can decrypt cardholder data.
    • 3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms (for example, not the local user account database)
  • 3 Protect stored data
    Gazzang ezNcrypt helps
    Secure key management procedures
    • PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
    • PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
    • 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys, using ezNcrypt
  • 4 Encrypt transmission of cardholder data across public networks
    You
    Verify the use of encryption (for example, SSL/TLS or IPsec) wherever cardholder data is transmitted or received over open, public networks
    Use MySQL SSL
    Require SSL connections in the MySQL access control settings for any “remote” user
    GoGrid
    Provides tools to implement SSL, site-to-site or IPsec VPNs
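What “Use MySQL SSL” and “Require SSL connections” look like in practice, as an added example that is not part of the presentation, written against MySQL 5.1/5.5 as shipped in 2011. The account names, the `10.0.1.0/24` subnet, the `cardholder` schema and the issuer DN are hypothetical; the server-side certificate settings belong in `my.cnf` and are shown as comments because they are configuration, not SQL.

```sql
-- Server side (my.cnf, [mysqld] section), shown as comments; paths are hypothetical:
--   ssl-ca   = /etc/mysql/ca.pem
--   ssl-cert = /etc/mysql/server-cert.pem
--   ssl-key  = /etc/mysql/server-key.pem
-- After a restart, confirm the server actually offers SSL.
-- 'DISABLED' means the certificate files were not picked up; 'NO' means no SSL support at all.
SHOW VARIABLES LIKE 'have_ssl';          -- want: YES

-- Application account used by the web/app tier (hypothetical subnet 10.0.1.0/24).
-- REQUIRE SSL refuses the login unless the session is encrypted, so a client that
-- forgets to ask for SSL fails closed instead of sending cardholder data in the clear.
CREATE USER 'cardapp'@'10.0.1.%' IDENTIFIED BY 'replace-with-a-generated-secret';
GRANT SELECT, INSERT, UPDATE ON cardholder.* TO 'cardapp'@'10.0.1.%' REQUIRE SSL;

-- Remote administrator: stronger still, demand a client certificate from our own CA.
-- Password plus certificate is the two-factor pairing the deck mentions under 8.3.
CREATE USER 'dba_jsmith'@'%' IDENTIFIED BY 'replace-with-a-generated-secret';
GRANT ALL PRIVILEGES ON cardholder.* TO 'dba_jsmith'@'%'
  REQUIRE ISSUER '/C=US/O=Example Corp/CN=Example Internal CA';

-- Evidence for the auditor: any account allowed in from a non-local host that
-- carries no SSL requirement (ssl_type is '' for such rows).
-- A compliant deployment returns an empty set here.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
   AND ssl_type = '';

-- From an application session, prove the connection is encrypted:
-- an empty Value column means the session is cleartext.
SHOW STATUS LIKE 'Ssl_cipher';
```

The `REQUIRE` clause is enforced by the server at login, so it holds even when the application's connection string is wrong; the `mysql.user` query is the one to keep in the evidence pack, since it shows the policy rather than one connection.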
  • 4 Encrypt transmission of cardholder data across public networks
    Gazzang
    Cloud data storage sends data across the network to the storage systems
    With ezNcrypt your critical data is encrypted before it moves into the physical file system
    All data written by ezNcrypt is therefore already encrypted when it crosses the network to storage or passes through other devices that could be monitored or tapped.
    This covers the path between the database server and its storage; client connections to MySQL are a separate path and still need SSL/TLS as described above.
  • 5 Use and regularly update anti-virus software
    The auditor will
    Verify that all OS types commonly affected by malicious software have anti-virus software implemented.
    You
    Make sure AV is set up and deployed properly
    GoGrid
    Optional Cisco Adaptive Security Appliance firewall
    Offers anti-virus protection
  • 6 Develop and maintain secure systems and applications
    Gazzang helps by
    Adding a new layer of security
    As-is, the system is more secure
    You will be downloading the latest MySQL version
    We will secure the configuration and protect the data and logs
    GoGrid
    The base GoGrid Cloud Server images are clean
    Free from malware or viruses
    Free from undesirable “products” or “services”
    A clean base image is the starting point; requirement 6.1 also expects critical vendor security patches to be applied within a month of release, which remains your job once the server is running.
  • 7 Restrict access to data by business need-to-know
    Gazzang
    Helps meet this
    By restricting access using encryption, key control and application-only access controls
    Linux users can’t read the data files; only the MySQL process can
    GoGrid
    Strong initial root password
    Allows customers to manage local server credentials themselves
  • 8 Assign a unique ID to each person with computer access
    You
    Need to manage your users
    Create a unique login for each user with access to the server
    Create unique accounts within MySQL and Linux
    Limit access to only what the account requires
    The auditor
    Will want reports on each of the systems
    Who, what, and which authentication methods
    Will verify documentation on processes and procedures
  • 8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
    GoGrid
    GoGrid provides hardware firewalls that allow for the implementation of site-to-site or IPsec VPNs
    Two-factor: requiring a user/password and a certificate
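The MySQL side of requirements 2, 7 and 8 together (“only local MySQL root”, “restrict access by need-to-know”, “unique accounts within MySQL”), as an added example that is not part of the presentation or of Gazzang's product. It is written for MySQL 5.1/5.5; the people, hosts, the `cardholder` and `staging` schemas and the list of “generic” names are hypothetical.

```sql
-- Requirement 2: remove what a stock MySQL 5.1/5.5 install ships with.
-- (On 5.7 and later the Password column is named authentication_string.)
SELECT User, Host FROM mysql.user WHERE User = '';        -- anonymous accounts: expect no rows
SELECT User, Host FROM mysql.user WHERE Password = '';    -- accounts with no password: expect no rows
SELECT User, Host FROM mysql.user                         -- root reachable from anywhere but this box
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';
FLUSH PRIVILEGES;            -- required here because the grant tables were edited directly

-- Requirements 7 and 8: one named account per person, scoped to the job.
-- jsmith (analyst), rjones (developer) and the hosts they work from are hypothetical.
CREATE USER 'jsmith'@'10.0.2.15' IDENTIFIED BY 'replace-with-a-generated-secret';
GRANT SELECT ON cardholder.transactions TO 'jsmith'@'10.0.2.15';           -- read-only, one table

CREATE USER 'rjones'@'10.0.2.16' IDENTIFIED BY 'replace-with-a-generated-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON staging.* TO 'rjones'@'10.0.2.16';  -- nothing in cardholder.*

-- Evidence for the auditor ("who, what, how"): every account, where it may connect
-- from, and any global privilege that would bypass table-level need-to-know.
SELECT User, Host, Super_priv, File_priv, Grant_priv, Process_priv, ssl_type
  FROM mysql.user
 ORDER BY User, Host;
SHOW GRANTS FOR 'jsmith'@'10.0.2.15';

-- Shared or generic logins defeat requirement 8. Flag wildcard hosts and the
-- generic names listed here (an illustrative list, not a standard) for review.
SELECT User, Host FROM mysql.user
 WHERE Host = '%' OR User IN ('admin', 'dba', 'app', 'web', 'shared');
```

`File_priv` and `Super_priv` deserve a look in that report: `FILE` lets an account read and write files on the server as the MySQL process, which is exactly the identity the deck says is the only one able to read the decrypted data, so it should not be granted to any application or analyst account. The matching Linux accounts (one per person, no shared `root` logins) are created outside MySQL and are not shown here.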
  • 9 Restrict physical access to cardholder data
    The 3 Gs: guards, guns and gates
    Access to physical equipment
    GoGrid
    Sets the security bar high in this area
    GoGrid data centers have a SAS 70 Type II audit report
    Physical equipment is monitored by guards
    Access is highly restricted by electronic IDs and other physical means
    Three forms of authentication are required to get access.
  • 10 Track and monitor all access to network resources and cardholder data
    You
    Will need to show the auditor that you have the process to collect, track and monitor your environment
    GoGrid
    Tracks and monitors the infrastructure up to the boundary of the customer’s environment; logging inside your servers and databases is your responsibility
    The auditor
    Will inspect all of the above
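The deck does not say how to produce the MySQL-side evidence for requirement 10. As an added example that is not part of the presentation, here is how to capture connection events in a queryable table on MySQL 5.1 or later, with the caveat that matters most in a PCI environment. Nothing here is specific to GoGrid or Gazzang.

```sql
-- Keep the general log in a table rather than a file so it can be queried.
-- (The table is CSV-engine storage inside the data directory; if ezNcrypt covers
-- the data directory and related files, this log is covered too.)
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';

-- Who connected, from where, and when: user identity, origin, timestamp and event
-- type, the fields requirement 10.3 expects in an audit trail entry.
SELECT event_time, user_host, thread_id, command_type, argument
  FROM mysql.general_log
 WHERE command_type IN ('Connect', 'Quit')
 ORDER BY event_time DESC
 LIMIT 50;

-- Failed logins are not general-log events. They are counted in this status
-- variable and, once log_warnings is 2 or higher, written to the error log.
SHOW GLOBAL STATUS LIKE 'Aborted_connects';
SET GLOBAL log_warnings = 2;

-- Caveat: the general log stores the full text of every statement, so an INSERT
-- carrying a PAN lands in mysql.general_log in the clear and recreates the
-- requirement 3 problem inside the log. Treat the log table as cardholder data:
-- same encryption as the data files, ship rows to the central log store on a
-- schedule, then purge locally. TRUNCATE is the supported way to empty a live log table.
TRUNCATE TABLE mysql.general_log;
```

The general log is the only connection-level record a 2011-era MySQL offers without third-party plugins, which is why the PAN caveat is unavoidable: the same setting that gives you the “who connected” trail also copies statement text, so retention and protection of that table have to be written into the requirement 10 procedure rather than left to chance.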
  • 11 Regularly test systems to ensure security is maintained over time and through changes
    GoGrid
    Images are reviewed and updated regularly
    GoGrid allows customers to maintain images of their servers
    Gazzang
    Starts from the GoGrid image
    Protects MySQL’s files, increasing your security level
    The auditor will also expect quarterly internal and external vulnerability scans (11.2) and at least annual penetration tests (11.3) in your evidence
  • 12 Maintain an Information Security Policy
    You
    Establish, publish, maintain, and disseminate a security policy
    Auditors
    Will examine this information and see that it addresses all of the PCI requirements
  • Have your documentation ready
    Network Diagram
    PCI Policies and Standards
    Documentation
    Antivirus
    Internal/External Scans
    Logging and Monitoring
    Penetration Test Results
    System Configurations
  • Design a Secure System and Diagram your Credit Card Dataflow
    (Diagram: Consumer, Web Site, Card Processing, Merchant Bank, Cardholder Bank)
  • GoGrid Components
    • Load Balancers
    • GoGrid F5
    • Cloud Servers
    • GoGrid Web/App Servers
    • Gazzang ezNcrypt for MySQL
    • Dedicated Servers
    • Include Gazzang ezNcrypt
    • Hardware Firewalls
    • GoGrid Fortinet or Cisco ASA
  • Create a List
    Critical Hardware and Software
  • Conclusion
    There are many steps to PCI
    PCI provides the groundwork for broader security “best practices”
    Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
    GoGrid provides a secure infrastructure for running PCI workloads
    Thanks for your time
  • Contact Information / Resources
    White Paper
    http://go.gogrid.com/whitepapers/complying-with-pci
    More about Gazzang- www.gazzang.com
    More About GoGrid - www.gogrid.com
    For more information - info@gazzang.com
    Contact- mike.frank@gazzang.com