Essentials of PCI Assessment

What to expect - preparing for an audit
The GoGrid and Gazzang combined solution
Mapping into the 12 PCI sections
Examples/Ideas before your PCI Audit

Published in: Technology

  • Transcript

    • 1. Essentials of PCI Assessment: Succeeding with GoGrid and Gazzang
      Paul Lancaster, Manager Cloud Ecosystem, GoGrid
      Mike Frank, Director of Products, Gazzang
    • 2. About GoGrid
      A Leader in the IaaS Market
      The #1 “pure-play” IaaS provider in the world
      Strong Track Record of “First-To-Market” Features
      World-class platform for infrastructure management
      Over 10,000 Customers Across All Industries
      GoGrid owns 100% of its IP
      GoGrid is not a reseller
      Extensible IP & Technology Platform
      Lower Cost of Goods – Margin Control
      “Top 10 Best Cloud Computing Providers”
      “Market Leader”
      “Visionary” – Magic Quadrant
      “10 Cloud Computing Companies to Watch”
    • 3. GoGrid is Driving Cloud Adoption
      Enabling Cloud Adoption
    • 4. Overview
      What to expect - preparing for an audit
      The GoGrid and Gazzang combined solution
      Mapping into the 12 PCI sections
      Examples/Ideas before your PCI Audit
      Q&A
      6/21/2011
    • 5. PCI (Payment Card Industry)
      Created by the major payment card brands to
      Protect cardholder information
      Ensure security when transactions are processed
      Members of the payment card industry (financial institutions, card companies and merchants)
      Are required to comply with these standards
      Failure to meet compliance standards can result in
      Fines from credit card companies and banks
      Loss of the ability to process credit cards
    • 6. PCI
      PCI (Payment Card Industry)
      DSS (Data Security Standard)
      The PCI assessment process focuses solely on the security of cardholder data
      Has a company effectively implemented information security policies and processes?
      Are there adequate security measures that comply with the requirements to protect cardholder data?
    • 7. PCI Assessments
      Determine if you are employing payment industry best practices
      Assessments result in
      Recommendations and remediation for
      Processes
      Procedures
      System configurations
      Vulnerabilities
      The “fixes” needed to comply
    • 8. What is Gazzang’s ezNcrypt for MySQL?
      • Installed as a GoGrid Cloud Database Server
      • Sits between the storage engine and the file system
      • Encrypts data before it hits the disk
      Gazzang - All rights reserved 2011
    • 11. Key Storage System (KSS)
      Gazzang’s KSS “service” runs in the GoGrid Clouds
      East and West currently
      Highly Available – uses F5
      Solution for “Where do I store my key?”
      Multiple layers of security ensure that your key is protected and available when you need it.
      © Gazzang, Inc. -- CONFIDENTIAL --
    • 12. PCI Security Problems Gazzang Helps Solve
      Unauthorized attempts to read data off the database files
      Theft of the data files
      Tampering of data
      Protection of data on tapes and backups
      Data at Rest - Protecting disks
      In case physical hardware is stolen or incorrectly disposed
      Key Protection
      Automated, Zero Maintenance Key Management
      Encrypts, Protects and Secures MySQL
    • 13. The PCI “12”
      Install and maintain a firewall
      Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      Protect stored data
      Encrypt transmission of cardholder data across public networks
      Use and regularly update anti-virus software
      Develop and maintain secure systems and applications
      Restrict access to data by business need-to-know
      Assign a unique ID to each person with computer access
      Restrict physical access to cardholder data
      Track and monitor all access to network resources and cardholder data
      Systems should be tested to ensure security is maintained over time and through changes
      Maintain an information security policy
    • 14. 1 Install and maintain a firewall
      GoGrid
      Fortinet Firewall
      100,000 concurrent sessions
      Unlimited IP addresses on a trusted interface
      Choice of one VPN: SSL, Site-to-Site or IPSec
      Ability to add additional VPNs at any time
      Cisco ASA 5510 dedicated hardware firewall
      The Auditor will inspect
      System/Firewall Configurations
      Your Network Diagram
    • 15. 2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      GoGrid
      Root Account for the cloud server is assigned strong password
      Gazzang
      MySQL Linux account has strong initial password
      Only local mysql root is created
      Strong Initial Password is enforced
      Configuration for MySQL is Secured
      Added Access File Protection
      The Auditor will
      Interview staff, review documentation, view setup
    • 16. 3 Protect stored data
      Gazzang
      Allows you to
      • Encrypt the entire database
      • Encrypt individual tables
      • Encrypt related files (log files)
      • Control who can decrypt the data, beyond normal database and file system protections
      • Manage and secure keys
    • 21. 3 Protect stored data
      The Auditor
      For Requirement 3 the Auditor is looking at the entire data lifecycle related to Card Data, Authentication Data, Key Management Protecting Data, Verification Codes and much more.
      You
      Will need to document, explain and show that process to the auditor.
      For Requirement 3, sub-requirements 3.4, 3.5 and 3.6 are often the trickiest
      Copyright © 2009 Anue Systems, Inc. -- CONFIDENTIAL
    • 22. 3 Protect stored data
      Gazzang ezNcrypt helps
      Access control
      • Only authorized users running authorized applications can decrypt cardholder data.
      • 3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms
    • 24. 3 Protect stored data
      Gazzang ezNcrypt helps
      Secure key management procedures
      • PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
      • PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
      • 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt
    • 26. 4 Encrypt transmission of cardholder data across public networks
      You
      Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks
      Use MySQL SSL
      Require SSL Connections in MySQL Access Control Settings for any “remote” User
      GoGrid
      Provides tools to implement SSL, Site-to-Site or IPSec
    • 27. 4 Encrypt transmission of cardholder data across public networks
      Gazzang
      Cloud data storage in cloud systems sends data across the network to storage
      With ezNcrypt your critical data is encrypted before it moves into the physical file system
      Data written by ezNcrypt is therefore already encrypted when it crosses the network to storage or passes through other devices that could be monitored or tapped
      This covers the storage path only; client connections to MySQL still need SSL as described on the previous slide
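Slide 15 (Requirement 2: no vendor defaults, only a local MySQL root) and slide 26 (Requirement 4: require SSL for every remote MySQL user) both come down to what is in the `mysql.user` table. The audit below is an added example, not code from the deck or from either vendor. It takes the rows that `SELECT User, Host, Password, ssl_type FROM mysql.user` returns on a MySQL 5.x server (the rows here are constructed and the hashes are placeholders), flags anonymous accounts, empty passwords, a root account reachable from a remote host, and remote accounts whose `ssl_type` is empty, and prints a remediation statement in MySQL 5.x GRANT syntax for each.

```python
# Host values that mean "connect only from the server itself".
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local(host: str) -> bool:
    return host in LOCAL_HOSTS


def audit_mysql_accounts(rows):
    """Audit (User, Host, Password, ssl_type) rows from mysql.user.

    Returns (requirement, account, issue, remediation) tuples.  Remediation
    statements use MySQL 5.x syntax; '<strong password>' is a placeholder.
    """
    findings = []
    for user, host, password, ssl_type in rows:
        acct = f"'{user}'@'{host}'"
        if user == "":
            # Req 2: anonymous accounts are a vendor default that must go.
            findings.append(("2", acct, "anonymous account", f"DROP USER {acct};"))
            continue
        if password == "":
            findings.append(("2", acct, "empty password",
                             f"SET PASSWORD FOR {acct} = PASSWORD('<strong password>');"))
        if user == "root" and not is_local(host):
            # The deck's baseline: only a local MySQL root exists.
            findings.append(("2", acct, "root reachable from a remote host",
                             f"DROP USER {acct};"))
        if not is_local(host) and ssl_type == "":
            # Req 4: remote clients must be forced onto SSL, not merely allowed to use it.
            findings.append(("4", acct, "remote account does not REQUIRE SSL",
                             f"GRANT USAGE ON *.* TO {acct} REQUIRE SSL;"))
    return findings


# Constructed sample rows; the hashes are placeholders, not real password hashes.
SAMPLE_USERS = [
    ("root",   "localhost", "*CONSTRUCTEDHASH0001", ""),
    ("root",   "%",         "*CONSTRUCTEDHASH0001", ""),
    ("",       "localhost", "",                     ""),
    ("app",    "10.0.1.%",  "*CONSTRUCTEDHASH0002", "ANY"),
    ("report", "10.0.2.15", "*CONSTRUCTEDHASH0003", ""),
    ("backup", "localhost", "",                     ""),
]

if __name__ == "__main__":
    for req, acct, issue, fix in audit_mysql_accounts(SAMPLE_USERS):
        print(f"Req {req}: {acct}: {issue}\n    {fix}")
```

Two caveats before applying the generated statements: `REQUIRE SSL` only works once the server itself has `ssl-ca`, `ssl-cert` and `ssl-key` configured in `my.cnf`, otherwise the affected remote accounts simply stop being able to connect; and on MySQL 8.0 the same change is made with `ALTER USER ... REQUIRE SSL` rather than `GRANT`.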
    • 28. 5 Use and regularly update anti-virus software
      The Auditor will
      Verify that all OS types commonly affected by malicious software have anti-virus software implemented.
      You
      Make sure AV is set up and deployed properly on every in-scope server; a network appliance supplements host AV, it does not replace it
      GoGrid
      Optional Cisco Adaptive Security Appliance Firewall
      Offers anti-virus protection
    • 29. 6 Develop and maintain secure systems and applications
      Gazzang Helps By
      Adding a new layer of security
      The system is more secure as delivered
      You will be downloading the latest MySQL version
      We will secure the configuration and protect the data and logs
      GoGrid
      The base GoGrid Cloud Server Images are clean
      Free from malware or viruses
      Free from undesirable “products” or “services”
    • 30. 7 Restrict access to data by business need-to-know
      Gazzang
      Helps meet this
      By Restricting Access using encryption, key control, and application only access controls
      Linux Users can’t read the data – only MySQL
      GoGrid
      Strong initial root password
      Allows customers to manage local server credentials themselves
    • 31. 8 Assign a unique ID to each person with computer access
      You
      Need to manage your users
      Create a unique login for each user with access to the server
      Create unique accounts within MySQL and Linux
      Limit access to only what the account requires
      The Auditor
      Will want reports on each of the systems
      Who, What Authentication methods
      Will verify documentation on processes and procedures
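Requirement 8 asks for one login per person and, at audit time, for a report of who can actually get into each server. The script below is an added example, not code from the deck or either vendor: it reads `/etc/passwd` and `/etc/shadow` content (constructed copies are embedded; the hashes are placeholders), lists which accounts can log in interactively, and flags the three things that break "unique ID per person" on a Linux host: a second UID 0 account, two names sharing one UID, and a login-capable account with an empty password. Against a real server, pass `open("/etc/passwd").read()` and `open("/etc/shadow").read()` (the latter needs root).

```python
from collections import defaultdict

# Shells that deny interactive login; accounts using them are service accounts.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text: str) -> list:
    """Parse /etc/passwd lines into dicts with name, uid, gid and shell."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return accounts


def parse_shadow(text: str) -> dict:
    """Map account name to the password hash field of /etc/shadow."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            hashes[fields[0]] = fields[1]
    return hashes


def login_capable(acct: dict, hashes: dict) -> bool:
    """True if the account has an interactive shell and is not locked."""
    if acct["shell"] in NOLOGIN_SHELLS:
        return False
    h = hashes.get(acct["name"], "!")      # missing shadow entry: treat as locked
    return not h.startswith(("!", "*"))    # '!'/'*' prefixes mean locked or disabled


def audit_linux_accounts(passwd_text: str, shadow_text: str):
    """Return (report, findings): who can log in, and Requirement 8 violations."""
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    by_uid = defaultdict(list)
    for a in accounts:
        by_uid[a["uid"]].append(a["name"])
        if a["uid"] == 0 and a["name"] != "root":
            findings.append((a["name"], "UID 0 account other than root: a shared root-equivalent login"))
        if login_capable(a, hashes) and hashes.get(a["name"], "") == "":
            findings.append((a["name"], "login shell with an empty password"))
    for uid, names in sorted(by_uid.items()):
        if uid != 0 and len(names) > 1:   # UID 0 duplicates are reported above
            findings.append((",".join(names), f"UID {uid} shared by {', '.join(names)}: not a unique ID per person"))
    report = [(a["name"], a["uid"], a["shell"], login_capable(a, hashes)) for a in accounts]
    return report, findings


# Constructed sample files; '$6$constructed$hashN' are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:shared admin login:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:deploy:/home/deploy:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructed$hash1:15141:0:99999:7:::
admin:$6$constructed$hash2:15141:0:99999:7:::
mysql:*:15141:0:99999:7:::
alice:$6$constructed$hash3:15141:0:99999:7:::
bob:!$6$constructed$hash4:15141:0:99999:7:::
deploy::15141:0:99999:7:::
"""

if __name__ == "__main__":
    report, findings = audit_linux_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for name, uid, shell, ok in report:
        print(f"{name:8} uid={uid:<5} shell={shell:18} login={'yes' if ok else 'no'}")
    for who, issue in findings:
        print(f"FINDING {who}: {issue}")
```

The report half is the "who, what authentication methods" list the auditor asks for on this slide; the findings half is what to fix before the visit, and the same uniqueness rule applies to the MySQL accounts on the database server.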
    • 32. 8 Assign a unique ID to each person with computer access
      8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
      GoGrid
      GoGrid provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
      Two-factor - Requiring user/password and certificate
    • 33. 9 Restrict physical access to cardholder data
      The 3 Gs – Guards, Guns, and Gates
      Access to physical equipment
      GoGrid
      Sets the security bar high in this area
      GoGrid data centers have a SAS 70 Type II audit (SAS 70 is an audit report on controls, not a certification)
      Physical equipment is monitored by guards
      Access is highly restricted by electronic IDs and other physical means
      Three forms of authentication are required to get access.
    • 34. 10 Track and monitor all access to network resources and cardholder data
      You
      Will need to show the auditor that you have the process to collect, track, and monitor your environment
      GoGrid
      Tracks and monitors the shared infrastructure up to the boundary of the customer's environment; logging inside your servers and MySQL is your responsibility
      The Auditor
      Will inspect all of the above
    • 35. 11 Systems should be tested to ensure security is maintained over time and through changes
      GoGrid
      Images are reviewed and updated regularly
      GoGrid allows customers to maintain images of their servers
      Gazzang
      Starts from the GoGrid Image
      Protects MySQL’s files – increasing your security level
    • 36. 12 Maintain an Information Security Policy
      You
      Establish, publish, maintain, and disseminate a security policy
      Auditors
      Will examine this information and see that it addresses all of the PCI requirements
    • 37. Have your documentation ready
      Network Diagram
      PCI Policies and Standards
      Documentation
      Antivirus
      Internal/External Scans
      Logging and Monitoring
      Penetration Test Results
      System Configurations
    • 38. Design a Secure System and Diagram your Credit Card Dataflow
      (Dataflow diagram with the parties: Consumer, Web Site, Card Processing, Merchant Bank, Cardholder Bank)
    • 39. GoGrid Components
      • Load Balancers: GoGrid F5
      • Cloud Servers: GoGrid Web/App Servers; Gazzang ezNcrypt for MySQL
      • Dedicated Servers: include Gazzang ezNcrypt
      • Hardware Firewalls: GoGrid Fortinet or Cisco ASA
    • 48. Create a List
      Critical Hardware and Software
    • 49. Conclusion
      There are many steps to PCI
      PCI provides the groundwork for broader security “best practices”
      Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
      GoGrid provides a secure infrastructure for running PCI workloads
      Thanks for your time
    • 50. Contact Information / Resources
      White Paper
      http://go.gogrid.com/whitepapers/complying-with-pci
      More about Gazzang- www.gazzang.com
      More About GoGrid - www.gogrid.com
      For more information - info@gazzang.com
      Contact- mike.frank@gazzang.com