Gazzang pci v1[1]
Essentials of PCI Assessment: Succeeding with Gazzang

Published in: Technology
  • Speaker note: MICHAEL: What GG provides (“Multi faceted infrastructure”)
  • Transcript

    • 1. Essentials of PCI Assessment: Succeeding with Gazzang
      Mike Frank, Director of Products, Gazzang
    • 2. Overview
      • Benefits of the Cloud
      • What to expect: preparing for an audit
      • The Gazzang data security solution
      • Mapping into the 12 PCI sections
      • Examples/ideas before your PCI audit
      • Q&A
      7/13/2011
    • 3. Cloud Adoption 101
    • 4. PCI (Payment Card Industry)
      • Created by major credit card issuers to protect personal information and ensure security when transactions are processed
      • Members of the payment card industry (financial institutions, credit card companies and merchants) are required to comply with these standards
      • Failure to meet compliance standards can result in fines from credit card companies and banks, and loss of the ability to process credit cards
    • 5. PCI
      • PCI (Payment Card Industry) DSS (Data Security Standard)
      • The PCI assessment process focuses solely on the security of cardholder data
      • Has a company effectively implemented information security policies and processes?
      • Are there adequate security measures that comply with the requirements to protect cardholder data?
    • 6. PCI Assessments
      • Determine if you are employing payment industry best practices
      • Assessments result in recommendations and remediation to processes, procedures, system configurations and vulnerabilities: the “fixes” needed to comply
    • 7. What is Gazzang’s ezNcrypt for MySQL?
      • Installed as a cloud database server
      • Sits between the storage engine and the file system
      • Encrypts data before it hits the disk
    • 10. Key Storage System (KSS)
      • Gazzang’s KSS “service” runs in the Cloud (East and West currently)
      • Highly available: uses F5
      • Solution for “Where do I store my key?”
      • Multiple layers of security ensure that your key is protected and available when you need it
    • 11. PCI Security Problems Gazzang Helps Solve
      • Unauthorized attempts to read data off the database files
      • Theft of the data files
      • Tampering with data
      • Protection of data on tapes and backups
      • Data at rest: protecting disks in case physical hardware is stolen or incorrectly disposed of
      • Key protection: automated, zero-maintenance key management
      • Encrypts, protects and secures MySQL
    • 12. The PCI “12”
      1. Install and maintain a firewall
      2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      3. Protect stored data
      4. Encrypt transmission of cardholder data across public networks
      5. Use and regularly update anti-virus software
      6. Develop and maintain secure systems and applications
      7. Restrict access to data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
      10. Track and monitor all access to network resources and cardholder data
      11. Systems should be tested to ensure security is maintained over time and through changes
      12. Maintain an information security policy
    • 13. 1 Install and maintain a firewall
      • The auditor will inspect system/firewall configurations and your network diagram
      • Several options can be provided by the cloud host: Fortinet firewall, Cisco ASA 5510 dedicated hardware firewall
    • 14. 2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      • Gazzang: the MySQL Linux account has a strong initial password; only a local mysql root is created; a strong initial password is enforced; the configuration for MySQL is secured; added access file protection
      • The auditor will interview staff, review documentation and view the setup
    • 15. 3 Protect stored data
      • Gazzang allows you to: encrypt the entire database; encrypt individual tables; encrypt related files (log files); control who can decrypt the data, beyond normal database and file system protections; manage and secure keys
    • 20. 3 Protect stored data
      • The auditor will look at the entire data lifecycle related to card data, authentication data, key management protecting data, verification codes and much more
      • You will need to document, explain and show that process to the auditor
      • For Requirement 3, sections 4, 5 and 6 are often the trickiest
    • 21. 3 Protect stored data
      • Gazzang ezNcrypt helps manage access control: only authorized users running authorized applications can decrypt cardholder data
      • 3.4.1.a: If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms
    • 23. 3 Protect stored data
      • Gazzang ezNcrypt helps with secure key management procedures
      • PCI 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
      • PCI 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
      • 3.6.1: The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt
    • 26. 4 Encrypt transmission of cardholder data across public networks
      • You: verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks
      • Require SSL connections in the MySQL access control settings for any “remote” user
    • 27. 4 Encrypt transmission of cardholder data across public networks
      • Gazzang: cloud data storage in cloud systems sends data across the network to storage
      • With ezNcrypt your critical data is encrypted before it moves into the physical file system
      • All data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped
    • 28. 5 Use and regularly update anti-virus software
      • The auditor will verify that all OS types commonly affected by malicious software have anti-virus software implemented
      • You: make sure AV is set up and deployed properly
    • 29. 6 Develop and maintain secure systems and applications
      • Gazzang adds a new layer of security; as-is, the system is more secure
      • You will be downloading the latest MySQL version; we will secure the configuration and protect the data and logs
    • 30. 7 Restrict access to data by business need-to-know
      • Gazzang helps meet this by restricting access using encryption, key control and application-only access controls: Linux users can’t read the data, only MySQL can
      • You: ensure that the cloud host allows customers to manage local server credentials themselves
    • 31. 8 Assign a unique ID to each person with computer access
      • You need to manage your users: create a unique login for each user with access to the server; create unique accounts within MySQL and Linux; limit access to only what the account requires
      • The auditor will want reports on each of the systems, want to know who has access and which authentication methods are used, and verify documentation on processes and procedures
    • 32. 8 Assign a unique ID to each person with computer access
      • 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties
      • You: ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
      • Two-factor: requiring user/password and certificate
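The MySQL account settings behind slides 14, 26, 31 and 32 (local-only root, TLS required for remote users, one least-privilege account per person, password plus certificate for remote admins), written out as an added example that is not part of the Gazzang deck and does not involve ezNcrypt. Schema, host and account names are assumed, passwords are placeholders, and the syntax is MySQL 5.7 or later.

```sql
-- Constructed example, not from the Gazzang deck. MySQL 5.7+ syntax.
-- Assumed names: schema cardapp, app servers on 10.0.1.0/24,
-- admin jump host 10.0.2.10, placeholder passwords throughout.

-- WEAK (what an assessor flags): one shared account, any host,
-- no TLS requirement, full privileges on every schema.
-- CREATE USER 'app'@'%' IDENTIFIED BY 'placeholder';
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'%';

-- Req. 4 (slide 26): a remote service account must negotiate TLS.
CREATE USER 'orders_svc'@'10.0.1.%'
  IDENTIFIED BY 'placeholder-password-1'
  REQUIRE SSL;
-- Req. 7 (slide 31): grant only the tables and verbs the app needs.
GRANT SELECT, INSERT, UPDATE ON cardapp.orders   TO 'orders_svc'@'10.0.1.%';
GRANT SELECT                 ON cardapp.products TO 'orders_svc'@'10.0.1.%';

-- Req. 8 (slides 31-32): one named account per administrator; remote
-- admin logins need the password AND a client certificate (REQUIRE X509).
CREATE USER 'dba_jdoe'@'10.0.2.10'
  IDENTIFIED BY 'placeholder-password-2'
  REQUIRE X509
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT SELECT, PROCESS, RELOAD, SHOW DATABASES ON *.* TO 'dba_jdoe'@'10.0.2.10';

-- Req. 2 (slide 14): no anonymous accounts; root stays local only.
DROP USER IF EXISTS ''@'localhost', ''@'%';

-- Server-wide backstop (5.7.8+): refuse every non-TLS TCP connection,
-- so a forgotten REQUIRE clause cannot open a cleartext path.
SET GLOBAL require_secure_transport = ON;

-- Assessor query: remote accounts with no TLS requirement, or root
-- reachable from a remote host. Every row returned is a finding.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
   AND (ssl_type = '' OR user = 'root')
 ORDER BY user, host;

-- Confirm TLS is really enabled, and that a given session negotiated it.
SHOW VARIABLES LIKE 'have_ssl';           -- must be YES
SHOW SESSION STATUS LIKE 'Ssl_cipher';    -- non-empty inside a TLS session
```

REQUIRE X509 only verifies the client certificate against the CA the server was started with (ssl_ca), so the certificate check is only as strong as that CA configuration.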
    • 33. 9 Restrict physical access to cardholder data
      • The 3 Gs: Guards, Guns and Gates
      • Access to physical equipment
      • You: ensure that your cloud host takes security measures to maintain the integrity of hardware and facility: certification, multiple forms of authentication to gain access
    • 34. 10 Track and monitor all access to network resources and cardholder data
      • You will need to show the auditor that you have the process to collect, track and monitor your environment
      • Ensure that the cloud host tracks and monitors up to the customer's environment
      • The auditor will inspect all of the above
    • 35. 11 Systems should be tested to ensure security is maintained over time and through changes
      • You: make sure the cloud host reviews and updates images regularly; maintain server images locally
      • Gazzang starts from the cloud host image and protects MySQL's files, increasing your security level
    • 36. 12 Maintain an Information Security Policy
      • You: establish, publish, maintain and disseminate a security policy
      • Auditors will examine this information and see that it addresses all of the PCI requirements
    • 37. Have your documentation ready
      • Network diagram
      • PCI policies and standards
      • Documentation
      • Antivirus
      • Internal/external scans
      • Logging and monitoring
      • Penetration test results
      • System configurations
    • 38. Design a Secure System and Diagram your Credit Card Dataflow
      • Dataflow components: Web Site, Consumer, Card Processing, Merchant Bank, Cardholder Bank
    • 39. Potential Components
      • Load balancers
      • Cloud servers
      • Gazzang ezNcrypt for MySQL
      • Dedicated servers (include Gazzang ezNcrypt)
      • Hardware firewalls
    • 45. Conclusion
      • There are many steps to PCI compliance
      • PCI provides the groundwork for broader security “best practices”
      • Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
    • 46. Contact Information / Resources
      • White paper: http://
      • More about Gazzang: www.gazzang.com
      • For more information: info@gazzang.com
      • Contact: mike.frank@gazzang.com