Gazzang pci v1[1]


Essentials of PCI Assessment :
Succeeding with Gazzang

Published in: Technology
  • Speaker note (MICHAEL): What GG provides: “Multi faceted infrastructure”
  • Transcript

    • 1. Essentials of PCI Assessment: Succeeding with Gazzang
      Mike Frank, Director of Products, Gazzang
    • 2. Overview
      Benefits of the Cloud
      What to expect - preparing for an audit
      The Gazzang data security solution
      Mapping into the 12 PCI sections
      Examples/Ideas before your PCI Audit
      Q&A
      7/13/2011
    • 3. Cloud Adoption 101
    • 4. PCI (Payment Card Industry)
      Created by major credit card issuers to:
      Protect personal information
      Ensure security when transactions are processed
      Members of the payment card industry are financial institutions, credit card companies and merchants
      They are required to comply with these standards
      Failure to meet compliance standards can result in:
      Fines from credit card companies and banks
      Loss of the ability to process credit cards
    • 5. PCI
      PCI (Payment Card Industry)
      DSS (Data Security Standard)
      The PCI assessment process focuses solely on the security of cardholder data
      Has a company effectively implemented information security policies and processes?
      Are there adequate security measures that comply with the requirements to protect cardholder data?
    • 6. PCI Assessments
      Determine if you are employing payment industry best practices
      Assessments result in recommendations and remediation to:
      Processes
      Procedures
      System configurations
      Vulnerabilities
      The “fixes” needed to comply
    • 7. What is Gazzang’s ezNcrypt for MySQL
      • Installed as a Cloud Database Server
      • Sits between the storage engine and file system
      • Encrypts data before it hits the disk
    • 10. Key Storage System (KSS)
      Gazzang’s KSS “service” runs in the Cloud
      East and West currently
      Highly Available – uses F5
      Solution for “Where do I store my key?”
      Multiple layers of security ensure that your key is protected and available when you need it.
    • 11. PCI Security Problems Gazzang Helps Solve
      Unauthorized attempts to read data off the database files
      Theft of the data files
      Tampering with data
      Protection of data on tapes and backups
      Data at Rest - Protecting disks
      In case physical hardware is stolen or incorrectly disposed of
      Key Protection
      Automated, Zero Maintenance Key Management
      Encrypts, Protects and Secures MySQL
    • 12. The PCI “12”
      Install and maintain a firewall
      Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      Protect stored data
      Encrypt transmission of cardholder data across public networks
      Use and regularly update anti-virus software
      Develop and maintain secure systems and applications
      Restrict access to data by business need-to-know
      Assign a unique ID to each person with computer access
      Restrict physical access to cardholder data
      Track and monitor all access to network resources and cardholder data
      Systems should be tested to ensure security is maintained over time and through changes
      Maintain an information security policy
    • 13. 1 Install and maintain a firewall
      The Auditor will inspect
      System/Firewall Configurations
      Your Network Diagram
      Several options
      Can be provided by the cloud host
      Fortinet Firewall
      Cisco ASA 5510 dedicated hardware firewall
    • 14. 2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      Gazzang
      MySQL Linux account has strong initial password
      Only local mysql root is created
      Strong Initial Password is enforced
      Configuration for MySQL is Secured
      Added Access File Protection
      The Auditor will
      Interview staff, review documentation, view setup
    • 15. 3 Protect stored data
      Gazzang
      Allows you to:
      • Encrypt the entire database
      • Encrypt individual tables
      • Encrypt related files (log files)
      • Control who can decrypt the data, beyond normal database and file system protections
      • Manage and secure keys
    • 20. 3 Protect stored data
      The Auditor will
      Look at the entire data lifecycle related to Card Data, Authentication Data, Key Management Protecting Data, Verification Codes and much more.
      You
      Will need to document, explain and show that process to the auditor.
      For Requirement 3, sections 4, 5 and 6 are often the trickiest
    • 21. 3 Protect stored data
      Gazzang ezNcrypt helps:
      Manage access control
      • Only authorized users running authorized applications can decrypt cardholder data.
      • 3.4.1.a: If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms
    • 23. 3 Protect stored data
      Gazzang ezNcrypt helps:
      Secure key management procedures
      • PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
      • PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
      • 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt
    • 26. 4 Encrypt transmission of cardholder data across public networks
      You
      Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks
      Require SSL Connections in MySQL Access Control Settings for any “remote” User
    • 27. 4 Encrypt transmission of cardholder data across public networks
      Gazzang
      Cloud systems send data across the network to storage
      With ezNcrypt your critical data is encrypted before it moves into the physical file system
      All data written by ezNcrypt is therefore already encrypted when it crosses the network or passes through other devices that could be monitored or tapped.
    • 28. 5 Use and regularly update anti-virus software
      The Auditor will
      Verify that all OS types commonly affected by malicious software have anti-virus software implemented.
      You
      Make sure AV is set up and deployed properly
    • 29. 6 Develop and maintain secure systems and applications
      Gazzang
      Adding a new layer of security
      As-Is the system is more secure
      You will be downloading the latest MySQL Version
      We will secure the configuration and protect the data and logs
    • 30. 7 Restrict access to data by business need-to-know
      Gazzang
      Helps meet this by Restricting Access using encryption, key control, and application only access controls
      Linux Users can’t read the data – only MySQL
      You
      Ensure that cloud host allows customers to manage local server credentials themselves
    • 31. 8 Assign a unique ID to each person with computer access
      You
      Need to manage your users
      Create a unique login for each user with access to the server
      Create unique accounts within MySQL and Linux
      Limit access to only what the account requires
      The Auditor will
      Want reports on each of the systems
      Want to know who and what authentication methods
      Verify documentation on processes and procedures
    • 32. 8 Assign a unique ID to each person with computer access
      8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
      You
      Ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site, or IPSec VPNs
      Two-factor - Requiring user/password and certificate
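      The MySQL account controls that slides 26, 31 and 32 call for (TLS required for every “remote” user, one named account per person holding only the privileges that person needs, and password plus certificate for remote administrative access) can be expressed directly in MySQL. The following is an added example written for this page, not Gazzang’s code or a script from the deck; it assumes MySQL 5.7 or later (for the REQUIRE clause on CREATE USER/ALTER USER and for DROP USER IF EXISTS), and every user name, host range, database name and certificate subject in it is a constructed placeholder.

```sql
-- Added example (not from the deck or from Gazzang): MySQL account controls
-- matching PCI requirements 4 and 8 as the slides describe them.
-- Assumes MySQL 5.7+; all names, hosts and subjects are constructed placeholders.

-- Requirement 2 / slide 14: no anonymous users and no remote root.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS 'root'@'%';

-- Requirement 4 / slide 26: a "remote" account, i.e. any account whose host
-- is not localhost, must be required to connect over SSL/TLS.
-- Weak: the transport is left to the client, so plaintext connections succeed.
CREATE USER 'app_rw'@'10.0.2.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
-- Hardened: the server rejects the same account unless the session is TLS.
ALTER USER 'app_rw'@'10.0.2.%' REQUIRE SSL;

-- Requirement 7 / slide 30: the application gets only the tables it uses.
GRANT SELECT, INSERT, UPDATE ON shop.orders TO 'app_rw'@'10.0.2.%';
GRANT SELECT ON shop.products TO 'app_rw'@'10.0.2.%';

-- Requirement 8 / slide 31: one named account per person, no shared logins,
-- each limited to what that person's role needs.
CREATE USER 'jdoe_dba'@'10.0.2.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE SSL;
GRANT ALL PRIVILEGES ON shop.* TO 'jdoe_dba'@'10.0.2.%';

CREATE USER 'asmith_report'@'10.0.2.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE SSL;
GRANT SELECT ON shop.orders TO 'asmith_report'@'10.0.2.%';

-- Requirement 8.3 / slide 32: remote administrative access needs a second
-- factor. Password plus a client certificate issued by the server's CA
-- (REQUIRE X509), or pinned to one certificate subject (REQUIRE SUBJECT).
ALTER USER 'jdoe_dba'@'10.0.2.%'
  REQUIRE SUBJECT '/C=US/ST=TX/L=Austin/O=Example Shop/CN=jdoe';

-- Audit queries: the evidence the assessor will ask you to show.
-- 1. Remote accounts that do not require TLS (should return no rows).
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
   AND ssl_type = '';

-- 2. Any root account reachable from off-box (should return no rows).
SELECT user, host FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- 3. Effective privileges per named account, for the access-review evidence.
SHOW GRANTS FOR 'app_rw'@'10.0.2.%';
SHOW GRANTS FOR 'jdoe_dba'@'10.0.2.%';
```

      Run the statements as an administrative account over the local socket, replace the placeholder passwords and subject with real values, and keep the output of the three audit queries with the rest of the documentation the deck lists on slide 37; the first two queries are the quickest way to confirm that no remote account has slipped through without a transport requirement.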
    • 33. 9 Restrict physical access to cardholder data
      The 3 Gs – Guards, Guns, and Gates
      Access to physical equipment
      You
      Ensure that your cloud host takes security measures to maintain integrity of hardware and facility.
      Certification
      Multiple forms of authentication to gain access
    • 34. 10 Track and monitor all access to network resources and cardholder data
      You
      Will need to show auditor that you have the process to collect, track, and monitor your environment
      Ensure that cloud host tracks and monitors up to the customer's environment
      The Auditor will
      Inspect all of the above
    • 35. 11 Systems should be tested to ensure security is maintained over time and through changes
      You
      Make sure cloud host reviews and updates images regularly
      Maintain server images locally
      Gazzang
      Starts from the cloud host image
      Protects MySQL’s files – increasing your security level
    • 36. 12 Maintain an Information Security Policy
      You
      Establish, publish, maintain, and disseminate a security policy
      Auditors
      Will examine this information and see that it addresses all of the PCI requirements
    • 37. Have your documentation ready
      Network Diagram
      PCI Policies and Standards
      Documentation
      Antivirus
      Internal/External Scans
      Logging and Monitoring
      Penetration Test Results
      System Configurations
    • 38. Design a Secure System and Diagram your Credit Card Dataflow
      Web Site
      Consumer
      Card Processing
      Merchant Bank
      Cardholder Bank
    • 39. Potential Components
      • Load Balancers
      • Cloud Servers
      • Gazzang ezNcrypt for MySQL
      • Dedicated Servers
      • Include Gazzang ezNcrypt
      • Hardware Firewalls
    • 45. Conclusion
      There are many steps to PCI Compliance
      PCI provides the groundwork for broader security “best practices”
      Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
    • 46. Contact Information / Resources
      White Paper
      http://
      More about Gazzang: www.gazzang.com
      For more information: info@gazzang.com
      Contact: mike.frank@gazzang.com
