Webinar slides: How to Achieve PCI Compliance for MySQL & MariaDB with ClusterControl

Join Laurent Blume, Unix Systems Engineer & PCI Specialist, and Vinay Joosery, CEO at Severalnines, as they discuss how to achieve PCI compliance for MySQL & MariaDB with ClusterControl.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of technical and operational requirements defined by the PCI Security Standards Council (PCI SSC) to protect cardholder data. These standards apply to all entities that store, process or transmit cardholder data, with additional requirements for software developers and manufacturers of the applications and devices used in those transactions.
Cardholder data that resides in a MySQL or MariaDB database must also meet these requirements, and database administrators must follow best practices to ensure the data is secured and compliant. The PCI standards are stringent and can easily consume a spiralling amount of time. Database administrators can end up overwhelmed when using software that was not designed for compliance, often because it long predates PCI itself, as is the case for most database systems in use today.
That is why, as often as possible, reliable tools should be chosen to help with compliance, easing the crucial parts. Each time compliance with one requirement can be shown to be implemented, working and logged accordingly, time is saved. If well designed, the setup will only require regular software upgrades, a yearly review and a moderate amount of tweaking to follow the standard's evolution over time.
This webinar focuses on the PCI-DSS requirements for a MySQL or MariaDB database back-end managed by ClusterControl, and on how ClusterControl helps meet them. It provides a MySQL- and MariaDB-focused overview of what the PCI standards mean, how they impact database management, and practical tips on how to achieve PCI compliance for MySQL & MariaDB with ClusterControl.

AGENDA
Introduction to the PCI-DSS standards
The impact of PCI on database management
Step by step review of the PCI requirements
How to meet the requirements for MySQL & MariaDB with ClusterControl
Conclusion
Q&A

1. How to achieve PCI compliance for MySQL & MariaDB with ClusterControl
January 30, 2018
Presenters: Laurent Blume & Vinay Joosery

2. Your host & some logistics
Copyright 2017 Severalnines AB
I'm Jean-Jérôme from the Severalnines Team and I'm your host for today's webinar! Feel free to ask any questions in the Questions section of this application or via the Chat box. You can also contact me directly via the chat box or via email: jj@severalnines.com during or after the webinar.

3. About Severalnines and ClusterControl

4. What we do
● Deploy
● Monitor
● Manage
● Scale

5. What Problems do we Address?
● Deploy: deploy MySQL, Postgres or MongoDB, single instances or entire clusters
● Monitor: get a unified view of all clusters across all your data centers
● Scale: add/remove nodes, resize instances & clone your production clusters
● Manage: automatically repair & recover broken nodes or clusters; test & automate upgrades

6. ClusterControl Platform
● CC clients: Web UI, s9s CLI, JSON RPC
● Notifications: Email, PagerDuty, VictorOps, OpsGenie, Slack, Telegram, Webhooks
● Load balancers: KeepAlived, HAProxy, ProxySQL, MaxScale
● Databases: Galera (Codership, MariaDB, Percona), MySQL Replication (MariaDB, Percona), MongoDB (MongoDB Inc, Percona), PostgreSQL
● Cloud Backup
● Support 24/7

7. Deployment Features in ClusterControl
● Each cluster can be deployed, and existing clusters can be imported.
● Web UI
  ○ Deployment Wizard
● CLI
  ○ Allows easy integration with e.g. Ansible:
    s9s cluster --create --cluster-type=galera --nodes='10.10.10.26;10.10.10.27;10.10.10.28' --vendor=percona --cluster-name=PXC_CENTOS7 --provider-version=5.7 --os-user=vagrant --wait
● Supports multiple NICs and templated configurations.

8. Monitoring Features in ClusterControl
● Database-specific stats and health status
  ○ Graphs and dashboards
● Host statistics
  ○ E.g. predictive disk space usage monitoring
● Query monitoring
  ○ E.g. top queries, outlier detection
● Advisors
  ○ Developer Studio with JS-like syntax
● Notifications
  ○ Email, PagerDuty, VictorOps etc.
● Operational reports

9. Management Features in ClusterControl
● Availability
  ○ Node/cluster recovery
● Backup and restore
  ○ MySQL: mysqldump, xtrabackup
  ○ Postgres: pg_dump, pg_basebackup
  ○ MongoDB: mongodump, MongoDB Consistent Backup
● Configuration
● Upgrades
● Load balancer
  ○ HAProxy, ProxySQL, MaxScale
  ○ KeepAlived

10. Supported Databases

11. Customers

12. Agenda

13. Today's topics
● Introduction to the PCI-DSS standard
● The impact of PCI on database management
● Meeting PCI requirements for MySQL / MariaDB with ClusterControl
● Conclusion
● Q&A

14. About me
Laurent Blume, Unix Systems Engineer & PCI-DSS implementer

15. Introduction to the PCI-DSS standard

16. [Slide image: PCI payment security overview]
Source: https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

17. What is PCI-DSS?
● Managed by the PCI Security Standards Council, which was founded by the major payment card companies
● Set of technical & operational requirements to protect cardholder data
● Governs all merchants and organizations that store, process or transmit this data

18. What isn't PCI-DSS?
● Not set in stone
  ○ Version 3.2 (April 2016) currently in force
● Not a goal that can be reached then forgotten
  ○ Yearly reviews and audits
● Not a governmental regulation
  ○ Those also need to be respected (GDPR, ...)

19. Applicable Data
● Everything revolves around the card number, aka the PAN
  ○ You can store it after a transaction, but it needs protection
● Other elements used during the transaction must never be stored (PIN, CVV, ...)
Ref: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

20. Why comply?
● Required in order to accept credit cards
● A security breach has serious consequences
  ○ Regulatory notification
  ○ Fines
  ○ Litigation
  ○ Impact on your customers and reputation

21. Compliance Checks
● The same rules apply to every company handling card information
● Merchant levels define how compliance is checked
  ○ Minimum: an annual Self-Assessment Questionnaire and network scan
  ○ Maximum: an annual audit by a Qualified Security Assessor
https://pci.qualys.com/static/help/merchant/getting_started/pci_merchant_levels.htm

22. The Impact of PCI on Database Management

23. Cardholder Data Environment (CDE)
● PCI-DSS applies to every single component inside the CDE
● That CDE must be precisely defined
● An isolated network can reduce the scope

24. Cardholder Data Environment (CDE)
● What's inside the CDE:
  ○ Workstations
  ○ Application servers
  ○ Network equipment
  ○ Databases
  ○ ...

25. Cardholder Data Environment (CDE)
● The database is often the central element of the CDE
  ○ It contains sensitive data that must be protected
  ○ It sends and receives fresh data
  ○ It must be reachable, but only by authorized parties (load balancers, application servers, ...)

26. Procedures and Provability
● Doing things right: of course you must
● Proving you're doing them right?
  ○ Not as obvious as you might think...

27. Procedures and Provability: Making it easier
● Automation:
  ○ It takes time to set up, then it saves time
  ○ It helps make sure an action taken once will not be forgotten next time
  ○ It helps prove what you've been doing since the last time you saw the auditor

28. Database environment is distributed
● You process card numbers?
● You need security
● It's likely you also need reliability
  ○ Multiple servers
  ○ Multiple data centers

29. Single view/control of distributed environment
● In short, you need a cluster
  ○ Distributed database of identical nodes
  ○ Load balancers manage access to those nodes
  ○ Application clients use one connection string
  ○ Single view: treating all nodes as a single entity facilitates compliance

30. Meeting PCI Requirements for MySQL & MariaDB with ClusterControl

31. PCI Data Security Standard - Overview

32. Requirement 2. Do not use vendor-supplied defaults for system passwords & other security parameters
● Set root password, disable remote root login
● Remove anonymous users/test database
● Automated via ClusterControl
  ○ Easily audited in the UI
● ... more in our '10 Security Tips' blog*
* https://severalnines.com/blog/ten-tips-how-achieve-mysql-and-mariadb-security
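The following is an added example, not part of the slides or of ClusterControl itself: the SQL equivalent of the Requirement 2 hardening the slide lists (what mysql_secure_installation does interactively and what a deployment tool automates), followed by the query an assessor can re-run on every node to prove the defaults have stayed gone. The syntax assumes MySQL 5.7+ or MariaDB 10.2+ (ALTER USER and DROP USER IF EXISTS); the password placeholder is obviously hypothetical.

```sql
-- Added example (not from the slides): Requirement 2 clean-up, then the evidence query.

-- root keeps a real password and is reachable from the local socket/loopback only.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'change-me-to-a-long-random-secret';
-- Some packages create remote or IPv6 root entries; keep only 'localhost'.
DROP USER IF EXISTS 'root'@'%';
DROP USER IF EXISTS 'root'@'::1';

-- Anonymous accounts (User = '') let anyone who can reach the port log in.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'127.0.0.1';

-- The sample 'test' schema is world-writable through a default mysql.db grant
-- (Db = 'test' and 'test\_%'); remove both the schema and the grant rows.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';
FLUSH PRIVILEGES;

-- Evidence query: must return zero rows on every node, every time it is run.
SELECT User, Host
  FROM mysql.user
 WHERE User = ''                                                      -- anonymous account
    OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1'));    -- remote root
```

Checking for accounts with an empty password is version specific and is therefore left out of the evidence query: on MySQL 5.7+ test `authentication_string = ''`, on MariaDB up to 10.3 test `Password = ''` (MariaDB 10.4+ exposes `mysql.user` as a view, where `authentication_string` again holds the hash). Run the query through ClusterControl's user management view or as a scheduled advisor so that the result, not just the intent, is logged.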
33. Requirement 3. Protect stored cardholder data
● Some fields must not be stored in any form
  ○ PIN, CVV2
● A stored PAN must be masked or encrypted
  ○ MySQL encryption functions
  ○ Transparent Data Encryption
● Ensure logs do not contain sensitive data
● ClusterControl
  ○ Helps understanding the database structure
  ○ Allows checking its logs
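An added example (not from the slides, and not how ClusterControl or any particular application stores cards) of one table layout that satisfies the slide's two points: the PAN is stored only in encrypted form (Requirement 3.4), a separately stored masked copy shows at most the first six and last four digits (Requirement 3.3), and there are deliberately no PIN/CVV2 columns (Requirement 3.2). It uses the MySQL encryption functions the slide names, with MySQL 5.6.17+ syntax for an IV-based mode; the table, the customer id and the key derivation are constructed for illustration.

```sql
-- Added example (not from the slides): PAN stored encrypted + masked, sensitive auth data never stored.

CREATE TABLE card_on_file (
  id            BIGINT UNSIGNED   NOT NULL AUTO_INCREMENT PRIMARY KEY,
  customer_id   BIGINT UNSIGNED   NOT NULL,
  pan_masked    VARCHAR(19)       NOT NULL,  -- e.g. 411111******1111, safe to display and log
  pan_iv        BINARY(16)        NOT NULL,  -- per-row IV, never reused with the same key
  pan_enc       VARBINARY(64)     NOT NULL,  -- AES-256-CBC ciphertext of the full PAN
  expiry_month  TINYINT UNSIGNED  NOT NULL,
  expiry_year   SMALLINT UNSIGNED NOT NULL
  -- No CVV2, PIN or full track data column: Requirement 3.2 forbids storing them at all.
);

-- AES_ENCRYPT() defaults to AES-128-ECB, which leaks equal PANs as equal ciphertexts.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- In the real application the PAN and key arrive as bound parameters of a prepared
-- statement; @pan and @key stand in for them here. The key must come from the
-- application or a KMS (Requirement 3.5), never from a table or file on the DB host.
-- The SHA2() derivation below is only a stand-in for a 32-byte key from such a KMS.
SET @pan = '4111111111111111';                               -- constructed test PAN
SET @key = UNHEX(SHA2('example-data-encryption-key', 256));  -- stand-in, see above
SET @iv  = RANDOM_BYTES(16);

INSERT INTO card_on_file (customer_id, pan_masked, pan_iv, pan_enc, expiry_month, expiry_year)
VALUES (42,
        CONCAT(LEFT(@pan, 6), REPEAT('*', CHAR_LENGTH(@pan) - 10), RIGHT(@pan, 4)),
        @iv,
        AES_ENCRYPT(@pan, @key, @iv),
        12, 2020);

-- Everyday reads (customer service, reporting) only ever see the masked form.
SELECT customer_id, pan_masked, expiry_month, expiry_year
  FROM card_on_file WHERE customer_id = 42;

-- Only the payment path decrypts, and only with the key it supplies at call time.
SELECT CAST(AES_DECRYPT(pan_enc, @key, pan_iv) AS CHAR) AS pan
  FROM card_on_file WHERE id = 1;
```

Two caveats tie this back to the slide's third bullet. First, the literals in the SET and INSERT above would land in the general log, the slow log and a statement-based binary log; a real application must use prepared statements with bound parameters, keep `general_log` off, and use row-based replication so the PAN is never written as text anywhere ClusterControl's log viewer (or an attacker) could read it. Second, the three-argument `AES_ENCRYPT()` and `block_encryption_mode` are MySQL features; MariaDB 10.x only offers AES-128-ECB in SQL, so there either encrypt in the application or rely on MariaDB's data-at-rest encryption, which is the Transparent Data Encryption option the slide mentions.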
34. Requirement 4. Encrypt transmission of cardholder data across open, public networks
● Set up TLS between database nodes
  ○ Replication traffic
● Set up TLS from application to database
● ClusterControl can set up the TLS connections between nodes and for database users

35. Example: Encrypting client/server traffic + intra-cluster replication traffic
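An added example, not from the slides, of the SQL side of Requirement 4 once certificates are in place (ClusterControl or my.cnf's `ssl_ca`, `ssl_cert`, `ssl_key` handle the files themselves): confirm the server loaded them, force the application and replication accounts to negotiate TLS, and produce the evidence that no account can still connect in cleartext. The account names, passwords, the 10.10.10.0/24 range and the CA path are hypothetical.

```sql
-- Added example (not from the slides): require and verify TLS for clients and replication.

-- 1. Did the server actually load a certificate? 'DISABLED' here means every
--    connection is cleartext no matter what the accounts say.
SHOW GLOBAL VARIABLES LIKE 'have_ssl';      -- expected: YES
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('ssl_ca', 'ssl_cert', 'ssl_key');

-- 2. Application account: the handshake fails unless TLS is negotiated.
--    REQUIRE X509 would additionally demand a client certificate; REQUIRE ISSUER /
--    REQUIRE SUBJECT pin which certificate is acceptable.
CREATE USER 'app'@'10.10.10.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
ALTER USER 'legacy_app'@'10.10.10.%' REQUIRE SSL;     -- retrofit an existing account

-- 3. Asynchronous replication between nodes: the replication account requires TLS,
--    and each replica verifies the primary's certificate, not just encrypts.
CREATE USER 'repl'@'10.10.10.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.10.10.%';
-- Run on each replica (hypothetical primary address and CA path):
CHANGE MASTER TO
  MASTER_HOST = '10.10.10.26', MASTER_USER = 'repl', MASTER_PASSWORD = 'change-me',
  MASTER_SSL = 1, MASTER_SSL_CA = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;

-- 4. Server-wide backstop (MySQL 5.7.8+ / MariaDB 10.5+): refuse every cleartext TCP
--    connection, so a forgotten account cannot be used to bypass the per-user rule.
SET GLOBAL require_secure_transport = ON;

-- 5. Evidence. Empty Ssl_cipher means this session is not encrypted; the second
--    query lists accounts still allowed to connect without TLS and should be empty
--    (apart from socket-only accounts such as 'root'@'localhost').
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SELECT User, Host FROM mysql.user WHERE ssl_type = '' ORDER BY User, Host;
```

The intra-cluster traffic on slide 35 is the one part this does not cover: Galera's own replication and state transfers are configured outside SQL, through `wsrep_provider_options="socket.ssl=yes;socket.ssl_key=...;socket.ssl_cert=...;socket.ssl_ca=..."` plus the chosen SST method's TLS settings in my.cnf, which is what ClusterControl writes for you when TLS is enabled for the cluster. Also note that `REQUIRE SSL` only guarantees encryption; verifying the server's identity (MASTER_SSL_VERIFY_SERVER_CERT above, `--ssl-mode=VERIFY_IDENTITY` in MySQL clients) is what defeats an on-path attacker.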
36. Requirement 6. Develop & maintain secure systems & applications
● Track
  ○ what is running in production
  ○ vulnerabilities and current risk level
● Patch
  ○ any critical vulnerability within a month
  ○ non-critical ones within 3 months
● Separate dev and staging environments

37. Upgrade Report from ClusterControl

38. Automate upgrades via ClusterControl
● Makes database upgrades simpler:
  ○ Each node is upgraded in turn without service interruption
  ○ After the database version is upgraded, the schema is updated by the script
● Makes system upgrades simpler
  ○ After the OS is updated (yum upgrade, ...), each node can be rebooted in sequence
● No service interruption during upgrades

39. Automate upgrades via ClusterControl

40. ClusterControl built on standard bricks
● ClusterControl uses Apache, PHP and ssh from standard Linux distributions
● Easier for Severalnines developers to follow industry best practices
● Easier for end-users to deploy and manage using standard tools

41. Requirement 7. Restrict access to cardholder data by business need to know
● Root account accessed from localhost only
● Administrator manages the DB but does not access the content
● Developer account defines the DB structure
● Service accounts access the content, used only by the application and limited to its needs
● Least privilege model
● Accounts and privileges can be audited in ClusterControl in the different environments: development, staging, production

42. Requirement 8. Identify & authenticate access to system components
● View of all granted users + permissions
● Control addition/deletion of user IDs
● No shared ID rule
● ClusterControl
  ○ shows all database user accounts at a glance
  ○ can use LDAP for its own access control

43. User Mgmt: Single view
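An added example, not from the slides, that expresses the four-role split of slide 41 (Requirement 7) as MySQL/MariaDB grants, with one distinct account per role and per application so that slide 42's "no shared ID" rule (Requirement 8) holds as well, and then the queries an assessor can re-run to audit the result. The account names, the `payments` schema and its tables, and the address ranges are hypothetical.

```sql
-- Added example (not from the slides): least-privilege account model, then the audit queries.

-- Root: 'root'@'localhost' only (see Requirement 2), for emergencies, never for applications.

-- DBA: operates the server (reload, process list, replication) but has no grant on any
-- application schema, so routine administration never touches cardholder data.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'change-me';
GRANT RELOAD, PROCESS, SHOW DATABASES, REPLICATION CLIENT, REPLICATION SLAVE, SUPER
   ON *.* TO 'dba'@'localhost';
-- Caveat: SUPER (and FILE, not granted here) can be abused to reach data indirectly;
-- this split is a policy boundary that the audit log enforces, not a hard one.

-- Developer / release account: owns the schema, can change structure, cannot read rows.
CREATE USER 'schema_owner'@'10.10.20.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
GRANT CREATE, ALTER, DROP, INDEX, REFERENCES, CREATE VIEW, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE
   ON payments.* TO 'schema_owner'@'10.10.20.%';

-- Service account: exactly the DML the application issues, only on the tables it uses.
-- One such account per application, so every row in the audit log maps to one system.
CREATE USER 'checkout_app'@'10.10.10.%' IDENTIFIED BY 'change-me' REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON payments.card_on_file TO 'checkout_app'@'10.10.10.%';
GRANT SELECT, INSERT         ON payments.transactions TO 'checkout_app'@'10.10.10.%';
-- Deliberately absent: DELETE, any DDL, GRANT OPTION, anything on mysql.* or *.*

-- Audit queries (the same checks ClusterControl's user view lets you eyeball):
-- a) who holds global privileges that reach all data or can escalate?
SELECT GRANTEE, PRIVILEGE_TYPE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE IN ('SELECT', 'FILE', 'SUPER', 'CREATE USER', 'GRANT OPTION')
 ORDER BY GRANTEE, PRIVILEGE_TYPE;
-- b) any account reachable from anywhere on the network?
SELECT User, Host FROM mysql.user WHERE Host IN ('%', '') ORDER BY User;
-- c) the full picture for one service account, to compare against its documented needs
SHOW GRANTS FOR 'checkout_app'@'10.10.10.%';
```

Query (a) should list only `'root'@'localhost'` and the DBA account; a service account appearing there with a global SELECT, or any account in query (b), is a Requirement 7 finding. Keep the output of these three queries from each environment with the change ticket that created the accounts; that pairing of intent and evidence is what the slide means by accounts being "audited in ClusterControl in the different environments".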
44. Requirement 10. Track & monitor all access to network resources & cardholder data
● ClusterControl keeps
  ○ an audit trail for management access
  ○ logs to a remote syslog server
● Audit plugins from MariaDB and Percona

45. Requirement 10. Track & monitor all access to network resources & cardholder data (continued)

46. Requirement 10. Track & monitor all access to network resources & cardholder data (continued)
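An added example, not from the slides, of turning on the two audit plugins the slide names so that database access (as opposed to ClusterControl's own management trail) is recorded for Requirement 10, and of choosing the event set so the audit log itself does not become a store of cardholder data. Variable names are the plugins' real ones; the excluded account name is an assumption about the deployment.

```sql
-- Added example (not from the slides): MariaDB Server Audit and Percona Audit Log set-up.

-- MariaDB Server Audit plugin (bundled with MariaDB 10.x)
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_logging = ON;
-- CONNECT    : every login/logout/failed login          (Req. 10.2.4, 10.2.5)
-- TABLE      : one line per table read/written, with db+table but WITHOUT the
--              statement text, i.e. "who touched card_on_file" (Req. 10.2.1)
-- QUERY_DDL/DCL : schema and privilege changes, with text  (Req. 10.2.2, 10.2.5)
-- QUERY (all statements) is left out on purpose: it would write every
-- INSERT ... VALUES ('4111...') literal, i.e. the PAN, into the log (Req. 3).
SET GLOBAL server_audit_events      = 'CONNECT,TABLE,QUERY_DDL,QUERY_DCL';
SET GLOBAL server_audit_output_type = 'SYSLOG';   -- hand records to syslog for remote shipping
-- Optional: exclude the monitoring account (named cmon here as an assumption) to cut noise;
-- never exclude a human or application account.
SET GLOBAL server_audit_excl_users  = 'cmon';
SHOW GLOBAL STATUS LIKE 'Server_audit%';          -- Server_audit_active = ON, event counters

-- Percona Audit Log plugin (Percona Server / Percona XtraDB Cluster)
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
-- LOGINS records connections only; QUERIES/ALL would again capture PAN literals.
SET GLOBAL audit_log_policy = 'LOGINS';           -- ALL | LOGINS | QUERIES | NONE
-- audit_log_handler (FILE or SYSLOG), audit_log_format and audit_log_file are
-- read-only at runtime and belong in my.cnf, where ClusterControl's configuration
-- management keeps them identical on every node.

-- Evidence that the plugin is loaded on each node (run from ClusterControl's advisor or CLI):
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME IN ('SERVER_AUDIT', 'audit_log');
```

Two things a QSA will ask about: the records must leave the database host promptly (Requirement 10.5.3, which is why the slide pairs the plugins with a remote syslog server), and the same `SET GLOBAL` statements must also be written into my.cnf, otherwise a restart silently switches auditing off. A `SHOW GLOBAL STATUS LIKE 'Server_audit_active'` check scheduled as a ClusterControl advisor is a cheap way to prove the second point continuously.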
47. Requirement 10. Track & monitor all access to network resources & cardholder data

48. Requirement 1. Install & maintain a firewall configuration to protect cardholder data
● Different flows of data are either allowed or blocked
● Limit incoming/outgoing connections to what is absolutely needed

49. Requirement 5. Protect all systems against malware & regularly update anti-virus software or programmes
● Understand the impact on database performance
● Can create false positives on certain file formats
● ClusterControl can't help with that :)

50. Requirement 9. Restrict physical access to cardholder data
● Not directly applicable to ClusterControl

51. Requirement 11. Regularly test security systems and processes
● ClusterControl itself will be scanned
● It works like any other web application, without adding an additional burden
● It helps keep the database part up to date

52. Requirement 12. Maintain an information security policy for all personnel
● Last but not least, and often overlooked: technology matters, but people stay in charge
● Streamline the management of the database environment via ClusterControl
● Management actions performed via the UI

53. Conclusion

54. An ongoing process
● Payment card security is not a fixed goal
● The PCI Standard is upgraded every year
  ○ Announced last week: PCI SPoC*
● Environments must evolve with the changes
* https://www.pcisecuritystandards.org/pdfs/SPOC_Press_Release_24_Jan.pdf

55. Making Compliance less time consuming
● MySQL/MariaDB were not designed for modern security
● Reaching compliance for an existing environment can be overwhelming
● Leverage reliable database tools to ease the crucial parts
● Automate and manage your MySQL & MariaDB databases with ClusterControl

56. Secure DB Setup with ClusterControl
● A simple example of a CDE with ClusterControl

57. Q&A

58. Additional Resources
● White paper: How to achieve PCI compliance for MySQL & MariaDB with ClusterControl
● ClusterControl in Financial Technology
● Download ClusterControl
● Contact us: info@severalnines.com
