Essentials of PCI Assessment Succeeding with GoGrid and Gazzang Paul Lancaster, Manager Cloud Ecosystem, GoGrid Mike Frank, Director of Products, Gazzang

DESCRIPTION

What to expect - preparing for an audit
The GoGrid and Gazzang combined solution
Mapping into the 12 PCI sections
Examples/Ideas before your PCI Audit


Page 1: Essentials of PCI Assessment

Essentials of PCI Assessment
Succeeding with GoGrid and Gazzang
Paul Lancaster, Manager Cloud Ecosystem, GoGrid
Mike Frank, Director of Products, Gazzang

Page 2: Essentials of PCI Assessment

• The #1 “pure-play” IaaS provider in the world
• Strong track record of “first-to-market” features
• World-class platform for infrastructure management
• Over 10,000 customers across all industries
• GoGrid owns 100% of its IP
  – GoGrid is not a reseller
  – Extensible IP and technology platform
  – Lower cost of goods
  – Margin control

A Leader in the IaaS Market

About GoGrid


“10 Cloud Computing Companies to Watch”

“Visionary”Magic Quadrant

“Market Leader”

“Top 10 Best Cloud Computing Providers”

Page 3: Essentials of PCI Assessment

GoGrid is Driving Cloud Adoption

Public Cloud
• Cloud servers
• F5 load balancers
• Cloud storage
• CDN
• Firewalls

Hosted Private Cloud
• A dedicated, non-shared GoGrid instance

Hybrid
• Dedicated
• Cloud
• Private network
• Single control panel

Dedicated
• Standard and custom dedicated servers
• Firewalls

Enabling Cloud Adoption

Page 4: Essentials of PCI Assessment

04/12/2023


Overview

• What to expect - preparing for an audit
• The GoGrid and Gazzang combined solution
• Mapping into the 12 PCI sections
• Examples/Ideas before your PCI audit
• Q&A

Page 5: Essentials of PCI Assessment


PCI (Payment Card Industry)

• Created by the major card brands to
  – Protect personal information
  – Ensure security when transactions are processed
• Members of the payment card industry are
  – Financial institutions, credit card companies and merchants
  – Required to comply with these standards
• Failure to meet compliance standards can result in
  – Fines from credit card companies and banks
  – Loss of the ability to process credit cards

Page 6: Essentials of PCI Assessment


PCI

• PCI (Payment Card Industry) - DSS (Data Security Standard)
• The PCI assessment process focuses solely on the security of cardholder data
  – Has the company effectively implemented information security policies and processes?
  – Are there adequate security measures that comply with the requirements to protect cardholder data?

Page 7: Essentials of PCI Assessment


PCI Assessments

• Determine if you are employing payment industry best practices
• Assessments result in
  – Recommendations and remediation for
    • Processes
    • Procedures
    • System configurations
    • Vulnerabilities
• The “fixes” needed to comply

Page 8: Essentials of PCI Assessment

Gazzang - All rights reserved 2011

What is Gazzang’s ezNcrypt for MySQL

• Installed as a GoGrid Cloud Database Server
• Sits between the storage engine and the file system
• Encrypts data before it hits the disk


Page 9: Essentials of PCI Assessment

Key Storage System (KSS)

© Gazzang, Inc. -- CONFIDENTIAL

• Gazzang's KSS “service” runs in the GoGrid clouds
  – East and West currently
  – Highly available, using F5
• Solution for
  – “Where do I store my key?”
• Multiple layers of security ensure that your key is protected and available when you need it.

Page 10: Essentials of PCI Assessment

PCI Security Problems Gazzang Helps Solve

• Unauthorized attempts to read data off the database files
• Theft of the data files
• Tampering with data
• Protection of data on tapes and backups
• Data at rest - protecting disks
  – In case physical hardware is stolen or incorrectly disposed of
• Key protection
  – Automated, zero-maintenance key management
• Encrypts, protects and secures MySQL


Page 11: Essentials of PCI Assessment


The PCI “12”

1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Systems should be tested to ensure security is maintained over time and through changes
12. Maintain an information security policy

Page 12: Essentials of PCI Assessment


1 Install and maintain a firewall

GoGrid
• Fortinet firewall
  – 100,000 concurrent sessions
  – Unlimited IP addresses on a trusted interface
  – Choice of one VPN: SSL, site-to-site or IPSec
  – Ability to add additional VPNs at any time
• Cisco ASA 5510 dedicated hardware firewall

The Auditor will inspect
• System/firewall configurations
• Your network diagram

Page 13: Essentials of PCI Assessment


2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.

• GoGrid
  – The root account for the cloud server is assigned a strong password
• Gazzang
  – The MySQL Linux account has a strong initial password
  – Only the local mysql root is created
  – A strong initial password is enforced
  – The MySQL configuration is secured
  – Added access file protection
• The Auditor will
  – Interview staff, review documentation, view the setup

Page 14: Essentials of PCI Assessment


3 Protect stored data

Gazzang allows you to
• Encrypt the entire database
• Encrypt individual tables
• Encrypt related files (log files)
• Control who can decrypt the data, beyond normal database and file system protections
• Manage and secure keys

Page 15: Essentials of PCI Assessment


3 Protect stored data

The Auditor
• For Requirement 3 the auditor looks at the entire lifecycle of the data: card data, authentication data, the key management that protects the data, verification codes and much more.

You
• Will need to document, explain and show that process to the auditor.
  – Within Requirement 3, sections 3.4 (rendering stored PAN unreadable), 3.5 (protecting keys) and 3.6 (key management procedures) are often the trickiest.

Copyright © 2009 Anue Systems, Inc. -- CONFIDENTIAL

Page 16: Essentials of PCI Assessment


3 Protect stored data

Gazzang ezNcrypt helps
Access control
• Only authorized users running authorized applications can decrypt cardholder data.
• 3.4.1.a: If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms.


Page 17: Essentials of PCI Assessment


3 Protect stored data

Gazzang ezNcrypt helps
Secure key management procedures
• PCI 3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse
• PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
• 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys, using ezNcrypt

Page 18: Essentials of PCI Assessment


4 Encrypt transmission of cardholder data across public networks

• You
  – Verify the use of encryption (for example, SSL/TLS or IPSec) wherever cardholder data is transmitted or received over open, public networks
  – Use MySQL SSL
  – Require SSL connections in the MySQL access control settings for any “remote” user
• GoGrid
  – Provides tools to implement SSL, site-to-site or IPSec VPNs
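As an added example, not from the deck, the statements below carry out the "require SSL connections for any remote user" step on MySQL 5.5 and produce the audit output that shows it holds. The certificate paths and the account names orderapp and dbadmin are placeholders chosen for illustration.

```sql
-- Added example, not from the deck: enforce and verify TLS for remote MySQL clients (5.5 syntax).
-- Assumed server-side settings in my.cnf (paths are placeholders):
--   [mysqld]
--   ssl-ca   = /etc/mysql/certs/ca.pem
--   ssl-cert = /etc/mysql/certs/server-cert.pem
--   ssl-key  = /etc/mysql/certs/server-key.pem

-- 1. Confirm the server actually has SSL enabled.
--    have_ssl must be YES; DISABLED means compiled in but no certificates were loaded.
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'ssl_%';

-- 2. Require an encrypted connection for every account that connects from a remote host.
--    GRANT USAGE ... REQUIRE changes only the connection requirement, not the privileges.
GRANT USAGE ON *.* TO 'orderapp'@'10.1.0.%' REQUIRE SSL;
-- Stronger: the client must also present a certificate issued by the server's CA.
GRANT USAGE ON *.* TO 'dbadmin'@'10.1.0.%' REQUIRE X509;
FLUSH PRIVILEGES;

-- 3. Audit: any non-local account that may still connect in the clear.
--    Expect an empty result set; keep the query and its output as assessor evidence.
SELECT User, Host, ssl_type
  FROM mysql.user
 WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')
   AND ssl_type = '';

-- 4. From a client session, prove the connection in use is encrypted:
--    Ssl_cipher is empty on a cleartext connection.
SHOW STATUS LIKE 'Ssl_cipher';
```

REQUIRE SSL guarantees only that the connection is encrypted. A 5.5 client that connects with --ssl but without --ssl-ca and --ssl-verify-server-cert accepts any server certificate, so the client side needs those options too when the goal is protection against an interposed server rather than only against passive capture on the network.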

Page 19: Essentials of PCI Assessment


4 Encrypt transmission of cardholder data across public networks

Gazzang
• Cloud storage sends data across the network to the storage back end
• With ezNcrypt your critical data is encrypted before it moves into the physical file system
  – All data written by ezNcrypt is therefore already encrypted as it crosses the network or passes through other devices that could be monitored or tapped
  – This covers the path between the database host and its storage, not the client connection to MySQL, which still needs SSL/TLS as on the previous slide

Page 20: Essentials of PCI Assessment


5 Use and regularly update anti-virus software

The Auditor will
• Verify that all OS types commonly affected by malicious software have anti-virus software implemented

You
• Make sure AV is set up and deployed properly

GoGrid
• Optional Cisco Adaptive Security Appliance firewall - offers anti-virus protection
  – A network-edge scan complements, but does not replace, host-based anti-virus on the systems the requirement covers

Page 21: Essentials of PCI Assessment


6 Develop and maintain secure systems and applications

• Gazzang helps by
  – Adding a new layer of security
  – Making the system more secure as installed
  – Having you download the latest MySQL version
  – Securing the configuration and protecting the data and logs
• GoGrid
  – The base GoGrid cloud server images are clean
  – Free from malware or viruses
  – Free from undesirable “products” or “services”

Page 22: Essentials of PCI Assessment


7 Restrict access to data by business need-to-know

• Gazzang
  – Helps meet this by restricting access using encryption, key control, and application-only access controls
  – Linux users can't read the data; only MySQL can
• GoGrid
  – Strong initial root password
  – Allows customers to manage local server credentials themselves

Page 23: Essentials of PCI Assessment


8 Assign a unique ID to each person with computer access

• You
  – Need to manage your users
  – Create a unique login for each user with access to the server
  – Create unique accounts within MySQL and Linux
  – Limit access to only what the account requires
• The Auditor
  – Will want reports on each of the systems: who has access, and with what authentication methods
  – Will verify documentation on processes and procedures
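As an added example, not from the deck, this is what the "unique accounts within MySQL" and "limit access to what the account requires" steps look like as MySQL 5.5 statements, for both Requirement 7 (need-to-know) and Requirement 8 (unique IDs), together with the queries that produce the per-account reports the assessor asks for. The database carddb, its tables orders and cards, the column names, and the user and host values are all assumed for illustration.

```sql
-- Added example, not from the deck: per-person accounts with need-to-know grants (MySQL 5.5).
-- carddb, orders, cards, the columns and all user/host values are assumed for illustration.

-- Requirement 8: one account per human, tied to where they connect from; no shared logins.
CREATE USER 'jsmith'@'10.1.0.%'   IDENTIFIED BY 'unique-long-passphrase-for-jsmith';
CREATE USER 'mfrank'@'10.1.0.%'   IDENTIFIED BY 'unique-long-passphrase-for-mfrank';
-- The application gets its own non-human account, pinned to the app server's address.
CREATE USER 'orderapp'@'10.1.0.5' IDENTIFIED BY 'separate-secret-for-the-app';

-- Requirement 7: grant only what each role needs; nobody gets ALL PRIVILEGES on carddb.
GRANT SELECT, INSERT, UPDATE ON carddb.orders TO 'orderapp'@'10.1.0.5';
-- Column-level grant: the app may read the masked fields but not the encrypted PAN column.
GRANT SELECT (order_id, last4, exp_month, exp_year) ON carddb.cards TO 'orderapp'@'10.1.0.5';
-- A support analyst can read orders and nothing in the cards table.
GRANT SELECT ON carddb.orders TO 'jsmith'@'10.1.0.%';
-- The DBA manages the schema but gets no SUPER (can switch logging off) and no FILE
-- (SELECT ... INTO OUTFILE would write plaintext copies of a table to disk).
GRANT CREATE, ALTER, INDEX, DROP ON carddb.* TO 'mfrank'@'10.1.0.%';
FLUSH PRIVILEGES;

-- Audit for the assessor: accounts holding global privileges that bypass table-level controls.
SELECT User, Host, Super_priv, File_priv, Grant_priv, Select_priv
  FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y' OR Select_priv = 'Y';

-- Audit: exactly which accounts can touch the cardholder table, and at what granularity.
SELECT Host, User, Table_priv, Column_priv
  FROM mysql.tables_priv
 WHERE Db = 'carddb' AND Table_name = 'cards';
SELECT Host, User, Column_name, Column_priv
  FROM mysql.columns_priv
 WHERE Db = 'carddb' AND Table_name = 'cards';

-- Per-account report, one per person, to attach to the Requirement 8 evidence.
SHOW GRANTS FOR 'jsmith'@'10.1.0.%';
```

MySQL 5.5 has no password expiry or lockout, so the 90-day change (8.5.9) and lockout after six failed attempts (8.5.13) have to be enforced procedurally or by the OS and VPN layer in front of the database. The Linux side of the same requirement is a personal account per administrator with sudo rather than a shared root login, and the two user lists should be reconciled against each other for the "who has access" report.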

Page 24: Essentials of PCI Assessment


8 Assign a unique ID to each person with computer access

• 8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
• GoGrid
  – GoGrid provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
  – Two-factor: require both a user/password (something you know) and a certificate (something you have)

Page 25: Essentials of PCI Assessment


9 Restrict physical access to cardholder data

• The 3 Gs - Guards, Guns, and Gates
  – Access to physical equipment
• GoGrid
  – Sets the security bar high in this area
  – GoGrid's facility is SAS 70 Type II audited
  – Physical equipment is monitored by guards
  – Access is highly restricted by electronic IDs and other physical means
  – Three forms of authentication are required to get access

Page 26: Essentials of PCI Assessment


10 Track and monitor all access to network resources and cardholder data

• You
  – Will need to show the auditor that you have the process to collect, track, and monitor your environment
• GoGrid
  – Tracks and monitors up to the boundary of the customer's environment
• The Auditor
  – Will inspect all of the above
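As an added example, not from the deck, the statements below turn on the server-side record of database access that this requirement asks you to be able to show, and query it for the cardholder table. They use MySQL 5.5's general query log (the community 5.5 server has no audit plugin); the table name carddb.cards is assumed for illustration.

```sql
-- Added example, not from the deck: make database access to cardholder data traceable (MySQL 5.5).
-- carddb.cards is an assumed table name.

-- 1. Write the general query log to a table so it can be queried and access-controlled.
--    Persist the same settings in my.cnf ([mysqld] general_log=1, log_output=TABLE)
--    so a restart does not silently switch logging off.
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';

-- 2. Failed logins are not in the general log; with log_warnings > 1 the server writes
--    "Access denied" events for new connections to the error log (10.2.4).
SET GLOBAL log_warnings = 2;

-- 3. Reports for the assessor (10.2.1, 10.3): who connected from where, and every
--    statement that touched the cardholder table, with its timestamp.
SELECT event_time, user_host
  FROM mysql.general_log
 WHERE command_type = 'Connect'
 ORDER BY event_time;

SELECT event_time, user_host, command_type, argument
  FROM mysql.general_log
 WHERE command_type = 'Query'
   AND argument LIKE '%cards%'
 ORDER BY event_time;

-- 4. Only the security/logging role should read the log: no application account may
--    hold SELECT on the mysql schema. Expect only administrative accounts here.
SELECT Host, User FROM mysql.db WHERE Db = 'mysql' AND Select_priv = 'Y';
SELECT Host, User FROM mysql.user WHERE Select_priv = 'Y';

-- 5. Monthly rotation (10.7 asks for a year of history): swap the table out while logging
--    is paused, since the active general_log table cannot be renamed.
SET GLOBAL general_log = 'OFF';
RENAME TABLE mysql.general_log TO mysql.general_log_2011_11;
CREATE TABLE mysql.general_log LIKE mysql.general_log_2011_11;
SET GLOBAL general_log = 'ON';
```

The general log stores statements verbatim, so an INSERT that passes a card number as a literal puts the PAN in plaintext into the log table, which is then itself stored cardholder data under Requirement 3. Keep the log table's file (general_log.CSV in the MySQL data directory) under the same encryption the deck applies to the data and log files, restrict who can read it as in step 4, and do not replicate it to a log collector outside the cardholder data environment.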

Page 27: Essentials of PCI Assessment


11 Systems should be tested to ensure security is maintained over time and through changes

• GoGrid
  – Images are reviewed and updated regularly
  – GoGrid allows customers to maintain images of their servers
• Gazzang
  – Starts from the GoGrid image
  – Protects MySQL's files, increasing your security level

Page 28: Essentials of PCI Assessment


12 Maintain an Information Security Policy

• You
  – Establish, publish, maintain, and disseminate a security policy
• Auditors
  – Will examine this information and see that it addresses all of the PCI requirements

Page 29: Essentials of PCI Assessment


Have your documentation ready

• Network diagram
• PCI policies and standards
• Documentation
  – Antivirus
  – Internal/external scans
  – Logging and monitoring
  – Penetration test results
  – System configurations

Page 30: Essentials of PCI Assessment


Design a Secure System and Diagram your Credit Card Dataflow

(Dataflow diagram: Consumer -> Web Site -> Card Processing -> Merchant Bank -> Cardholder Bank)

Page 31: Essentials of PCI Assessment


GoGrid Components

• Load balancers
  – GoGrid F5
• Cloud servers
  – GoGrid web/app servers
  – Gazzang ezNcrypt for MySQL
• Dedicated servers
  – Include Gazzang ezNcrypt
• Hardware firewalls
  – GoGrid Fortinet or Cisco ASA

Page 32: Essentials of PCI Assessment


Create a List

Critical Hardware and Software

Product Name        Model and Version   Function/Use
Fortinet            x.y                 Firewall
Ubuntu              10.10               Operating System
…                   …                   …
MySQL Server        5.5.6               Database
Gazzang ezNcrypt    1.8.2               Database Encryption and Protection

Page 33: Essentials of PCI Assessment


Conclusion

• There are many steps to PCI
• PCI provides the groundwork for broader security “best practices”
• Gazzang's ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
• GoGrid provides a secure infrastructure for running PCI workloads

Thanks for your time

Page 34: Essentials of PCI Assessment


Contact Information / Resources

White Paper: http://go.gogrid.com/whitepapers/complying-with-pci
More about Gazzang - www.gazzang.com
More about GoGrid - www.gogrid.com
For more information - [email protected] - [email protected]