Essentials of PCI Assessment: Succeeding with Gazzang
Mike Frank, Director of Products, Gazzang

Overview
- Benefits of the Cloud
- What to expect: preparing for an audit
- The Gazzang data security solution
- Mapping into the 12 PCI sections
- Examples/ideas before your PCI audit
- Q&A
7/13/2011
Cloud Adoption 101

PCI (Payment Card Industry)
- Created by major credit card issuers to:
  - Protect personal information
  - Ensure security when transactions are processed
- Members of the payment card industry (financial institutions, credit card companies and merchants) are required to comply with these standards
- Failure to meet compliance standards can result in:
  - Fines from credit card companies and banks
  - Loss of the ability to process credit cards

PCI DSS
- PCI (Payment Card Industry) DSS (Data Security Standard)
- The PCI assessment process focuses solely on the security of cardholder data:
  - Has the company effectively implemented information security policies and processes?
  - Are there adequate security measures that comply with the requirements to protect cardholder data?

PCI Assessments
- Determine whether you are employing payment industry best practices
- Assessments result in recommendations and remediation to:
  - Processes
  - Procedures
  - System configurations
  - Vulnerabilities
- The "fixes" needed to comply
What is Gazzang's ezNcrypt for MySQL?
- Sits between the storage engine and the file system
- Encrypts data before it hits the disk

Key Storage System (KSS)
- Gazzang's KSS "service" runs in the cloud (East and West)
- Currently highly available; uses F5
- Solution for "Where do I store my key?"
- Multiple layers of security ensure that your key is protected and available when you need it

PCI Security Problems Gazzang Helps Solve
- Unauthorized attempts to read data off the database files
- Theft of the data files
- Tampering with data
- Protection of data on tapes and backups
- Data at rest: protecting disks in case physical hardware is stolen or incorrectly disposed of
- Key protection: automated, zero-maintenance key management
- Encrypts, protects and secures MySQL
The PCI "12"
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords; develop configuration standards
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Systems should be tested to ensure security is maintained over time and through changes
12. Maintain an information security policy

1 Install and maintain a firewall
The auditor will inspect:
- System/firewall configurations
- Your network diagram
Several options:
- Can be provided by the cloud host
- Fortinet firewall
- Cisco ASA 5510 dedicated hardware firewall

2 Do not use vendor-supplied defaults for passwords. Develop configuration standards.
Gazzang:
- The MySQL Linux account has a strong initial password
- Only the local mysql root is created
- A strong initial password is enforced
- The configuration for MySQL is secured
- Added access file protection
The auditor will interview staff, review documentation and view the setup.
3 Protect stored data
Gazzang allows you to:
- Encrypt individual tables
- Encrypt related files (log files)
- Control who can decrypt the data, beyond normal database and file system protections
- Manage and secure keys

3 Protect stored data
The auditor will look at the entire data lifecycle related to card data, authentication data, key management, protecting data, verification codes and much more.
You will need to document, explain and show that process to the auditor.
For Requirement 3, sections 4, 5 and 6 are often the trickiest.

3 Protect stored data
Gazzang ezNcrypt helps: manage access control
- 3.4.1.a: If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms

3 Protect stored data
Gazzang ezNcrypt helps: secure key management procedures
- PCI 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
- 3.6.1: The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt
4 Encrypt transmission of cardholder data across public networks
You:
- Verify the use of encryption (for example, SSL/TLS or IPsec) wherever cardholder data is transmitted or received over open, public networks
- Require SSL connections in the MySQL access control settings for any "remote" user
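Added here as a worked example, not taken from the deck or from Gazzang's product: a small audit script that checks MySQL account rows for the two points an assessor would ask about under slide 2 (only a local root, no anonymous or passwordless accounts) and under this slide (every account that can connect from a remote host must REQUIRE SSL). It assumes the MySQL 5.7/8.0 column names in mysql.user and ALTER USER syntax; the sample rows are constructed.

```python
"""Audit MySQL accounts for Req 2 (no vendor defaults) and Req 4 (remote
accounts must REQUIRE SSL). Hypothetical checker written for this page.
Input is the tab-separated batch output of:
  mysql -B -e "SELECT User, Host, ssl_type, authentication_string FROM mysql.user"
The sample below is constructed, not taken from a real server."""
from dataclasses import dataclass
from typing import List, Tuple

# Host patterns that only match clients on the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in `mysql -B` format: header row, then tab-separated rows.
SAMPLE_TSV = (
    "User\tHost\tssl_type\tauthentication_string\n"
    "root\tlocalhost\t\t*A1B2C3\n"      # fine: local root with a password set
    "root\t%\t\t*A1B2C3\n"              # bad: root reachable from anywhere, no SSL
    "\tlocalhost\t\t\n"                 # bad: anonymous, passwordless account
    "app\t10.0.0.%\tANY\t*D4E5F6\n"     # fine: remote app user that REQUIREs SSL
    "reports\t%\t\t*G7H8I9\n"           # bad: remote user without REQUIRE SSL
)

Finding = Tuple[str, str, str]  # (requirement, account, problem)


@dataclass(frozen=True)
class UserRow:
    user: str
    host: str
    ssl_type: str               # '' means no REQUIRE clause; ANY/X509/SPECIFIED otherwise
    authentication_string: str  # '' means no password has been set


def parse_batch_output(text: str) -> List[UserRow]:
    """Parse `mysql -B` output: first line is the header, fields are tab-separated."""
    lines = text.splitlines()
    expected = ["User", "Host", "ssl_type", "authentication_string"]
    if not lines or lines[0].split("\t") != expected:
        raise ValueError(f"unexpected header, want {expected}")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"malformed row: {line!r}")
        rows.append(UserRow(*fields))
    return rows


def is_remote(host: str) -> bool:
    """Any host pattern other than the loopback names can match a remote client."""
    return host not in LOCAL_HOSTS


def audit(rows: List[UserRow]) -> List[Finding]:
    """Return one finding per violated rule; an empty list means the rows are clean."""
    findings: List[Finding] = []
    for r in rows:
        acct = f"'{r.user}'@'{r.host}'"
        if r.user == "":
            findings.append(("req2", acct, "anonymous account present"))
        if r.authentication_string == "":
            findings.append(("req2", acct, "no password set"))
        if r.user == "root" and is_remote(r.host):
            findings.append(("req2", acct, "root may log in from a remote host"))
        if is_remote(r.host) and r.ssl_type == "":
            findings.append(("req4", acct, "remote account does not REQUIRE SSL"))
    return findings


def remediation_sql(findings: List[Finding]) -> List[str]:
    """Statements for an administrator to review before running (MySQL 5.7+ syntax).
    Accounts that should not exist are dropped; other accounts get fixed in place."""
    dropped = {acct for _, acct, problem in findings
               if problem in ("anonymous account present",
                              "root may log in from a remote host")}
    stmts = [f"DROP USER {acct};" for acct in sorted(dropped)]
    for req, acct, problem in findings:
        if acct in dropped:
            continue
        if problem == "no password set":
            stmts.append(f"ALTER USER {acct} IDENTIFIED BY '<strong-password>';")
        elif req == "req4":
            stmts.append(f"ALTER USER {acct} REQUIRE SSL;")
    return stmts


if __name__ == "__main__":
    found = audit(parse_batch_output(SAMPLE_TSV))
    for req, acct, problem in found:
        print(f"{req}: {acct}: {problem}")
    print("\n".join(remediation_sql(found)))
```

Pipe the real `mysql -B` output into `parse_batch_output` to run the same checks against your own server; the generated statements are suggestions to review, not to execute blindly.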
4 Encrypt transmission of cardholder data across public networks
Gazzang:
- Cloud data storage in cloud systems sends data across the network to storage
- With ezNcrypt your critical data is encrypted before it moves into the physical file system; all data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped

5 Use and regularly update anti-virus software
The auditor will verify that all OS types commonly affected by malicious software have anti-virus software implemented.
You: make sure AV is set up and deployed properly.

6 Develop and maintain secure systems and applications
Gazzang:
- Adds a new layer of security; as-is, the system is more secure
- You will be downloading the latest MySQL version
- We will secure the configuration and protect the data and logs

7 Restrict access to data by business need-to-know
Gazzang helps meet this by restricting access using encryption, key control and application-only access controls: Linux users can't read the data, only MySQL can.
You: ensure that the cloud host allows customers to manage local server credentials themselves.

8 Assign a unique ID to each person with computer access
You need to manage your users:
- Create a unique login for each user with access to the server
- Create unique accounts within MySQL and Linux
- Limit access to only what the account requires
The auditor will:
- Want reports on each of the systems
- Want to know who has access and what authentication methods are used
- Verify documentation on processes and procedures

8 Assign a unique ID to each person with computer access
8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
You:
- Ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site or IPsec VPNs
- Two-factor: requiring user/password and certificate

Más contenido relacionado

La actualidad más candente

PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance EvolvedSafeNet
 
Wave 14 - Winodws 7 Security Story Core by MVP Azra Rizal
Wave 14 - Winodws 7 Security Story Core by MVP Azra RizalWave 14 - Winodws 7 Security Story Core by MVP Azra Rizal
Wave 14 - Winodws 7 Security Story Core by MVP Azra RizalQuek Lilian
 
How to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMHow to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
Otx introduction sw
Otx introduction swOtx introduction sw
Otx introduction swAlienVault
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security IntroductionGLC Networks
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health Monitor
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health MonitorNagios Conference 2014 - Sean Falzon - Nagios as a PC Health Monitor
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health MonitorNagios
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVaultAlienVault
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsImperva
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Mukesh Chinta
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security IssuesHTS Hosting
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Securityamiable_indian
 

La actualidad más candente (20)

PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance Evolved
 
Wave 14 - Winodws 7 Security Story Core by MVP Azra Rizal
Wave 14 - Winodws 7 Security Story Core by MVP Azra RizalWave 14 - Winodws 7 Security Story Core by MVP Azra Rizal
Wave 14 - Winodws 7 Security Story Core by MVP Azra Rizal
 
How to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USMHow to Simplify PCI DSS Compliance with AlienVault USM
How to Simplify PCI DSS Compliance with AlienVault USM
 
Otx introduction sw
Otx introduction swOtx introduction sw
Otx introduction sw
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security Introduction
 
Database security
Database securityDatabase security
Database security
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health Monitor
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health MonitorNagios Conference 2014 - Sean Falzon - Nagios as a PC Health Monitor
Nagios Conference 2014 - Sean Falzon - Nagios as a PC Health Monitor
 
Database security issues
Database security issuesDatabase security issues
Database security issues
 
Configuring Data Sources in AlienVault
Configuring Data Sources in AlienVaultConfiguring Data Sources in AlienVault
Configuring Data Sources in AlienVault
 
SIEM
SIEMSIEM
SIEM
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 
Windows 7 by microsoft
Windows 7 by microsoft Windows 7 by microsoft
Windows 7 by microsoft
 
Database security
Database securityDatabase security
Database security
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
The Top Cloud Security Issues
The Top Cloud Security IssuesThe Top Cloud Security Issues
The Top Cloud Security Issues
 
Database Systems Security
Database Systems SecurityDatabase Systems Security
Database Systems Security
 

Similar a Gazzang pci v1[1]

Essentials of PCI Assessment
Essentials of PCI AssessmentEssentials of PCI Assessment
Essentials of PCI Assessment Gazzang
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardmanojghimiray
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment QuestionnairePriyanka Aash
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security EnhancementsPresentologics
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2ControlCase
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxMohammad512578
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersJiri Danihelka
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysisCARMEN ALCIVAR
 
Taking the Pain out of PCI Compliance
Taking the Pain out of PCI ComplianceTaking the Pain out of PCI Compliance
Taking the Pain out of PCI ComplianceTripwire
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Mukesh Chinta
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014Luong Trung Thanh
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonUlf Mattsson
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance -  Delving Deeper In The StandardPCI Compliance -  Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardJohn Bedrick
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS Nhat Phan Canh
 
Microsoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And ControlMicrosoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And ControlMicrosoft TechNet
 

Similar a Gazzang pci v1[1] (20)

Essentials of PCI Assessment
Essentials of PCI AssessmentEssentials of PCI Assessment
Essentials of PCI Assessment
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire3rd Party Outsourcing Information Security Assessment Questionnaire
3rd Party Outsourcing Information Security Assessment Questionnaire
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security Enhancements
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
 
CSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptxCSE_Instructor_Materials_Chapter7.pptx
CSE_Instructor_Materials_Chapter7.pptx
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Security hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developersSecurity hardening and drown attack prevention for mobile backend developers
Security hardening and drown attack prevention for mobile backend developers
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysis
 
Taking the Pain out of PCI Compliance
Taking the Pain out of PCI ComplianceTaking the Pain out of PCI Compliance
Taking the Pain out of PCI Compliance
 
Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2Cisco cybersecurity essentials chapter - 2
Cisco cybersecurity essentials chapter - 2
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
PCI-DSS Experience- Phan Canh Nhat Present on 13/11/2014
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance -  Delving Deeper In The StandardPCI Compliance -  Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The Standard
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS
 
Microsoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And ControlMicrosoft Windows 7 Enhanced Security And Control
Microsoft Windows 7 Enhanced Security And Control
 

Último

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Último (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Gazzang pci v1[1]

  • 1. Essentials of PCI AssessmentSucceeding with Gazzang Mike Frank, Director of Products, Gazzang
  • 2. Overview Benefits of the Cloud What to expect - preparing for an audit The Gazzang data security solution Mapping into the 12 PCI sections Examples/Ideas before your PCI Audit Q&A 7/13/2011
  • 3. Cloud Adoption 101 7/13/2011
  • 4. PCI (Payment Card Industry) Created by major credit card issuers to  Protect personal information  Ensure security when transactions are processed  Members of the payment card industry are financial institutions, credit card companies and merchants Required to comply with these standards Failure to meet compliance standards can result in Fines from credit card companies and banks Loss of the ability to process credit cards. 7/13/2011
  • 5. PCI PCI (Payment Card Industry) DSS (Data Security Standard) The PCI assessment process focuses solely on the security of cardholder data Has a company effectively implemented information security policies and processes? Are there adequate security measures that comply with the requirements to protect cardholder data? 7/13/2011
  • 6. PCI Assessments Determine if you are employing payment industry best-practices Assessment result in Recommendations & Remediation to Processes Procedures System configurations Vulnerabilities The “Fixes” needed to comply 7/13/2011
  • 7.
  • 8. Sits between the storage engine and file system
  • 9. Encrypts data before it hits the disk.7/13/2011
  • 10. Key Storage System (KSS) Gazzangs KSS “service” runs in the Cloud East and West Currently Highly Available – uses F5 Solution for “Where do I store my key?” Multiple layers of security ensure that your key is protected and available when you need it. 7/13/2011 8
  • 11. PCI Security Problems Gazzang Helps Solve Unauthorized attempts to read data off the database files Theft of the data files Tampering of data Protection of data on tapes and backups Data at Rest - Protecting disks In case physical hardware is stolen or incorrectly disposed Key Protection Automated, Zero Maintenance Key Management Encrypts, Protects and Secures MySQL 7/13/2011
  • 12. The PCI “12”
      1. Install and maintain a firewall
      2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      3. Protect stored data
      4. Encrypt transmission of cardholder data across public networks
      5. Use and regularly update anti-virus software
      6. Develop and maintain secure systems and applications
      7. Restrict access to data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
      10. Track and monitor all access to network resources and cardholder data
      11. Systems should be tested to ensure security is maintained over time and through changes
      12. Maintain an information security policy
  • 13. 1. Install and maintain a firewall
      The auditor will inspect: system/firewall configurations; your network diagram.
      Several options: can be provided by the cloud host; Fortinet firewall; Cisco ASA 5510 dedicated hardware firewall.
  • 14. 2. Do not use vendor-supplied defaults for passwords. Develop configuration standards.
      Gazzang: the MySQL Linux account has a strong initial password; only the local mysql root is created; a strong initial password is enforced; the configuration for MySQL is secured; added access file protection.
      The auditor will: interview staff, review documentation, view the setup.
  • 17. Encrypt related files (log files)
  • 18. Control who can decrypt the data, beyond normal database and file system protections.
  • 19. Manage and secure keys
  • 20. 3. Protect stored data
      The auditor will look at the entire data lifecycle related to card data, authentication data, key management, protecting data, verification codes and much more.
      You will need to document, explain and show that process to the auditor.
      For Req 3, sections 4, 5 and 6 are often the trickiest.
  • 22. 3.4.1.a If disk encryption is used, verify that logical access to encrypted file systems is implemented via a mechanism that is separate from the native OS mechanisms
  • 24. PCI 3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
  • 25. 3.6.1 - The auditor can verify that procedures are implemented that require automated generation of strong keys using ezNcrypt
  • 26. 4. Encrypt transmission of cardholder data across public networks
      You: verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks; require SSL connections in the MySQL access control settings for any “remote” user.
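As an added example (not Gazzang's or the slides' own code), the check behind slide 14's "only local mysql root" and slide 26's "require SSL for any remote user": a POSIX shell audit of a mysql.user dump that flags the vendor-default accounts Req 2 warns about (anonymous users, root reachable from any host) and every non-local account that lacks REQUIRE SSL under Req 4. The dump format, the sample accounts and their hosts are constructed assumptions; the emitted ALTER USER ... REQUIRE SSL syntax is MySQL 5.7+/8.0.

```shell
#!/bin/sh
# Added example, not Gazzang's code: audit MySQL accounts for PCI Req 2
# (no vendor defaults: anonymous users, root reachable remotely) and
# Req 4 (every non-local account must REQUIRE SSL).
# Assumed input: tab-separated "user<TAB>host<TAB>ssl_type" lines, the
# shape produced by: mysql -N -e "SELECT user, host, ssl_type FROM mysql.user"

# Constructed sample dump (assumption, not taken from a real server).
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
  root   localhost  '' \
  root   '%'        '' \
  ''     localhost  '' \
  app    '10.0.0.%' ANY \
  report 10.0.1.5   '')

# Reads the dump on stdin; prints one finding per line as
# "<requirement>\t'user'@'host'\t<issue>".  Local-only hosts
# (localhost, 127.0.0.1, ::1) are exempt from the SSL rule.
audit_mysql_accounts() {
  awk -F'\t' -v q="'" '
    {
      user = $1; host = $2; ssl = $3
      acct = q user q "@" q host q
      is_local = (host == "localhost" || host == "127.0.0.1" || host == "::1")
      if (user == "")
        printf "2\t%s\tanonymous account\n", acct
      if (user == "root" && !is_local)
        printf "2\t%s\troot reachable remotely\n", acct
      if (!is_local && ssl == "")
        printf "4\t%s\tremote account without REQUIRE SSL\n", acct
    }'
}

# Reads the dump on stdin; emits the MySQL 5.7+/8.0 statements that fix
# the Req 4 findings.  Req 2 findings are left for manual review, since
# the right fix there is usually DROP USER rather than adding SSL.
ssl_remediation_sql() {
  audit_mysql_accounts | awk -F'\t' '$1 == "4" { printf "ALTER USER %s REQUIRE SSL;\n", $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_USERS" | audit_mysql_accounts
printf '%s\n' "$SAMPLE_USERS" | ssl_remediation_sql
```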
  • 27. 4. Encrypt transmission of cardholder data across public networks
      Gazzang: cloud data storage in cloud systems sends data across the network to storage. With ezNcrypt your critical data is encrypted before it moves into the physical file system, so all data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped.
  • 28. 5. Use and regularly update anti-virus software
      The auditor will verify that all OS types commonly affected by malicious software have anti-virus software implemented.
      You: make sure AV is set up and deployed properly.
  • 29. 6. Develop and maintain secure systems and applications
      Gazzang: adding a new layer of security; as-is the system is more secure; you will be downloading the latest MySQL version; we will secure the configuration and protect the data and logs.
  • 30. 7. Restrict access to data by business need-to-know
      Gazzang helps meet this by restricting access using encryption, key control, and application-only access controls: Linux users can’t read the data, only MySQL can.
      You: ensure that the cloud host allows customers to manage local server credentials themselves.
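An added example (not Gazzang's code) of the operating-system check behind “Linux users can't read the data, only MySQL”: a POSIX shell audit that lists anything under a MySQL datadir that other Linux accounts could read, checks ownership against the service account, and applies the permission fix. The datadir is a constructed temporary tree standing in for /var/lib/mysql (assumption); this file-mode check complements, and does not replace, the encryption and key control the slide describes.

```shell
#!/bin/sh
# Added example, not Gazzang's code: the operating-system side of
# "Linux users can't read the data, only MySQL" for PCI Req 7.  It lists
# everything under a MySQL datadir that a non-owner could read, checks
# ownership, and shows the permission fix.  The datadir used here is a
# constructed temporary tree standing in for /var/lib/mysql (assumption).

# Prints the path of every entry whose group or other read bit is set,
# sorted.  Only POSIX find predicates are used.
datadir_readable_by_others() {
  find "$1" \( -perm -040 -o -perm -004 \) | sort
}

# Prints every entry under the datadir not owned by the expected account
# (the service account MySQL runs as, normally "mysql").
datadir_owner_mismatch() {
  find "$1" ! -user "$2" | sort
}

# Remediation: strip group/other bits from the whole tree, so only the
# owning service account (and root) can open the files.
harden_datadir() {
  chmod -R go-rwx "$1"
}

# Constructed fixture: a temporary datadir with one correctly protected
# file and two files that leak to other Linux accounts.  Prints its path.
make_demo_datadir() {
  d=$(mktemp -d)
  mkdir "$d/cardholder"
  : > "$d/ibdata1";            chmod 600 "$d/ibdata1"
  : > "$d/cardholder/pan.ibd"; chmod 640 "$d/cardholder/pan.ibd"
  : > "$d/binlog.000001";      chmod 644 "$d/binlog.000001"
  chmod 700 "$d" "$d/cardholder"
  printf '%s\n' "$d"
}

DEMO_DATADIR=$(make_demo_datadir)
echo "Readable by other Linux accounts before hardening:"
datadir_readable_by_others "$DEMO_DATADIR"
harden_datadir "$DEMO_DATADIR"
echo "After hardening (expected: nothing listed):"
datadir_readable_by_others "$DEMO_DATADIR"
rm -rf "$DEMO_DATADIR"
```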
  • 31. 8. Assign a unique ID to each person with computer access
      You need to manage your users: create a unique login for each user with access to the server; create unique accounts within MySQL and Linux; limit access to only what the account requires.
      The auditor will: want reports on each of the systems; want to know who has access and what authentication methods are used; verify documentation on processes and procedures.
  • 32. 8. Assign a unique ID to each person with computer access
      8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
      You: ensure your cloud host provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs. Two-factor: requiring user/password and certificate.
  • 33. 9. Restrict physical access to cardholder data
      The 3 Gs: guards, guns, and gates. Access to physical equipment.
      You: ensure that your cloud host takes security measures to maintain the integrity of hardware and facility; certification; multiple forms of authentication to gain access.
  • 34. 10. Track and monitor all access to network resources and cardholder data
      You will need to show the auditor that you have the process to collect, track, and monitor your environment; ensure that the cloud host tracks and monitors up to the customer's environment.
      The auditor will inspect all of the above.
  • 35. 11. Systems should be tested to ensure security is maintained over time and through changes
      You: make sure the cloud host reviews and updates images regularly; maintain server images locally.
      Gazzang: starts from the cloud host image; protects MySQL’s files, increasing your security level.
  • 36. 12. Maintain an information security policy
      You: establish, publish, maintain, and disseminate a security policy.
      Auditors will examine this information and see that it addresses all of the PCI requirements.
  • 37. Have your documentation ready: network diagram; PCI policies and standards documentation; antivirus; internal/external scans; logging and monitoring; penetration test results; system configurations.
  • 38. Design a secure system and diagram your credit card dataflow (diagram entities: Web Site, Consumer, Card Processing, Merchant Bank, Cardholder Bank)
  • 45. Conclusion: there are many steps to PCI compliance; PCI provides the groundwork for broader security “best practices”; Gazzang’s ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution.
  • 46. Contact Information / Resources: White Paper http:// ; More about Gazzang - www.gazzang.com ; For more information - info@gazzang.com ; Contact - mike.frank@gazzang.com

Editor's notes

  1. MICHAEL: What GG provides: “Multi-faceted infrastructure”