PCI Compliance with GoGrid and Gazzang
1. Essentials of PCI Assessment: Succeeding with GoGrid and Gazzang
Paul Lancaster, Manager Cloud Ecosystem, GoGrid
Mike Frank, Director of Products, Gazzang

2. About GoGrid: A Leader in the IaaS Market
- The #1 “pure-play” IaaS provider in the world
- Strong track record of “first-to-market” features
- World-class platform for infrastructure management
- Over 10,000 customers across all industries
- GoGrid owns 100% of its IP; GoGrid is not a reseller
- Extensible IP and technology platform
- Lower cost of goods, margin control
- Recognition: “Top 10 Best Cloud Computing Providers”, “Market Leader”, “Visionary” (Magic Quadrant), “10 Cloud Computing Companies to Watch”
4. Overview
- What to expect: preparing for an audit
- The GoGrid and Gazzang combined solution
- Mapping into the 12 PCI sections
- Examples/ideas before your PCI audit
- Q&A
6/21/2011

5. PCI (Payment Card Industry)
- Created by major credit card issuers to protect personal information and to ensure security when transactions are processed
- Members of the payment card industry (financial institutions, credit card companies and merchants) are required to comply with these standards
- Failure to meet compliance standards can result in fines from credit card companies and banks, and loss of the ability to process credit cards

6. PCI DSS
- PCI (Payment Card Industry) DSS (Data Security Standard)
- The PCI assessment process focuses solely on the security of cardholder data
- Has the company effectively implemented information security policies and processes?
- Are there adequate security measures that comply with the requirements to protect cardholder data?

7. PCI Assessments
- Determine whether you are employing payment industry best practices
- An assessment results in recommendations and remediation to processes, procedures, system configurations and vulnerabilities: the “fixes” needed to comply

12. PCI Security Problems Gazzang Helps Solve
- Unauthorized attempts to read data off the database files
- Theft of the data files
- Tampering with data
- Protection of data on tapes and backups
- Data at rest: protecting disks in case physical hardware is stolen or incorrectly disposed of
- Key protection: automated, zero-maintenance key management
- Encrypts, protects and secures MySQL
Gazzang - All rights reserved 2011

13. The PCI “12”
- 1. Install and maintain a firewall
- 2. Do not use vendor-supplied defaults for passwords; develop configuration standards
- 3. Protect stored data
- 4. Encrypt transmission of cardholder data across public networks
- 5. Use and regularly update anti-virus software
- 6. Develop and maintain secure systems and applications
- 7. Restrict access to data by business need-to-know
- 8. Assign a unique ID to each person with computer access
- 9. Restrict physical access to cardholder data
- 10. Track and monitor all access to network resources and cardholder data
- 11. Systems should be tested to ensure security is maintained over time and through changes
- 12. Maintain an information security policy
14. Requirement 1: Install and maintain a firewall
GoGrid:
- Fortinet firewall: 100,000 concurrent sessions, unlimited IP addresses on a trusted interface, choice of one VPN (SSL, site-to-site or IPSec), ability to add additional VPNs at any time
- Cisco ASA 5510 dedicated hardware firewall
The auditor will inspect:
- System/firewall configurations
- Your network diagram

15. Requirement 2: Do not use vendor-supplied defaults for passwords; develop configuration standards
GoGrid:
- The root account for the cloud server is assigned a strong password
Gazzang:
- The MySQL Linux account has a strong initial password
- Only a local mysql root is created
- A strong initial password is enforced
- The MySQL configuration is secured
- Added access file protection
The auditor will interview staff, review documentation and view the setup

26. Requirement 4: Encrypt transmission of cardholder data across public networks
You:
- Verify the use of encryption (for example, SSL/TLS or IPsec) wherever cardholder data is transmitted or received over open, public networks
- Use MySQL SSL
- Require SSL connections in the MySQL access control settings for any “remote” user
GoGrid:
- Provides tools to implement SSL, site-to-site or IPSec VPNs
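The slide above says to require SSL in MySQL's access control for every remote user but does not show how. The following statements are an added example, not material from the deck or from GoGrid or Gazzang; the account names, the network ranges and the `cardholder` database are assumed values, and the syntax targets MySQL 5.7 or later.

```sql
-- Added example: make TLS mandatory for every MySQL account that connects over the network.
-- Account names, host ranges and the 'cardholder' schema are assumed values.

-- 1. Confirm the server was built with TLS support and has a certificate loaded.
SHOW VARIABLES LIKE 'have_ssl';     -- expect YES (deprecated in newer releases but still reported)
SHOW VARIABLES LIKE 'ssl_cert';     -- path to the server certificate; empty means TLS is not configured

-- 2. Application account connecting from the web tier: an encrypted channel is required.
CREATE USER 'web_app'@'10.0.2.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON cardholder.* TO 'web_app'@'10.0.2.%';

-- 3. Remote administrator: stronger still, the client must present a certificate
--    signed by a CA the server trusts (mutual TLS), not just use an encrypted channel.
CREATE USER 'dba_remote'@'10.0.1.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  REQUIRE X509;
GRANT ALL PRIVILEGES ON cardholder.* TO 'dba_remote'@'10.0.1.%';

-- 4. A localhost-only account never crosses a public network, so no REQUIRE clause is needed.
CREATE USER 'batch_local'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON cardholder.* TO 'batch_local'@'localhost';

-- 5. Server-wide backstop: refuse any unencrypted TCP connection regardless of account
--    (MySQL 5.7.8+; set require_secure_transport=ON in my.cnf so it survives a restart).
SET GLOBAL require_secure_transport = ON;

-- 6. Check an assessor can re-run: any non-localhost account with an empty ssl_type
--    is allowed to connect in the clear and should be fixed. Expected result: no rows.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host <> 'localhost' AND ssl_type = '';

-- 7. From a client session, prove the connection actually negotiated TLS.
SHOW SESSION STATUS LIKE 'Ssl_cipher';  -- a non-empty cipher name means the session is encrypted
```

The per-account `REQUIRE` clause and the global `require_secure_transport` setting overlap on purpose: the first survives if someone later relaxes the server variable, and the second catches any account created without the clause. Keep the query in step 6 in your evidence pack, since it answers the auditor's question directly.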
27. Requirement 4 (continued): Encrypt transmission of cardholder data across public networks
Gazzang:
- Cloud data storage in cloud systems sends data across the network to storage
- With ezNcrypt your critical data is encrypted before it moves into the physical file system: all data from ezNcrypt is encrypted across the network or through other devices that could be monitored or tapped

28. Requirement 5: Use and regularly update anti-virus software
The auditor will verify that all OS types commonly affected by malicious software have anti-virus software implemented
You:
- Make sure AV is set up and deployed properly
GoGrid:
- The optional Cisco Adaptive Security Appliance firewall offers anti-virus protection

29. Requirement 6: Develop and maintain secure systems and applications
Gazzang helps by:
- Adding a new layer of security: as-is, the system is more secure
- You will be downloading the latest MySQL version
- We will secure the configuration and protect the data and logs
GoGrid:
- The base GoGrid cloud server images are clean: free from malware or viruses, and free from undesirable “products” or “services”

30. Requirement 7: Restrict access to data by business need-to-know
Gazzang helps meet this by:
- Restricting access using encryption, key control and application-only access controls
- Linux users can't read the data; only MySQL can
GoGrid:
- Strong initial root password
- Allows customers to manage local server credentials themselves

31. Requirement 8: Assign a unique ID to each person with computer access
You need to manage your users:
- Create a unique login for each user with access to the server
- Create unique accounts within MySQL and Linux
- Limit access to only what the account requires
The auditor:
- Will want reports on each of the systems: who, what, authentication methods
- Will verify documentation on processes and procedures
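As an added example for the MySQL half of the slide above (not from the deck, and not GoGrid's or Gazzang's code), the following statements give each person and each application its own account with only the privileges it needs, and end with the queries that produce the "who, what, authentication method" report the auditor asks for. The people, hosts, the `cardholder` schema and table, and the 90-day rotation interval are all assumed values; the Linux side (one system account per person) is a separate step not shown here.

```sql
-- Added example: one named MySQL account per person and per application, minimal grants,
-- plus the account report an assessor requests. Names, hosts, schema and the 90-day
-- interval are assumed values. Syntax targets MySQL 5.7 or later.

-- 1. Remove shared or anonymous identities first: a login nobody owns cannot be attributed.
DROP USER IF EXISTS ''@'localhost', ''@'%';
DROP USER IF EXISTS 'root'@'%';          -- root remains usable from localhost only

-- 2. Minimal schema so the grants below refer to real objects.
CREATE DATABASE IF NOT EXISTS cardholder;
CREATE TABLE IF NOT EXISTS cardholder.transactions (
  id            BIGINT AUTO_INCREMENT PRIMARY KEY,
  merchant_id   INT            NOT NULL,
  amount        DECIMAL(12,2)  NOT NULL,
  txn_date      DATETIME       NOT NULL,
  pan_encrypted VARBINARY(255) NOT NULL  -- card number is stored only in encrypted form
);

-- 3. Named administrators: each person logs in as themselves, so log entries and the
--    accounts report name a human rather than "admin". Passwords rotate every 90 days.
CREATE USER 'alice'@'10.0.1.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  PASSWORD EXPIRE INTERVAL 90 DAY;
CREATE USER 'bob'@'10.0.1.%'   IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD'
  PASSWORD EXPIRE INTERVAL 90 DAY;
GRANT ALL PRIVILEGES ON cardholder.* TO 'alice'@'10.0.1.%';   -- DBA for this schema
GRANT SELECT, PROCESS   ON *.*         TO 'bob'@'10.0.1.%';   -- operator: may inspect, not change

-- 4. Application identity with only the statements the code actually issues.
--    No DROP, ALTER, FILE or GRANT OPTION: a compromised web tier cannot reshape or export the schema.
CREATE USER 'payments_app'@'10.0.2.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT, INSERT ON cardholder.transactions TO 'payments_app'@'10.0.2.%';

-- 5. Reporting identity: read-only, and only on a view that omits the encrypted PAN column,
--    so "need-to-know" is enforced by the grant rather than by convention.
CREATE OR REPLACE VIEW cardholder.v_transactions_report AS
  SELECT id, merchant_id, amount, txn_date
  FROM cardholder.transactions;
CREATE USER 'reports'@'10.0.3.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT SELECT ON cardholder.v_transactions_report TO 'reports'@'10.0.3.%';

-- 6. The report for the auditor: who exists, from where, how they authenticate,
--    and whether any password is past its rotation date.
SELECT user, host, plugin, password_expired
FROM mysql.user
ORDER BY user, host;

-- 7. Per-account privilege listing, one per identity, for the evidence pack.
SHOW GRANTS FOR 'payments_app'@'10.0.2.%';
SHOW GRANTS FOR 'reports'@'10.0.3.%';
```

The point of step 5 is that the reporting user never holds a grant on the raw table, so even a leaked reporting credential cannot read the column that matters; step 6 is the query to rerun before each review so that departed staff and stale passwords are caught before the assessor finds them.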
32. Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties
GoGrid:
- Provides hardware firewalls that allow for the implementation of site-to-site or IPSec VPNs
- Two-factor: requiring user/password and certificate

33. Requirement 9: Restrict physical access to cardholder data
- The 3 Gs: Guards, Guns and Gates
- Access to physical equipment
GoGrid sets the security bar high in this area:
- GoGrid is a SAS70 Type II certified facility
- Physical equipment is monitored by guards
- Access is highly restricted by electronic IDs and other physical means
- Three forms of authentication are required to get access

34. Requirement 10: Track and monitor all access to network resources and cardholder data
You:
- Will need to show the auditor that you have the process to collect, track and monitor your environment
GoGrid:
- Tracks and monitors up to the customer's environment
The auditor will inspect all of the above

35. Requirement 11: Systems should be tested to ensure security is maintained over time and through changes
GoGrid:
- Images are reviewed and updated regularly
- GoGrid allows customers to maintain images of their servers
Gazzang:
- Starts from the GoGrid image
- Protects MySQL's files, increasing your security level

36. Requirement 12: Maintain an information security policy
You:
- Establish, publish, maintain and disseminate a security policy
Auditors:
- Will examine this information and see that it addresses all of the PCI requirements

37. Have your documentation ready
- Network diagram
- PCI policies and standards documentation
- Antivirus
- Internal/external scans
- Logging and monitoring
- Penetration test results
- System configurations

38. Design a Secure System and Diagram your Credit Card Dataflow
[Dataflow diagram; labels on the slide: Web Site, Consumer, Card Processing, Merchant Bank, Cardholder Bank]
49. Conclusion
- There are many steps to PCI
- PCI provides the groundwork for broader security “best practices”
- Gazzang's ezNcrypt helps solve some of the more daunting challenges with an easy-to-implement, robust solution
- GoGrid provides a secure infrastructure for running PCI
- Thanks for your time

50. Contact Information / Resources
- White paper: http://go.gogrid.com/whitepapers/complying-with-pci
- More about Gazzang: www.gazzang.com
- More about GoGrid: www.gogrid.com
- For more information: info@gazzang.com
- Contact: mike.frank@gazzang.com