Published on February 21, 2014
Don't Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang Pavan Venkatesh, Sr. Product Manager (DataStax) Sam Heywood, VP of Product & Marketing (Gazzang)
DataStax: An Overview • Founded in April 2010 • We drive Apache Cassandra™, the popular open-source NoSQL database • We provide DataStax Enterprise for enterprise NoSQL implementations • 400 customers • 200+ employees • Home to Apache Cassandra Chair & most committers • Headquartered in San Francisco Bay area • Funded by prominent venture firms 2
Gazzang: An Overview • Focus on securing sensitive data in cloud and big data environments • We help customers meet compliance requirements like HIPAA, PCI, FIPS and FERPA • Satisfy internal security mandates • Protect valuable client information • Headquartered in Austin, Texas
Today’s speakers Pavan Venkatesh, Senior Product Manager at DataStax Pavan oversees DataStax Enterprise and OpsCenter products. He has more than seven years of broad database and NoSQL experience. He also has a Master’s degree in Computer Science from Syracuse University. Sam Heywood, VP of Products and Marketing at Gazzang Sam drives Gazzang's global product innovation and delivery, corporate marketing and demand generation. A seasoned product and marketing executive with leadership experience at several notable technology startups, Sam is well versed in systems management, online CRM platforms, consumer ecommerce and security technologies. 4
Why DataStax? DataStax supports both the open source community and modern business enterprises. Open Source/Community Enterprise Software • Apache Cassandra (employ Cassandra chair and 90+% of the committers) • DataStax Community Edition • DataStax OpsCenter • DataStax DevCenter • DataStax Drivers/Connectors • Online Documentation • Online Training • Mailing lists and forums • DataStax Enterprise Edition • Certified Cassandra • Built-in Analytics • Built-in Enterprise Search • Enterprise Security • DataStax OpsCenter • Expert Support • Consultative Help • Professional Training 5
What is Apache Cassandra? • Masterless architecture with read/write anywhere design. • Continuous availability with no single point of failure. • Gold standard in multi-datacenter and cloud availability zone support. • Flexible data model perfect for time series and other data. • Linear scale performance with online capacity expansion. • Security with authentication and authorization. • Operationally simple. • CQL – SQL-like language. 100,000 txns/sec 200,000 txns/sec 6 400,000 txns/sec
Analyze your hot data • HDFS storage replaced with Cassandra (Cassandra File System – CFS) • No single points of failure as in Apache Hadoop distribution • MapReduce, Hive, Pig, Sqoop, and Mahout support • Hadoop task tracker started on all nodes • Able to create multiple CFSs across multiple data centers to segregate Hadoop data and tasks • Can create multiple job trackers – one for each data center 7
Search your hot data • Built on Cassandra • Automatic sharing via Cassandra replication • Very fast performance • Search indexes can span multiple data centers (regular Solr cannot) • Provides data durability (overcomes Solr’s lack of write-ahead log - if community Solr node goes down, data can be lost) • Online scalability via adding new nodes • Built-in failover; continuously available • Overcomes Solr write bottleneck – can read/write to any Solr node • CQL extended to support Solr/search queries 8
Cassandra/DataStax Users: A Sample 9
Why securing data is important ‘Twas the season to be hacked... The average cost of cybercrime hacking, phishing, Internet fraud, corporate security breach to U.S. organizations is nearly $12 million per year. Attacks get more sophisticated and traditional protections such as firewalls and antivirus are no longer sufficient.
What is PCI-DSS? • The Payment Card Industry (PCI) Data Security Standard (DSS) was developed ten years ago to enhance cardholder data security. • The PCI-DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). • This council was formed to prevent such identity thefts as described previously. 11
PCI - Who & Why? • Entities (merchants) involved in payment card processing (debit, credit, pre-paid etc.) have to comply with PCI-DSS standards to help avoid any data breach. • Compliance with PCI-DSS means that the payment card information (data) is very secure and customers can trust with their sensitive information. 12
PCI & Database Entities (Merchants) expect the underlying database to be in compliance with PCI-DSS as this sensitive data will eventually be stored in the data store. 13
Storage and access to digital, not physical data 1. Install and maintain a firewall 2. Do not use vendor-supplied defaults for passwords; develop configuration standards 3. Protect stored data 4. Encrypt transmission of cardholder data across public networks 5. Use and regularly update antivirus software 6. Develop and maintain secure systems and applications 7. Restrict access to data by business and need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Test systems regularly to ensure security is maintained over time and through changes 12. Maintain an information security policy 14
PCI GUIDELINE #2 Do not use vendor supplied defaults 2.1 Always change vendorsupplied defaults and remove or disable unnecessary default accounts before installing a system on the network. 2.2 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. DataStax Enterprise recommends you change the default password 16
PCI GUIDELINE #3 Protect stored cardholder data 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes 3.2 Do not store sensitive authentication data after authorization (even if encrypted) 3.3 Mask primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed) 3.5 Protect any keys used to secure cardholder data against disclosure and misuse 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN); Truncation …….. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data 17
WHAT’S NEW In PCI Guideline 3.0? • Subcontrol 3.5.1 covers restricting access to keys to the minimum possible number of people • Subcontrol 3.5.3 requires that keys are stored in as few places as possible • Subcontrols under 3.6 mandate that best practices are followed when replacing keys when they reach the end of their life or are compromised, and that those entrusted with managing keys understand and accept their responsibilities. 18
- Verizon 2014 PCI Compliance Report: An inside look at the business need for protecting payment card information. 19
HOW WE DO IT Transparent data encryption and key management • Protects sensitive data at rest from theft • No changes needed at application level • Keys are encrypted and secured in a software-based vault and wrapped with several policy layers that prevent unauthorized access 20
IN PRACTICE • Encrypt PAN numbers and customer PII for a mobile egifting platform • Protect credit card data and PHI for global health insurance company
PCI GUIDELINE #4 Encrypt transmission of cardholder data across public networks 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC. SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted • The protocol in use only supports secure versions or configurations • The encryption strength is appropriate for the encryption methodology in use 4.2 Never send unprotected PANs by end-user messaging technologies such as email, instant messaging or chat 22
HOW WE DO IT Client-to-Node and Node-to-Node Encryption • DSE protects data in flight from client machines to a database cluster Ensures data cannot be captured/stolen in route to a server Establishes a secure channel between the client and the coordinating node • DSE protects data transferred between nodes in a cluster using SSL • SSL keys are secured and managed to ensure only trusted processes can transmit data over the network 23
PCI GUIDELINE #7 Restrict access to data by business and need-to-know 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access 7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed 24
HOW WE DO IT Internal Authentication • DataStax offers internal authentication using login accounts and passwords for Cassandra and Kerberos authentication for Cassandra, Hadoop and Solr • Provides granular based control over who can add/change/delete/read data • Grants or revokes permissions to access Cassandra data 25
HOW WE DO IT Access Controls • Gazzang offers process-based access controls determine which processes can access encrypted cardholder data Only authorized database accounts with assigned database rights connecting from applications on approved network clients can access cardholder data stored on a server. OS users that do not have a business need to read the data can be prevented from accessing it • Key release policies provide additional means of preventing unauthorized access 26
PCI GUIDELINE #8 Assign unique IDs for access 8.1 Provide each user with an ID that is unique and cannot be shared with anyone 8.2 Identify and authenticate access to system components
HOW WE DO IT Single Sign-On and Super Users • DSE offers external authentication through Kerberos to provide single sign on capability. • DSE also allows super user creation and can authorize other users. 28
PCI GUIDELINE #10 Track and monitor all access to network resources and cardholder data 10.3 Record audit trail entries for all system components for each event
HOW WE DO IT Data Auditing Control • DSE supports data auditing and is being implemented as a log4j-based integration • Granular control to audit only what’s needed 30
PCI Summary • The PCI-DSS is a set of comprehensive requirements for securing payment data. • Complying with PCI ensures the payment card information (sensitive data) is very secure, and customers can trust the complying organization with their sensitive payment card information. • This process can avoid any data breach or hack. • Ensures best practices for the entire infrastructure through access control policies, reporting and monitoring. 31
DataStax in conjunction with Gazzang provides comprehensive features for securing sensitive information stored in the Cassandra database and helps organizations comply with PCI-DSS requirements. 32
Next steps • Links to webinar recording and white paper coming to your inbox soon • Learn more about DataStax Enterprise (DSE):http://www.datastax.com/what-we-offer/productsservices/datastax-enterprise/advantages - navtop • DSE Security: http://www.datastax.com/documentation/datastax_enterprise/3.2/datastax_ enterprise/sec/secDSE.html • Request a demo of Gazzang+DataStax Enterprise: http://www.gazzang.com/products/zncrypt/datastaxenterprise 33
Thank you – Questions? We power the big data apps that transform business.
Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...
In this presentation we will describe our experience developing with a highly dyna...
Presentation to the LITA Forum 7th November 2014 Albuquerque, NM
Un recorrido por los cambios que nos generará el wearabletech en el futuro
Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...
... Don't get caught in a PCI pickle: Meet compliance and protect payment card data ... and Gazzang can put you on course for compliance. ...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang; ... Meet Compliance and Protect Payment Card ...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang
... Don't Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax ... Gazzang can put you on course for compliance. ...
Payment Card Data PCI Training Program Brochure 01 ... on Aug 07, 2015. Report Category: Documents
Don’t Get Caught In A Mortgage Scam !. The Perfect Situation for Scammers. ... System is processing data Please download to view Download 1