Don't Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Data with DataStax and Gazzang
Pavan Venkatesh, Sr. Product Manager (DataStax)
Sam Heywood, VP of Product & Marketing (Gazzang)
DataStax: An Overview
• Founded in April 2010
• We drive Apache Cassandra™, the popular open-source NoSQL database
• We provide DataStax Enterprise for enterprise NoSQL implementations
• 400 customers
• 200+ employees
• Home to Apache Cassandra Chair & most committers
• Headquartered in San Francisco Bay area
• Funded by prominent venture firms
Gazzang: An Overview
• Focus on securing sensitive data in cloud and big data environments
• We help customers meet compliance requirements like HIPAA, PCI, FIPS and FERPA
• Satisfy internal security mandates
• Protect valuable client information
• Headquartered in Austin, Texas
Today’s speakers
Pavan Venkatesh, Senior Product Manager at DataStax
Pavan oversees DataStax Enterprise and OpsCenter products. He has more than seven years of broad database and NoSQL experience. He also has a Master’s degree in Computer Science from Syracuse University.
Sam Heywood, VP of Products and Marketing at Gazzang
Sam drives Gazzang's global product innovation and delivery, corporate marketing and demand generation. A seasoned product and marketing executive with leadership experience at several notable technology startups, Sam is well versed in systems management, online CRM platforms, consumer ecommerce and security technologies.
Why DataStax?
Open Source/Community
• Apache Cassandra (employ Cassandra chair and 90+% of the committers)
• DataStax Community Edition
• DataStax OpsCenter
• DataStax DevCenter
• DataStax Drivers/Connectors
• Online Documentation
• Online Training
• Mailing lists and forums
Enterprise Software
• DataStax Enterprise Edition
• Certified Cassandra
• Built-in Analytics
• Built-in Enterprise Search
• Enterprise Security
• DataStax OpsCenter
• Expert Support
• Consultative Help
• Professional Training
DataStax supports both the open source community and modern business enterprises.
What is Apache Cassandra?
• Masterless architecture with read/write anywhere design.
• Continuous availability with no single point of failure.
• Gold standard in multi-datacenter and cloud availability zone support.
• Flexible data model perfect for time series and other data.
• Linear scale performance with online capacity expansion.
• Security with authentication and authorization.
• Operationally simple.
• CQL – SQL-like language.
[Chart: linear scale performance, 100,000 / 200,000 / 400,000 txns/sec]
Analyze your hot data
• HDFS storage replaced with Cassandra (Cassandra File System – CFS)
• No single points of failure as in Apache Hadoop distribution
• MapReduce, Hive, Pig, Sqoop, and Mahout support
• Hadoop task tracker started on all nodes
• Able to create multiple CFSs across multiple data centers to segregate Hadoop data and tasks
• Can create multiple job trackers – one for each data center
Search your hot data
• Automatic sharding via Cassandra replication
• Search indexes can span multiple data centers (regular Solr cannot)
• Online scalability via adding new nodes
• Built-in failover; continuously available
• CQL extended to support Solr/search queries
• Built on Cassandra
• Very fast performance
• Provides data durability (overcomes Solr’s lack of write-ahead log - if community Solr node goes down, data can be lost)
• Overcomes Solr write bottleneck – can read/write to any Solr node
Cassandra/DataStax Users: A Sample
Why securing data is important
The average cost of cybercrime - hacking, phishing, Internet fraud, corporate security breach - to U.S. organizations is nearly $12 million per year.
Attacks get more sophisticated and traditional protections such as firewalls and antivirus are no longer sufficient.
‘Twas the season to be hacked...
What is PCI-DSS?
• The Payment Card Industry (PCI) Data Security Standard (DSS) was developed ten years ago to enhance cardholder data security.
• The PCI-DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
• This council was formed to prevent such identity thefts as described previously.
PCI - Who & Why?
• Entities (merchants) involved in payment card processing (debit, credit, pre-paid etc.) have to comply with PCI-DSS standards to help avoid any data breach.
• Compliance with PCI-DSS means that the payment card information (data) is well protected and customers can trust the merchant with their sensitive information.
PCI & Database
Entities (Merchants) expect the underlying database to be in compliance with PCI-DSS as this sensitive data will eventually be stored in the data store.
1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for passwords; develop configuration standards
3. Protect stored data
4. Encrypt transmission of cardholder data across public networks
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business and need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Test systems regularly to ensure security is maintained over time and through changes
12. Maintain an information security policy
Storage and access to digital, not physical data
PCI GUIDELINE #2: Do not use vendor-supplied defaults
2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
2.2 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
DataStax recommends changing the default DataStax Enterprise password.
PCI GUIDELINE #3: Protect stored cardholder data
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes
3.2 Do not store sensitive authentication data after authorization (even if encrypted)
3.3 Mask primary account number (PAN) when displayed (the first six and last four digits are the maximum number of digits to be displayed)
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: One-way hashes based on strong cryptography (hash must be of the entire PAN); Truncation …
3.5 Protect any keys used to secure cardholder data against disclosure and misuse
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
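As an added illustration (not code from DataStax, Gazzang or the PCI SSC), the three PAN treatments named in 3.3 and 3.4 in Python: masking for display, truncation for storage, and a one-way hash of the entire PAN. The sample PAN and the HMAC key are constructed for this example; a Luhn check is used only to reject malformed input.

```python
import hashlib
import hmac

# Constructed sample PAN: a syntactically valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"

# Constructed demo key. In a real deployment the key lives in a key-management
# system (PCI 3.5 / 3.6), never in source code.
HMAC_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn check, used here only to reject malformed input before hashing."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI 3.3 display form: at most the first six and last four digits shown."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """PCI 3.4 truncation for storage: keep only the last four digits."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes = HMAC_KEY) -> str:
    """PCI 3.4 one-way hash of the entire PAN.

    HMAC-SHA256 is used instead of a bare SHA-256: the PAN space is small
    enough that an unkeyed hash could be reversed by guessing, so the key
    must be protected like an encryption key.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
```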
WHAT’S NEW in PCI Guideline 3.0?
• Subcontrol 3.5.1 covers restricting access to keys to the minimum possible number of people
• Subcontrol 3.5.3 requires that keys are stored in as few places as possible
• Subcontrols under 3.6 mandate that best practices are followed when replacing keys when they reach the end of their life or are compromised, and that those entrusted with managing keys understand and accept their responsibilities.
- Verizon 2014 PCI Compliance Report: An inside look at the business need for protecting payment card information.
Transparent data encryption and key management
HOW WE DO IT
• Protects sensitive data at rest from theft
• No changes needed at application level
• Keys are encrypted and secured in a software-based vault and wrapped with several policy layers that prevent unauthorized access
IN PRACTICE
• Encrypt PAN numbers and customer PII for a mobile e-gifting platform
• Protect credit card data and PHI for global health insurance company
PCI GUIDELINE #4: Encrypt transmission of cardholder data across public networks
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
• Only trusted keys and certificates are accepted
• The protocol in use only supports secure versions or configurations
• The encryption strength is appropriate for the encryption methodology in use
4.2 Never send unprotected PANs by end-user messaging technologies such as email, instant messaging or chat
Client-to-Node and Node-to-Node Encryption
HOW WE DO IT
• DSE protects data in flight from client machines to a database cluster
  Ensures data cannot be captured/stolen en route to a server
  Establishes a secure channel between the client and the coordinating node
• DSE protects data transferred between nodes in a cluster using SSL
• SSL keys are secured and managed to ensure only trusted processes can transmit data over the network
PCI GUIDELINE #7: Restrict access to data by business and need-to-know
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access
7.2 Establish an access control system for system components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
Internal Authentication
HOW WE DO IT
• DataStax offers internal authentication using login accounts and passwords for Cassandra, and Kerberos authentication for Cassandra, Hadoop and Solr
• Provides granular control over who can add/change/delete/read data
• Grants or revokes permissions to access Cassandra data
Access Controls
HOW WE DO IT
• Gazzang offers process-based access controls that determine which processes can access encrypted cardholder data
  Only authorized database accounts with assigned database rights, connecting from applications on approved network clients, can access cardholder data stored on a server.
  OS users that do not have a business need to read the data can be prevented from accessing it
• Key release policies provide additional means of preventing unauthorized access
PCI GUIDELINE #8: Assign unique IDs for access
8.1 Provide each user with an ID that is unique and cannot be shared with anyone
8.2 Identify and authenticate access to system components
Single Sign-On and Super Users
HOW WE DO IT
• DSE offers external authentication through Kerberos to provide single sign-on capability.
• DSE also allows super user creation, and super users can authorize other users.
PCI GUIDELINE #10: Track and monitor all access to network resources and cardholder data
10.3 Record audit trail entries for all system components for each event
Data Auditing Control
HOW WE DO IT
• DSE supports data auditing, implemented as a log4j-based integration
• Granular control to audit only what’s needed
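An added example, not DataStax's code, of reviewing audit records against a need-to-know allow list, which ties the “deny all unless allowed” rule of 7.2 to the audit trail of 10.3. The pipe-delimited key:value record layout and the sample records are constructed for this example and are not the documented DSE audit format.

```python
# Constructed sample audit records. The key:value, pipe-delimited layout is an
# assumption for this example, not the documented DSE audit log format.
SAMPLE_LOG = """\
host:10.0.0.5|source:/10.0.0.21|user:pos_app|timestamp:1389000001000|category:DML|type:CQL_SELECT|ks:payments|cf:cards|operation:SELECT pan_hash FROM payments.cards WHERE id=42
host:10.0.0.5|source:/10.0.0.99|user:analyst|timestamp:1389000002000|category:DML|type:CQL_SELECT|ks:payments|cf:cards|operation:SELECT * FROM payments.cards
host:10.0.0.5|source:/10.0.0.21|user:pos_app|timestamp:1389000003000|category:DML|type:CQL_SELECT|ks:catalog|cf:products|operation:SELECT * FROM catalog.products
host:10.0.0.5|source:/10.0.0.21|user:pos_app|timestamp:1389000004000|category:AUTH|type:LOGIN_ERROR|ks:|cf:|operation:Login failed
"""

# Need-to-know allow list (PCI 7.1 / 7.2): which accounts may touch each
# cardholder-data table. Any other account seen on that table is flagged.
CHD_ACCESS = {("payments", "cards"): {"pos_app"}}


def parse_record(line):
    """Split one record into a dict; a value may itself contain ':'."""
    rec = {}
    for field in line.rstrip("\n").split("|"):
        key, _, value = field.partition(":")
        rec[key] = value
    return rec


def review_audit(log_text):
    """Return (finding, user, source) for policy violations and login failures."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        table = (rec.get("ks"), rec.get("cf"))
        if rec.get("type") == "LOGIN_ERROR":
            findings.append(("login_failure", rec["user"], rec["source"]))
        elif table in CHD_ACCESS and rec.get("user") not in CHD_ACCESS[table]:
            findings.append(("unexpected_chd_access", rec["user"], rec["source"]))
    return findings


if __name__ == "__main__":
    for finding in review_audit(SAMPLE_LOG):
        print(finding)
```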
PCI Summary
• The PCI-DSS is a set of comprehensive requirements for securing payment data.
• Complying with PCI ensures the payment card information (sensitive data) is very secure, and customers can trust the complying organization with their sensitive payment card information.
• This process can avoid any data breach or hack.
• Ensures best practices for the entire infrastructure through access control policies, reporting and monitoring.
DataStax in conjunction with Gazzang provides comprehensive features for securing sensitive information stored in the Cassandra database and helps organizations comply with PCI-DSS requirements.
Next steps
• Links to webinar recording and white paper coming to your inbox soon
• Learn more about DataStax Enterprise (DSE):http://www.datastax.com/what-we-offer/products-services/datastax-enterprise/advantages - navtop
• DSE Security:http://www.datastax.com/documentation/datastax_enterprise/3.2/datastax_enterprise/sec/secDSE.html
• Request a demo of Gazzang+DataStax Enterprise: http://www.gazzang.com/products/zncrypt/datastax-enterprise
Thank you – Questions?
We power the big data apps that transform business.