Complying with Payment Card Industry (PCI-DSS) Requirements with DataStax and Vormetric

Post on 08-Apr-2018

224 views

Category:

Documents


6 download

TRANSCRIPT

Page 1: Complying with Payment Card Industry (PCI-DSS ...€¦ · Complying with Payment Card Industry (PCI-DSS) Requirements with DataStax and Vormetric

Complying with Payment Card Industry (PCI-DSS) Requirements with DataStax and Vormetric

Table of Contents

Overview
  PIN Transaction Security Requirements
  Payment Application Data Security Standard (PA-DSS)
  Payment Card Industry Data Security Standard (PCI DSS)
Target Market and Customers
Goals and Objectives
Levels of Compliance and Types
PCI DSS Requirements
What DataStax Enterprise Offers
DataStax and Vormetric Partnership
The Vormetric Solution
How DSE and Vormetric Address PCI Requirements
Limitations
Conclusion
About DataStax
About Vormetric


Overview

Securing data is a requirement for any organization, large or small, that handles debit, credit and pre-paid cards, otherwise known as payment cards. These institutions must comply with the payment card security standards to help avoid a data breach, as they handle sensitive customer information including name, address and account number as well as the three-digit security code printed on the card. To protect this data, the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) founded the PCI Security Standards Council (PCI SSC) to facilitate the broad adoption of consistent data security measures on a global basis. The payment card industry security standards comprise the following three categories:

Reference:

https://www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf

PIN Transaction Security Requirements

These security requirements, referred to as PCI PTS (formerly PCI PED), focus on companies that make devices or components that accept PINs as part of a transaction and for other payment-processing activities.

Payment Application Data Security Standard (PA-DSS)

PA-DSS applies to vendors and other software developers who implement payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where these payment applications are sold, distributed, or licensed to third parties.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of requirements designed to ensure that companies maintain a secure environment while facilitating the broad adoption of consistent data security measures in-house. It provides a baseline of technical and operational requirements designed to protect cardholder data, with an emphasis on general IT security and controls, and is administered and managed by the PCI SSC. Compliance shows that an organization has implemented this baseline for protecting payment card information and gives customers a basis for trusting it with their card data; it is a minimum standard, not a guarantee. Not being compliant leaves the data exposed to compromise (through a hack or other means), which can result in irreparable brand damage, loss of sales and customers, lawsuits, fines and account cancellation.

Target Market and Customers

PCI DSS applies to any organization or merchant that stores, accepts, processes or transmits cardholder data. This includes web and e-commerce companies, banks, and other retail and financial institutions.

Goals and Objectives

Merchants and organizations expect the underlying database to be highly secure and in compliance, as sensitive cardholder data will eventually be kept in the data store. DataStax, the company driving Apache Cassandra, provides the enterprise-class security features that businesses need to protect key data assets. DataStax is focused on providing customers a secure, scalable, high-performance NoSQL database that puts organizations on the path to managing modern data and meeting PCI compliance initiatives.

Levels of Compliance and Types

Merchants or organizations may fall into any of the following four "levels" depending on their transaction volume per year, and five "types" depending on the way they handle and process cardholder data.


To determine their standing with respect to PCI compliance, organizations can complete a Self-Assessment Questionnaire (SAQ), have regular network or website scans performed by an Approved Scanning Vendor (ASV), and/or obtain a Report on Compliance from a Qualified Security Assessor (QSA). The organization can also choose to complete an Attestation of Compliance (AOC) form.

Reference: http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Merchant level definitions by payment brand and transaction volume (chart)

Reference: http://information.rapid7.com/rs/rapid7/images/pci-dss-2-0-guide.pdf

The charts above (levels) are based on the number of transactions processed annually; the thresholds are defined independently by each payment brand. "Types" determine which sections and requirements of PCI DSS apply and correspond to the self-assessment questionnaire mentioned above. Unlike levels, types have been defined collectively by all brands. There are five types, namely A, B, C-VT, C and D.


Reference:(http://information.rapid7.com/rs/rapid7/Demystifying-pci-guide.pdf)

PCI DSS Requirements

PCI DSS comprises 12 security requirements covering networks, servers, databases and applications. Each requirement, and how DSE and Vormetric address it, is listed in the table under "How DSE and Vormetric Address PCI Requirements" below.

What DataStax Enterprise Offers

DataStax Enterprise (DSE) includes enterprise-ready Cassandra, the ability to run analytics on Cassandra data with Apache Spark or Hadoop, and the capability of performing enterprise search operations on Cassandra data with Apache Solr. DataStax Enterprise also provides the following enterprise security features:

• Internal authentication using login accounts and passwords for Cassandra, Hadoop and Spark clusters in DSE.

• Object permission management based on the GRANT/REVOKE paradigm for keyspaces or tables.

• Client-to-node encryption using SSL for data going from the client to the Cassandra/Hadoop/Spark/Solr clusters in DSE.

• LDAP and Active Directory integration: a standardized way of storing security credentials in a centralized repository for a company’s applications. Allows various users to be created in DSE while directory servers handle password management. Supports authentication for Cassandra, Spark, Hadoop and Solr clusters in DSE.

• Kerberos authentication: a network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner using tickets. Supports authentication for Cassandra, Spark, Hadoop & Solr clusters in DSE.


• Transparent data encryption: the encoding of data flushed from the memtable in system memory to the SSTables on disk (data at rest) so that it is unreadable to unauthorized users. Encryption is done through the Java Cryptography Extension (JCE), and encryption and decryption occur without user intervention. The DSE encryption certificates are stored locally. As part of enhanced data security, DSE supports off-server encryption key management using the Key Management Interoperability Protocol (KMIP) to protect data at rest.

• Data auditing: the administrator capability to create detailed audit trails of cluster activity.

• The inter-node gossip protocol and node-to-node communication are protected using SSL.

• DataStax OpsCenter can use SSL to encrypt the communication protocol and authenticate traffic between OpsCenter agents and the main OpsCenter daemon. It provides an option to use https as well.

• OpsCenter can connect to DSE clusters with Kerberos enabled.

• OpsCenter 5.1 and beyond comes with built-in granular security controls to manage cluster operations.

Additional Resources

[1] Security management
[2] Configuring role based security
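The feature list above maps onto a handful of cassandra.yaml settings, and the first thing an assessor checks is whether they are still at their shipped values. The following Python script is an added example, not DataStax code or documentation: it parses the subset of cassandra.yaml syntax these keys use and reports the settings that fall below the PCI baseline (the stock AllowAll* authenticator and authorizer, disabled client-to-node encryption, and no inter-node encryption), with the vendor-default fragment shown beside a hardened one that passes. The key names (authenticator, authorizer, client_encryption_options, server_encryption_options, internode_encryption) are the real cassandra.yaml keys; both configuration fragments are constructed samples, and the minimal parser is an assumption that the file only uses the flat "key: value" and one-level nested forms shown.

```python
"""Check cassandra.yaml security settings against the PCI DSS baseline (added example)."""


# Constructed sample: the values a fresh install ships with. These are the
# "vendor-supplied defaults" of Requirement 2 that an operator must change.
DEFAULT_CASSANDRA_YAML = """\
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
# client <-> node TLS (Requirement 4)
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
# node <-> node TLS for gossip and streaming
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
"""

# Constructed sample: the same keys set the way the feature list above implies.
HARDENED_CASSANDRA_YAML = """\
cluster_name: 'Payments Cluster'
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
client_encryption_options:
    enabled: true
    require_client_auth: true
    keystore: conf/.keystore
server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
"""


def parse_flat_yaml(text):
    """Parse the YAML subset these keys use: top-level 'key: value' lines and one
    level of indented children under a bare 'key:'. Assumption: this is not a
    general YAML parser, only enough for the checks below."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        key, sep, value = line.strip().partition(':')
        if not sep:
            continue                                  # not a mapping line
        value = value.strip().strip("'\"")
        if line[0] in ' \t' and section is not None:
            config[section][key] = value              # child of the open section
        elif value == '':
            section = key                             # a bare 'key:' opens a section
            config[key] = {}
        else:
            section = None
            config[key] = value
    return config


def pci_findings(config):
    """Return the settings that leave the cluster below the PCI DSS baseline."""
    findings = []
    # Requirement 8: every connection must authenticate. The class may appear
    # fully qualified, hence endswith().
    if config.get('authenticator', 'AllowAllAuthenticator').endswith('AllowAllAuthenticator'):
        findings.append('R8: authenticator is AllowAllAuthenticator; no credentials are required to connect')
    # Requirement 7: GRANT/REVOKE is only enforced by a real authorizer.
    if config.get('authorizer', 'AllowAllAuthorizer').endswith('AllowAllAuthorizer'):
        findings.append('R7: authorizer is AllowAllAuthorizer; object permissions are not enforced')
    # Requirement 4: client traffic must be encrypted.
    client = config.get('client_encryption_options', {})
    client = client if isinstance(client, dict) else {}
    if str(client.get('enabled', 'false')).lower() != 'true':
        findings.append('R4: client_encryption_options.enabled is not true; client traffic is cleartext')
    # Requirement 4 again: gossip and streaming carry cardholder data between nodes.
    server = config.get('server_encryption_options', {})
    server = server if isinstance(server, dict) else {}
    if server.get('internode_encryption', 'none') == 'none':
        findings.append('R4: server_encryption_options.internode_encryption is none; inter-node traffic is cleartext')
    return findings


if __name__ == '__main__':
    for label, text in (('default', DEFAULT_CASSANDRA_YAML), ('hardened', HARDENED_CASSANDRA_YAML)):
        print(label + ':', pci_findings(parse_flat_yaml(text)) or 'no findings')
```

Run it against a real cassandra.yaml by reading the file into parse_flat_yaml(); four findings for the default fragment and none for the hardened one is the expected result. The check only covers what this paper's feature list covers; DSE-specific settings in dse.yaml (audit logging, Kerberos, LDAP) are not inspected.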

DataStax and Vormetric Partnership

Vormetric is the industry leader in data security solutions that span physical, virtual, cloud and big data environments and protect against both internal and external threats. The company's scalable, high-performance Vormetric Data Security Platform protects any file or database, anywhere it resides, with application-transparent encryption, privileged user access controls, and security intelligence logging. Vormetric and DataStax enable complete data-at-rest security for DataStax Enterprise. Vormetric enhances the enterprise-class security features already available in DataStax's massively scalable distributed database with protection for data at rest that includes encryption, enhanced access controls and key management.

The Vormetric Solution

With the Vormetric Data Security Platform, organizations maintain compliance and safely use sensitive data within the DataStax platform, with protection for data stores, system logs, configurations, etc., at the file system level, as well as within the data store at the field or column level. In addition, the Vormetric Data Security Platform can secure source data sets as well as the resulting analytics. This end-to-end approach of centrally managing data encryption and access policies across the organization's infrastructure simplifies security and reduces total cost of ownership. The Vormetric Data Security Platform offers:

• A single console for managing all data-at-rest security policies

• Protection of data sources, the DSE environment and analytic reports through data-at-rest encryption, least-privileged user access policies and security intelligence logs that support PCI DSS Requirement 7 guidelines

• Enterprise-class architecture, scale and performance

• Security and compliance across all server environments: physical, virtual, cloud, big data and hybrid

• Pre-defined dashboards and reports for popular SIEMs and other log collection tools, to produce reports for auditors and to identify abnormal file data access behaviors in support of PCI DSS Requirement 10 guidelines

• Transparent data security requiring no application changes and allowing fast deployment, supporting PCI DSS Requirement 3 guidelines

• Application-layer data encryption to protect specific database columns, supporting PCI DSS Requirement 3 guidelines

• Policy and encryption key management available in FIPS 140-2 compliant or virtual appliance form factors, supporting PCI DSS Requirement 3.5 guidelines

How DSE and Vormetric Address PCI Requirements

# | Requirement | DSE | Vormetric | Explanation

1 | Use a firewall to protect data | - | - | Handled by the network.

2 | Do not use vendor-supplied defaults | Yes | Yes | DSE and OpsCenter recommend changing the default password. Vormetric components will not allow implementation with default or weak passwords.

3 | Protect stored cardholder data | Yes | Yes | DSE offers transparent data encryption that secures cardholder data against disclosure and misuse. Vormetric protects cardholder data by encrypting it at the file/volume level and decrypting only according to a pre-defined usage policy, so that the data is rendered unreadable anywhere it is stored. Integrated key management makes the process seamless and meets these requirements.

4 | Encrypt transmission of cardholder data across open, public networks | Yes | - | DSE offers authentication and client-to-node SSL support.

5 | Use anti-virus programs | - | - | Handled by the server.

6 | Develop and maintain secure systems and applications | - | - | Follow best practices, apply the latest patches and protect your code.

7 | Restrict access to cardholder data | Yes | Yes | Through the internal authentication and object permission management provided by DSE. Vormetric enforces a least-privilege model, which denies any data access activity that has not been expressly permitted by policy.

8 | Identify and authenticate access to system components | Yes | Yes | External authentication allows DSE to provide single sign-on capability. DSE allows superuser creation, and a superuser can authorize other users. Internal authentication stores user names and bcrypt-hashed passwords in the system_auth.credentials table. OpsCenter allows user creation and role assignment for managing and operating database clusters. Vormetric integrates with existing directory services to authenticate user IDs, and all transmission of Vormetric authentication and key material takes place over a mutually authenticated TLS channel. With Vormetric, direct access to the data files and the ability to run database queries can be limited to database administrators: when a database is protected, all access to the data must come from the database process, and all other sources can be denied access.

9 | Restrict physical access to data | - | - | Handled through company policy (log visitors, make sure physical media is secured, etc.).

10 | Track and monitor all access to network resources and cardholder data | Yes | Yes | DSE supports data auditing via log4j-based integration or by storing the events in a Cassandra table. Vormetric provides logging of access at the file system level; all read/write requests to sensitive data are tracked with PCI-compliant audit records. User-controlled policies allow monitoring of all access to sensitive data, including access by privileged users.

11 | Regularly test security systems and processes | - | - | System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Use a network intrusion detection system to monitor traffic.

12 | Maintain an information security policy | - | - | The company should develop a daily usage policy and operational security procedures.
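Requirement 10 is only satisfied if someone actually reviews the audit trail, and the table says what DSE records but not what to look for. The following Python script is an added example, not part of the paper or of DataStax's tooling: it parses audit records, then flags use of the default cassandra superuser (Requirements 2 and 8), DML on a cardholder-data table by any account outside an allow-list (Requirement 7), and DDL/DCL changes to that table, and summarizes who touched cardholder data. The audit lines are constructed to approximate DSE's pipe-delimited field:value audit record (host, source, user, timestamp, category, type, ks, cf, operation); the keyspace and table pci.cards, the service account payments_svc and the other user names are assumptions for illustration.

```python
"""Review a DSE-style data audit trail for cardholder-data access (added example)."""
from collections import Counter

# Constructed audit records approximating DSE's pipe-delimited field:value
# audit format. pci.cards and all user names are assumed for illustration.
AUDIT_LINES = [
    "host:/10.0.0.11|source:/10.0.1.7|user:payments_svc|timestamp:1428000000001|category:DML|type:CQL_SELECT|ks:pci|cf:cards|operation:SELECT pan_enc FROM pci.cards WHERE id = 42;",
    "host:/10.0.0.11|source:/10.0.1.99|user:cassandra|timestamp:1428000000002|category:DML|type:CQL_SELECT|ks:pci|cf:cards|operation:SELECT * FROM pci.cards;",
    "host:/10.0.0.12|source:/10.0.1.7|user:payments_svc|timestamp:1428000000003|category:DML|type:CQL_UPDATE|ks:pci|cf:cards|operation:UPDATE pci.cards SET pan_enc = ? WHERE id = 42;",
    "host:/10.0.0.12|source:/10.0.1.50|user:analyst|timestamp:1428000000004|category:DML|type:CQL_SELECT|ks:reporting|cf:daily_totals|operation:SELECT * FROM reporting.daily_totals;",
    "host:/10.0.0.12|source:/10.0.1.50|user:analyst|timestamp:1428000000005|category:DML|type:CQL_SELECT|ks:pci|cf:cards|operation:SELECT * FROM pci.cards LIMIT 1000;",
    "host:/10.0.0.11|source:/10.0.1.99|user:dba|timestamp:1428000000006|category:DCL|type:GRANT|ks:pci|cf:cards|operation:GRANT SELECT ON pci.cards TO analyst;",
]

CARDHOLDER_TABLES = {('pci', 'cards')}   # (keyspace, table) pairs holding cardholder data
CHD_ALLOW_LIST = {'payments_svc'}        # the only accounts that may query them
DEFAULT_SUPERUSER = 'cassandra'          # the vendor-supplied default account

RULE_DEFAULT_SUPERUSER = 'R2/R8: default superuser account in use'
RULE_UNAUTHORISED_CHD = 'R7: cardholder-data access by account outside allow-list'
RULE_CHD_PRIV_CHANGE = 'R7: schema or permission change on cardholder-data table'


def parse_audit_line(line):
    """Split 'k:v|k:v|...' into a dict. Only the first ':' of each field separates
    the key, so values such as '/10.0.0.11' or a CQL statement stay intact."""
    return dict(field.partition(':')[::2] for field in line.strip().split('|'))


def alerts_for(records):
    """Apply the three detection rules to parsed records, in record order."""
    alerts = []
    for r in records:
        table = (r.get('ks'), r.get('cf'))
        user = r.get('user')
        if user == DEFAULT_SUPERUSER:
            alerts.append({'rule': RULE_DEFAULT_SUPERUSER, 'user': user,
                           'source': r.get('source'), 'timestamp': r.get('timestamp')})
        if table in CARDHOLDER_TABLES:
            if r.get('category') == 'DML' and user not in CHD_ALLOW_LIST:
                alerts.append({'rule': RULE_UNAUTHORISED_CHD, 'user': user,
                               'source': r.get('source'), 'timestamp': r.get('timestamp')})
            if r.get('category') in ('DDL', 'DCL'):
                alerts.append({'rule': RULE_CHD_PRIV_CHANGE, 'user': user,
                               'source': r.get('source'), 'timestamp': r.get('timestamp')})
    return alerts


def cardholder_access_by_user(records):
    """Count every touch of a cardholder-data table per account, for the auditor's
    'who accessed cardholder data' report."""
    return Counter(r.get('user') for r in records
                   if (r.get('ks'), r.get('cf')) in CARDHOLDER_TABLES)


def review(lines):
    """Parse raw audit lines and return (alerts, per-user access counts)."""
    records = [parse_audit_line(line) for line in lines]
    return alerts_for(records), cardholder_access_by_user(records)


if __name__ == '__main__':
    alerts, by_user = review(AUDIT_LINES)
    for a in alerts:
        print(a['timestamp'], a['user'], a['source'], a['rule'])
    print('cardholder-data access by user:', dict(by_user))
```

Over the constructed sample this produces four alerts: two for the default superuser's full-table read, one for the analyst's read of pci.cards, and one for the GRANT that made that read possible. Feeding real audit output through review() requires only that the lines use the same field:value layout; the allow-list and table set are the policy inputs an organization supplies.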

Limitations

Assuming you configure the security features, the table (its footnotes follow) describes exactly which data is secured, and which is not, for each workload type: real-time Cassandra (DSE/Cassandra), analytics (Spark/Hadoop) and DSE Search (Solr).

[1] Permissions to access objects stored in Cassandra are checked. The Solr cache and indexes and the DSE Hadoop cache as well as Spark caches are not under the control of Cassandra, and therefore not checked. You may, however, set up permission checks to occur on tables that store DSE Hadoop or Solr data.

[2] The inter-node gossip protocol is protected using SSL.

[3] The Thrift interface between DSE Hadoop and the Cassandra File System (CFS) is SSL-protected. Inter-tracker communication is Kerberos authenticated, but not SSL secured. Hadoop access to Cassandra is SSL- and Kerberos-protected. Spark Integration supports SSL for Akka and HTTP (for broadcast and file server) protocols.


[4] HTTP access to the DSE Search/Solr data is protected using SSL. Node-to-node encryption using SSL protects internal Solr communication.

[5] The inter-node gossip protocol is not authenticated using Kerberos. Node-to-node encryption using SSL can be used.

[6] Cassandra commit log segments and memtables are not encrypted; only data flushed to SSTables (data at rest) is encrypted. Cleartext written to a commit log therefore remains on disk until that segment is recycled.

[7] Data in DSE Search (Solr) tables is encrypted by Cassandra's transparent data encryption. Encryption has a slight performance impact but ensures that the original documents are encrypted once Cassandra permanently stores them on disk. However, Solr cache data and Solr index data are not encrypted.

[8] DSE Hadoop and Spark data auditing is done at the Cassandra access level, so requests to access Cassandra data are audited.

[9] Password authentication pertains to connecting Spark to Cassandra, not authenticating Spark components between each other, and authenticating changes to the Shark configuration.

[10] Password authentication pertains to connecting Hadoop to Cassandra, not authenticating Hadoop components between each other.

[11] Applicable to communication with C* only. Not supported within the Spark/Shark ecosystem itself.
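Limitation [6] is the one to verify before an assessment: a primary account number written to an encrypted table still passes through an unencrypted commit log segment, which is a Requirement 3 finding in its own right. The following Python scanner is an added example, not from the paper: it searches a commit log segment for 13-19 digit runs that pass the Luhn check (rejecting ordinary numeric values that happen to be the right length) and reports any hits masked to the first six and last four digits. The binary segment is a constructed stand-in for a real file, and scan_commitlog_dir() applies the same check to every file under a directory whose path is an assumption.

```python
"""Scan commit log segments for cleartext primary account numbers (added example)."""
import os
import re

# Constructed stand-in for an unencrypted commit log segment: framing bytes
# around cleartext column values, as a segment holds a PAN before the memtable
# is flushed into an (encrypted) SSTable. 4111111111111111 and 5105105105105100
# are the usual test card numbers; 1234567890123 is a non-card numeric value.
SAMPLE_SEGMENT = (b"\x00\x00\x00\x2a" + b"pci.cards" + b"\x00" * 3
                  + b"pan=4111111111111111" + b"\x01\x02"
                  + b"order=1234567890123" + b"\x00"
                  + b"pan=5105105105105100" + b"\xff")

# A candidate PAN: 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")


def luhn_ok(digits):
    """Standard Luhn check: double every second digit from the right, subtract 9
    from any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(blob):
    """Return every Luhn-valid digit run found in a raw segment, in file order."""
    return [m.group().decode() for m in PAN_RE.finditer(blob)
            if luhn_ok(m.group().decode())]


def mask(pan):
    """Mask to first six and last four digits, the most PCI DSS permits to display."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_commitlog_dir(path):
    """Apply the scan to every file under a commit log directory (assumed layout:
    one segment per file) and return {file path: [masked PANs]} for files with hits."""
    hits = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, 'rb') as fh:
                found = find_cleartext_pans(fh.read())
            if found:
                hits[full] = [mask(p) for p in found]
    return hits


if __name__ == '__main__':
    for pan in find_cleartext_pans(SAMPLE_SEGMENT):
        print('cleartext PAN in segment:', mask(pan))
    # Assumed path; adjust to the commitlog_directory set in cassandra.yaml.
    print(scan_commitlog_dir('/var/lib/cassandra/commitlog'))
```

The Luhn filter is what keeps this usable: without it, timestamps, order numbers and row keys of the right length produce far more hits than real card numbers. Run the scanner only on a host where you are authorized to read the raw files, and never log the unmasked value.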

Conclusion

DataStax Enterprise in conjunction with Vormetric offers a comprehensive data security solution for the data stored in Cassandra and helps organizations comply with PCI DSS requirements.

About DataStax

DataStax provides a massively scalable enterprise NoSQL platform to run modern online applications for some of the world's most innovative and data-intensive enterprises. Powered by the open source Apache Cassandra™ database, DataStax delivers a fully distributed, continuously available platform that is faster to deploy and less expensive to maintain than other database platforms. DataStax has more than 500 customers in 38 countries including leaders such as Netflix, Rackspace, Pearson Education, and Constant Contact, and spans verticals including web, financial services, telecommunications, logistics, and government. Based in San Mateo, Calif., DataStax is backed by industry-leading investors including Lightspeed Venture Partners, Meritech Capital, and Crosslink Capital.

About Vormetric

Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency, and Vormetric helps over 1400 customers, including 17 of the Fortune 30 and many of the world's most security-conscious government organizations, to meet compliance requirements and protect what matters, their sensitive data, from both internal and external threats. The company's scalable Vormetric Data Security Platform protects any file, any database and any application, anywhere it resides, with a high-performance, market-leading data security platform that incorporates application-transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit: www.vormetric.com.