PCI Amsterdam: 27.11.2014: Rocky-Road-to-PCI-Compliance

The Rocky Road to Business As Usual PCI Europe, Amsterdam 27.11.2014 Kim Halavakoski

Transcript of PCI Amsterdam: 27.11.2014: Rocky-Road-to-PCI-Compliance


def self.info(Kim Halavakoski)

• Security Geek / Nerd

• Chief Security Officer

• 3 kids: 3(♀), 6(♂) and 8(♀) years old, 5 cats

• Hobbies: RC-planes, Quadcopters, Robotics, Photography, Running, Weightlifting…

khalavakoski khalavak

G+ Communities: PCI-Jedis, Security De-Obfuscated

We develop, deliver and manage systems and solutions for the Nordic financial and capital markets.

Our mission is to make it easy and profitable to run a financial business. Our vision is to be our customers' most valued partner.

We have offices in Mariehamn, Helsinki, Stockholm and Turku

Crosskey Banking Solutions Ab Ltd

We are a PCI-DSS Compliant Level 1 Service Provider

PCI 101: Some background to PCI-DSS, statistics, requirements

COMPLIANT

EASY CHEAP

Prevention, Detection & Response

Shift the focus from prevention to detection- and response-based event management


The 5 stages of PCI maturity

• "As a Service Provider I don't have to comply with these requirements!"

• "These requirements are stupid!"

• "If I do these compensating controls then I can do what I want!"

• "What have I done wrong to deserve 10.6.1?"

• "OK, we use payment cards so we need to do this PCI-DSS thing!"

Stakeholder approval

Management approval and buy-in is essential for the success of your PCI efforts

There is no appliance that automagically gets you PCI-DSS compliant

Get a good QSA

Scoping is vital for PCI-DSS success

Scoping, Scoping, Scoping & Scoping

Collaboration

One key to success is effective collaboration

#DevOpsSec #DevOps

Automation & Configuration management

Configuration standards, snowflake servers and cattle

• Cattle are given numbers like vm001.crosskey.fi

• They are almost identical to other cattle

• When they get ill, you get another one

• Pets are given names like garfield.crosskey.fi

• They are unique, lovingly hand raised and cared for

• When they get ill, you nurse them back to health
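The cattle/pets distinction only pays off if a configuration standard is actually enforced, so here is an added example (not from the talk) that checks an inventory against a baseline and flags the snowflakes: numbered hosts that drift are rebuilt, named hosts that drift are nursed. The standard, the settings and the inventory snapshot are constructed; only the hostname pattern follows the talk.

```python
"""Configuration-standard drift check for cattle vs. pet servers.

Added example, not part of the original talk. STANDARD, INVENTORY and the
setting names are constructed; the naming pattern follows the talk
(vm001.crosskey.fi = cattle, garfield.crosskey.fi = pet).
"""
import re

# Cattle are given numbers: a short prefix, digits, then the domain.
CATTLE_NAME = re.compile(r"^[a-z]+\d+\.")

# Constructed configuration standard every in-scope host must match.
STANDARD = {
    "ssh_password_auth": "no",
    "ntp_server": "ntp.internal.example",
    "log_forwarding": "enabled",
    "telnet": "disabled",
}

# Constructed inventory snapshot of the settings actually found per host.
INVENTORY = {
    "vm001.crosskey.fi": dict(STANDARD),
    "vm002.crosskey.fi": {**STANDARD, "ssh_password_auth": "yes"},
    "garfield.crosskey.fi": {"ssh_password_auth": "no",
                             "ntp_server": "ntp.internal.example",
                             "telnet": "enabled"},
}


def is_cattle(hostname: str) -> bool:
    """Numbered hosts are cattle; everything else is a hand-raised pet."""
    return CATTLE_NAME.match(hostname) is not None


def drift(actual: dict, standard: dict = STANDARD) -> dict:
    """Map each deviating setting to (expected, actual). A setting missing
    from the host appears with actual=None, so silent omissions are caught."""
    return {k: (v, actual.get(k)) for k, v in standard.items()
            if actual.get(k) != v}


def find_snowflakes(inventory: dict, standard: dict = STANDARD) -> dict:
    """Report every drifting host with the action the cattle/pets model
    implies: cattle are rebuilt from the standard, pets are remediated."""
    report = {}
    for host, settings in inventory.items():
        d = drift(settings, standard)
        if d:
            cattle = is_cattle(host)
            report[host] = {"class": "cattle" if cattle else "pet",
                            "action": "rebuild" if cattle else "remediate",
                            "drift": d}
    return report
```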

Monitoring, Detection & Response

Shift the focus from prevention to detection- and response-based event management

[Chart: Verizon DBIR 2013, Compromise / Discovery]

• Antivirus

• Log review

• Threat intelligence

• Security analyst

• SIEM / Log management

• Fraud monitoring

• End-point protection

Young padawan, don't forget: Lack of focus leads to sloppiness, sloppiness leads to misconfiguration, and misconfiguration leads to compromise.

— pauldotcom.com security weekly

Business As Usual: PCI-DSS has to be integrated into your daily operations in order to succeed

Security

PCI Taskforce

Summary

UNDERSTAND PCI-DSS REQUIREMENTS: Get acquainted with the PCI-DSS standard and its requirements. Discuss your ideas and thoughts with your QSA.

GET STAKEHOLDER APPROVAL: PCI-DSS compliance requires a substantial effort from the organisation in order to succeed. This will require time, money and management sponsorship to reach the whole organisation.

HIRE A GOOD QSA: Get a good QSA. There are a lot of QSACs offering their services. Make sure you get a QSA that understands your business and your particular needs. Make sure your QSA is on the same page and that you have respect for each other.

SCOPING: Scoping is a hard nut to crack. The standard is "intentionally" not clear on the details of what is in scope and what is not.

AUTOMATION & CONFIGURATION MANAGEMENT: Automation is a really good way to create efficiency in your workflows. Automate all the things that take time to do and focus on the tasks and requirements that cannot be automated. The more smart automation you do, the more time you have to improve and make things more efficient and compliant.

COLLABORATE WITH YOUR TEAMS: Collaboration is critical for succeeding with fulfilling all requirements. You can't do it on your own; you'll need your Operations Team, Development Team, Security Team and Business Team to make it happen.

INVEST IN MONITORING: Monitoring your environment for malicious activity is difficult. Invest in monitoring, get the team and tools you need to monitor your environment. Outsource if you have to, do it in-house if you can.

IMPLEMENT PCI-DSS INTO YOUR DAY-TO-DAY BUSINESS OPERATIONS: There are a multitude of tasks that need to be done on a daily, weekly, monthly, quarterly, bi-annual and annual basis in order to stay compliant. These tasks have to become second nature for your organisation and your teams to stay compliant.