8/13/2019 3.5 Oracle PCI DataSecurity
Oracle Solutions for PCI-DSS Compliance
Chris Pickett
Principal Solution Architect, Enterprise Information Management
Oracle Corporation
Agenda
- PCI-DSS Overview
- Oracle Solutions
- Demonstration
- Case Study
- Q & A
PCI Data Security Standard: 6 Major Control Areas, 12 Requirements

Build and Maintain a Secure Network
- Req 1: Install and maintain a firewall configuration to protect data
- Req 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Req 3: Protect stored data
- Req 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Req 5: Use and regularly update anti-virus software
- Req 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Req 7: Restrict access to data by business need-to-know
- Req 8: Assign a unique ID to each person with computer access
- Req 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Req 10: Track and monitor all access to network resources and cardholder data
- Req 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Req 12: Maintain a policy that addresses information security
PCI Data Security Standard: Requirements Covered Today
(The same twelve requirements as on the previous slide; the ones addressed by the solution slides that follow are Req 3, 4, 7, 10 and 11.)
PCI-DSS Compliance: Encryption (Req 3: Protect Stored Data)
[Diagram: end-users, DBA and sysadmin paths through the application into the database and its storage; confidentiality (on-disk encryption) is applied at the storage layer by Oracle Advanced Security]
Oracle Advanced Security (on-disk encryption):
- Transparently encrypt data at a column or tablespace level
- PCI-DSS key management requirements supported by Oracle Wallet
- HSM appliances also supported
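As an added illustration (not from the deck) of the column-level transparent data encryption this slide describes, and of the retrofit route the case study later in the deck took: Oracle 11g-era TDE syntax. The wallet directory, the wallet password and every schema, table and column name are assumptions constructed for the example.

```sql
-- sqlnet.ora on the database server (shown as comments: sqlnet parameters, not SQL).
-- The wallet directory is an assumption for this example; restrict it to the oracle
-- OS user and keep it out of the database's own backups.
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/orcl)))

-- First run only: creates the wallet and the TDE master key and opens the wallet
-- (Oracle 11g syntax). The password is a placeholder, not a real credential.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";
-- After every instance restart the wallet must be opened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password_placeholder";

-- Constructed cardholder table: only the PAN and expiry are encrypted at rest.
-- NO SALT is needed if the column will be indexed or joined on; otherwise keep the
-- default SALT, which stops equal PANs producing equal ciphertext.
CREATE TABLE payapp.payments (
  payment_id   NUMBER PRIMARY KEY,
  customer_id  NUMBER,
  card_number  VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT,
  expiry       VARCHAR2(5)  ENCRYPT USING 'AES256',
  amount       NUMBER(12,2)
);

-- The case-study route: an existing COTS table is encrypted in place, so the
-- application's SQL is untouched (LEGACY_APP.CUST_CARDS is constructed).
ALTER TABLE legacy_app.cust_cards MODIFY (pan ENCRYPT USING 'AES256' NO SALT);

-- Evidence for the assessor: every encrypted column with its algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- Wallet state; anything other than OPEN means encrypted columns cannot be decrypted.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```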
PCI-DSS Compliance: Segregation of Duties (Req 7: Restrict access to data by business need-to-know)
[Diagram: the same end-user, DBA and sysadmin paths into the database and storage; Oracle Database Vault enforces segregation of duties at the database layer]
Oracle Database Vault (segregation of duties):
- Enforce segregation of duties for DBAs and other highly privileged users
- Enforce access control at the database level on any end-user access attempts outside authorised applications
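An added example (not from the deck) of how the Database Vault realm behind the segregation-of-duties bullets above is defined through the DBMS_MACADM API; the Database Vault owner account, the PAYAPP schema and the PAYMENTS table are assumptions constructed for the example.

```sql
-- Run as the Database Vault owner account (assumed: DVOWNER). Schema and object
-- names (PAYAPP, PAYMENTS) are constructed for this example.
BEGIN
  -- A realm is a protection zone: objects inside it are no longer reachable through
  -- system privileges such as SELECT ANY TABLE, which is what a DBA would otherwise
  -- use to read cardholder data.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Cardholder Data Realm',
    description   => 'PCI-DSS Req 7: cardholder tables reachable only by the application',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- record blocked attempts

  -- Every object in the application schema is protected ('%' = all objects/types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Cardholder Data Realm',
    object_owner => 'PAYAPP',
    object_name  => '%',
    object_type  => '%');

  -- Only the application schema is an authorised participant; the DBA account is
  -- deliberately not listed, and that omission is the segregation of duties.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Cardholder Data Realm',
    grantee       => 'PAYAPP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verification from a DBA account that holds SELECT ANY TABLE: the realm, not the
-- grant, now decides the outcome. Expected: ORA-01031 insufficient privileges.
SELECT card_number FROM payapp.payments WHERE ROWNUM = 1;

-- The refused attempt is written to the Database Vault audit trail.
SELECT username, action_name, action_object_name, returncode
  FROM dvsys.audit_trail$
 WHERE action_name LIKE 'Realm Violation%';
```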
PCI-DSS Compliance: Non-Production Environments (Req 7: Restrict access to data by business need-to-know)
[Diagram: the production database feeding development/test (D/T) databases through Oracle Data Masking Pack]
Oracle Data Masking Pack (masking non-production data):
- Persistently mask card numbers and any other sensitive information prior to instantiation in development or test databases
PCI-DSS Compliance (Req 4: Encrypt transmission of cardholder data)
[Diagram: application and end-user connections into the database and its D/T databases; Oracle Advanced Security provides confidentiality (network encryption) on the wire]
Oracle Advanced Security (network encryption):
- Transparently encrypt all network traffic into and out of Oracle Database
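An added example (not from the deck) of the server-side native network encryption settings behind this slide, with the in-session check a practitioner uses to confirm a connection was actually encrypted rather than silently negotiated down to cleartext.

```sql
-- sqlnet.ora on the database server (shown as comments: sqlnet parameters, not SQL).
-- REQUIRED refuses any client that cannot negotiate encryption and integrity; the
-- default, ACCEPTED, silently falls back to cleartext for clients that do not ask.
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)   -- 12c and later; 11g offers SHA1

-- Check from inside a session that encryption really was negotiated. Expect banner
-- rows naming the adapters, e.g. "AES256 Encryption service adapter" and
-- "SHA256 Crypto-checksumming service adapter"; a cleartext session lists the
-- generic "Encryption service for ..." banner with no algorithm row after it.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```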
PCI-DSS Compliance: Monitoring (Req 10: Track and monitor all access)
[Diagram: end-user, DBA and sysadmin access to the database, its D/T databases and storage; a data auditor reviews the access records through Oracle Audit Vault]
Oracle Audit Vault (monitoring of data access):
- Monitor all data access attempts (successful or otherwise)
- Supports fine-grained auditing rules (e.g. cardholder access only)
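An added example (not from the deck) of the "cardholder access only" fine-grained auditing rule the slide mentions, defined in the source database whose trail Audit Vault consolidates; the PAYAPP schema, PAYMENTS table and CARD_NUMBER column are assumptions constructed for the example, and standard auditing assumes the AUDIT_TRAIL initialisation parameter is set to DB or DB,EXTENDED.

```sql
-- Fine-grained auditing: record a statement only when it references the PAN column,
-- whoever runs it, and keep the SQL text (DB_EXTENDED) for the investigator.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'PAYAPP',
    object_name     => 'PAYMENTS',
    policy_name     => 'PCI_CARDHOLDER_ACCESS',
    audit_condition => NULL,            -- no row filter: any row counts
    audit_column    => 'CARD_NUMBER',   -- fire only when this column is touched
    enable          => TRUE,
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- FGA only records statements that actually execute. The "or otherwise" case, a
-- user being refused for lack of privilege, is caught by standard object auditing.
AUDIT SELECT, INSERT, UPDATE, DELETE ON payapp.payments BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Review: who touched cardholder data, from where, and what they ran.
SELECT db_user, os_user, userhost, object_name, sql_text, timestamp
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PCI_CARDHOLDER_ACCESS'
 ORDER BY timestamp DESC;

-- Review: refused attempts (non-zero RETURNCODE, e.g. 1031 = insufficient privileges).
SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'PAYAPP' AND obj_name = 'PAYMENTS' AND returncode <> 0
 ORDER BY timestamp DESC;
```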
PCI-DSS Compliance: Testing (Req 11: Regularly test security systems and processes)
[Diagram: Oracle Configuration Management tests the database, its D/T databases and storage against the requirements (Req. 3, Req. 6, etc.); the test results go to the data auditor and the PCI-DSS auditor as an attestation of compliance]
Oracle Configuration Management (attestation of compliance):
- Test and prove compliance to PCI-DSS
Case Study: PCI-DSS Compliance at an Australian Insurance Company

Business challenges
- Cardholder information being transmitted and stored
- Implementing a COTS insurance application: changes to the application difficult/impossible
- PCI-DSS audit impending

Solution
- Oracle Advanced Security to implement column-based encryption for all cardholder-related columns
- No changes to application required

Business results
- Achieved PCI-DSS compliance
- No impact to application and minimal impact to project timelines
Questions