The Payment Card Industry Data Security Standard (PCI DSS) is not new. It has existed for several years and provides security requirements and best practices for the storage, processing and transmission of cardholder data. This article takes a look at PCI DSS 3.2 (published in April of 2016) and shows how Identity Management in Red Hat Enterprise Linux (IdM) and related technologies can help customers address PCI DSS requirements to achieve and remain compliant with the standard. If you need a copy of the PCI DSS document, it can be obtained from the document library at www.pcisecuritystandards.org
In October of 2015 Red Hat published a paper that gives an overview of the PCI DSS standard and shows how Red Hat Satellite and other parts of the Red Hat portfolio can help customers address their PCI compliance challenges. In this post I would like to expand on that paper and drill down into more detail about the Identity Management solution Red Hat provides and how it can be leveraged to achieve PCI DSS compliance in conjunction with the other technologies covered in the paper.
Note that this post assumes familiarity with the Red Hat IdM solution. If you're not "up-to-speed" - please review our Identity Management documentation. My previous blog posts also provide a good foundation for the problem space and an understanding of the solution. Identity Management in Red Hat Enterprise Linux is an open source solution based on the FreeIPA community project. There is a public demo instance of the FreeIPA server running in the cloud that you can connect to and explore using the following link: http://www.freeipa.org/page/Demo
Since the standard is quite big I will break this article into a series of individual posts - addressing one section at a time. The following table maps each requirement of the PCI DSS document to the corresponding follow-up post.

| Requirement Number | Requirement Description | Link to Blog Post / Reference |
| --- | --- | --- |
| 1 | Install and maintain a firewall configuration to protect cardholder data. | PCI Series: Requirement 1 - Install and Maintain a Firewall Configuration to Protect Cardholder Data |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | PCI Series: Requirement 2 - Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters |
| 3 | Protect stored cardholder data. | PCI Series: Requirement 3 - Protect Stored Cardholder Data |
| 4 | Encrypt transmission of cardholder data across open, public networks. | The same approach as discussed for requirement 2 can be employed to meet the requirements in this part of the PCI DSS standard. |
| 5 | Protect all systems against malware and regularly update anti-virus software or programs. | Red Hat Identity Management is not directly related to this section. Refer to section 5 of the PCI DSS standard. |
| 6 | Develop and maintain secure systems and applications. | PCI Series: Requirement 6 - Develop and Maintain Secure Systems and Applications |
| 7 | Restrict access to cardholder data by business need to know. | PCI Series: Requirement 7 - Restrict Access to Cardholder Data by Business Need to Know |
| 8 | Identify and authenticate access to system components. | PCI Series: Requirement 8 - Identify and Authenticate Access to System Components |
| 9 | Restrict physical access to cardholder data. | Red Hat Identity Management is not directly related to this section. Refer to section 9 of the PCI DSS standard. |
| 10 | Track and monitor all access to network resources and cardholder data. | PCI Series: Requirement 10 - Track and Monitor All Access to Network Resources and Cardholder Data |
| 11 | Regularly test security systems and processes. | Requirements 11 and 12 cover the testing of security controls, including scanning and monitoring, and best practices around the security policy itself that organizations should create and maintain. Red Hat Identity Management is not directly related to these sections. |
| 12 | Maintain a policy that addresses information security for all personnel. | See the note for requirement 11. |
It's worth mentioning that while this series is focused on IdM and its ecosystem, there are other parts of the Red Hat portfolio that can address some of the PCI DSS requirements we do not drill down into here. For example, the OpenSCAP scanner integrated into Red Hat Satellite 6 allows for the regular detection of unaddressed CVEs and of misconfigurations relative to a defined policy. For more information about these technologies and how they help address PCI DSS requirements, please see the Achieving and Maintaining PCI DSS Compliance with Red Hat paper on the Red Hat site.
In closing - stay tuned for my future posts on PCI DSS. Once they are live, you'll see active links in the table above. General questions about PCI DSS and IdM? Feel free to reach out using the comments section below.