Presentation is loading. Please wait.

Presentation is loading. Please wait.

Property of the University of Notre Dame Copyright David Seidl, Bob Winding, Mike Chapple, Bob Richman, 2008. This work is the intellectual property of.

Published byGloria Miles Modified over 9 years ago

Similar presentations

Presentation on theme: "Property of the University of Notre Dame Copyright David Seidl, Bob Winding, Mike Chapple, Bob Richman, 2008. This work is the intellectual property of."— Presentation transcript:

1 Property of the University of Notre Dame Copyright David Seidl, Bob Winding, Mike Chapple, Bob Richman, 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. 1

2 Property of the University of Notre Dame The Data Center Within A Data Center: Building A Secure Environment For Compliance EDUCAUSE Security Professionals May, 2008

3 Property of the University of Notre Dame Why Are We Here Today? Universities are dealing with increasing compliance burdens. – HIPAA, FERPA, GLBA, PCI DSS, FDA, and more Management is more open to solutions that spend up front money to control staff and infrastructure costs over time. – Simplification of compliance efforts is key. Current technology allows new approaches. – Virtualization and segmentation 3

4 Property of the University of Notre Dame Agenda PCI DSS Background Notre Dame’s Environment Payment Card Environment Design Networking Infrastructure Deployment: Departments and Decentralized IT 4

5 Property of the University of Notre Dame 5 Payment Card Industry Data Security Standard (PCI DSS) Visa Cardholder Information Security Program (CISP) PCI DSS History Mastercard Site Data Protection Program (SDP) Discover Information Security Compliance Program (DISC) American Express Data Security Standard (DSS)

6 Property of the University of Notre Dame 6 Compliance Requirements: the Digital Dozen Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security

7 Property of the University of Notre Dame 7 Who Must Comply? “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.” “Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.” That Probably Means You

8 Property of the University of Notre Dame 8 Merchant Levels Merchant Level Description 1Any merchant who processes over 6,000,000 transactions annually. Any merchant designated Level 1 by Visa 2Any merchant who processes between 1,000,000 and 6,000,000 transactions annually. 3Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually. 4Anyone else

9 Property of the University of Notre Dame 9 Merchant Levels All merchants, regardless of level, must comply with all elements of the PCI DSS standard! Merchants at different levels have different validation requirements – Higher merchant levels cost significantly more to meet validation requirements.

10 Property of the University of Notre Dame 10 Consequences Reputational Risk – What will the impact be on your institution’s brand? – Mandatory involvement of federal law enforcement in investigation Financial Risk – Merchant banks may pass on substantial fines – Up to $500,000 per incident from Visa alone – Civil liability and cost of providing ID theft protection

11 Property of the University of Notre Dame 11 Consequences Compliance Risk – Exposure to Level 1 validation requirements Operational Risk – Visa-imposed operational restrictions – Potential loss of card processing privileges

12 Property of the University of Notre Dame Agenda PCI DSS Background Notre Dame’s Environment Payment Card Environment Design Networking Infrastructure Deployment: Departments and decentralized IT 12

13 Property of the University of Notre Dame 13 Notre Dame’s Environment, Circa 2006 Over 70 merchant accounts, 15 applications No central oversight One day all of that changed…

14 Property of the University of Notre Dame 14 (Campus payment diagram)

15 Property of the University of Notre Dame 15 Notre Dame’s Approach First, we conducted a risk assessment in conjunction with a PCI consulting firm From that, launched a credit card security program – First Goal: Minimize on-campus card processing – Second Goal: Migrate existing systems to a dedicated, isolated network Then we worked to reduce our footprint and then secure what was left

16 Property of the University of Notre Dame Reducing Our PCI Footprint Identify merchant accounts and payment locations. Assess which systems can be moved to 3 rd party vendors. – Non-specialized systems are the low hanging fruit. Simplify environments where possible. 16

17 Property of the University of Notre Dame Design Concept PCI compliance requirements apply by contagion: anything that touches it becomes infected. Separating using acceptable methods decreases your compliance footprint. VPN, firewalling, and dedicated infrastructure make control simpler. 17

18 Property of the University of Notre Dame Agenda PCI DSS Background Notre Dame’s Environment Payment Card Environment Design Networking Infrastructure Deployment: Departments and decentralized IT 18

19 Property of the University of Notre Dame The Datacenter Within A Datacenter Identify all services needed for the card processing systems: – Management systems – Infrastructure support – Compliance systems – Monitoring systems Scope and size systems Set standards for those systems 19

20 Property of the University of Notre Dame Design: ND’s PCI Architecture Architecture diagram not included for public release. 20

21 Property of the University of Notre Dame System and Security Components Secure Computing Firewall Cisco VPN Two factor Safeword authentication to infrastructure (VPN) Tripwire server integrity assurance Juniper IDS Qualys vulnerability scanners – inside, campus perspective, and off-campus viewpoints. – PCI compliance module

22 Property of the University of Notre Dame System and Security Components Infrastructure – NTP, AD, ePO AV, monitoring, IP KVM, central logging, update servers, etc. POS clients and servers – Device configuration standards WebInspect HighTower SIM device for log and event analysis and monitoring.

23 Property of the University of Notre Dame Firewall and IDS design Firewall isolates all PCI traffic Single external physical interface Single internal interface with multiple VLANs Zones organized by function Some special zones for campus systems Remote Sites connected through VPN concentrator Passive IDS (tried IPS) monitors all internal traffic

24 Property of the University of Notre Dame Sidewinder Firewall Application proxy firewall Default deny inbound and outbound Group based VPN, access restricted by job function Least privilege rule base All access explicitly controlled

25 Property of the University of Notre Dame Key Internal Zones

26 Property of the University of Notre Dame Key Internal Zones

27 Property of the University of Notre Dame Key Internal Zones

28 Property of the University of Notre Dame Isolating Systems Diagram not provided for public release.

29 Property of the University of Notre Dame Isolating Systems

30 Property of the University of Notre Dame Agenda PCI DSS Background Notre Dame’s Environment Payment Card Environment Design Networking Infrastructure Deployment: Departments and decentralized IT 30

31 Property of the University of Notre Dame Network Design From the PCI Standards Document: 1.Encryption of data over open, public networks 2.Follow change control procedures 3.Review logs for all system components daily

32 Property of the University of Notre Dame Challenges Encryption of data over open, public networks. Required over ‘secure’ vlans?

33 Property of the University of Notre Dame Challenges Follow change control procedures. – Initial design thoughts incorporated ‘secure’ vlans that we present at each endpoint on campus. – This would have involved implementing change control on more than 150 network devices, including access layer switches. Review logs for all system components daily. – Workload for 150 devices would have been high

34 Property of the University of Notre Dame Devices requiring change control with ‘secure’ vlan

35 Property of the University of Notre Dame Our solution: Remote site VPNs Utilizes Cisco 3015 VPN concentrator with Cisco 851 VPN routers for endpoints. Extends the PCI network where we need it. We provide user subnet space based on customer need: – Stand-alone credit card terminals – POS devices – Single use computers

36 Property of the University of Notre Dame Additional Benefits of VPN The VPN tunnel provides a secure method of managing network devices. Provides a means of remote access for system administrators Fewer devices to manage. Provides for easier additions to the PCI network.

37 Property of the University of Notre Dame Agenda PCI DSS Background Notre Dame’s Environment Payment Card Environment Design Networking Infrastructure Deployment: Departments and decentralized IT 37

38 Property of the University of Notre Dame Deployment: Departments and Decentralized IT 38

39 Property of the University of Notre Dame Two Types of Support Central IT – Fewer technical users. – Existing payment solutions are often inherited. – Responsibility for payment system is often not clearly defined. Departmental IT – Internal processes and procedures. – Often very small staff, broad responsibilities. – Payment solutions are often provided by external vendors. – Responsibility for payment system is often inherited. 39

40 Property of the University of Notre Dame Existing systems Food Services – Many terminals – Other services blended in: vending machines, food service displays, and campus “Domer Dollars” – Many locations – Blend of commercial and custom software – Departmental IT Theater Ticketing and Events – Single location – Mobile and static workstations – Web driven – Single commercial software package – Only standard transactions – Central IT 40

41 Property of the University of Notre Dame Deployment Steps Review existing architecture Design solution Build required resources Test Migrate into production – Often in phases – Often unexpected hurdles due to legacy systems and applications 41

42 Property of the University of Notre Dame Challenges Process: creating a controlled system for adding new systems and handling changes. Lack of vendor documentation of protocols – many large high port groupings, reliance local broadcast for discovery, etc. Split system administration DR for systems designed without DR capabilities. 42

43 Property of the University of Notre Dame Lessons Learned Review vendor documentation and current implementation. – Historic designs are often still in use. Dataflow diagrams are crucial. Provide a fast troubleshooting process and a defined support team. Provide a single point of responsibility with backup for migrations. 43

44 Property of the University of Notre Dame Questions 44

Download ppt "Property of the University of Notre Dame Copyright David Seidl, Bob Winding, Mike Chapple, Bob Richman, 2008. This work is the intellectual property of."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor 2007. This work is the intellectual property of the author. Permission.

PCI Compliance in the University Setting Copyright Sandie Rosko, John Chapman, Jay Maylor This work is the intellectual property of the author. Permission.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright.

Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright.

Similar presentations

Ads by Google