Download as PDF, PPTX
Uploaded byRommel Garcia
PCI Compliane With Hadoop
The document discusses PCI compliance in Hadoop environments, emphasizing the importance of encryption and tokenization to manage sensitive data and reduce compliance scope. It outlines key guidelines, such as strong encryption protocols, two-factor authentication, and proper key management. Additionally, it highlights potential risks and best practices for maintaining security while using Hadoop technologies.
More Related Content
Similar to PCI Compliane With Hadoop
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
PCI Compliane With Hadoop
- 1. PCI Compliance WithHadoop
- 2. Rommel Garcia Currently GlobalSecurity SME @ Hortonworks Was Tokenization Solutions Engineer @ Liaison Technologies
- 3. PCI Focus Hadoop environment Thisis what we will cover Business process Let’s leave this to business folks
- 4. PCI In ANutshell
- 5. Level of Paranoia PCIExtra Measures Cybersecurity
- 6. PCI Compliance Guideline Transmissionof identity must be encrypted Two factor authentication Key management location encryption expiration of keys/tokens Management of user access to resources Services Data Geography
- 7. PCI Compliance Guideline Strongencryption protocols at rest (AES-256, etc.) and in motion (latest TLS/SSL) No passwords in the clear System audit information based on resource, time, client info, userid and function Prove “Chain of Custody” No sensitive data stored in logs
- 8. PCI Scope De-scope usingTokenization 100% in-scope using Encryption
- 9. De-Scoping Through Tokenization Reduce sensitivedata footprint
- 10. What is tokenization? Processof turning sensitive data into a value with no meaning, called token i.e. 1234-567890-12345 => $^hAt_786Ab}+=-12345 If token is compromised, there’s zero risk Recipient of token is out-of-scope for PCI compliance
- 11. De-scoping Tokenization App keys tokens/ encrypted data lookuptoken Hadoop Environments batch/realtime data sourcescreate token Non-Hadoop Environments tokens/non-sensitivedata = in scope
- 12. Sample De-Scoping Architecturev1 Data Sources CDC Kafka NiFi HBase HDFS API Tokenization App
- 13. Sample De-Scoping Architecturev2 Data Sources CDC Kafka NiFi HBase HDFS API Tokenization App
- 14. Compliance Thru Encryption 100%In-Scope
- 15.
- 16. Encryption Scope Network links Datastreams Local storage HDFS In-Motion At-Rest
- 17. At-Rest Encryption Data Sources CDC KafkaNiFi HBase HDFS API 1 1 32334 1 2 3 4 HDFS TDE EncryptContent Processor or LUKS LUKS LUKS / Encryption Appliance / Native Encryption
- 18. In-Motion Encryption Data Sources CDC KafkaNiFi HBase HDFS API 7 5 64321 1 2 3 4 FTPS / SFTP / HTTPS / JDBC, ODBC over SSL SSL SSL TLS/SSL 5 6 7 SSL TLS/SSL RPC / DTP / SSL
- 19. Secure DR Link DCDR 1 distcp (mapred over ssl) 2 vpn (guaranteed) 2 SSL
- 20. Separation Of Concerns Admins Operators Developers Analyst DataScientist InfoSec Infrastructure Engineer
- 21. What To WatchOut For Kerberos is a MUST If using Tokenization App, choose with NoSQL Backend (HBase, Redis, etc.) No RC4 or MD5 Use TLSv1.2 or newer Use key length greater than 128 bits All passwords must be encrypted No super user - root & hdfs has access to encryption keys
- 22. What To WatchOut For Do not delete encryption keys/rolled over keys LDAPS is a MUST If operators, not admins, has access to machines at OS level, LUKS won’t work. Lock down permissions to OS security config files Use CA Certs if possible Only open ports you will use Guarantee “ordered” processing from a batch source