In this talk we will present a method for bringing your IT infrastructure (at any scale) into conformance with the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS).
The topics covered in the talk include:
* PCI DSS introduction,
* language specifications used for automated assessment of security compliance,
* details of the PCI DSS benchmark implementation in the SCAP Security Guide,
* demonstration of a manual assessment of a single computer using open-source tools from the OpenSCAP ecosystem,
* performing corrective operations (remedial action),
* presentation of an open-source solution to install a PCI DSS compliant system from scratch,
* large-scale open-source solutions combining systems management with security compliance.
Starting with a brief PCI DSS introduction, we will proceed to the commonly used language specifications (XCCDF, OVAL) for automated assessment of the security compliance of a computer infrastructure. With these building blocks defined, we will present the details of the implementation of the PCI-DSS security benchmark in the SCAP Security Guide project. Subsequently we will use this benchmark definition to demonstrate a manual assessment of a single computer using the open-source tools from the OpenSCAP ecosystem. Once familiar with the basic toolset, we will show how these tools can be used to perform corrective operations (remedial action) so that the system reaches PCI-DSS compliance. Later we will present the motivation for being able to install a PCI-DSS compliant system right from scratch, and introduce a tool that helps with this effort.
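The manual assessment described above produces an XCCDF result document. As an added example that is not part of the talk or of the OpenSCAP project, the following Python summarises such a result: it reads the `profile` reference and every `rule-result`, counts outcomes and lists the rules that failed. The input is a constructed fragment with placeholder rule ids; the namespace, element names and the PCI-DSS profile id are those used by OpenSCAP and the SCAP Security Guide.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by OpenSCAP result files.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample of the TestResult part of an `oscap xccdf eval` results
# file; rule ids are placeholders, real ones come from the SCAP Security Guide.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_sample">
  <profile idref="xccdf_org.ssgproject.content_profile_pci-dss"/>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_a" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_b" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_example_c" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

def summarize_xccdf(xml_text):
    """Return (profile id, Counter of result values, [(failed rule id, severity)]).

    Only 'fail' is treated as a compliance gap; 'notapplicable', 'notchecked'
    and 'informational' are counted but do not block compliance.
    """
    root = ET.fromstring(xml_text)
    profile = root.find("x:profile", XCCDF_NS)
    profile_id = profile.get("idref") if profile is not None else None
    counts = Counter()
    failed = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result == "fail":
            failed.append((rr.get("idref"), rr.get("severity", "unknown")))
    return profile_id, counts, failed

if __name__ == "__main__":
    profile_id, counts, failed = summarize_xccdf(SAMPLE_RESULTS)
    print(profile_id, dict(counts))
    for rule_id, severity in failed:
        print(f"FAIL [{severity}] {rule_id}")
```

In a real scan the TestResult is embedded in the results or ARF file written by oscap, so the same function can be applied to that element once it has been located in the larger document.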
Finally we will detail how the presented approach to assessing computer systems can be used at larger scale, introducing open-source solutions that combine systems management with security compliance. We will illustrate their application to establishing a PCI-DSS compliant infrastructure, and briefly document the steps to be taken when compliance against a different security guidance / baseline is desired. At the end we will sketch where development in the area of security compliance might be heading in the future.
Speaker: Ján Lieskovský