PCI compliance is, at bottom, about protecting the servers that handle cardholder data, and you cannot be too careful about how you do it. The core of the job is separating those key components from the rest of your online systems, and most important of all is isolating the server that stores or processes credit card data from everything else on your network. That segmentation is the heart and soul of PCI compliance. I will assume that the team in charge of security and PCI compliance has built your core servers on a hardened Linux base. It is very unlikely, however, that every system on your network runs Linux, and under those circumstances every other system that can reach the core, and in particular every non-Linux host that falls outside the hardening standard applied to the core, is a potential path into your cardholder data and a threat to the integrity of your PCI compliance.
So how do you plug these gaps? We will come to that in a little more detail later, but first let's talk about what PCI compliance demands of the core systems themselves. Remember that the most stringent PCI DSS requirements apply to the systems that store, process or transmit cardholder data. Systems that are properly segmented away from that environment fall outside the scope of the assessment, so they can be held to a lower standard.
How isolating key systems can aid PCI compliance:
Isolating your Linux-based core from the other systems on the network is a tremendous advantage when you are going for PCI compliance. You almost certainly already run a firewall on the core servers, but on a flat network that firewall is the only thing standing between every other host and your cardholder data. Once the core sits on its own segment, with a default-deny policy that admits only the few hosts and ports that have a business reason to reach it, the firewall has far less to defend and its rules can be short enough to audit line by line. Fail to do this, and every other host on the network, above all the non-Linux systems you do not control as tightly, becomes a possible stepping stone through the core system's firewall, and that can lead to a disastrous breach.
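What such a default-deny host firewall looks like in practice, as an added example that is not part of the original article: an nftables ruleset for the cardholder-data server. The addresses (10.10.10.5 for the core server, 10.10.30.7 for the one application server allowed to talk to it, 10.10.20.5 for an administrative jump host) and the application port 5432 are assumptions for illustration, not values from the article.

```nft
#!/usr/sbin/nft -f
# Host firewall for the cardholder-data server (assumed address 10.10.10.5).
# Assumed peers: app server 10.10.30.7 (the single permitted channel, which is
# expected to be IPsec-protected) and jump host 10.10.20.5 for administration.
# Everything else on the corporate network is dropped, whatever OS it runs.
flush ruleset

table inet cde_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Plaintext on the application port from the peer is dropped here, before
        # the conntrack shortcut below could accept packets of an existing flow
        ip saddr 10.10.30.7 tcp dport 5432 meta ipsec missing drop

        ct state established,related accept
        ct state invalid drop

        # IKEv2 and ESP from the single permitted peer, nothing else
        ip saddr 10.10.30.7 udp dport { 500, 4500 } accept
        ip saddr 10.10.30.7 ip protocol esp accept

        # The application traffic itself (assumed: PostgreSQL on 5432) is accepted
        # only after it has been decrypted from an IPsec security association
        ip saddr 10.10.30.7 tcp dport 5432 meta ipsec exists accept

        # Administration only from the jump host
        ip saddr 10.10.20.5 tcp dport 22 accept

        # Anything else from the LAN, Linux or not, is logged and dropped
        log prefix "cde-drop: " drop
    }

    chain forward {
        # The core server never routes traffic on behalf of other hosts
        type filter hook forward priority 0; policy drop;
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. The rules worth checking in an audit are the two that mention 5432: a connection from 10.10.30.7 that did not arrive inside an IPsec tunnel never reaches the accept rule, so the encrypted channel is not merely available but mandatory.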
There is a more serious reason why isolating the core from the rest of your systems matters. Many people think that isolating a server means shielding it from unauthorized access from outside the company's network, but that is only half of it. What I mean by isolating a server is cutting it off not only from systems outside the company but also from systems within the company's own networks.
If you do not, the attack on your core system can come from inside the company. A disgruntled employee or technician could use weaknesses in the internal network to reach the data on the core system and steal it. People do not always consider that an attack need not come from outside; it can equally come from inside. A flat network that mixes Linux with other operating systems gives such a person more machines to compromise and more paths to the core, and so increases the chance that a weakness is exploited by an interested party.
Other advantages of isolating your key Linux systems:
There are financial reasons too. The scope of a PCI DSS assessment is the cardholder data environment plus anything connected to it, so the smaller the isolated core, the fewer systems the auditor must examine and the penetration testers must cover, and the less the audit and testing cost. Isolation keeps the assessment of your most sensitive systems to the minimum and puts the least drain on your financial resources.
Despite all the isolation, some data will inevitably need to move between different systems on your network. Suppose you have one Linux server that holds the core data and another server, running some other operating system, that stores nothing so sensitive. There may be no direct link between the two, but you may still want to keep a channel open between them. I recommend against it, but if you must keep such a channel open, then everything that passes between the two systems needs to be encrypted end to end with a current, well-reviewed cipher suite (AES-GCM negotiated over IKEv2, for example), and that channel should be the only path the firewall permits between the two hosts. Raise the bar on authentication as well. Do not rely on user authentication; authenticate the machines themselves, with certificates issued by your own internal CA rather than a shared secret that can leak. IPsec is an excellent way to do this: it encrypts and authenticates the network traffic itself, and the Linux kernel supports it natively, with strongSwan or Libreswan handling the key exchange. The whole key to running a multi-operating-system network is to encrypt every data stream that passes between the systems and to limit access to the primary systems to the few peers that genuinely need it.
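The machine-authenticated IPsec channel described above, written out as a strongSwan `swanctl.conf` on the cardholder-data server. This is an added example, not configuration from the original article or from any particular deployment. The host names, addresses, certificate file names, the choice of PostgreSQL on port 5432 as the protected service, and the rekey intervals are all assumptions for illustration.

```conf
# /etc/swanctl/swanctl.conf on the cardholder-data server (assumed 10.10.10.5).
# The peer is the application server (assumed 10.10.30.7). Both sides prove
# their identity with X.509 certificates from the internal CA: this is machine
# authentication. Neither a pre-shared secret (auth = psk) nor user credentials
# (auth = eap-mschapv2 and the like) are accepted.
connections {
    to-app-server {
        version      = 2                     # IKEv2 only
        local_addrs  = 10.10.10.5
        remote_addrs = 10.10.30.7
        proposals    = aes256gcm16-prfsha384-ecp384
        rekey_time   = 4h

        local {
            auth  = pubkey
            certs = cde-server.pem           # this machine's certificate (assumed name)
            id    = "CN=cde-server.example.internal"
        }
        remote {
            auth    = pubkey
            id      = "CN=app-server.example.internal"
            cacerts = internal-ca.pem        # only certificates from the internal CA are trusted
        }

        children {
            cde-db {
                # Protect only the database port on this host; nothing else is
                # reachable through the tunnel. Transport mode suffices for two
                # directly addressed hosts.
                mode          = transport
                local_ts      = 10.10.10.5/32[tcp/5432]
                remote_ts     = 10.10.30.7/32
                esp_proposals = aes256gcm16-ecp384   # AES-256-GCM with PFS
                start_action  = trap                  # negotiate on first matching packet
                rekey_time    = 1h
            }
        }
    }
}
```

Load it with `swanctl --load-all` and inspect the result with `swanctl --list-sas`. The `remote.id` and `remote.cacerts` lines are the ones to verify in review: together they mean the core server will only complete a key exchange with a peer holding a certificate for that exact name, signed by your own CA, so a compromised workstation elsewhere on the LAN cannot stand up a tunnel even if it knows the addresses.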
By Terry Newbury
PCI Compliance Expert