Do we need any customization in Hortonworks to implement PCI compliance? If so, could you please share documents related to it?

1 ACCEPTED SOLUTION

@suresh kumar here is our PCI DSS white paper. Following are some key points:

  • Organizations require a number of capabilities to fully comply with various aspects of PCI regulations
  • There is no “silver bullet” or a single vendor or product that can address all 12 requirements of PCI compliance
  • A vendor or product can’t be PCI-compliant or PCI-certified; only a project or deployment can be certified to be PCI compliant

hortonworks-pci-compliance-wp.pdf

8 REPLIES

Master Mentor
@suresh kumar

HDP is a platform and you have to build/implement your own compliance standards around it.

Ranger for authorization, auditing, and a centralized admin console to manage policies

Kerberos is a MUST - authentication

Data encryption at rest - TDE or your preferred vendor

You have to implement your own scripts to fulfil the following requirements.

Password expiration every xx days and that includes service accounts too.

Auditing and more auditing: anything that touches any part of the stack needs to be audited (the Ranger and HDFS audit logs are helpful)

Password complexity

Failed login attempts

Data encryption in motion

Data retention - data must expire after a specific time; otherwise you would have to retain the data for a longer time (Falcon can help)

You can read this: http://hortonworks.com/blog/hadoop-security-enterprise/
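As an added example (not part of the thread, and not Hortonworks code) of the kind of "own script" the reply above asks for: a small Python check over HDFS NameNode audit records that counts denied operations per user against a protected path and flags accounts that were not authenticated with Kerberos. The log lines are constructed for this example; the record layout (`allowed=... ugi=... (auth:...) ip=... cmd=... src=...`) follows the hdfs-audit.log format, and the path prefix and alert threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of an HDFS NameNode audit log (hdfs-audit.log).
# Users, hosts and paths are made up for this example.
SAMPLE_AUDIT_LOG = """\
2016-05-10 09:01:15,118 INFO FSNamesystem.audit: allowed=false ugi=jdoe@EXAMPLE.COM (auth:KERBEROS) ip=/10.0.0.45 cmd=open src=/data/cards/part-0001 dst=null perm=null proto=rpc
2016-05-10 09:01:16,002 INFO FSNamesystem.audit: allowed=false ugi=jdoe@EXAMPLE.COM (auth:KERBEROS) ip=/10.0.0.45 cmd=listStatus src=/data/cards dst=null perm=null proto=rpc
2016-05-10 09:01:17,540 INFO FSNamesystem.audit: allowed=false ugi=jdoe@EXAMPLE.COM (auth:KERBEROS) ip=/10.0.0.45 cmd=open src=/data/cards/part-0002 dst=null perm=null proto=rpc
2016-05-10 09:02:01,777 INFO FSNamesystem.audit: allowed=true ugi=jdoe@EXAMPLE.COM (auth:KERBEROS) ip=/10.0.0.45 cmd=getfileinfo src=/user/jdoe dst=null perm=null proto=rpc
2016-05-10 09:03:44,910 INFO FSNamesystem.audit: allowed=false ugi=svc_report (auth:SIMPLE) ip=/10.0.0.99 cmd=open src=/data/cards/part-0001 dst=null perm=null proto=rpc
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) INFO FSNamesystem\.audit: (?P<body>.*)$")
# key=value pairs; the lazy value stops at the next " key=" so "ugi=user (auth:X)" stays whole
PAIR_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_audit_line(line):
    """Return the fields of one audit line as a dict, or None if it is not an audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR_RE.findall(m.group("body")))
    ugi = fields.get("ugi", "")
    fields["user"] = ugi.split(" ")[0]          # principal without the "(auth:...)" suffix
    am = re.search(r"\(auth:(\w+)\)", ugi)
    fields["auth"] = am.group(1) if am else "UNKNOWN"
    return fields

def denied_by_user(log_text, protected_prefix="/data/cards"):
    """Count denied operations per user under a protected path prefix (assumed cardholder data)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("allowed") == "false" and f.get("src", "").startswith(protected_prefix):
            counts[f["user"]] += 1
    return counts

def flag_repeated_denials(log_text, threshold=3, protected_prefix="/data/cards"):
    """Users whose denied attempts on the protected path reach the (assumed) alert threshold."""
    counts = denied_by_user(log_text, protected_prefix)
    return sorted(u for u, n in counts.items() if n >= threshold)

def non_kerberos_users(log_text):
    """Users seen with an authentication type other than KERBEROS (e.g. SIMPLE)."""
    users = {f["user"] for f in map(parse_audit_line, log_text.splitlines())
             if f and f["auth"] != "KERBEROS"}
    return sorted(users)
```

In a real deployment the same functions would be fed the rotated hdfs-audit.log files (or the Ranger audit store) on a schedule, with the flagged users written to whatever alerting the PCI evidence process requires.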

So does Hortonworks provide PCI-standard security by default, or do we need a third party to implement it?

Master Mentor

@suresh kumar You have to build/implement your own standards. It's like with any software stack: you have a software install, data being stored, and users accessing it.

HDP is a platform and it comes with security solutions that you can leverage to meet some of the security requirements; the rest you have to build or rely on 3rd-party solutions.

See this

Thank you. Could you please share any documents for developing standards in general (for reference)?

Appreciate your prompt response.

Master Mentor

@suresh kumar You can download the document. See this

If you are looking for a technical doc, then I am afraid I don't have any template or generic one, as it's always customer driven based on the engagement.

Thank you, Scott.

So Ranger, Knox and Kerberos are the products which come out of the box with Hortonworks; if not, where does the 'significant custom code' start in Hortonworks?

To what extent does Hortonworks provide out-of-the-box support for PCI compliance standards? From there we can start our customization to meet PCI compliance, or engage third-party partners to meet PCI compliance.

Appreciate your suggestions.


We provide all the security and governance components around administration (Ranger), authentication (Kerberos), authorization (Ranger), audit (Ranger), and data protection (TDE). It is up to the customer to configure the environment and implement the PCI compliant solutions (encryption, policies, data masking, auditing, etc.). In addition, Apache Knox provides perimeter security and Apache Atlas provides governance. Hope this helps.