Does CTERA Support PCI DSS Compliance

Article Summary

Organizations that use a CTERA Edge Filer as their local file server, connected to a CTERA Portal, have to ensure that both the edge filer and the portal are PCI DSS compliant.

PCI DSS Basics and CTERA

The PCI Security Standards Council offers robust and comprehensive standards and supporting materials to enhance payment card data security. The keystone is the PCI Data Security Standard (PCI DSS), which provides guidelines for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents.

The Payment Card Industry Data Security Standard (PCI DSS) is intended to secure credit, debit, and cash card transactions and to protect cardholders against misuse of their personal information. Site requirements such as firewalls, which control traffic between an organization's trusted internal networks and untrusted external networks as well as between sensitive segments of the internal network itself, remain the organization's responsibility. In addition, CTERA Edge Filers and CTERA Portal support the following PCI DSS requirements:

Do not use vendor-supplied defaults for system passwords and other security parameters – Authentication credentials such as user names and passwords must not be the defaults supplied by CTERA and should be changed frequently.

Protect stored cardholder data – Data should be encrypted on the edge filer within the local network. Without the cryptographic keys, encrypted data is unreadable and unusable to an attacker even if other security controls are circumvented. Keys should therefore be stored securely, with access restricted to the fewest custodians necessary. When creating volumes on the edge filer, you can configure the volume so that its data is encrypted. Volume encryption is fully supported; the encryption method employed is the Advanced Encryption Standard, AES-256 in CBC mode with ESSIV (AES-256 CBC ESSIV).

Encrypt transmission of cardholder data across open, public networks – Strong cryptography and security protocols (such as TLS, IPsec or SSH) must be used to safeguard cardholder data in transit over open, public networks that malicious individuals could access. Data in transit between the edge filer and the CTERA Portal is encrypted and synced using TLS (HTTPS) and SSH.

Protect all systems against malware and regularly update antivirus software – The CTERA Portal can be integrated with the leading antivirus software, such as McAfee VirusScan Enterprise for Storage, Symantec Protection Engine, and ESET Gateway Security. This software should be frequently updated. CTERA Edge Filers come with embedded antivirus software that is automatically updated.

Develop and maintain secure systems and applications – Many security vulnerabilities are fixed by patches issued by software vendors. CTERA has a process to identify security vulnerabilities and rank them according to their level of risk. Relevant security patches are installed promptly to protect against a compromise of cardholder data.

Restrict access to cardholder data by business need to know – CTERA Portal users can be restricted in what they can view using the roles and permissions built into the portal architecture, limiting access rights to critical data.

Identify and authenticate access to system components – All users must be assigned a unique ID, which must be managed according to specific guidelines. CTERA Portal supports user authentication management such as the use of passwords or smart cards (CAC).

Track and monitor all access to network resources and cardholder data – Logging mechanisms are critical in preventing, detecting and minimizing the impact of a data compromise. CTERA Edge Filers and Portals include logging and monitoring that can be used to identify potential breaches, including secure, controlled audit trails that link all access to an individual user and record their actions.

Managing Access When Using APIs

The CTERA SDK for DevOps allows organizations to deploy and continuously manage file services, automating global file system management through Python and Ansible interfaces. The SDK uses Transport Layer Security (TLS) 1.2 by default.

Access to portals or edge filers via the CTERA SDK from remote systems on the Internet is not specifically prohibited by any PCI requirement. However, if an organization must allow such remote access, it must implement PCI DSS requirement 8.2 and ensure its processes enforce strong authentication, such as digital certificates signed by a certificate authority combined with multi-factor authentication and monitoring.

Encrypting Data For PCI DSS Compliance

PCI DSS requires stored cardholder data to be protected and cardholder data in transit over open, public networks to be encrypted. CTERA uses encryption both at rest and in transit so that information cannot be read if a storage device is compromised or traffic is intercepted.

The following procedures are used to manage the encryption:

Encrypting Data on the Edge Filer

When creating volumes for the CTERA Edge Filer, create the volumes with encryption. You cannot define encryption for a volume that was created without encryption.

To create an encrypted volume:

  1. Log on to the edge filer as an administrator.
  2. In the Configuration view, select Storage > Volumes in the navigation pane.
    The Volumes page is displayed.
    If a volume was not created when the CTERA Edge Filer was installed, the page is empty.
  3. Click New.
    The Specify Volume Details screen is displayed.
  4. Set the volume details:
    Storage Device – The array on which to create the volume. The size of each array is shown in brackets.
    Volume Size – You can either drag the slider or enter a number of GB. CTERA recommends that the volume size is set to the maximum available.
    When adding to an existing array, the minimum size displayed is the size of the current volume.
    The volume size cannot be decreased.
    Enforce storage quotas – Check to limit the amount of storage space allocated to each non-administrative volume user. Each non-administrative user can then be allocated a specific storage space quota. If quotas are not enabled, then each user is able to use unlimited space on this volume.
    Default Quotas – The default storage quota in MB, which is allocated to each user.
  5. Click Next to encrypt the volume.
    Make this volume encrypted – Encrypt the contents of this volume using a passphrase. This option is disabled when editing a volume.
    Passphrase – The passphrase used to unlock the volume. The edge filer enforces a minimum of 7 characters, which matches the password length of PCI DSS v3.2.1 (requirement 8.2.3); PCI DSS v4.0 (requirement 8.3.6) calls for at least 12 characters, so choose a long, high-entropy passphrase rather than the minimum.
    Retype Passphrase – Enter the same passphrase again to confirm it.
    The encryption method employed is the Advanced Encryption Standard (AES-256 CBC ESSIV). Enabling volume encryption may reduce performance.
    Note

    It is important to keep the passphrase in a safe place as there is no way of retrieving it if you lose it. If you reset the CTERA Edge Filer to its default settings, you cannot access the volume without this passphrase.

  6. Click Next.
    The Name this Logical Volume window is displayed.
  7. If the volume is a new volume, enter a name for the volume.
    Note

    You cannot change the name of an existing active volume.

  8. Click Next and then click Finish.
    The volume you created is displayed in the Volumes page.
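
The article names the volume cipher as AES-256 CBC ESSIV but does not show what the ESSIV part buys. The Go program below is an added example written for this page, not CTERA code, and makes no claim about how the edge filer implements its volumes: it follows the dm-crypt aes-cbc-essiv:sha256 construction, deriving each sector's IV by encrypting the sector number under SHA-256 of the volume key, encrypts and decrypts 512-byte sectors with AES-256-CBC, and re-encrypts a sector under a new key, which is the per-sector step a volume key rotation must perform. The 512-byte sector size, the raw 32-byte keys and the sample sector contents are assumptions constructed for the demo; the page does not document how the edge filer derives its key from the passphrase.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // dm-crypt's sector size; the page does not state the edge filer's unit (assumption)

// essivIV implements ESSIV as dm-crypt's aes-cbc-essiv:sha256 does: the IV for a sector is
// the sector number (64-bit little-endian, zero-padded to one block) encrypted under
// SHA-256(volume key). Nothing extra is stored on disk, yet the IV is unpredictable
// without the key, which a plain sector-number IV is not.
func essivIV(key []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(key) // 32 bytes -> AES-256 key for the IV cipher
	ivCipher, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	in := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(in, sector)
	iv := make([]byte, aes.BlockSize)
	ivCipher.Encrypt(iv, in)
	return iv, nil
}

// cbcForSector checks key and sector lengths and returns the AES-256 block cipher
// together with the ESSIV IV for that sector.
func cbcForSector(key, data []byte, sector uint64) (cipher.Block, []byte, error) {
	if len(key) != 32 {
		return nil, nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	if len(data) != sectorSize {
		return nil, nil, fmt.Errorf("a sector is exactly %d bytes, got %d", sectorSize, len(data))
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	iv, err := essivIV(key, sector)
	return blk, iv, err
}

// encryptSector encrypts one sector with AES-256-CBC under its ESSIV IV.
func encryptSector(key, plaintext []byte, sector uint64) ([]byte, error) {
	blk, iv, err := cbcForSector(key, plaintext, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// decryptSector is the inverse. With the wrong key or sector number it returns
// garbage rather than an error: a raw sector cipher carries no integrity tag.
func decryptSector(key, ciphertext []byte, sector uint64) ([]byte, error) {
	blk, iv, err := cbcForSector(key, ciphertext, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, ciphertext)
	return out, nil
}

// rekeySector re-encrypts one sector under a new volume key, the per-sector step
// behind rotating the key of an encrypted volume.
func rekeySector(oldKey, newKey, ciphertext []byte, sector uint64) ([]byte, error) {
	pt, err := decryptSector(oldKey, ciphertext, sector)
	if err != nil {
		return nil, err
	}
	return encryptSector(newKey, pt, sector)
}

func must(b []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Constructed demo values; a real volume key comes from the passphrase through a KDF.
	oldKey := bytes.Repeat([]byte{0x42}, 32)
	newKey := bytes.Repeat([]byte{0x43}, 32)
	plain := bytes.Repeat([]byte("4111111111111111"), sectorSize/16) // test PAN, repeated
	c0, c1 := must(encryptSector(oldKey, plain, 0)), must(encryptSector(oldKey, plain, 1))
	fmt.Println("identical sectors 0 and 1 encrypt identically:", bytes.Equal(c0, c1))
	fmt.Println("right key and sector round-trips:", bytes.Equal(must(decryptSector(oldKey, c0, 0)), plain))
	fmt.Println("sector 0 read as sector 7 yields plaintext:", bytes.Equal(must(decryptSector(oldKey, c0, 7)), plain))
	rotated := must(rekeySector(oldKey, newKey, c0, 0))
	fmt.Println("new key reads rotated sector:", bytes.Equal(must(decryptSector(newKey, rotated, 0)), plain))
	fmt.Println("old key reads rotated sector:", bytes.Equal(must(decryptSector(oldKey, rotated, 0)), plain))
}
```

Running it shows that two sectors holding identical plaintext produce different ciphertext without any IV being stored, that reading a sector under the wrong sector number or wrong key yields garbage rather than an error (CBC has no integrity check, so corruption is silent), and that after rotation only the new key recovers the data, which is why a lost passphrase cannot be recovered.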

Rotating the Volume Encryption Key on the Edge Filer

The passphrase for an encrypted volume must be changed at least once every twelve months to comply with PCI DSS. PCI DSS itself requires cryptographic keys to be changed at the end of their defined cryptoperiod; twelve months is the period CTERA documents for edge filer volumes.

To change the passphrase of an encrypted volume:

  1. Log on to the edge filer as an administrator.
  2. In the Configuration view, select Storage > Volumes in the navigation pane.
    The Volumes page is displayed.
  3. Select the encrypted volume and click Next.
    The Volume Encryption window is displayed.
    Make this volume encrypted – This option is disabled when editing a volume.
    Passphrase – The new passphrase to use to access the volume. The passphrase must be a minimum of 7 characters.
    Retype Passphrase – Enter the same passphrase again to confirm it.
    Note

    It is important to keep the passphrase in a safe place as there is no way of retrieving it if you lose it. If you reset the CTERA Edge Filer to its default settings, you cannot access the volume without this passphrase.

  4. Click Next to the end of the wizard and click Finish.

Rotating Data Encryption Keys on the CTERA Portal

Data from the edge filer is stored encrypted on the portal. The passphrases protecting that data must be changed at least once every twelve months to remain compliant with PCI DSS. The procedure below does this by creating a new encrypted folder group with its own passphrase, creating a cloud drive folder in that folder group, and exposing the folder through a new share on the edge filer, so that data written from then on is encrypted under the new key.

To rotate data encryption keys on the portal:

  1. Log on to the team portal as an administrator.

  2. Access the portal administration view.

  3. Select Folders > Folder Groups in the navigation pane.
    The FOLDER GROUPS page opens, displaying all folder groups.

  4. Click New Folder Group.
    The New Folder Group window is displayed.

  5. Complete the fields in the General option.
    Name – A name for the folder group.
    Owner – An owner for the folder group. When editing a folder group, you can click on the owner's name to open the User Account Manager and manage the owner's user account. For information on managing user accounts, see Managing Users.
    Deduplication Method – Whether to use an average block size or a fixed block size for deduplication. The options in the window change depending on whether Average Block Size or Fixed Block Size is selected. Use Fixed Block Size if the folder group will mostly hold large files for which deduplication is uncommon, such as media files, or if the global administrator defined direct mode for the storage node.
    Average Block Size/Fixed Block Size – The average block size used by the folder group or the fixed block size used by the folder group. The default value when set to Average Block Size is 512KB and 4MB when set to Fixed Block Size. CTERA Portal deduplication splits each stored file into blocks. Increasing the Average Block Size or Fixed Block Size causes the files to be split into larger chunks before storage, and results in increased read/write throughput at the cost of a reduced deduplication ratio. Increased block size is useful for workloads that require high performance, as well as for those that do not gain greatly from deduplication. For example, where the stored files consist mostly of videos, images, and music files that are not frequently modified. Decreasing the average block size can result in better deduplication, since the portal can better identify finer-grained duplicate data. If the global administrator defined direct mode for the storage node, CTERA recommends keeping the default 4MB fixed block size.
    Average Map File Size – The average map file size used by new folder groups. CTERA Portal uses file maps to keep track of the blocks each file is made of. The Average Map File Size represents the maximum size of file that will be represented using a single file map object. For example, if the average map file size is set to 100MB, files of up to approximately 100MB will have one file map, files of up to approximately 200MB will have two file maps, and so on. Reducing the average map file size causes more file maps to be created per file. This may result in smoother streaming of files; however, it will also result in some extra overhead for creating, indexing, and fetching the additional file maps.
    Storage Class – The storage class where content of the folder group is written.

    Note

    A storage class is a group of one or more storage nodes, defined by the CTERA global administrator, to which data is written and saved. When a storage class is defined, you can specify to which group of storage nodes content from the edge filer is written. You must specify a storage class that is valid for the virtual portal; check with the global administrator for the list of valid storage classes you can choose from.
    After the folder group is created, the storage class cannot be changed.

    Use Data Compression – Data in this folder group will be stored in compressed format. CTERA recommends only unchecking this option after consulting with CTERA support.

    • Compression Method – The compression method to use for file storage:
      • High Compression – gzip compression is used.
      • High Speed (default) – Snappy compression is used.
  6. Check Use Encryption so that the data in this folder group is stored in encrypted format.
    Passphrase protected – The folder is passphrase protected.

    • Your New Passphrase and Confirm New Passphrase – A new passphrase.
    • Passphrase Strength – Displays the passphrase's strength.
      Note

      You can only define a passphrase when creating the folder group and when Use Encryption is checked. After the folder group is created with a passphrase, you can change the passphrase, described in Changing a Folder Group Passphrase

    Note

    After the folder group is created, the Name can be changed and the state can be changed from online to offline or offline to online.

  7. Click SAVE.

  8. Select Folders > Cloud Drive Folders in the navigation pane.
    The CLOUD DRIVE FOLDERS page opens, displaying all cloud drive folders.

  9. Click New Folder.
    The New Cloud Drive Folder window is displayed.

  10. Complete the fields:
    Name – A name for the folder.

    Note

    Renaming a nested cloud drive folder makes the folder inaccessible to every edge filer that includes this share.

    Description – A description for the folder.
    Owner – The user to own the folder. The owner controls access to the folder.
    Folder Group – The folder group defined for this folder.
    Use Owner Quota – The storage for this folder is taken from the storage quota of the folder owner.
    Use Folder Quota – The amount of storage for this folder, which is taken from the storage quota of the team portal. The value must be an integer.
    Enable Windows ACLs – Select this option if:

    • You are syncing a gateway share to a CTERA Portal including the NT ACLs and extended attributes on the gateway. The files are saved in the portal using the NT ACL settings defined on the files. For more information, see Maintaining Windows File Server Structure and ACLs in CTERA Portal Folders.
    • You are backing up a gateway share to this folder and the share supports NT ACLs and extended attributes on the gateway. The files are saved in the portal using the NT ACL settings defined on the files. In this case, restoring the files from the portal to a gateway maintains the NT ACL settings.
  11. Click SAVE.

  12. Log on to the edge filer as an administrator.

  13. In the Configuration view, select Cloud Drive > Cloud Drive in the navigation pane.
    The Cloud Drive page is displayed.

  14. Click Refresh Folders from Portal.

  15. In the Configuration view, select Shares > Shares in the navigation pane.
    The Shares page is displayed.

  16. Click New Share.
    The Select a Folder to Share window opens, displaying the volumes and folders on the CTERA Edge Filer.

  17. Select the encrypted volume on which you want to define the share.

  18. Click Next and then assign the network share a name.

  19. Click Next and choose through which sharing protocols to expose this share.
    Windows File Sharing is checked by default and cannot be deselected. From the drop-down, select one of these access levels for the share:

    • Windows ACL Emulation Mode – The share will be a Windows ACL emulation mode share.
      Users access the shared files and folders through standard Windows client computers; for example, using Windows File Explorer through the SMB access provided by the CTERA Edge Filer.
      Windows ACL Emulation Mode also allows you to block users from writing specific file types into the CTERA Edge Filer share or gaining control of the content located on it.
      To copy the files with their ACLs to the CTERA Edge Filer, see Copying Files From an External File Server to the CTERA Edge Filer.
    • Only Authenticated Users – Users will be required to authenticate using their CTERA Edge Filer user name and password, in order to access the network share.
      For more information, see Configuring Windows File Sharing.
      Block the following file extensions – Prevent the creation of files with the listed extensions, with each extension separated by a comma (,).
      Client Side Caching – Server files are designated for off-line work so that a copy of the files is cached on the client computer and can be accessed when the client is off line in exactly the same way as if they were stored on the Windows file server.
      • Automatic caching for documents – A copy of the files is cached automatically.
      • Disabled – The client computer cannot cache files locally and the updated copy must be retrieved from the file server.
      • Manual caching for documents – Users must cache files manually.
  20. Specify how you want to share the files.
    FTP – Users will be able to access and download files on this share from the FTP site. To configure the FTP server, go to Shares > FTP Server. Plain FTP sends credentials and file contents in clear text, so do not expose a share that holds cardholder data over plain FTP.
    Search – Users will be able to search for files in this share.

  21. Click Next.
    The NFS (UNIX File Sharing) window is displayed.

    Note

    The NFS mount path for the share, when NFS access is enabled, is displayed.

  22. Check the Enable NFS Access option to enable NFS clients to access the share. Both NFS version 3 and version 4 are supported, depending on the protocol used by the client.
    To grant a client access, click New. A row is displayed in the table:

    1. Enter the client's IP address and netmask in the appropriate fields.
    2. Select the permitted level of access to the network share via NFS. Options are None, Preview Only, Read Only, or Read/Write. Preview Only permission prevents downloading, copying, or printing the file, and content cannot be synchronized for offline access.

    To revoke a client's access, select the client's IP address in the table and click Remove.

    Note

    The NFS mount path for the network share is specified at the top of the window.

  23. Click Next and set which users can access this network share.

    1. In the Local Users drop-down list, select one of the following:
      Local Users – Search the users defined locally on the CTERA Edge Filer.
      Domain <domain> Users – Search the users belonging to the domain named <domain>.
      Local Groups – Search the user groups defined locally on the CTERA Edge Filer.
      Domain <domain> Groups – Search the user groups belonging to the domain named <domain>.
    2. In the Quick Search field, type a string that is displayed anywhere within the name of the user or user group you want to add, or click ... to list the users.
      A list of users or user groups matching the search string is displayed.
    3. Select the user or user group in the table.
      The user or user group is added to the list of users and user groups who should have access to the network share.
    4. For each user and user group, click in the Permission field, and then select the access level from the drop-down list.
  24. Click Next and then Finish to complete the wizard.

Data written to the new share from now on is encrypted under the new folder group's key. Data that was already stored under the previous folder group is not re-encrypted by this procedure; the passphrase of an existing folder group is changed separately, as described in Changing a Folder Group Passphrase. With encrypted volumes on the edge filer and encrypted folder groups on the portal, stored data is protected at both ends as PCI DSS requires.

