9 Posts
0
2906
Centera for PCI DSS compliance
Does anyone know of any whitepapers where the use of a Centera (with Documentum) has been used for the storage of documents/PDFs/other items and deemed to still be PCI DSS compliant?
Gq15Ssx2wt12372
16 Posts
0
July 15th, 2010 07:00
Hi,
I am not sure if this will help, but try going through the link.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1098097,00.html
Apex_Ops
89 Posts
0
July 29th, 2010 04:00
Hi David,
Did you get your answer to your question?
Rgds
Ronan
qzc21f
9 Posts
0
July 29th, 2010 12:00
No, not really. I've spoken to a QSA and get the impression that no, it isn't.
While it may be difficult to read from a Centera (clip browser etc.), when it comes down to it, if I take the drive out of the Centera and plug it into a machine, can I scan it for credit card type text strings? The short answer is yes, and as far as I can ascertain the drives are not internally encrypted.
Now unless someone from EMC wants to correct me, this is the assumption that some of the PCI companies seem to take.
Apex_Ops
89 Posts
1
July 30th, 2010 01:00
Hi David,
All information sent to a Centera by an application is processed by an MD5 message-digest (or "hashing") algorithm. This algorithm processes a digital object of any size at the binary level to produce a fixed-length (128-bit) "fingerprint" of the object.
So even if you take a Centera disk and mount it on a different node chassis, you are not able to read the information or scan for credit card text strings. All the data is encrypted on the drives.
Let me know if you have any further questions/queries,
Rgds
Ronan
qzc21f
9 Posts
0
July 30th, 2010 16:00
Is this documented somewhere that I could produce to show a QSA? A Centera technical specification or some such?
There's nothing listed on Powerlink about the Centeras and PCI compliance (that I could find).
holgerjakob_c0722c
337 Posts
0
August 3rd, 2010 00:00
Hi
I would have thought the MD5 processing is to calculate the object reference and not to store the object in an encrypted way.
Are you sure Centera is storing the object encrypted?
If yes, please point to the documentation confirming this. It would help a lot if that really is the case. Many discussions about remote access and much more could profit from that.
Thanks, Holger
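The distinction Holger draws (an MD5 digest serves as the object's content address, it does not conceal the object) can be made concrete with a small model. This is an added example, not code from this thread or from EMC/Centera: it assumes a content-addressed store that keeps each object verbatim under its MD5 fingerprint, and it uses a constructed document containing a public Visa test number (4111 1111 1111 1111, not a real card) to show what a QSA-style scan of the raw on-disk bytes would find.

```python
import hashlib
import re

# Constructed sample object, roughly what Documentum might hand to the store.
# The card number is the public Visa test PAN, not a real account.
SAMPLE_DOCUMENT = (
    b"%PDF-1.4\n"
    b"Invoice 2010-07-30\n"
    b"Card on file: 4111 1111 1111 1111\n"
    b"Amount: 42.00\n"
)


def content_address(blob: bytes) -> str:
    """Fixed-length 128-bit MD5 fingerprint of the object, as hex (32 chars).
    It identifies and deduplicates the object; it reveals nothing about
    whether the stored bytes are readable."""
    return hashlib.md5(blob).hexdigest()


class ContentAddressedStore:
    """Hypothetical model of a content-addressed store: objects are kept
    verbatim and looked up by their digest."""

    def __init__(self) -> None:
        self._objects: dict[str, bytes] = {}

    def put(self, blob: bytes) -> str:
        addr = content_address(blob)
        self._objects[addr] = blob  # stored exactly as received
        return addr

    def get(self, addr: str) -> bytes:
        return self._objects[addr]

    def raw_bytes(self) -> bytes:
        """Everything that would sit on the platters if a drive were pulled."""
        return b"".join(self._objects.values())


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to cut down false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
PAN_PATTERN = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(data: bytes) -> list[str]:
    """Scan raw bytes for Luhn-valid card-number-like strings; this is the
    kind of check an assessor runs against media that is supposed to hold
    no cleartext cardholder data."""
    hits = []
    for m in PAN_PATTERN.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    store = ContentAddressedStore()
    addr = store.put(SAMPLE_DOCUMENT)
    return {
        "address": addr,
        "round_trip_ok": store.get(addr) == SAMPLE_DOCUMENT,
        "pans_on_disk": find_pans(store.raw_bytes()),
    }


if __name__ == "__main__":
    print(demo())
```

The address is a one-way fingerprint, so knowing it tells you nothing about the content; but the content itself is still sitting on the drive in clear, and the scan finds the test number. That is why the thread ends up at encrypting the object before it reaches the store, or treating the Centera like any other SAN under physical and logical compensating controls.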
Apex_Ops
89 Posts
0
August 3rd, 2010 06:00
Hi,
Apologies, I misinterpreted the question being asked. In regards to the statement:
If I take the drive out of the Centera and plug it into a machine, can I scan it for credit card type text strings?
I would recommend that:
1 - All your Centera clusters are locked down in a secure and safe environment.
2 - Only authorized personnel are allowed to physically access the Centera.
3 - Only authorized personnel are given the Centera passwords.
4 - Any defective hardware is taken away by EMC personnel.
Rgds
Ronan
qzc21f
9 Posts
0
August 3rd, 2010 13:00
From a PCI standpoint, "authorised personnel only" is not a good enough answer.
At the moment we are looking at having to implement an encryption server between Documentum and the Centera to encrypt the data before it's stored, as allowing authorised personnel access to the machine is a potential risk (yes, I know in practice that's pretty unlikely, but these are the rules).
Thanks anyway for your answers.
Jill2_8753ee
1 Message
0
July 25th, 2012 06:00
Did you ever get an answer saying "Yes, it's PCI compliant"? If so, I really need that paper also.
Thanks so much!
qzc21f
9 Posts
0
July 25th, 2012 12:00
No, you'll see by the answers that I didn't get a definitive "yes, it is compliant".
You have to ensure you have compensating controls (physical and logical) to deal with the Centera almost like a regular SAN.