This article explains how to institute ‘defense in depth’ to support PCI compliance on a Linux platform. Before going into the details, you will want to know what defense in depth actually means. The basic idea is that your critical server is protected by layer upon layer of security, so that an intruder who gets past one layer still faces the next, and intrusion becomes almost impossible.
There are several possible points of entry into any system. Entry can be physical, by someone actually gaining access to the system’s hardware. Entry can come through the network. Entry can come through a process or through a kernel operation. And finally, entry can come through the file system. Instituting defense in depth means defending each of these layers against a possible intrusion, rather than relying on any single control.
Your first step is to restrict physical access to your main server. In practice this means locking the server in a room that has a single point of entry, with strong security at that point. No one except authorized personnel can get in or out. Use strong forms of physical security here, such as a guard or guards and a fingerprint scanner. It may seem obvious, but you should also keep the list of authorized personnel to the bare minimum: no more than one to three people. Another standard precaution is closed-circuit monitoring of the room and of the entry point at all times, so that every access is recorded and can be reviewed.