Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Partner Addendum

Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.

S O L U T I O N G U I D E A D D E N D U M 1

Table of Contents

1 Introduction 3
2 Cloud Computing 8
3 Overview of PCI as it Applies to Cloud/Virtual Environments 12
4 Vormetric PCI Compliance Solution 15
5 Vormetric PCI Requirements Matrix (Overview) 16

1 Introduction

Safeguarding Data with Privileged User Access Controls

The Flaw in the System

Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their security architecture. The flaw? The concept of a Root User, Domain Administrator, System Administrator or other high-level computer operator and their data access rights. These users have always had access to every aspect of a system: software installation, system configuration, user creation, networking, resource allocation and more, as well as access to all the data associated with the system. These accounts exist because of the need for system maintenance and management. But as systems have become more closely interlinked, with increasing amounts of private and confidential data accessible to them, there is increased risk from privileged user accounts. Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent of new technologies and threats:

- Rights too broadly assigned: Superuser privileges are often assigned to DBAs, application developers, SysAdmins and others that don't have a real need for this level of access to private and confidential data.
- Sharing of privileged accounts: Traditionally, many IT departments allowed unrestricted sharing of privileged user accounts (logins and passwords), leading to a loss of personal accountability.
- Cloud, virtualization and big data expand the threat: With each new technology layer used as part of system deployment and management, new privileged user roles are created.
- Advanced Persistent Threat (APT) attacks target privileged accounts: Attackers have now found that if you want access to everything, you want to compromise privileged user accounts and their system and data access rights. Though they may initially enter through less sensitive accounts, privileged user credentials are a primary target.

Figure 1: Vormetric Data Firewall Solution Overview

The Solution: The Vormetric Data Firewall

Allow privileged users to manage systems without risk to protected data. The tasks performed by privileged users to maintain, repair and initiate systems are not optional; these roles exist in order to meet essential requirements for all enterprise environments. What's needed is to enable these users to perform their tasks while removing their ability to access private and confidential data, and, when a category of account has a legitimate need for access to this sensitive data, to have the information available that allows identification of anomalous usage patterns that may indicate that the account has been compromised.

- Transparent: The Vormetric Data Firewall meets these needs with a transparent solution, enabling critical system processes to continue without exposing data.
- Strong: The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, that provides granular access to protected structured or unstructured data by process, user, time and other parameters.
- Efficient: Vormetric provides a high-performance, low-overhead solution, leveraging the AES-NI hardware encryption built into Intel x86 processors.
- Easy: Deployments in days to weeks, not weeks to months, across physical systems, cloud, big data, and virtualized environments that are easy to manage and easy to understand.

Meet Critical Enterprise Requirements

Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical requirements:

- Meet compliance requirements
- Prevent data breaches
- Safeguard intellectual property

Figure 2: Vormetric Data Firewall for PCI Compliance

- Access Policies and Privileged User Control: Vormetric provides fine-grained, policy-based access controls that restrict access to data, ensuring that data is available only to authorized users and processes.
- Encryption and Key Management: Vormetric provides the strong, centrally managed encryption and key management that enables compliance and is transparent to processes, applications and users.
- Security Intelligence: Vormetric logs capture all access attempts to protected data, providing high-value security intelligence information that can be used with a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.
- Automation: For fast rollouts and integration with existing infrastructure, both web and command-line APIs provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.
- Multi-Tenancy: Secure data in commingled and multi-tenant environments, enabling end users to control policies and keys specific to their own data.

VMware's Approach to PCI Compliance

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware Private Cloud" by providing helpful information for VMware architects, the compliance community, and third parties. The PCI Private Cloud Use Case is comprised of four VMware product suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOps) and View. These product suites are described in detail in this paper. The use case also provides readers with a mapping of the specific PCI controls to VMware's product suite, partner solutions, and organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 3: PCI Requirements

Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud

Figure 5: Help Meet Customers' Compliance Requirements to Migrate Business-Critical Apps to a VMware vCloud

2 Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following:

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

- Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
- Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

- Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.
- Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:

- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:

- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business-critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule-by-rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers click on the following link:

Figure 6: Vormetric Data Firewall Blocks Privileged Users

For additional information on VMware compliance solutions for PCI, please refer to the VMware Solution Guide for PCI.

Figure 7: VMware Cloud Computing Partner Integration

Figure 8: Vormetric Cloud Computing Integration

Achieving PCI compliance is not a simple task. It is difficult for many organizations to navigate the current landscape of information systems and adequately fulfill all PCI DSS requirements. Vormetric, working with VMware, is continuing its leadership role in the industry by providing data firewall and data security solutions from the data center to the cloud, to help clients meet their compliance needs.

3 Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.

The PCI DSS has six categories with twelve total requirements as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual- and cloud-specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 9: Navigating PCI DSS

The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Figure 10: VMware PCI Compliance Products

4 Vormetric PCI Compliance Solution

Vormetric Data Firewall is a comprehensive solution providing privileged user control, centralized key and policy management, encryption of data at rest, and comprehensive security intelligence. Vormetric offers strong data security controls that leverage policy-based access controls, separation of duties, and auditing capabilities, all of which can be managed through a centralized management console. In addition, in highly virtualized environments Vormetric provides automatic installation, configuration, and dynamic policy enhancements based on real-time threats. Vormetric has mapped its products against the PCI standard. The table provides a product description of the Vormetric solutions and how they relate to the PCI standard.

Table 2: Vormetric Solutions

Solution: Vormetric Data Firewall

Vormetric Data Security Manager: Vormetric Data Security Manager integrates key management, data security policy management, and event log collection into a centrally managed cluster that provides high availability and scalability to thousands of Vormetric Agents. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed environments. The Data Security Manager stores the data security policies, encryption keys, and audit logs in a hardened appliance that is physically separated from the Agents. Security teams can enforce strong separation of duties over management of the Vormetric system by requiring the assignment of key and policy management to more than one data security administrator, so that no one person has complete control over the security of data. Vormetric Data Security Manager is accessed from a secure web management console and supports multiple Vormetric Agents. As a rack-mountable Federal Information Processing Standard (FIPS) 140-2 appliance, the Data Security Manager functions as the central point for creating, distributing, and managing data encryption keys, policies, and host data security configurations.

Vormetric Agents: Vormetric Agents are software agents that insert above the file system and logical volume layers. The agents evaluate any attempt to access the protected data and apply predetermined policies to either grant or deny such attempts. The agents maintain a strong separation of duties on the server by encrypting files and leaving their metadata in the clear, so IT administrators can perform their jobs without directly accessing the information. The agents perform the encryption, decryption, and access control work locally on the system that is accessing the data at rest in storage. This enables encryption to be distributed within the data center and out to remote sites, while being centrally managed via the Data Security Manager cluster. Vormetric Agents are installed on each server where data requires protection. The agents are specific to the OS platform and transparent to applications, databases (including Oracle, IBM, Microsoft, Sybase, and MySQL), file systems, networks, and storage architecture. Current OS support includes Microsoft Windows, Linux, Sun Solaris, IBM AIX, and HP-UX.

5 Vormetric PCI Requirements Matrix (Overview)

Vormetric's PCI DSS Compliance Solution includes extensive data security and firewalling technology. When properly deployed and configured, the Vormetric solution either fully meets or augments the following PCI DSS requirements:

Table 3: Vormetric PCI DSS Requirements Matrix (PCI DSS requirement / number of PCI requirements / number of controls met or augmented by Vormetric)

- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
- Requirement 5: Use and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict access to cardholder data by business need to know
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security for all personnel
- Requirement A1: Shared hosting providers must protect the cardholder data environment
- TOTAL

Vormetric Data Firewall

The following matrix maps the PCI DSS controls to the functionality of the Vormetric Data Firewall. Vormetric provides an enterprise-class platform that provides privileged user control, strong encryption, centralized key management, and comprehensive auditing. In addition, automation and multi-tenant capabilities are designed into the platform. It is designed to address an ever-changing landscape of threats and challenges, with a full suite of capabilities. Vormetric provides solutions to support or meet PCI DSS controls. Additional policy, process or technologies may need to be used in conjunction with Vormetric's solutions to fully comply with PCI DSS.

Table 4: Applicability of PCI Controls to Vormetric Data Firewall (PCI DSS v2.0 Applicability Matrix)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4, 3.4.1, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
Description: Vormetric meets or augments the following specific controls:

Vormetric directly supports testing procedure 3.4 by protecting stored data, encrypting and controlling access to the files or volumes where PANs reside. Vormetric's ability to encrypt structured and unstructured data means that it can protect the data whether it is in audit files or in databases. Additionally, Vormetric offers Backup Encryption Expert to secure backup media. Vormetric encrypts data using strong encryption algorithms such as Triple DES and AES (128- and 256-bit key lengths). PANs are protected using policy-based encryption so that only authorized users and services can encrypt and decrypt the protected files.

Vormetric directly supports testing procedure 3.4.1 by using file-level and volume-level encryption, not disk encryption. Cryptographic keys are not tied to user accounts but are contained within the Vormetric system. Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key.

Vormetric directly supports testing procedure 3.5.x by ensuring encryption keys are securely stored on a FIPS 140-2 Level 2 validated security server (hardware appliance); Level 3 is available with the HSM. The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties. When encryption keys are stored locally to eliminate network-latency performance hits, Vormetric securely wraps the keys to protect against access by root administrators.

Vormetric directly supports testing procedure 3.5.1 by ensuring cryptographic keys are centrally generated and stored by the Data Security Manager cluster. Best practice also dictates that custodians store cryptographic keys off-site. When cryptographic keys are backed up for off-site storage, the Data Security Manager encrypts them with a split wrapping key.

Vormetric directly supports testing procedure 3.5.2 by ensuring that all data encryption keys are stored encrypted within the Data Security Manager.

Vormetric directly supports testing procedure 3.6 through an architecture where the Data Security Manager is the central repository for cryptographic keys and policies, managed via a secure web management console, a command-line interface over SSH, or a direct console connection. Keys never leave the Data Security Manager in the clear. Custodians can create keys but do not have direct access to key material.

Vormetric directly supports testing of procedure 3.6.1 by ensuring cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards.

Vormetric directly supports testing of procedure 3.6.2 by ensuring data encryption keys are wrapped and then securely distributed via HTTPS to Vormetric Agents configured to protect the PANs residing on file, application, or database servers.

Vormetric directly supports testing of procedure 3.6.3 by ensuring cryptographic keys are centrally stored within the Data Security Manager. Customers have the option to store cryptographic keys on the host server; Vormetric's highly secure agents protect these keys from unauthorized access, even from root administrators.

Vormetric directly supports testing of procedure 3.6.4 by providing facilities for changing both Data Security Manager master keys and data encryption keys as defined by the organization's

security policy.

Vormetric directly supports testing of procedure 3.6.5 with the Data Security Manager as the central repository for cryptographic keys. When a key is retired by a custodian, it can either be permanently deleted or made available only for decryption operations.

Vormetric directly supports testing of procedure 3.6.6 by following a no-knowledge approach in which the keys never leave the Data Security Manager in the clear. Custodians can create keys but do not have access to the key material. The Data Security Manager supports an n-of-m sharing scheme: a specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.

Vormetric directly supports testing of procedure 3.6.7 through cryptographic key policy and usage defined and managed by the custodian of the Data Security Manager, thereby prohibiting unauthorized substitution of cryptographic keys by developers, database administrators, or any other unauthorized users. Further, the Vormetric solution provides robust separation of duties, such that one administrator may create a key but a separate administrator must activate or apply that key to protect data.

Vormetric directly supports testing of procedure 3.6.8 with the Data Security Manager as the central repository for cryptographic keys, and forms can be distributed easily to the Data Security Manager custodians.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.
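The key-lifecycle controls described above for 3.5.x and 3.6.x (central generation, keys held only in wrapped form, re-wrapping for distribution to an agent, a second custodian to activate, retirement to decrypt-only, and n-of-m share recovery of the archive) can be made concrete in a small model. The following is an added example written for this addendum, not Vormetric's code: the class names, the record layout and the custodian names are assumptions, and the wrap() routine is a toy HMAC-SHA256 construction standing in for the product's AES key wrapping so that it runs with the Python standard library only. The n-of-m part is a Shamir split over a prime field, which is one way to realise the sharing scheme the text names; the page does not say which scheme the product uses.

```python
"""Model of the 3.5.x / 3.6.x key lifecycle: DEKs generated centrally, stored
only wrapped under a master key that never leaves the manager, re-wrapped for
an agent, activated by a second custodian, retired to decrypt-only, and
recovered from an n-of-m share set. Added illustration; wrap() is a toy
HMAC-SHA256 cipher, not the product's AES key wrapping."""
import hashlib
import hmac
import secrets
from typing import Optional

PRIME = 2 ** 521 - 1  # Mersenne prime; a 32-byte master key is always below it


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap(kek: bytes, plain: bytes) -> bytes:
    """Encrypt-then-MAC a key under a key-encryption key (toy cipher, see above)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(kek, nonce, len(plain))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before any key bytes are exposed; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def split_secret(secret: int, k: int, m: int) -> list:
    """Shamir split: any k of the m shares rebuild the secret, fewer reveal nothing."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME)
            for x in range(1, m + 1)]


def combine_shares(shares: list) -> int:
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


class DataSecurityManager:
    """Holds DEKs only in wrapped form; the master key never leaves this object."""

    def __init__(self, master: Optional[bytes] = None):
        self._master = master or secrets.token_bytes(32)
        self.keys = {}   # name -> {"wrapped": bytes, "state": str, "created_by": str}
        self.audit = []  # (custodian, action, key name): every custodian action is logged

    def create_key(self, custodian: str, name: str) -> None:
        dek = secrets.token_bytes(32)  # generated centrally, stored wrapped (3.6.1, 3.5.2)
        self.keys[name] = {"wrapped": wrap(self._master, dek), "state": "created",
                           "created_by": custodian}
        self.audit.append((custodian, "create", name))

    def activate_key(self, custodian: str, name: str) -> None:
        rec = self.keys[name]
        if custodian == rec["created_by"]:  # separation of duties: creator cannot activate (3.6.7)
            raise PermissionError("the custodian who created a key may not activate it")
        rec["state"] = "active"
        self.audit.append((custodian, "activate", name))

    def retire_key(self, custodian: str, name: str, delete: bool = False) -> None:
        """Retired keys decrypt only; deleted keys are unusable (3.6.5)."""
        self.keys[name]["state"] = "deleted" if delete else "retired"
        self.audit.append((custodian, "delete" if delete else "retire", name))

    def allowed_ops(self, name: str) -> set:
        state = self.keys[name]["state"]
        return {"active": {"encrypt", "decrypt"}, "retired": {"decrypt"}}.get(state, set())

    def distribute(self, name: str, agent_kek: bytes) -> bytes:
        """Re-wrap an active DEK for one agent; clear key bytes exist only transiently here (3.6.2)."""
        if "encrypt" not in self.allowed_ops(name):
            raise PermissionError(f"key {name} is not active")
        return wrap(agent_kek, unwrap(self._master, self.keys[name]["wrapped"]))

    def export_archive(self, k: int, m: int):
        """Archive = wrapped key records plus m shares of the master key (3.6.6)."""
        return dict(self.keys), split_secret(int.from_bytes(self._master, "big"), k, m)

    @classmethod
    def restore(cls, shares: list, key_records: dict) -> "DataSecurityManager":
        """Rebuild a replacement manager from at least k shares and the archived records."""
        dsm = cls(combine_shares(shares).to_bytes(32, "big"))
        dsm.keys = dict(key_records)
        return dsm
```

Two design points carry over to any real deployment: the archive is useless without a quorum of share holders, because the records in it are wrapped under the master key that only the shares reconstruct, and the state check in distribute() is what turns "retired" into "decrypt-only" in practice, since an agent that never receives a retired key for new writes cannot encrypt with it.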

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Description: Vormetric meets or augments the following specific controls:

Vormetric directly supports testing procedure 7.1.x by adding a layer of access control on top of the native operating system access control. It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data.

Vormetric directly supports testing of procedure 7.1.1 by ensuring that data cannot be viewed by system administrators who do not have a need to know, while simultaneously ensuring that there is no interruption to data backup processes. By leaving metadata in the clear but encrypting the underlying data, administrators can identify the files that require backup without being given access to the file contents themselves.

Vormetric directly supports testing of procedure 7.1.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on need to know.

Vormetric directly supports testing of procedure 7.1.3 by providing audit records to assist with the monitoring of privileges. Any change made to the access control policies is always audited, and any changes to authorizations can be reviewed.

Vormetric directly supports testing of procedure 7.1.4 by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. Available rights for Vormetric policies include release of encrypted contents for backup, decryption of contents based on need to know, and control of writes to the data file.

Vormetric directly supports testing of procedure 7.2.x by setting access control policies that define a list of authorized users and applications. Only users and applications that are part of this list can access the data in clear text (administrators are given access to the cardholder data, but data is not decrypted for them).

Vormetric directly supports testing of procedure 7.2.1 by protecting the cardholder data at rest anywhere on the server.

Vormetric directly supports testing of procedure 7.2.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data

based on their classification and functions, thereby restricting access based on need to know.

Vormetric directly supports testing of procedure 7.2.3 through a default setting of deny-all for all access control policies.

Requirement 8: Assign a unique ID to each person with computer access
Controls addressed: 8.4, 8.5.16
Description: Vormetric meets or augments the following specific controls:

Vormetric augments testing procedure 8.4 by providing the ability to ensure that all passwords can be encrypted during storage.

Vormetric directly supports testing procedure 8.5.16 by preventing privileged users at the operating-system level from accessing information stored in databases.

Requirement 9: Restrict access to cardholder data by business need to know
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.1, 10.5.1, 10.5.2, 10.5.3, 10.5.5
Description: Vormetric meets or augments the following specific controls:

Vormetric directly supports testing of procedure 10.1 by providing detailed auditing at the file system level. Any read/write request for sensitive data can be audited, and the trails contain information to track access back to a specific user, application and time.

Vormetric directly supports testing of procedure 10.2.x by providing logging and flexible policy options to audit access and changes to Vormetric infrastructure and protected resources.

Vormetric directly supports testing of procedure 10.2.1 by including flexible policy options to audit access and changes to protected resources. Policies can be constructed to monitor individual access to cardholder data.

Vormetric directly supports testing of procedure 10.2.2 by constructing policies to monitor individual access to cardholder data. Policies can also prevent privileged users from accessing data in the clear without interfering with their ability to perform their day-to-day administrative duties. Both failed and successful attempts to view card data are logged.

Vormetric directly supports testing of procedure 10.2.3 by enabling administrators of the Data Security Manager that are assigned the role of audit officer to access audit trails, which are centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited.

22 PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT CONTROLS ADDRESSED DESCRIPTION Vormetric directly supports testing of procedure 1024 through configuration to audit all denied access requests Vormetric directly supports testing of procedure 1026 by logging the initialization of Vormetric logs Vormetric directly supports testing of procedure 1027 by logging all custodian activity Vormetric directly supports testing of procedure 1031 by generating audit entries that include the username and group membership Vormetric directly supports testing of procedure 1032 by generating audit entries that include the type of event Vormetric directly supports testing of procedure 1033 by generating audit entries that include the date and time Vormetric directly supports testing of procedure 1034 by generating audit entries that include a success or failure indication In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data Vormetric directly supports testing of procedure 1035 by generating audit entries that note the origination of the event Vormetric directly supports testing of procedure 1036 by generating audit entries that include the host and the full path to the file that was the target of the access request Vormetric directly supports testing of procedure 1041 through synchronization with an NTP server Vormetric directly supports testing of procedure 1051 by limiting the viewing of audit trails to those individuals with job-related need Vormetric directly supports testing of procedure 1052 by ensuring that audit trails cannot be modified while they reside on the Vormetric Data Security Manager If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with S O L U T I O N G U I D E A D D E N D U M 22

23 PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT CONTROLS ADDRESSED DESCRIPTION Vormetric encryption and access control Vormetric directly supports testing of procedure 1053 by providing an extensive set of log and audit capabilities to track and monitor access to cardholder data These files can be sent to a customer s centralized log server or event management solution via syslog In addition, this external log repository can be protected and safeguarded with the Vormetric solution Vormetric directly supports testing of procedure 1055 by ensuring log files cannot be modified while they reside on the Vormetric Data Security Manager Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails Requirement 11: Regularly test security systems and processes Requirement 12: Maintain a policy that addresses the information security for all personnel Vormetric augments testing of procedure 106 by generating log reports for monitoring of daily activity 115 Vormetric meets or augments the following specific controls: N/A Vormetric augments testing of procedure 115 by generating audit information for unintended direct access to card data and can be configured to generate alerts No controls in this PCI requirement are addressed by the Vormetric solution Requirement A1: Shared hosting providers must protect the cardholder data environment N/A No controls in this PCI requirement are addressed by the Vormetric solution S O L U T I O N G U I D E A D D E N D U M 23
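The behaviour the matrix attributes to 7.2.3, 8.5.16 and 10.2 through 10.3, shown as an added Python model rather than Vormetric's own code or a description of how the Data Security Manager is implemented: a deny-by-default policy over a guarded directory is evaluated per request, a privileged OS user is allowed to copy files for backup but only ever sees ciphertext, and every decision, permitted or denied, produces one audit record carrying the 10.3.1 to 10.3.6 fields. The identities, binaries, paths, rules, the syslog line layout and the sample requests are all assumptions constructed for the example.

```python
"""Added illustration (not Vormetric's code): a deny-by-default file access
policy evaluated per request, each decision producing one audit record with
the fields PCI DSS 10.3.1 to 10.3.6 call for.  All identities, binaries, paths,
rules and the log-line layout below are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

PRIVILEGED_USERS = {"root"}          # OS superusers whose data access we watch


@dataclass(frozen=True)
class Rule:
    users: frozenset                 # identities the rule applies to
    process: Optional[str]           # absolute path of the caller, None = any
    action: str                      # "read", "write" or "*"
    path_prefix: str                 # the guarded directory this rule covers
    effect: str                      # "permit_clear", "permit_ciphertext", "deny"


@dataclass(frozen=True)
class AuditEvent:
    user: str        # 10.3.1 user identification
    group: str       #        and group membership, as the matrix describes
    event: str       # 10.3.2 type of event: the requested action
    timestamp: str   # 10.3.3 date and time, UTC from an NTP-synced clock (assumed)
    outcome: str     # 10.3.4 success or failure; on success, clear vs encrypted view
    origin: str      # 10.3.5 origination: the process that issued the request
    host: str        # 10.3.6 host ...
    path: str        #        ... and full path of the affected resource


OUTCOMES = {"permit_clear": "permitted:cleartext",
            "permit_ciphertext": "permitted:ciphertext",
            "deny": "denied"}

# First matching rule wins; anything unmatched is denied, the deny-all default
# the matrix cites for 7.2.3.  Hypothetical rules for a hypothetical guard point.
POLICY: List[Rule] = [
    # the payment application sees cleartext, but only through its own binary
    Rule(frozenset({"payapp"}), "/opt/payapp/bin/payd", "*",
         "/data/cardholder/", "permit_clear"),
    # root may copy files for backup yet only ever sees ciphertext (8.5.16, 10.2.2)
    Rule(frozenset({"root"}), "/usr/bin/rsync", "read",
         "/data/cardholder/", "permit_ciphertext"),
]


def evaluate(user: str, group: str, process: str, action: str, host: str,
             path: str, policy: Iterable[Rule] = POLICY,
             now: Optional[datetime] = None) -> AuditEvent:
    """Decide one request and return its audit record; never raises."""
    outcome = "denied"
    for rule in policy:
        if (user in rule.users and path.startswith(rule.path_prefix)
                and rule.action in (action, "*")
                and rule.process in (process, None)):
            outcome = OUTCOMES[rule.effect]
            break
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    # both permitted and denied attempts are recorded (10.2.2, 10.2.4)
    return AuditEvent(user, group, action, stamp, outcome, process, host, path)


def to_syslog(ev: AuditEvent) -> str:
    """Flatten a record into one line for forwarding to a central log server (10.5.3)."""
    return (f"{ev.timestamp} {ev.host} fsaudit: user={ev.user} group={ev.group} "
            f"event={ev.event} outcome={ev.outcome} origin={ev.origin} path={ev.path}")


def unintended_access(events: Iterable[AuditEvent]) -> List[AuditEvent]:
    """Daily review (10.6) / alerting (11.5): every denied request, plus any touch
    of guarded data by a privileged OS identity, even when only ciphertext was served."""
    return [e for e in events if e.outcome == "denied" or e.user in PRIVILEGED_USERS]


def sample_day() -> List[AuditEvent]:
    """Constructed requests standing in for one day's file-system activity."""
    t = datetime(2012, 9, 1, 8, 0, tzinfo=timezone.utc)
    requests = [
        ("payapp", "payapp", "/opt/payapp/bin/payd", "read", "/data/cardholder/pan.db"),
        ("root", "wheel", "/usr/bin/rsync", "read", "/data/cardholder/pan.db"),
        ("root", "wheel", "/bin/cat", "read", "/data/cardholder/pan.db"),
        ("dba", "dba", "/usr/bin/sqlplus", "write", "/data/cardholder/pan.db"),
    ]
    return [evaluate(u, g, p, a, "pci-db01", f, now=t) for u, g, p, a, f in requests]


if __name__ == "__main__":
    day = sample_day()
    for ev in day:
        print(to_syslog(ev))
    print("for review:", [(e.user, e.origin, e.outcome) for e in unintended_access(day)])
```

Running it shows the point the 10.2.2 row makes: root's rsync copy succeeds (so backups keep working) but is logged as a ciphertext view, root's cat of the same file is denied and logged, and the review list for the day contains every root touch and every denial, which is what a 10.6 daily review or an 11.5 alert would be fed. The permit/deny decision and the audit record are produced in the same step, so there is no code path that grants access without writing an entry.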

Acknowledgements

VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, the VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v2.0 and the Reference Architecture described herein. The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, DC, and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP. For more information, visit www.coalfire.com.


More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits

Securing Privileges in the Cloud. A Clear View of Challenges, Solutions and Business Benefits A Clear View of Challenges, Solutions and Business Benefits Introduction Cloud environments are widely adopted because of the powerful, flexible infrastructure and efficient use of resources they provide

More information

PCI Compliance in Multi-Site Retail Environments

PCI Compliance in Multi-Site Retail Environments TECHNICAL ASSESSMENT WHITE PAPER PCI Compliance in Multi-Site Retail Environments Executive Summary As an independent auditor, Coalfire seeks to be a trusted advisor to our clients. Our role is to help

More information

SECURING SENSITIVE DATA WITHIN AMAZON WEB SERVICES EC2 AND EBS

SECURING SENSITIVE DATA WITHIN AMAZON WEB SERVICES EC2 AND EBS SECURING SENSITIVE DATA WITHIN AMAZON WEB SERVICES EC2 AND EBS The Challenges and the Solutions Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom: +44.118.949.7711

More information

Feature. Log Management: A Pragmatic Approach to PCI DSS

Feature. Log Management: A Pragmatic Approach to PCI DSS Feature Prakhar Srivastava is a senior consultant with Infosys Technologies Ltd. and is part of the Infrastructure Transformation Services Group. Srivastava is a solutions-oriented IT professional who

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. CONTENTS 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4. Conclusion 1. EXECUTIVE SUMMARY The advantages of networked data storage technologies such

More information

Alliance Key Manager Cloud HSM Frequently Asked Questions

Alliance Key Manager Cloud HSM Frequently Asked Questions Key Management Alliance Key Manager Cloud HSM Frequently Asked Questions FAQ INDEX This document contains a collection of the answers to the most common questions people ask about Alliance Key Manager

More information

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption Whitepaper What You Need to Know About Infrastructure as a Service (IaaS) Encryption What You Need to Know about IaaS Encryption What You Need to Know About IaaS Encryption Executive Summary In this paper,

More information

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Publication Date: March 17, 2015 Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker delivers business critical software and services that transform high-volume

More information

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP P a g e 1 Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP December 24, 2015 Coalfire Systems, Inc. www.coalfire.com 206-352- 6028 w w w. c o

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information