Enabling Continuous PCI DSS Compliance. Achieving Consistent PCI Requirement 1 Adherence Using RedSeal

Transcription

1 SOLUTION BRIEF Enabling Continuous PCI DSS Compliance Achieving Consistent PCI Requirement 1 Adherence Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc Freedom Circle, Suite 800, Santa Clara, Tel (408) Toll Free (888)

2 2 SOLUTION BRIEF Enabling Continuous PCI DSS Compliance Contents Executive Summary: 3 Fighting to Maintain Control: Chasing PCI DSS Requirement 1 3 Off the Grid: Why Today s PCI Requirement 1 Initiatives Fall Short 4 Evolving Requirements: Implementing Continuous PCI Validation 5 The Solution: RedSeal Proactive Security Intelligence 7 Conclusions: 8

3 Enabling Continuous PCI DSS Compliance SOLUTION BRIEF 3 Enabling Continuous PCI DSS Compliance Achieving Consistent PCI Requirement 1 Adherence Using RedSeal Executive Summary: This solution brief examines the numerous benefits and challenges facing today s organizations in achieving continuous compliance with network security requirements of the PCI DSS standard specifically PCI Requirement 1 s directive to implement, track and validate necessary firewall configurations. In addition to outlining common obstacles many practitioners face in maturing PCI initiatives into more proactive and efficient practices those that better support ongoing policy adherence and resulting improvement of network security this paper will highlight the specific manner in which RedSeal s proactive security intelligence solutions facilitate advancement using automation. By maintaining constant visibility into changing conditions and the overall effectiveness of today s IT security infrastructure, and automatically identifying changes in network security over time, RedSeal empowers enterprises with the actionable metrics they need to ensure that PCI compliance initiatives not only satisfy auditors expectations, but also reduce real-world risks. Fighting to Maintain Control: Chasing PCI DSS Requirement 1 Since the Payment Card Industry (PCI) first issued the Data Security Standards in 2004, the practice of achieving, maintaining and validating ongoing compliance with the guidelines has, for many enterprises, evolved into a 24/7 responsibility. Despite the seemingly straightforward nature of PCI Requirement 1, which dictates that organizations implement and sustain basic firewall protection of cardholder data and properly document ongoing modifications made to those systems over time IT security professionals tasked with implementing the process almost uniformly cite the overwhelming difficulty of their efforts. In today s environment of constantly changing network infrastructure driven by powerful catalysts including emerging business models and targeted threats the challenge of maintaining consistent firewall configurations, and tracking their evolution, has developed into a complicated and time consuming effort especially wherever manual processes are employed.

4 4 SOLUTION BRIEF Enabling Continuous PCI DSS Compliance As noted in the Verizon Business 2011 PCI Compliance Report, based on the company s experiences in performing hundreds of PCI compliance assessments for its clients, roughly 50 percent of all organizations that are expected to adhere to Requirement 1 still fall short, based primarily on their inability to account for network change. Further, Verizon also found that even in many cases when security infrastructure has been successfully kept within PCI-specifications, a number of organizations still run a strong risk of failing audits, based on their inability to keep required firewall management documentation up to date. To advance today s PCI DSS Requirement 1 initiatives beyond fragmented, reactive efforts that fail to meet auditors expectations and protect against realworld risks, organizations demand new processes and solutions that leverage automated assessment and trending of security infrastructure performance to confirm compliance, and communicate related intelligence. RedSeal provides continuous monitoring of network security controls, ensuring that network access is compliant with policy. This screen shot demonstrates the state of compliance between the various zones required by PCI DSS. Off the Grid: Why Today s PCI Requirement 1 Initiatives Fall Short According to the 2010 Enterprise Management Associates report Trends and Issues Surrounding Network and Security Monitoring, roughly 81 percent of enterprise professionals feel they still lack sufficient visibility into their networks, despite having made numerous investments in solving that issue over the years. Further, the EMA report, based on a survey of network and security professionals, found that another 80 percent of respondents blame the absence of solutions that offer sufficient visibility into security infrastructure s effectiveness as the biggest contributor to this issue.

5 Enabling Continuous PCI DSS Compliance SOLUTION BRIEF 5 With no evidence to suggest that the rate of change within enterprise security infrastructure will slow any time soon, and plenty of proof to the contrary including weighty drivers such as virtualization, mobility and cloud computing it s clear that traditional assessment methods cannot meet the needs of today s practitioners around PCI DSS Requirement 1. As best evidenced by the sheer volume of data breaches experienced by organizations previously certified as PCI DSS compliant, time-honored methods of security infrastructure assessment have failed for reasons including: Reliance on methodologies that are too narrow in focus and can t determine how access is controlled across all PCI-relevant areas of the network. Too infrequent auditing of network security policy implementation that fails to illustrate or measure how ongoing change is being addressed related to PCI requirements. The inability to demonstrate that all changes to critical data access have been approved, in compliance with mandated PCI change control processes. The fact that so many enterprise security teams have not fully addressed PCI Requirement 1, and that almost 50 percent of those organizations that do achieve adherence often still fail audits, illustrates the demand for new practices that provide the desperately needed visibility into network security. As Gartner notes in Tools for Network-aware Firewall Policy Assessment, available solutions that automate network security analysis and offer new levels of visibility into access, including the specific documentation of PCI compliance, should offer hope to organizations still struggling with common issues of security infrastructure configuration management. Evolving Requirements: Implementing Continuous PCI Validation To address the pervasive issue of infrastructure change and ensure that existing network defenses always implement required policies correctly, organizations must respond by creating the ability to validate their real-world security standing on a near constant basis. In addition to empowering organizations to improve protection and better leverage their PCI compliance investments to inform security management decisions with knowledge of available access, a growing body of evidence suggests that carrying out more frequent self-assessment actually drives down operational spending. According to the 2011 Cost of Compliance report published by researchers Ponemon Institute, organizations that conduct the most internal compliance audits each year also have the lowest per capita compliance cost, while the highest compliance costs were found among organizations that do not conduct any assessments at all.

6 6 SOLUTION BRIEF Enabling Continuous PCI DSS Compliance Confronted with this evidence and the recognition that PCI DSS compliance is a challenge that will likely never go away, many organizations are seeking better methods of meeting Requirement 1 directives that also facilitate improvement of overall network security performance, including: Solutions that deliver continuous visibility into the current implementation of network security controls and provide network-wide validation of underlying processes. Processes that lower the amount of time and investment necessary to demonstrate ongoing compliance, and documentation of processes effectiveness to external auditors. Systems that generate meaningful, data-backed conclusions about program efficiency and the ROI of involved solutions to help drive future budgets and planning. According to Gartner s June 2011 report Tools for Network-aware Firewall Policy Assessment and Operational Support, solutions that automate security rules management offer important productivity benefits by continuously confirming necessary enforcement and trending security infrastructure effectiveness. By providing constant visibility into their success in adapting network defenses to changing conditions, and generating quantitative metrics that prove their ability to maintain PCI compliance on an ongoing basis, enterprises are moving quickly to adopt strategies and solutions that evolve today s insufficient processes into more advanced security monitoring. RedSeal provides an interactive network security visualization that displays network access across the enterprise. This example shows which networks have access to cardholder systems, providing continuous visibility into the effectiveness of security controls at protecting cardholder systems.

7 Enabling Continuous PCI DSS Compliance SOLUTION BRIEF 7 The Solution: RedSeal Proactive Security Intelligence RedSeal s proactive security intelligence solutions are the only products on the market today that allow organizations to automate continuous compliance with PCI DSS Requirement 1 and provide them with the visibility necessary to understand whenever policy violations occur. With RedSeal, organizations can evolve PCI DSS compliance from a time-consuming battery of manual firewall reviews into a process of continuous monitoring one that informs management and operations when changes to infrastructure result in policy issues that represent risks. By allowing IT security management to define complex policies and analyze infrastructure s overall adherence on an ongoing, network-wide basis, RedSeal provides you with the in-depth visibility into current protection needed to: Confirm that controls are in place and functioning to enforce zone relationships within the specific parameters that are required. Supply auditors with detailed proof that demonstrates how policy compliance is being maintained and validated continuously. Documented justification for changes to access and details of any policy exceptions, including information on who requested the modifications, when they were granted, and why. To ensure proper implementation of PCI DSS policies, communicate more effectively with auditors, avoid failed assessments and translate requirements into larger improvements in network security, RedSeal delivers the powerful automation necessary to evolve compliance into real-world success. Using RedSeal, enterprises can collect and analyze key metrics that highlight the overall performance of compliance processes and solutions, prove ongoing diligence to external compliance auditors, and drive more efficient allocation of valuable staff and resources over time. RedSeal provides the necessary documentation for demonstrating compliance with auditors. This screen shot is of the PCI report that comes standard with RedSeal, demonstrating the status of compliance for each requirement.

8 8 SOLUTION BRIEF Enabling Continuous PCI DSS Compliance Conclusions: With the growing recognition that despite years of ongoing investment into PCI compliance initiatives, many organizations still lack the visibility necessary to ensure policy enforcement as dictated by Requirement 1, or communicate the information needed to demonstrate their ability to do so, enterprise security management is actively seeking new methods to tackle these long-standing conundrums. According to the 2011 Gartner Survey, Challenged U.S. Firms Seek Alternative PCI-Compliance Solutions, improving the effective enforcement of network segmentation as dictated by PCI DSS Requirement 1 stands as the top technical priority today among companies working to comply with the standards, yet no single model for better addressing the challenge has emerged. RedSeal s proactive security intelligence solutions are the only products on the market that ensure continuous implementation of the PCI DSS Requirement 1 network security requirements, more effective communication of risk to auditors and the ability to successfully translate the involved compliance requirements into larger improvements in their overall security standing. About RedSeal: RedSeal Networks develops proactive security intelligence software that enterprise organizations depend on to visualize the effectiveness of security infrastructure, maintain continuous policy compliance and protect their most critical business assets and data. Unlike systems that measure the impact of attacks after they transpire or address individual elements of network protection, RedSeal analyzes the cumulative ability of defenses to control access and mitigate vulnerability exposure across the entire enterprise, providing the critical metrics necessary to trend performance and isolates gaps before they can be discovered by hackers. For more information on RedSeal products please visit the company s web site at or contact RedSeal representatives directly at (888)

9 Enabling Continuous PCI DSS Compliance SOLUTION BRIEF 9

10 WHITE PAPER RedSeal Networks, Inc Freedom Circle, Suite 800, Santa Clara, Tel (408) Toll Free (888) Copyright 2011 RedSeal Networks, Inc. All rights reserved. RedSeal and the RedSeal logo are trademarks of RedSeal Networks, Inc.