CloudControl Support for PCI DSS 3.0

Transcription

1 HyTrust CloudControl Support for PCI DSS 3.0 Summary In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; Native auditing capabilities from the core virtualization vendors are not sufficient to meet PCI DSS requirements HyTrust CloudControlTM supports the broadest range of PCI DSS hypervisor controls for administrator activity and con guration management: -- Twenty-eight requirements for vsphere hypervisors in PCI DSS Sections 2, 6,7, 8 and Eight PCI Council virtualization guidelines and best practices CloudControl is also essential for mixed mode environments that combine PCI and non-pci servers on the same virtual infrastructure CloudControl lowers the cost of PCI compliance with rich, segmented logging and sample size reduction Background: PCI DSS and virtualization The virtualization of PCI in-scope applications is now becoming a broadly accepted deployment model. The earliest versions of the PCI Data Security Standard (DSS) did not address virtualization specifically, leading to differing interpretations and general confusion as to what was permitted under the standard. Recognizing this, the PCI Council launched an initiative to clarify the use of technologies such as VMware vsphere (formerly ESXi ). This resulted in the publishing of the Virtualization Guidelines document in 2011, and new requirements for virtual infrastructure in PCI DSS Versions 2.0 and 3.0. While these documents do not resolve all ambiguity, they do clarify the most important questions, and provide fairly clear guidance for assessors as to how to audit these environments. PCI DSS places and hypervisor in-scope One of the most important additions to the PCI DSS standard in Version 2 was the mandatory inclusion of virtual infrastructure as in-scope for PCI audit. It is worth citing the exact text in the current 3.0 standard, as years of ambiguity and debate were eliminated in just a few sentences: The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. Examples of system components include but are not limited to the following: Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. 1 This definition of scope simply means that all DSS Requirements (controls) apply to virtual infrastructure, just as they apply to physical infrastructure supporting the Cardholder Data Environment (CDE). Therefore, vsphere hosts, VMware and Cisco virtual switches, and virtual firewalls all fall under PCI DSS if they host or transmit cardholder data. HyTrust CloudControl PCI DSS controls support HyTrust CloudControl was designed to be the most complete solution available for administrator and configuration controls on VMware vsphere and vcenter infrastructure. PCI DSS mandates controls in many areas, but two of the most important are administrator activity and infrastructure configuration, and these are the two areas CloudControl delivers unmatched capabilities. Specifically, CloudControl supports 28 controls in the following PCI DSS sections 1 PCI DSS 3.0, Scope of PCI DSS Requirements, Page 10

2 Section 2: Vendor Defaults Section 6: Secure Systems Section 7: Restrict Access to Cardholder Data Section 8: Identify and Authenticate Access Section 10: Track and Monitor All Access In addition, CloudControl supports a further six recommendations in the Virtualization Guidelines document, as well as one Best Practice recommendation and one Sampling example. Details of all 36 controls can be found in the appendices. It is not possible to meet all of these requirements with VMware vsphere and vcenter alone. HyTrust is the only vendor that can implement the broad hypervisor controls required by the PCI Data Security Standard. PC Control Area Configuration hardening Authentication controls including password management and two-factor Least privilege role-based access contols Reporting and auditing of administration activity Separation of duties (vnetwork/host; dev/test/prod) Mixed mode administrative segmentation Sampling reduction - Centralized operational processes and controls HyTrust CloudControl Lowering the cost of PCI compliance While passing a PCI audit is clearly the primary objective, close behind is the desire to meet the PCI requirements as easily and efficiently as possible. HyTrust CloudControl was designed to support this objective as well as the actual PCI requirements, freeing up valuable resources for other risk management activities. CloudControl supporting features include: Complete log entries - CloudControl log entries contain all required elements for efficient report creation and indexing, drastically reducing the time required for producing periodic or on-demand reports. Segmentation and reduction of scope - CloudControl can limit the manual movement of in-scope virtual servers to only the intended vsphere hosts, eliminating other hosts from the CDE and hence reducing the number of systems that must be audited. It also assists with the segmentation of the CDE with both vcenter administration controls and configuration hard- ening to lock down non-network communication paths. CDE segmented logging - CloudControl can support logging segmented for the CDE only, eliminating having to parse and dispose of log data irrelevant to the CDE. For example, if only a subset of the vsphere hosts or administrators in a vcenter domain

3 Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from outof-scope components in a virtual environment. PCI Council - Virtualization Guidelines If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample [of in-scope components] can be smaller than if there are no standard processes/controls in place. PCI DSS 3.0, Page 15 In a mixed-mode configuration, the hypervisor plays a critical role in enforcing process isolation between the in-scope and out-of-scope systems. PCI Council - Virtualization Guidelines are used for PCI, CloudControl can provide logging for only those in-scope assets or people. Not only does this reduce the effort of implementing the PCI controls, it reduces the load (and therefore cost) of the logging and reporting system. Sample size reduction via centralized and standardized procedures - PCI DSS 3.0 notes that assessors can reduce the sample size of their audit if centralized and standardized procedures are in place. As CloudControl centralizes vsphere configuration and imposes standard procedures for administration, the organization can reasonably request a more limited sample size, significantly reducing the cost of the audit. Mixed mode More aggressive organizations are considering combining PCI and non-pci virtual servers on a single hypervisor, in order to use hardware as efficiently as possible. This deployment model, known as Mixed Mode is not prohibited by the PCI DSS. However, the Virtualization Guidelines make it clear that this model will be held to an even higher standard during an assessment, because of the risk of attacks being launched from the non-pci workloads. It also puts more pressure on the proper administration of the hypervisor to ensure that strong segmentation of the PCI CDE is maintained. And finally, this mode has the potential to drive up the costs of compliance, because logging of the PCI and non-pci workloads and administration may become co-mingled. HyTrust CloudControl fully supports mixed-mode PCI deployments, and in fact it will be difficult to pass a PCI audit without implementing the controls CloudControl provides. Broadly speaking, CloudControl supports these four mixed-mode controls and functions for both administrative and logical segmentation: Enforced workload (VM) placement - Ensures both PCI and non-pci VMs are placed only on authorized servers Configuration hardening - Eliminates possible segmentation violations via hypervisor mis- configuration Administrator role separation - Allows different people to operate the non-pci workloads, moving their activities out of scope Independent logging of PCI workloads - Minimizes cost and effort of compliance controls and reporting Summary PCI DSS 3.0 identifies the critical role of virtual infrastructure in protecting cardholder data. While no single product or solution can meet all the PCI requirement on all in-scope components, HyTrust CloudControl offers a deeper level of support for administrator and configuration audit controls on virtual infrastructure than any other solution. It also is designed to help reduce the scope of the audit, segment the CDE, and implement the controls as efficiently as possible. It should therefore be considered for all VMware environments supporting critical applications and data, including those subject to PCI DSS audit. HyTrust - Cloud Under Control W. El Camino Real, Suite 203 Mountain View, CA 94040, USA Phone: International: HyTrust, Inc. All rights reserved. HyTrust, and the HyTrust logo are trademarks and/or registered trademarks of HyTrust, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are properties of their respective owners.

4 Appendix 1 Appendix 1: Hytrust CloudControl - PCI control support details HyTrust CloudControl supports all of the following PCI DSS 3.0 requirements for VMware vsphere hypervisors, as well as a subset of controls for Cisco NX-OS physical and virtual network infrastructure. PCI DSS Requirement Section Requirements 2: Vendor defaults 6: Secure systems 6.4.1, : Restrict access to cardholder data 8: Identify and authenticate access 10: Track and monitor all access 2.1, 2.2, 2.2.1, 2.2.4, 2.2.5, 2.4, 2.5, , 7.1.1, 7.1.2, 7.1.3, 7.2, 7.2.1, 7.2.2, , 8.2, 8.3, , , , , 10.3, 10.6 Multiple controls including configuration hardening (default elimination and service removal), password vaulting, tag-based placement policies for CDE isolation, server and virtual network admin separation of duties, inventory report Administration separation of duties for CDE/Non-CDE; Dev&Test/ Production. Two-person rule for adding assets to CDE. Label-based Access Control authorizations based on need-to- know, with default deny (no rights); authorizations based on admin role, activity function, and target asset Multiple controls including two- factor for all admin access; root password vaulting with temporary check-out support; enforcing complex passwords; five-day password rotation Multiple logging controls including all admin activities for inscope systems; failed logins include origination; changes to authentication; creation/ deletion of system level objects. All 10.3 log entry requirements met, plus additional entries for faster event reconciliation. Secured audit trail. Log review scope reduction: limit the volume of logs that need to be reviewed by enforcing least privilege and need to know to decrease overall log entry volume.

5 Appendix 2 Appendix 2: Hytrust CloudControl - PCI best practices and guidelines HyTrust CloudControl supports the following PCI DSS 3.0 best practices, and the guidelines published by the Council in the Virtualization Guidelines document. These are in addition to the core PCI DSS requirements (See Appendix 1). PCI DSS Guidance Section Best practices/bau (DSS page 13) Sampling (DSS page 15) Example 3 - Review environment changes prior to execution. If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/ controls in place. Two-person rules for sensitive changes to in-scope assets. By standardizing and centralizing consistent controls on HyTrust, the auditor can reduce the sample size for the audit. Virtualization Guidelines - Section Guidelines 4,1: General 4.1.6, 4.1.8, , : Mixed Mode Environments 4.4: Guidance for Assessing Risks in Virtual Environments Multiple controls including 2-factor authentication; role-based control by function and by asset (separation of admin duties); twoperson authorizations; logs sent off-server. Hypervisor configuration hardening. Virtual networking controls (vswitch or NS-OS). Enables log monitoring for breach in the integrity of segmentation, security controls, or communication channels between workloads. Two-factor authentication, asset- based authorization to maintain isolation between CDE and non-cde components at the hypervisor level. Detailed logging of all hypervisor administration activity. Hypervisor configuration hardening (to eliminate possible technical breakdown of CDE isolation). Role based authorization (to meet defined roles and permissions requirement)