HyTrust CloudControl Support for PCI DSS 3.0
Summary

- In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; native auditing capabilities from the core virtualization vendors are not sufficient to meet PCI DSS requirements.
- HyTrust CloudControl(TM) supports the broadest range of PCI DSS hypervisor controls for administrator activity and configuration management:
  - Twenty-eight requirements for vSphere hypervisors in PCI DSS Sections 2, 6, 7, 8 and 10
  - Eight PCI Council virtualization guidelines and best practices
- CloudControl is also essential for mixed-mode environments that combine PCI and non-PCI servers on the same virtual infrastructure.
- CloudControl lowers the cost of PCI compliance with rich, segmented logging and sample size reduction.

Background: PCI DSS and virtualization

The virtualization of PCI in-scope applications is now becoming a broadly accepted deployment model. The earliest versions of the PCI Data Security Standard (DSS) did not address virtualization specifically, leading to differing interpretations and general confusion as to what was permitted under the standard. Recognizing this, the PCI Council launched an initiative to clarify the use of technologies such as VMware vSphere (formerly ESXi). This resulted in the publication of the Virtualization Guidelines document in 2011, and new requirements for virtual infrastructure in PCI DSS Versions 2.0 and 3.0. While these documents do not resolve all ambiguity, they do clarify the most important questions and provide fairly clear guidance for assessors as to how to audit these environments.

PCI DSS places the hypervisor in-scope

One of the most important additions to the PCI DSS standard in Version 2 was the mandatory inclusion of virtual infrastructure as in-scope for PCI audit. It is worth citing the exact text in the current 3.0 standard, as years of ambiguity and debate were eliminated in just a few sentences:

"The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. Examples of system components include but are not limited to the following: Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors." [1]

This definition of scope simply means that all DSS Requirements (controls) apply to virtual infrastructure, just as they apply to the physical infrastructure supporting the Cardholder Data Environment (CDE). Therefore, vSphere hosts, VMware and Cisco virtual switches, and virtual firewalls all fall under PCI DSS if they host or transmit cardholder data.

[1] PCI DSS 3.0, Scope of PCI DSS Requirements, Page 10

HyTrust CloudControl PCI DSS controls support

HyTrust CloudControl was designed to be the most complete solution available for administrator and configuration controls on VMware vSphere and vCenter infrastructure. PCI DSS mandates controls in many areas, but two of the most important are administrator activity and infrastructure configuration, and these are the two areas in which CloudControl delivers unmatched capabilities. Specifically, CloudControl supports 28 controls in the following PCI DSS sections:

- Section 2: Vendor Defaults
- Section 6: Secure Systems
- Section 7: Restrict Access to Cardholder Data
- Section 8: Identify and Authenticate Access
- Section 10: Track and Monitor All Access

In addition, CloudControl supports a further six recommendations in the Virtualization Guidelines document, as well as one Best Practice recommendation and one Sampling example. Details of all 36 controls can be found in the appendices. It is not possible to meet all of these requirements with VMware vSphere and vCenter alone. HyTrust is the only vendor that can implement the broad hypervisor controls required by the PCI Data Security Standard.

PCI control areas supported by HyTrust CloudControl:

- Configuration hardening
- Authentication controls, including password management and two-factor
- Least privilege role-based access controls
- Reporting and auditing of administration activity
- Separation of duties (vNetwork/host; dev/test/prod)
- Mixed-mode administrative segmentation
- Sampling reduction - centralized operational processes and controls

Lowering the cost of PCI compliance

While passing a PCI audit is clearly the primary objective, close behind is the desire to meet the PCI requirements as easily and efficiently as possible. HyTrust CloudControl was designed to support this objective as well as the actual PCI requirements, freeing up valuable resources for other risk management activities. CloudControl supporting features include:

- Complete log entries - CloudControl log entries contain all required elements for efficient report creation and indexing, drastically reducing the time required for producing periodic or on-demand reports.
- Segmentation and reduction of scope - CloudControl can limit the manual movement of in-scope virtual servers to only the intended vSphere hosts, eliminating other hosts from the CDE and hence reducing the number of systems that must be audited. It also assists with the segmentation of the CDE with both vCenter administration controls and configuration hardening to lock down non-network communication paths.
- CDE segmented logging - CloudControl can support logging segmented for the CDE only, eliminating the need to parse and dispose of log data irrelevant to the CDE. For example, if only a subset of the vSphere hosts or administrators in a vCenter domain are used for PCI, CloudControl can provide logging for only those in-scope assets or people. Not only does this reduce the effort of implementing the PCI controls, it reduces the load (and therefore cost) of the logging and reporting system.
- Sample size reduction via centralized and standardized procedures - PCI DSS 3.0 notes that assessors can reduce the sample size of their audit if centralized and standardized procedures are in place. As CloudControl centralizes vSphere configuration and imposes standard procedures for administration, the organization can reasonably request a more limited sample size, significantly reducing the cost of the audit.

Sidebar quotations:

"Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment." (PCI Council - Virtualization Guidelines)

"If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample [of in-scope components] can be smaller than if there are no standard processes/controls in place." (PCI DSS 3.0, Page 15)

"In a mixed-mode configuration, the hypervisor plays a critical role in enforcing process isolation between the in-scope and out-of-scope systems." (PCI Council - Virtualization Guidelines)

Mixed mode

More aggressive organizations are considering combining PCI and non-PCI virtual servers on a single hypervisor, in order to use hardware as efficiently as possible. This deployment model, known as Mixed Mode, is not prohibited by the PCI DSS. However, the Virtualization Guidelines make it clear that this model will be held to an even higher standard during an assessment, because of the risk of attacks being launched from the non-PCI workloads. It also puts more pressure on the proper administration of the hypervisor to ensure that strong segmentation of the PCI CDE is maintained. And finally, this mode has the potential to drive up the costs of compliance, because logging of the PCI and non-PCI workloads and administration may become co-mingled.

HyTrust CloudControl fully supports mixed-mode PCI deployments, and in fact it will be difficult to pass a PCI audit without implementing the controls CloudControl provides. Broadly speaking, CloudControl supports these four mixed-mode controls and functions for both administrative and logical segmentation:

- Enforced workload (VM) placement - ensures both PCI and non-PCI VMs are placed only on authorized servers
- Configuration hardening - eliminates possible segmentation violations via hypervisor misconfiguration
- Administrator role separation - allows different people to operate the non-PCI workloads, moving their activities out of scope
- Independent logging of PCI workloads - minimizes the cost and effort of compliance controls and reporting

Summary

PCI DSS 3.0 identifies the critical role of virtual infrastructure in protecting cardholder data. While no single product or solution can meet all the PCI requirements on all in-scope components, HyTrust CloudControl offers a deeper level of support for administrator and configuration audit controls on virtual infrastructure than any other solution. It is also designed to help reduce the scope of the audit, segment the CDE, and implement the controls as efficiently as possible. It should therefore be considered for all VMware environments supporting critical applications and data, including those subject to PCI DSS audit.

HyTrust - Cloud Under Control
W. El Camino Real, Suite 203, Mountain View, CA 94040, USA
HyTrust, Inc. All rights reserved. HyTrust and the HyTrust logo are trademarks and/or registered trademarks of HyTrust, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are properties of their respective owners.
Appendix 1: HyTrust CloudControl - PCI control support details

HyTrust CloudControl supports all of the following PCI DSS 3.0 requirements for VMware vSphere hypervisors, as well as a subset of controls for Cisco NX-OS physical and virtual network infrastructure.

Section 2: Vendor defaults
  Requirements: 2.1, 2.2, 2.2.1, 2.2.4, 2.2.5, 2.4, 2.5, …
  CloudControl support: Multiple controls including configuration hardening (default elimination and service removal), password vaulting, tag-based placement policies for CDE isolation, server and virtual network admin separation of duties, inventory report.

Section 6: Secure systems
  Requirements: 6.4.1, …
  CloudControl support: Administration separation of duties for CDE/non-CDE and Dev&Test/Production. Two-person rule for adding assets to the CDE.

Section 7: Restrict access to cardholder data
  Requirements: 7.1.1, 7.1.2, 7.1.3, 7.2, 7.2.1, 7.2.2, …
  CloudControl support: Label-based Access Control authorizations based on need-to-know, with default deny (no rights); authorizations based on admin role, activity function, and target asset.

Section 8: Identify and authenticate access
  Requirements: 8.2, 8.3, …
  CloudControl support: Multiple controls including two-factor for all admin access; root password vaulting with temporary check-out support; enforcing complex passwords; five-day password rotation.

Section 10: Track and monitor all access
  Requirements: 10.3, 10.6
  CloudControl support: Multiple logging controls including all admin activities for in-scope systems; failed logins include origination; changes to authentication; creation/deletion of system-level objects. All 10.3 log entry requirements met, plus additional entries for faster event reconciliation. Secured audit trail. Log review scope reduction: limit the volume of logs that need to be reviewed by enforcing least privilege and need-to-know to decrease overall log entry volume.
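The following is an added illustration for this edition, not HyTrust CloudControl code: a small policy engine that combines the control types listed in Appendix 1 so a practitioner can see how they interact. The role names, scope labels ("CDE" / "NON-CDE"), rule set and sample administrators and assets are all constructed assumptions. It shows default-deny authorization keyed on administrator role, operation and target label (Section 7), tag-based VM placement for CDE isolation (Section 2), a two-person rule for adding an asset to the CDE (Section 6), and log entries carrying the six PCI DSS 10.3 elements with a CDE-only segmented view (Section 10).

```python
"""Hypothetical policy engine illustrating the Appendix 1 control types.
Not HyTrust CloudControl code: roles, labels, rules and names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Asset:
    """A vSphere object (VM or host) carrying scope labels such as "CDE"."""
    name: str
    kind: str                 # "vm" or "host"
    labels: set = field(default_factory=set)


@dataclass
class Admin:
    user_id: str
    role: str                 # constructed role names, see RULES
    two_factor: bool          # did this session pass two-factor authentication?
    source_ip: str            # origination of the event (PCI DSS 10.3.5)


# Explicit authorizations as (role, operation, asset label). Any combination
# not listed is denied: default deny, no rights unless granted.
RULES = {
    ("cde_admin", "power_on", "CDE"),
    ("cde_admin", "migrate", "CDE"),
    ("cde_admin", "add_to_cde", "NON-CDE"),
    ("noncde_admin", "power_on", "NON-CDE"),
    ("noncde_admin", "migrate", "NON-CDE"),
    ("network_admin", "edit_vswitch", "CDE"),
    ("network_admin", "edit_vswitch", "NON-CDE"),
}

LOG: list = []   # in-memory audit trail; a real deployment ships this off-server


def log_event(admin, operation, target, success, details=""):
    """Record an entry carrying the six elements PCI DSS 10.3 requires:
    user id, event type, date/time, success or failure, origination,
    and the affected component. The "cde" flag supports segmented logging."""
    entry = {
        "user": admin.user_id,
        "event": operation,
        "time": datetime.now(timezone.utc).isoformat(),
        "result": "success" if success else "failure",
        "origin": admin.source_ip,
        "component": f"{target.kind}:{target.name}",
        "cde": "CDE" in target.labels,
        "details": details,
    }
    LOG.append(entry)
    return entry


def authorize(admin, operation, target):
    """Default-deny check on (role, operation, target label); every decision,
    allowed or not, is logged."""
    if not admin.two_factor:
        log_event(admin, operation, target, False, "two-factor required")
        return False
    allowed = any((admin.role, operation, label) in RULES for label in target.labels)
    log_event(admin, operation, target, allowed, "" if allowed else "no matching rule")
    return allowed


def placement_allowed(vm, host):
    """Tag-based placement: CDE VMs only on CDE hosts and non-CDE VMs only on
    non-CDE hosts, so a migration cannot silently pull a host into the CDE."""
    return ("CDE" in vm.labels) == ("CDE" in host.labels)


def migrate(admin, vm, host):
    """Migration requires an authorization AND a placement match."""
    if not authorize(admin, "migrate", vm):
        return False
    ok = placement_allowed(vm, host)
    log_event(admin, "place_on_host", host, ok, f"vm={vm.name}")
    return ok


def add_to_cde(asset, requester, approver):
    """Two-person rule: relabelling an asset into the CDE needs two distinct,
    individually authorized administrators."""
    if requester.user_id == approver.user_id:
        log_event(requester, "add_to_cde", asset, False, "same person as approver")
        return False
    if not (authorize(requester, "add_to_cde", asset)
            and authorize(approver, "add_to_cde", asset)):
        return False
    asset.labels.discard("NON-CDE")
    asset.labels.add("CDE")
    return True


def cde_log():
    """Segmented view: only entries touching in-scope (CDE) components."""
    return [e for e in LOG if e["cde"]]


if __name__ == "__main__":
    # Constructed sample data to exercise the engine.
    alice = Admin("alice", "cde_admin", True, "10.0.0.5")
    pos = Asset("pos-db-01", "vm", {"CDE"})
    gen_host = Asset("esx-gen-01", "host", {"NON-CDE"})
    print("migrate CDE VM onto non-CDE host allowed:", migrate(alice, pos, gen_host))
    for entry in cde_log():
        print(entry)
```

Note that denied attempts are logged with the same fields as successes, which is what makes the failed-login and change-tracking entries of Section 10 usable for reconciliation; the segmented view filters on the target's label, so administrators who only touch non-CDE assets never appear in the CDE log.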
Appendix 2: HyTrust CloudControl - PCI best practices and guidelines

HyTrust CloudControl supports the following PCI DSS 3.0 best practices, and the guidelines published by the Council in the Virtualization Guidelines document. These are in addition to the core PCI DSS requirements (see Appendix 1).

PCI DSS Guidance

Best practices/BAU (DSS page 13)
  Guidance: Example 3 - Review environment changes prior to execution.
  CloudControl support: Two-person rules for sensitive changes to in-scope assets.

Sampling (DSS page 15)
  Guidance: If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/controls in place.
  CloudControl support: By standardizing and centralizing consistent controls on HyTrust, the auditor can reduce the sample size for the audit.

Virtualization Guidelines

Section 4.1: General
  Guidelines: 4.1.6, 4.1.8, …
  CloudControl support: Multiple controls including two-factor authentication; role-based control by function and by asset (separation of admin duties); two-person authorizations; logs sent off-server. Hypervisor configuration hardening. Virtual networking controls (vSwitch or NX-OS). Enables log monitoring for breaches in the integrity of segmentation, security controls, or communication channels between workloads.

Mixed Mode Environments
  Guidelines: …
  CloudControl support: Two-factor authentication and asset-based authorization to maintain isolation between CDE and non-CDE components at the hypervisor level. Detailed logging of all hypervisor administration activity.

Section 4.4: Guidance for Assessing Risks in Virtual Environments
  CloudControl support: Hypervisor configuration hardening (to eliminate possible technical breakdown of CDE isolation). Role-based authorization (to meet the defined roles and permissions requirement).
More informationControl your corner of the cloud.
Chapter 1 of 5 Control your corner of the cloud. From the halls of government to the high-rise towers of the corporate world, forward-looking organizations are recognizing the potential of cloud computing
More informationA PCI Journey with Wichita State University
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
More informationCA ControlMinder for Virtual Environments May 2012
FREQUENTLY ASKED QUESTIONS May 2012 Top Ten Questions 1. What is?... 2 2. What are the key benefits of?... 2 3. What are the key capabilities of?... 2 4. Does this release include anything from the recently
More informationRealPresence Platform Director
RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director
More informationHow To Protect Data From Attack On A Network From A Hacker (Cybersecurity)
PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security
More informationVMware vcloud Air Security TECHNICAL WHITE PAPER
TECHNICAL WHITE PAPER The Shared Security Model for vcloud Air The end-to-end security of VMware vcloud Air (the Service ) is shared between VMware and the customer. VMware provides security for the aspects
More informationProtecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems
Page 1 of 5 Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems In July the Payment Card Industry Security Standards Council (PCI SSC) published
More informationTECHNICAL PAPER. Veeam Backup & Replication with Nimble Storage
TECHNICAL PAPER Veeam Backup & Replication with Nimble Storage Document Revision Date Revision Description (author) 11/26/2014 1. 0 Draft release (Bill Roth) 12/23/2014 1.1 Draft update (Bill Roth) 2/20/2015
More informationWhitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption
Whitepaper What You Need to Know About Infrastructure as a Service (IaaS) Encryption What You Need to Know about IaaS Encryption What You Need to Know About IaaS Encryption Executive Summary In this paper,
More informationHow to Use vsphere to Connect to and Manage an ESXi Hypervisor Installation
How to Use vsphere to Connect to and Manage an ESXi Hypervisor Installation I am not responsible for your actions or their outcomes, in any way, while reading and/or implementing this tutorial. I will
More informationPCI Compliance for Cloud Applications
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
More informationEffective End-to-End Cloud Security
Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of
More informationThe Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:
Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction
More informationVMware vsphere 5.0 Evaluation Guide
VMware vsphere 5.0 Evaluation Guide Auto Deploy TECHNICAL WHITE PAPER Table of Contents About This Guide.... 4 System Requirements... 4 Hardware Requirements.... 4 Servers.... 4 Storage.... 4 Networking....
More informationSOLUTION BRIEF THE CA TECHNOLOGIES SOLUTION FOR PCI COMPLIANCE. How Can the CA Security Solution Help Me With PCI Compliance?
SOLUTION BRIEF THE CA TECHNOLOGIES SOLUTION FOR PCI COMPLIANCE How Can the CA Security Solution Help Me With PCI Compliance? SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR z/os DRAFT CA Technologies
More informationHIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
More informationWhat are your firm s plans to adopt x86 server virtualization? Not interested
The benefits of server virtualization are widely accepted and the majority of organizations have deployed virtualization technologies. Organizations are virtualizing mission-critical workloads but must
More informationPuzzled about PCI compliance? Proactive ways to navigate through the standard for compliance
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com
More informationKeeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor
Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor www.netwrix.com Toll-free: 888.638.9749 Table of Contents #1: User Account Creations #2: Administrative Password Resets
More informationAdministrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation
The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI
More informationNetwork Segmentation
Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or
More informationTrend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard
Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified
More informationDavid.Balka@chi.frb.org 2009 STREAM FRBC
Virtualization ti Dave Balka David.Balka@chi.frb.org Examination Elements Architecture Management Processes Integrity Availability Security 2 Datacenter Consolidation 3 What is Virtualization A framework
More informationLogging and Alerting for the Cloud
Logging and Alerting for the Cloud What you need to know about monitoring and tracking across your enterprise The need for tracking and monitoring is pervasive throughout many aspects of an organization:
More informationPayment Card Industry Data Security Standard Payment Card Industry Data Security Standard (PCI / DSS)
Payment Card Industry Data Security Standard (PCI / DSS) InterSect Alliance International Pty Ltd Page 1 of 12 Intersect Alliance International Pty Ltd. All rights reserved worldwide. Intersect Alliance
More informationPayment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0
Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions
More informationHow To Build A Software Defined Data Center
Delivering the Software Defined Data Center Georgina Schäfer Sr. Product Marketing Manager VMware Calvin Rowland, VP, Business Development F5 Networks 2014 VMware Inc. All rights reserved. F5 & Vmware
More information