Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Transcription

1 Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire s results are based on detailed document inspections and interviews with the vendor s technical teams. Coalfire s guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at If you require more information specific to this solution guide, you may contact us here: S O L U T I O N G U I D E A D D E N D U M 1

2 Table of Contents 1. INTRODUCTION OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS TREND MICRO S DEEP SECURITY PCI COMPLIANCE SOLUTION TREND MICRO DEEP SECURITY PCI REQUIREMENTS MATRIX (OVERVIEW) TREND MICRO DEEP SECURITY PCI REQUIREMENTS MATRIX (DETAILS)... 7 S O L U T I O N G U I D E A D D E N D U M 2

3 1. Introduction As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With more than 20 years of experience, Trend Micro is recognized as the market leader in server security for delivering top-ranked client, server, and cloud-based security solutions that stop threats faster and protect data in physical, virtualized, and cloud environments. Using the VMware platform, Trend Micro Deep Security allows organizations to not only extend virtualization into environments containing sensitive data, but also leverage virtualization technologies to increase security and further reduce risk. Trend Micro Deep Security technologies can accelerate an organization s journey towards a 100 percent virtual environment with confidence. Through integration with VMware, Trend Micro s Deep Security solution enables organizations to assure protection and trust of enterprise information, and reduced compliance costs in a virtual environment while deploying the latest technologies. With the help of Trend Micro, organizations can accelerate complete adoption of VMware technologies with integrated security controls; adapt security policies to both physical and virtual IT environments, and advance endpoint security and protection using centrally managed virtual capabilities. Figure 1: VMware Partner Integration S O L U T I O N G U I D E A D D E N D U M 3

4 2. Overview of PCI as it applies to Cloud/Virtual Environments The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements as outlined below: Table 1: PCI Data Security Standard The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October, These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term virtualization (previous versions did not use the word virtualization ). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC s Virtualization Special Interest Group (SIG). S O L U T I O N G U I D E A D D E N D U M 4

5 3. Trend Micro s Deep Security PCI Compliance Solution Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions. Deep Security helps assure the PCI compliance and overall security of critical business servers and endpoints with a single, centrally managed solution that minimizes your operational costs. Deep Security provides core PCI security controls with a unique approach that economically solves the toughest compliance challenges. Deep Security provides the most comprehensive Agentless security controls for PCI in the market delivering significantly more efficient resource utilization and higher VM densities of traditional security solutions. Deep Security s integration with VMware vcenter and vcloud enables automated compliance protection of existing and newly added VMs ensuring that all VMs maintain their compliance posture regardless of their state or location. Deep Security also supports Agentbased security controls for physical servers that have not yet been virtualized or for workloads running in the cloud. Deep Security delivers comprehensive, adaptive, highly efficient agentless and agent-based protection that enable PCI compliance, including: Anti-Malware Integrates with VMware environments for agentless or agent-based malware protection Integrity Monitoring Firewall Monitors critical operating system, application files, and configuration files and alerts personnel to unauthorized changes Decreases the attack surface of your virtual servers and enables isolation of VMs to reduce audit scope Intrusion Detection and Prevention Log Inspection Shields unpatched vulnerabilities from attack and to monitor traffic within the virtualized CDE Provides visibility into important security events buried in log files and forwards events to a centralized logging server Web Reputation Strengthens protection against web threats for servers and virtual desktops Web Application Protection Provides protection against attacks such as SQL Injection, Cross-Site Scripting, amongst others S O L U T I O N G U I D E A D D E N D U M 5

6 4. Trend Micro Deep Security PCI Requirements Matrix (Overview) Table 2: PCI DSS Requirement Summary Table P CI DSS REQUIREMENT N U M B E R O F P CI R E Q U I R E M E N T S D E E P S E CURITY Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 5: Use and regularly update anti-virus software or programs 6 6 Requirement 6: Develop and maintain secure systems and applications 32 4 Requirement 10: Track and monitor all access to network resources and cardholder data 29 4 Requirement 11: Regularly test security systems and processes TOTAL S O L U T I O N G U I D E A D D E N D U M 6

7 5. Trend Micro Deep Security PCI Requirements Matrix (Details) PCI DSS V2.0 APPLICABILITY M ATRIX REQUIREMENT CONTROLS ADDRESSED DEEP SECURITY FIREWA LL Requirement 1: Install a, 1.1.4, a, and maintain a firewall b, a, configuration to protect a, b, 1.2.2, cardholder data 1.3.2, 1.3.3, 1.3.5, 1.3.6, 1.4.a, 1.4.b Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 5: Use and regularly update antivirus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 10: Track and monitor all access to network resources and cardholder data a, b 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d 6.5.1, 6.5.2, 6.5.7, DESCRIPTION Trend Micro Deep Security Firewall facilitates network segmentation through stateful firewall implementation. Trend Micro Deep Security Firewall provides capabilities for managing network firewall configuration standards for process, procedure and testing approvals, as well as network management roles and responsibilities and requirements for periodic review of standards and configurations. Trend Micro Deep Security Firewall provides capabilities for defining standards related to confidential or sensitive information of what can or cannot be disclosed to authorized or unauthorized third parties, such as private IP address or routing information. Trend Micro Deep Security Firewall provides capabilities to validate only necessary services are enabled and functionality for administrators to review any enabled insecure services. Trend Micro Deep Security Anti-Malware provides capabilities for fully documenting policy and procedure requirements for maintaining antivirus software and definitions on systems commonly affected by malware. Anti-Malware is capable of detecting, blocking or removing all known types of malicious software. Trend Micro Deep Security Anti-Malware automatically updates from a known, trusted source and cannot be disabled or removed from protected systems. Trend Micro Deep Security Anti-Malware provides full function, state of the art Anti-Virus/Anti-Malware protection for registered devices. Trend Micro Deep Security Web Reputation provides capabilities for URL filtering effectively blocking access to known malicious web site. The module is fully configurable providing the ability to add web sites as needed or desired. Trend Micro Deep Security Deep Packet Inspection provides web application protection by intercepting web requests based on the OWASP top 10 vulnerabilities including Injection, Cross Site Scripting (XSS), HTTP(S) protocol violations. Deep Security blocks malicious requests from reaching the web server preventing these vulnerabilities to be exploited , , 10.6.a Trend Micro Deep Security Integrity Monitoring provides active monitoring of critical files, folders, applications and registry settings for unauthorized changes. Trend Micro Deep Security Log inspection provides log correlation and inspection for protected systems. System logs are analyzed for configured events. Alerts from these events are raised in the Deep Security Manager providing administrators with near real time events for analysis. S O L U T I O N G U I D E A D D E N D U M 7

8 DEEP SECURITY DEEP P ACKET INSPECTION Requirement 11: Regularly test security systems and processes. Requirement 11: Regularly test security systems and processes a, 11.4.b, 11.4.c 11.5.a, 11.5.b Trend Micro Deep Security Deep Packet Inspection provides configurable Intrusion Detection/Intrusion Prevention protection for the environment. Trend Micro Deep Security Integrity Monitoring provides configurable and active monitoring of critical files, folders, applications and registry settings. Changes are reported to the Deep Security manager facilitating analysis and appropriate action by administrators Figure 2: Deep Security agent vs. agentless configuration S O L U T I O N G U I D E A D D E N D U M 8

9 Acknowledgements: VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v. 2.0 and the Reference Architecture described herein. The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. About Coalfire Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP. For more information, visit S O L U T I O N G U I D E A D D E N D U M 9