VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard


March 2013
Solution Guide for Payment Card Industry (PCI) Partner Addendum
VCE Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard
VCE Vblock Systems

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at
If you require more information specific to this solution guide, you may contact us here:

Table of Contents

TABLE OF CONTENTS ... 2
INTRODUCTION ... 3
OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS ... 5
CONVERGED INFRASTRUCTURE VBLOCK SYSTEM 300 FAMILY ... 7
SECURING THE CONVERGED VIRTUAL DATA CENTER - PRACTICAL ADVICE ... 9
GUIDANCE FROM THE PAYMENT CARD INDUSTRY SECURITY STANDARDS COUNCIL
VBLOCK SYSTEM PCI REQUIREMENTS MATRIX (OVERVIEW)
VCE BUILD SERVICES
VBLOCK SYSTEM PCI REQUIREMENTS MATRIX
VBLOCK SYSTEM MIXED MODE AND MULTI-TENANT CONSIDERATIONS

Introduction

Vblock Systems from VCE deliver extraordinary efficiency and business agility for virtualization and cloud computing, tightly integrating compute, network and storage technologies into a converged infrastructure from industry leaders Cisco, EMC, and VMware. Vblock Systems provide dynamic pools of resources that can be intelligently provisioned and managed to address changing demands and business requirements. Converged Infrastructure (CI) platforms are purpose-built virtualization systems, and are rapidly becoming the first phase in many organizations' cloud strategy.

Security and compliance requirements are a concern for organizations planning to process sensitive data through Vblock Systems. Organizations planning to make use of Vblock Systems for payment card processing must comply with the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This guide describes the overall compliance posture of Vblock Systems with respect to the PCI DSS version 2.0 and provides relevant information targeted to IT managers, system administrators and audit teams. The Vblock System 300 family of hardware and software was considered for the purposes of this document. While each Vblock System is customized to the end user's requirements, a Vblock System enables compliance with more than 25% of the PCI DSS requirements.

The figure below depicts the compliance capabilities of the VMware product ecosystem with regard to the PCI DSS requirements and is based on the VMware Solution Guide for PCI released by VMware Inc. during September. The Vblock System solution is comprised of VMware components as well as components sourced from VMware partners. Thus, Vblock Systems demonstrate compliance leveraging both VMware and partner capabilities.

Figure 1: PCI Requirements

Figure 2: PCI Requirements on Vblock Systems

PCI DSS Objectives | PCI Requirements | Requirements Supported by Vblock Systems
Build and Maintain a Secure Network | |
Protect Cardholder Data | 42 | 2
Maintain a Vulnerability Management Program | 38 | 6
Implement Strong Access Control Measures | |
Regularly Monitor and Test Networks | |
Maintain an Information Security Policy | 40 | 1
Table 1: PCI Requirements and the Vblock Systems

Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). These payment brands require through their Operating Regulations that any merchant or service provider that processes, stores or transmits credit cards must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS) version 2. Failure to meet PCI requirements could lead to fines, penalties, or inability to process credit cards, in addition to potential loss of reputation. The PCI DSS has six categories with twelve total requirements as outlined below:

Table 2: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the migration to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the term "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS version 2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI; however, they did not adequately clarify and explain the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in the two following Information Supplements:
1. PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG), and
2. PCI DSS Cloud Computing Guidelines, released in February 2013 by the PCI SSC's Cloud Special Interest Group (SIG).

Figure 3: Navigating PCI DSS

The virtualization and cloud supplements are written to address a broad set of users (from small retailers to large cloud providers) and remain product agnostic (no specific mentions of vendors and their solutions).

* Vblock System solutions are designed to simplify and standardize the way in which data center infrastructure is acquired, deployed and managed, and as such can help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations considering Vblock System solutions to help address such requirements. VCE encourages any organization considering Vblock System solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VCE makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. No information in this document should be considered a substitute for the advice of competent legal counsel.

Converged Infrastructure Vblock System 300 Family

Figure 4: Vblock System Architecture

Converged Infrastructure (CI) is a recent IT infrastructure construct that integrates compute, network and storage technologies into a single system. CI solutions often include hardware, software and services that are tightly integrated to provide better performance, availability and manageability than if these same components were individually installed and independently managed. Collectively, the Vblock System 300 family that is described in this document is comprised of the following five components:

Compute Environment
- Cisco UCS 5108 Blade Server Chassis
- Cisco UCS B-Series Blade Servers: B200 M2, B230 M2, B250 M2, B440 M2, B22 M3, B200 M3
- Cisco UCS 2204XP Series Fabric Extenders or Cisco UCS 2208XP Series Fabric Extenders
- Cisco UCS 6248UP Series Fabric Interconnects or Cisco UCS 6296UP Series Fabric Interconnects

Network Environment
- Cisco Nexus 1000V Series Virtual Switch
- Cisco Nexus 5548UP & 5596UP Switches (Segregated and Unified Networking)
- Cisco MDS 9148 Series Storage Switches (Fibre Channel) (Segregated Networking)

Storage Environment
- EMC VNX 5300, 5500, 5700, 7500 Unified Storage
- EMC PowerPath/VE for VMware
- FAST Cache
- FAST/VP

Virtualization Environment
- VMware vSphere 5.0 or vSphere 5.1
  o VMware ESXi 5.0

Management Tools
- Cisco UCS Manager
- EMC Unisphere Manager
- VMware vCenter Server 5.1

The Vblock System 700 family is substantially similar to the reviewed Vblock System 300 family in both design and management. The Vblock System 700 family is built with a VMAX storage array and added networking capability to support additional compute scalability.

Securing the Converged Virtual Data Center - Practical Advice

For most IT personnel, virtualization is not a new concept. Virtualization technology has been present in mainframe, midrange and x86 environments for some time, and IT professionals are increasingly likely to see mission critical applications and data hosted in virtualized server, network and storage environments. It is important to recognize that virtualization, while introducing additional complexity of its own, offers opportunities for consolidation and standardization. The underlying hardware and management infrastructure supporting the virtual environment can be further simplified and streamlined with packaged Converged Infrastructure (CI) solutions. The additional standardization and simplification amplifies the operational efficiencies virtualization delivers.

A virtual data center built on CI shares many of the same security control requirements found in non-converged data centers. One of the most important control requirements involves performing a comprehensive assessment to identify potential risks across the scoped system. It is towards that goal that customers will find it critical to identify a CI partner that can provide complete transparency into the details of their products. While it is clear that the management, administration and monitoring features available within (and integral to) CI solutions may require additional assessment, it is likely that the same types of interfaces exist in non-converged virtual environments as well. Just as in non-converged virtual environments, organizations are encouraged to engage resources with the appropriate technical understanding and conduct a detailed risk assessment to identify the impact of the CI solution on their compliance efforts. In addition to technical controls, the administrative and management policies and processes must be considered when assessing risk for a CI solution.

The bottom line is that standardizing on CI solutions may introduce some additional scope items. However, the Vblock System provides the capability to integrate the customers' existing policy, process and technology without significant changes to the risk profile of the business or its critical information assets. CI solutions may also simplify the environment, as there is a single consistent control substrate in a more homogeneous environment, rather than multiple inconsistent, heterogeneous substrates. Converged Infrastructure (CI) provides opportunities for IT departments to consolidate existing hardware and software inventories. In doing so, a CI project may affect existing security and compliance operations. Due to the possible impact on security boundaries and compliance control frameworks, it is normal to expect interest from a broad range of stakeholders in an organization during CI project discussions.

Guidance from the Payment Card Industry Security Standards Council

The PCI SSC has issued several documents that provide guidance for interpreting the Data Security Standard and implementing compliant virtual and Cloud environments. VCE has extracted several paragraphs from these documents that highlight some of the critical requirements/guidance that organizations are required to address as part of their deployments. VCE has also provided information regarding how VCE and partner tools are designed to help organizations address these controls. These documents and their abbreviations (which populate the Source column in the table below) are:

PCI DSS: Payment Card Industry Data Security Standard v2.0, October 2010
NAV: Navigating PCI DSS
V-SUP: PCI DSS Virtualization Guidelines
C-SUP: PCI DSS Cloud Computing Guidelines

The table has four columns: Source, Page, PCI Guidance, and Vblock System Solutions. Each entry below gives the source document and page, the quoted guidance, and the corresponding Vblock System solution where the table provides one.

Source: PCI DSS, page 10
PCI Guidance: The PCI DSS security requirements apply to all system components. In the context of PCI DSS, system components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

Source: PCI DSS, page 10
PCI Guidance: Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity's network is not a PCI DSS requirement. However, it is strongly recommended.
Vblock System Solutions: The Vblock System consists of multiple system components that together provide compute, network and storage resources to application workloads. All the hardware and software components that make up the Vblock System should be considered to be system components. Technologies such as VMware vCloud Networking and Security (vCNS) and Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series Switches, which can enforce strong segmentation at the network level and isolation at the VM level, should be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations. The Vblock System contains UCS Manager, vCenter and EMC Unisphere, all of which contain configuration items that assist segmentation between the CDE and Non-CDE environments.

Source: PCI DSS, page 11
PCI Guidance: Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network.
Vblock System Solutions: The Vblock System can support control requirements for segmentation in multi-tenant, mixed-mode environments with offerings from VMware and Cisco. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: PCI DSS, page 11
PCI Guidance: At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network's configuration, the technologies deployed, and other controls that may be implemented.

Source: PCI DSS, page 25
PCI Guidance: Requirement: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
Vblock System Solutions: When the Vblock System is used in a cloud environment, organizations can leverage technology such as VMware's vCNS Edge and vCNS App or Cisco VSG to achieve required levels of segmentation. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations. PCI DSS 2.0 clarifies that multiple virtual machines performing different functions can reside on the same physical hardware and associated hypervisor.

Source: NAV, page 4
PCI Guidance: A Qualified Security Assessor (QSA) can assist in determining scope within an entity's cardholder data environment along with providing guidance about how to narrow the scope of a PCI DSS assessment by implementing proper network segmentation.

Source: NAV, page 5
PCI Guidance: All components within the virtual environment will need to be identified and considered in scope for the review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc.

Source: NAV, page 5
PCI Guidance: The implementation of a virtualized environment must meet the intent of all requirements, such that the virtualized systems can effectively be regarded as separate hardware.

Source: NAV, page 12
PCI Guidance: (Guidance for Requirement 1.1.2) Network and data flow diagrams should include virtual system components and document intra-host data flows.
Vblock System Solutions: If an organization plans to use a QSA, VCE recommends they engage the QSA during the design phase. This ensures that the assessor and the organization are aligned on the risks and technologies deployed. VCE recommends that organizations work with assessors that are familiar with the technology, and organizations should have dedicated specialists that understand both the PCI requirements and Vblock System capabilities. Identification of the different components within a Vblock System is achieved through the reporting capabilities of the management tools such as UCS Manager, Unisphere, and vCenter. Several features are embedded into VMware's products to identify the hosts, virtual machines, components, databases, and communication paths of the cloud environment. The management tools included with the Vblock System assist in enforcing a segmentation policy across multiple layers including the hypervisor, compute, network, storage and access to resources such as attached devices. Within a Vblock System, the network paths and the data flows can be identified using the management tools. Organizations should strive to create data flow and network flow maps for VM to VM communications in the documentation of their CDE.

Source: NAV, page 18
PCI Guidance: Where virtualization technologies are used, each virtual component (e.g. virtual machine, virtual switch, virtual security appliance, etc.) should be considered a server boundary. Individual hypervisors may support different functions, but a single virtual machine should adhere to the one primary function rule.
Vblock System Solutions: PCI DSS version 2.0 clarifies that multiple virtual machines of different functions can reside on the same physical hardware. If different security zones (such as DMZs and internal networks) reside on shared hypervisors, each virtual server should still meet the one primary function rule and be logically separated from virtual servers of different functions. The Vblock System can support mixed mode, where virtual machines from different security zones reside on the same server, through the use of additional technology such as VMware's vCNS.

Source: V-SUP, page 3
PCI Guidance: There are four simple principles associated with the use of virtualization in cardholder data environments:
a. If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.
b. Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.
c. Implementations of virtual technologies can vary greatly, and entities will need to perform a thorough discovery to identify and document the unique characteristics of their particular virtualized implementation, including all interactions with payment transaction processes and payment card data.
d. There is no one-size-fits-all method or solution to configure virtualized environments to meet PCI DSS requirements. Specific controls and procedures will vary for each environment, according to how virtualization is used and implemented.
Vblock System Solutions: VCE has followed the guidance from the PCI SSC and created documents that help customers understand the compliance features within the Vblock System series. While each customer implementation is unique, VCE provides configuration guides that describe the security features that can be leveraged to meet PCI requirements. Vblock Systems in association with VMware partner tools can support dedicated and mixed mode PCI environments when configured correctly.

Source: V-SUP, pages 7, 8
PCI Guidance: Scope Guidance: If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope. Virtual appliances used to connect or provide services to in-scope system components or networks would be considered in scope. Any Virtual Security Appliance (VSA), also known as a Security Virtual Appliance (SVA), could impact the security of the CDE and would also be considered in scope.
Vblock System Solutions: The system components that comprise Vblock Systems and enforce the segmentation should be included in the assessment if any of the virtual machines on that system are in scope for a PCI assessment. However, the scope does not necessarily extend to all of the Vblock System's components or workloads if adequate segmentation controls as described in this guide are applied correctly. Management components that access the cardholder data environment are also in scope. Non-PCI virtual machines running on Vblock Systems may be excluded from PCI scope if properly segmented.

Source: V-SUP, page 8
PCI Guidance: Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network.
Vblock System Solutions: Organizations should confirm that whenever cardholder data flows through vSwitches or Virtual Distributed Switches, such data is properly documented and adequate segmentation techniques are applied. Vblock Systems network equipment consists of Cisco Nexus series switches in virtual and physical configurations. The standard Cisco network segmentation controls such as VLANs and filtering are available by default. Technologies such as vCNS and Cisco VSG, which can enforce strong segmentation at the network level and isolation at the VM level, should also be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: V-SUP, page 9
PCI Guidance: The use of cloud computing presents a number of scoping challenges and considerations. Entities planning to use cloud computing for their PCI DSS environments should first ensure that they thoroughly understand the details of the services being offered, and perform a detailed assessment of the unique risks associated with each service. Additionally, as with any managed service, it is crucial that the hosted entity and provider clearly define and document the responsibilities assigned to each party for maintaining PCI DSS requirements and any other controls that could impact the security of cardholder data.
Vblock System Solutions: Vblock Systems may be used for creating private, public or other hybrid versions of Cloud infrastructure, and each implementation presents different security and compliance challenges. In all cases, guidance that describes the security responsibilities of the Cloud Service Provider (CSP) should be clearly documented. A security review of the proposed CI design will help to establish the risk impact of a CI implementation project.

Source: V-SUP, page 9
PCI Guidance: The cloud provider should clearly identify which PCI DSS requirements, system components, and services are covered by the cloud provider's PCI DSS compliance program. Any aspects of the service not covered by the cloud provider should be identified, and it should be clearly documented in the service agreement that these aspects, system components, and PCI DSS requirements are the responsibility of the hosted entity to manage and assess. The cloud provider should provide sufficient evidence and assurance that all processes and components under their control are PCI DSS compliant.
Vblock System Solutions: When consolidation occurs due to the introduction of CI into an existing environment, roles and responsibilities may converge or shift. Security controls and responsibilities should be documented in a PCI Requirements Matrix or a similar document.

Source: V-SUP, page 10
PCI Guidance: A key risk factor unique to virtual environments is the hypervisor: if this is compromised or not properly configured, all VMs hosted on that hypervisor are potentially at risk. The hypervisor provides a single point of access into the virtual environment and is also potentially a single point of failure. Misconfigured hypervisors could result in a single point of compromise for the security of all hosted components.
Vblock System Solutions: VMware provides extensive product guidance to ensure virtual components and hypervisors are fully patched and configured appropriately. vCenter and VMware Update Manager (VUM) are tools present within a Vblock System that can help maintain approved patching levels for critical virtualization components.

Source: V-SUP, page 12
PCI Guidance: Inactive VMs containing payment card data can become unknown, unsecured data stores, which are often only rediscovered in the event of a data breach. Because dormant VMs are not actively used, they can easily be overlooked and inadvertently left out of security procedures.
Vblock System Solutions: A VM is simply a set of software files, which are executed when run in the context of a hypervisor. Vblock Systems support tools such as VMware Configuration Manager to monitor and update dormant VMs, providing better-than-physical patching and signature updates for virtual components when properly implemented.

Source: V-SUP, page 13
PCI Guidance: Specialized tools for monitoring and logging virtual environments may be needed to capture the level of detail required from the multiple components, including hypervisors, management interfaces, virtual machines, host systems, and virtual appliances.
Vblock System Solutions: The hardware and software components within Vblock Systems are capable of sending logs to a remote server using the syslog format. This feature can be used to integrate Vblock Systems with a Security Information and Event Management (SIEM) solution.
Source: V-SUP, pages 11, 20
PCI Guidance: The risk of hosting VMs of different trust levels on the same host needs to be carefully assessed. In the virtual context, a VM of lower trust will typically have lesser security controls than VMs of higher trust levels. The lower-trust VM could therefore be easier to compromise, potentially providing a stepping stone to the higher-risk, more sensitive VMs on the same system. It is strongly recommended (and a basic security principle) that VMs of different security levels are not hosted on the same hypervisor or physical host; the primary concern being that a VM with lower security requirements will have lesser security controls, and could be used to launch an attack or provide access to more sensitive VMs on the same system.
Vblock System Solutions: The hypervisor technology used by Vblock Systems is VMware ESXi, a Type 1 hypervisor. The architecture of ESXi significantly limits the attack profile compared to competitive hypervisor offerings. The portfolio of security technologies designed to identify and mitigate or eliminate threats from the environment provides additional security assurances. Technologies such as vCNS and Cisco VSG, which can enforce strong segmentation at the network level and isolation at the VM level, should also be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: V-SUP, page 20
PCI Guidance: As a general rule, any VM or other virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS, as both the hypervisor and underlying host provide a connection (either physical, logical, or both) between the virtual components, and it may not be possible to achieve an appropriate level of isolation, or segmentation, between in-scope and out-of-scope components located on the same host or hypervisor.
Vblock System Solutions: As virtualization and CI have evolved, so has the ability to provide proper levels of isolation. Technology such as vCNS, which can enforce strong segmentation at the network level and isolation at the VM level, should also be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: V-SUP, page 21
PCI Guidance: In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other. Any system components shared by the VMs, including the hypervisor and underlying host system, must therefore not provide an access path between the VMs.
Vblock System Solutions: Organizations can use orchestration processes or virtual profiles to confirm that any provisioned hosts and/or virtual components are locked down and do not have any unnecessary connectivity. VMware Configuration Manager can be used to identify misconfiguration of running and offline machines. Technologies such as vCNS and Cisco VSG, which can enforce strong segmentation at the network level and isolation at the VM level, should also be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: V-SUP, page 21
PCI Guidance: All existing out-of-band channels should be identified and documented, whether they are actively used or not, and appropriate controls implemented to isolate workloads and virtual components.
Vblock System Solutions: In the ESXi architecture, many out-of-band channels have been eliminated to reduce the complexity and risk to the hypervisor. VCE has also provided features that enable management processes to flow through centralized tools (such as UCS Manager) that can be used to control access, logging, and monitoring functions. Organizations can also limit the impact of out-of-band channels by implementing policies to reduce the risk (such as prohibiting dirty snapshots and ensuring that snapshots are only maintained for a brief period).

Source: C-SUP, page 12
PCI Guidance: Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation. Mechanisms to ensure appropriate isolation may be required at the network, operating system, and application layers; and most importantly, there should be guaranteed isolation of data that is stored.
Vblock System Solutions: UCS Manager and the Unisphere tools are capable of supporting the standard network and storage segmentation controls such as VLANs and VSANs. All Vblock System subcomponent management interfaces are clearly identified and documented. In addition, these administrative interfaces are isolated from production workloads. Vblock Systems contain UCS Manager, vCenter and EMC Unisphere, all of which contain configuration items that help segment CDE and Non-CDE workloads and data within a cloud environment. Technologies such as vCNS and Cisco VSG, which can enforce strong segmentation at the network level and isolation at the VM level, should be considered in a Cloud environment. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: C-SUP, page 13
PCI Guidance: Once any layer of the cloud architecture is shared by CDE and non-CDE environments, segmentation becomes increasingly complex. This complexity is not limited to shared hypervisors; all layers of the infrastructure that could provide an entry point to a CDE must be included when verifying segmentation.
Vblock System Solutions: UCS Manager contains configuration items for network segmentation. vCenter contains configuration items that control resource sharing at the hypervisor level. EMC Unisphere and Cisco MDS can be used to configure SAN segmentation through VSANs, LUN masking and port zoning technologies. Technologies such as vCNS and Cisco VSG, which can enforce strong segmentation at the network level and isolation at the VM level, should also be considered. Further guidance is provided in the section Mixed Mode and Multi-tenant Considerations.

Source: C-SUP, page 25
PCI Guidance: In addition to the known range of intended storage locations, data may also be present in other Cloud Service Provider (CSP) systems used for maintenance of the cloud infrastructure, such as VM images, backups, monitoring logs, and so on. Cardholder data stored in memory could also be written to disk for recovery or high availability purposes (for example, in the case of virtual machine suspension or snapshot). Such stored data may easily be forgotten and so not protected by data security controls. All potential capture points should be identified and managed as necessary to prevent unintended or unsecured storage or transmission of sensitive data. Specialized tools and processes may be needed to locate and manage data stored on archived, offline, or relocated images.
Vblock System Solutions: The standard Vblock System provides RAID level 6 SAN storage for all components including virtual machines. Organizations that leverage additional storage techniques such as backups, archives and replication should ensure that these data stores are captured within data flow diagrams. If these data stores contain cardholder data (CHD), then the data store, associated networks, and the data store management software should be included in PCI scope. Administrative controls should restrict configurations that cause data to be copied onto multiple locations, such as snapshots and high availability configurations. Technology associated with logging, introspection, intrusion prevention, malware detection etc. may inadvertently retain copies of sensitive data while performing its regular functions. Organizations should have adequate standards around the configuration and use of these technologies in a Vblock System environment.

17 S O U R C E P AG E P C I G U I D A N C E V B L O C K S Y S T E M S O L U T I O N S C-SUP 25 Potential hypervisor access to data in memory should also be taken into consideration to ensure that client-defined access controls are not unintentionally bypassed by CSP administrator personnel. C-SUP 28 Management of VM-to-VM traffic that does not pass through traditional network-based security controls may require the use of additional host-based security controls to monitor and control the traffic. C-SUP 28 Traditional agent-based software security solutions that are not designed for virtualized environments may cause operational issues. For example, software agents, such as those often used for anti-virus, each use a small percentage of memory and processing resources; this can result in a large overhead when multiple agents are installed on multiple VMs on the same host. C-SUP 28 Shared credentials (such as user accounts and passwords) should not be used in the CSP environment for example, for system administration and maintenance nor should generic or shared accounts be assigned to or used by clients. C-SUP 29 Functionality that allows the hypervisor to control and monitor individual VM activity from outside the VMs is known as introspection. Hypervisor introspection expands the functionality of the hypervisor to allow a deeper analysis of the data being processed by the VM, and typically includes visibility into stored data files as well as monitoring of network traffic, memory and program execution, and other elements of the VM. Vblock Systems provide centralized management tools to configure and maintain a Vblock System environment. These tools have the capability to provide role-based access control and audit trails of administrator activity. Virtual environment monitoring capabilities have matured, including vcns and Cisco VSG capabilities to offload traffic for review by virtual IDS/IPS appliances and other monitoring tools. 
Additionally, vcns provides for hypervisor driven introspection of the endpoints, or virtual machines. These capabilities are far more efficient than traditional agent-driven host security controls. The portfolio of partners that provide both capabilities is extremely robust. Generally Vblock Systems depend on external devices to perform higher network layer functions such as inter-vlan routing. Some virtual machines running on Vblock Systems such as the Cisco Nexus series virtual switches can be aware of higher network layer functions. Vblock Systems support vcns Endpoint that allows offloading of the anti-malware processing to a secure virtual machine, eliminating the large overhead from multiple agents are installed on multiple VMs on the same host. Vblock System components support Active Directory/LDAP integration and multifactor authentication. This capability is shipped standard with Vblock Systems. The VMware Ready for Networking and Security Program helps ensure that introspection products are developed in parallel with hypervisor advances. The possibility of vulnerabilities occurring in system software cannot be completely mitigated, but the VMware program provides some controls around the use of this technology by third parties within their solutions. Table 3: PCI Guidance 17

Vblock System PCI Requirements Matrix (Overview)

Organizations achieve compliance through a combination of people, process and technology based controls. Vblock Systems can help customers meet the requirements of certain technical controls and enable certain process controls through the built-in management tools. The PCI requirements matrix shown in Table 4 provides clarity on the compliance capabilities of Vblock Systems and the controls that a customer must address through other tools and processes. While each Vblock System is built to the customer's specifications, a Vblock System can address or support the majority of the applicable technical controls. The following table shows an example of a dedicated environment that has been deployed using Vblock Systems 300 series platforms. The remaining gaps in addressing PCI requirements may be filled by the customer through the use of other VMware tools or VMware partner tools and other techniques (i.e. approving customer policies, keeping an updated network diagram, approving changes, etc.).

Figure 5: Diagrammatic VMware PCI Suite and VMware partner products

Table 4 lists, for each PCI DSS requirement, the number of PCI assessment tests, the tests addressed by the default Vblock System, the tests addressed in VMware's suites, the tests addressed or enhanced by partners, and the tests not addressed by VMware or partners (the pie charts and per-requirement counts are not reproduced here).

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement A.1: Shared hosting providers must protect the cardholder data environment; 8; special case usage outside the scope of this document
TOTAL

Note: Control totals do not add up to 297 due to overlapping features of VMware products and partner products.

Table 4: PCI DSS Requirements

VCE Build Services

A customer may use the VCE professional services team to customize a Vblock System to their specific environment. This service is termed VCE Build Services, and the first step in the process is the collection of information through the Logical Configuration Survey (LCS). The LCS and the Logical Build Guide (LBG) are used by VCE professional services teams to tailor the configuration of a Vblock System. The configuration and subsequent testing are carried out on VCE premises, and the Vblock System is shipped in the preconfigured state directly to the customer's data center. Integration of Vblock Systems into an existing environment is thus simplified. VCE customers are encouraged to engage appropriate security and audit stakeholders in this process to provide direction. By providing this information in advance, customer teams reduce the effort required to configure the components of a Vblock System in a compliant manner. Examples of important information to collect include:

1) Standard firewall ports to be opened on the ESXi hypervisor local firewalls
2) Standard roles to be created in UCS, Unisphere and vCenter and the Advanced Management Pod (AMP) Active Directory
3) Password strength requirements for local accounts on ESXi, MDS, Fabrics, storage processors, UCS, Unisphere and any other system software in Vblock Systems
4) Standard communications management settings in UCS
5) Standard SNMP settings
6) Provision of SSL certificates for components within Vblock Systems
7) Standard resource allocation settings for the AMP virtual machines
8) Standard SQL installation and hardening configuration for the vCenter
9) Standard VUM settings: patch frequency, schedule, criticality and default patch installation method
10) Standard VSAN and WWPN configuration

Vblock System PCI Requirements Matrix

For the purposes of this guide, the Vblock Systems environment includes the vCenter Orchestrator and vCenter Update Manager. VMware vSphere provides the foundation of the virtual architecture, allowing for the optimization of IT assets. While it encompasses many features for storage, network and compute, for the purposes of this PCI guide the critical components that apply to PCI for Vblock Systems include the following six components: ESXi hosts, vCenter Server, vCenter Update Manager, vCenter Orchestrator, EMC Unisphere, and Cisco UCS.

ESXi
ESXi is a type 1 (bare metal) hypervisor that is significantly different from the ESX architecture and offers improvements in security. The ESXi kernel has a small footprint, has no service console, and can limit communication to vCenter access only. This PCI reference architecture is only applicable to ESXi architectures because the ESXi and ESX architectures are quite different.

vCenter Server
vCenter Server is a server (virtual or physical) that provides unified management for the entire virtual infrastructure and unlocks many key vSphere capabilities. vCenter Server can manage thousands of virtual machines across multiple locations and streamlines administration with features such as rapid provisioning and automated policy enforcement.

vCenter Update Manager (VUM)
VUM automates tracking, patching and updating for vSphere hosts (ESXi hosts and clusters), VMware Tools, and VMware virtual appliances. It provides a centralized, automated, actionable patch management solution to confirm that all VMware components are updated and to enforce the latest security patches.

vCenter Orchestrator (vCO)
vCO is a virtual appliance that automates tasks for VMware vSphere and enables orchestration between multiple solutions. VMware vCenter Orchestrator allows administrators to create workflows that capture best practices and manual procedures and turn them into automated, repeatable solutions.

EMC Unisphere
Unisphere is a management interface that enables integrated management for various EMC storage technologies. Unisphere replaces older technology-specific management interfaces and provides all of the capabilities of Navisphere Manager and Celerra Manager. Unisphere simplifies storage provisioning and related storage management tasks with wizards.

Cisco Unified Computing System (UCS) Manager
UCS Manager provides unified, embedded management of all software and hardware components in the Cisco UCS. UCS Manager provides single-pane management of all the devices that make up the UCS platform. UCS Manager is embedded in the fabric interconnect and provides the capability to enforce hardware profile policies, role-based access control, service profiles and templates.

PCI DSS v2.0 Applicability Matrix (columns: Requirement; Controls Addressed; Description)

Segmentation: Though technically not a requirement, segmentation provides a means to reduce the PCI environment and is strongly recommended.
Controls addressed: N/A
Description: Vblock Systems make use of the ESXi hypervisor, which provides adequate segmentation between guest virtual machines. PCI DSS 2.0 clarifies that multiple virtual machines of different functions can reside on the same physical hardware. Technologies such as vCNS and Cisco VSG can enforce strong segmentation at the network level and isolation at the VM level. Vblock Systems management tools such as UCS Manager, vCenter and Unisphere allow segmentation controls to be defined and managed, and allow compliance with segmentation requirements to be demonstrated. Tools such as vCO allow organizations to provision virtual infrastructure according to security baselines. The security baselines can include information on network connectivity, user accounts, and profiles designed to separate the CDE from other environments. Additionally, VCE and VMware have an extensive portfolio of partners that can provision and manage segmented environments.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1, 1.1.2a, b, 1.1.4, 1.3.1, 1.3.7, 1.3.8a, b
Description: Technologies such as vCNS and Cisco VSG can enforce strong segmentation at the network level and isolation at the VM level. The components within Vblock Systems are configured and managed through UCS Manager, Unisphere and vCenter. Each of these tools supports an organization's centralized change control process by providing functionality to modify compute, network and storage resources via central consoles. VCE provides detailed diagrams of the internal network components of Vblock Systems during the build process. These diagrams can be leveraged to document the complete CDE. Additionally, the vCenter software provides real-time maps and diagrams of network and storage connections that can be leveraged by an organization to document their overall CDE. The management tools within Vblock Systems contain role-based access control functionality that allows organizations to extend their existing role definitions into Vblock Systems environments. The Vblock Systems network configuration includes Nexus and vCenter networking tools. The default configuration of Vblock Systems does not perform any layer 3 functions and hence does not participate in any layer 3 routing processes. The ability to extend organizational VLANs and support a DMZ exists. It is possible to deploy DMZ and internal zone servers on the same Vblock System if the proper segmentation controls are in place. See section Mixed Mode and Multi-tenant Considerations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1, 2.2.a, 2.2.b, 2.2.c, a, a, b, b, c, a, b, c, 2.3.a, 2.3.c
Description: VCE provides organizations the ability to have their Vblock System environment pre-configured before shipping through the VCE Build Services program. Organizations should validate that their organizational standards have been adequately addressed within the different components of Vblock Systems. vCO is an add-on tool that can be integrated with vCenter and can automate the provisioning of virtual infrastructure according to security baselines. vCO and VUM provide organizations the ability to implement security baselines in an ongoing manner. An organization should ensure that the security baselines configured within these tools are updated regularly.

Requirement 3: Protect stored cardholder data
Controls addressed: d, e
Description: vSphere can be used to establish and enforce automated procedures designed to prevent virtual machines in the CDE from being retained for longer than required. This is achieved by providing a centralized process for deleting old virtual machines and snapshots. When a virtual machine or snapshot is no longer necessary, access to that system can be permanently revoked.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: N/A
Description: N/A

Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: N/A
Description: N/A

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.4.1, 6.4.2, 6.4.4, a
Description: Vblock Systems provide tools such as vCO and VUM that enable an organization to implement a patch baseline and demonstrate compliance. vCO and VUM can be configured to group environments together and apply customized baselines to each environment. Vblock System management tools also support separation of test/development and production environments. Vblock System management tools also provide role-based access control that allows separation of users of test/development and production environments. Organizations should also ensure that the network and storage components are patched regularly. The management tools provided in Vblock Systems allow configuration of role-based access control and hence can be effective in enforcing a centralized change control process that accounts for applicable controls, including removal of test data and accounts.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, ,
Description: Vblock Systems management tools allow organizations to enforce Role-Based Access Control (RBAC) processes using existing organizational directories such as LDAP or Microsoft Active Directory.

Requirement 8: Assign a unique ID to each person with computer access
Controls addressed: 8.2, 8.4.a, 8.5.1, 8.5.3, 8.5.4, 8.5.5, a, b, a, b, c, a, a, a, a, ,
Description: Vblock Systems management tools allow organizations to enforce RBAC processes using both local accounts and through extension of existing organizational directories such as LDAP or Microsoft Active Directory. When using existing authentication technology, organizations are able to enforce password and account related controls seamlessly. If Vblock Systems components are configured to leverage local authentication, each of the system components must be separately configured to meet PCI requirements.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: N/A
Description: N/A

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, , , , , , , , , , , , , 10.4.a, 10.4.b, a, b, a, b, , , , , , , 10.7.a, 10.7.b
Description: Vblock System components have the ability to send logs to a remote syslog server. Individual access to components can be tracked and logged. Audit trails can capture event, time, action and other details required for monitoring. System components are configured to obtain NTP updates from designated servers. Role-based access control can help ensure access to audit trails and time configuration is restricted and tracked.

Requirement 11: Regularly test security systems and processes
Controls addressed: N/A
Description: N/A

Requirement 12: Maintain a policy that addresses information security for all personnel
Description: vCO can be used to automate and enforce daily operational security procedures.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: N/A
Description: N/A

Table 5: Applicability of PCI Controls to Vblock System

Mixed Mode and Multi-tenant Considerations

The PCI Virtualization Supplement describes mixed mode as a virtualization configuration where both in-scope and out-of-scope virtual components are running on the same hypervisor or host. For the purposes of this section, mixed mode environments in which multiple organizations/business units/departments coexist with no knowledge of how the other users are securing their environments are termed multi-tenant environments.

The Vblock Systems components in scope for a PCI assessment include the PCI workloads that store, process, or transmit cardholder data, inclusive of the physical infrastructure that supports the workloads. Items that may be considered out of scope include non-PCI workloads running on physically separate blades and storage pools. Additional virtual machines, hypervisors, and physical infrastructure that do not store, process, or transmit cardholder data are typically considered out of scope for a PCI assessment if the appropriate segmentation technologies are used. Keep in mind that the components that manage the CDE are also considered in scope. The AMP that manages the PCI in-scope environment should be configured and managed to meet all applicable PCI DSS controls. Additional technology such as VMware's vCNS and Cisco VSG is required to create adequate segmentation and isolation controls. Further guidance is provided in the link provided below for the VMware solution guide for PCI:

Consider building Vblock System environments with security best practices and fundamentals for all infrastructure components comprising the converged system. A high degree of correlation among security controls across different regulations and standards helps maintain compliance in a mixed mode environment. For example, working with PCI and healthcare information in the same system will be easier to manage over time if the more restrictive control set from PCI is used to govern the security baseline for the entire Vblock System. Consider applying PCI DSS to all the virtual machines hosted on the in-scope Vblock System. Applying security best practices across workloads may lead to reduced effort in managing compliance in a mixed mode environment.

Strong change control processes along with regular configuration reviews should be considered to ensure that the segmentation controls are not modified inadvertently. Hardware and software modifications to the core Vblock System components may need to be reviewed for impact to PCI scope and controls. Considering that Converged Infrastructure reduces the boundaries between traditional data center teams, the separation of duties between the personnel that manage the virtual environment and the personnel that maintain the segmentation/security controls should be reviewed. Consider enforcing multi-factor authentication and technologies such as a jump host or bastion servers for administrative access to act as added layers of segmentation.
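As an added example (not VCE's or VMware's code), the following Python script applies the rules from this section and from the Table 3 guidance above to a constructed inventory: management components that administer the CDE are pulled into scope, snapshots of in-scope VMs must be short-lived, and an in-scope VM that shares a VLAN, a datastore/LUN or a host with an out-of-scope VM is flagged for segmentation review. The seven-day snapshot limit, the VM names and the placement data are assumptions; a real run would take the inventory from vCenter, UCS Manager and Unisphere.

```python
"""Scope and segmentation review for a mixed-mode Vblock System inventory.

Added example; not VCE or VMware code. Inventory values are constructed.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Set

# Assumed retention limit: the guide only says snapshots should be kept "for a brief period".
MAX_SNAPSHOT_AGE_DAYS = 7


@dataclass
class VM:
    name: str
    cde: bool                      # stores, processes or transmits cardholder data
    host: str                      # ESXi host (UCS blade) the VM runs on
    datastore: str                 # LUN/datastore backing the VM's disks
    vlan: int                      # VLAN of the port group its vNIC is attached to
    snapshot_ages_days: List[int] = field(default_factory=list)
    manages: List[str] = field(default_factory=list)   # VMs this tool administers (AMP role)


def pci_scope(vms: List[VM]) -> Set[str]:
    """CDE workloads plus, transitively, every component that manages them."""
    in_scope = {vm.name for vm in vms if vm.cde}
    changed = True
    while changed:
        changed = False
        for vm in vms:
            if vm.name not in in_scope and any(m in in_scope for m in vm.manages):
                in_scope.add(vm.name)
                changed = True
    return in_scope


def find_scope_and_segmentation_issues(vms: List[VM],
                                       max_snapshot_age: int = MAX_SNAPSHOT_AGE_DAYS) -> List[str]:
    """Return findings tagged SCOPE, SNAPSHOT, NETWORK, STORAGE or MIXED-MODE."""
    findings: List[str] = []
    in_scope = pci_scope(vms)

    # Management tools pulled into scope must themselves meet PCI DSS controls.
    for vm in vms:
        if vm.name in in_scope and not vm.cde:
            findings.append(f"SCOPE: {vm.name} manages in-scope systems and is itself in scope")

    # Snapshots capture memory and disk, so cardholder data may persist in them.
    for vm in vms:
        if vm.name in in_scope:
            for age in vm.snapshot_ages_days:
                if age > max_snapshot_age:
                    findings.append(f"SNAPSHOT: {vm.name} snapshot is {age} days old "
                                    f"(limit {max_snapshot_age})")

    # Any layer shared between in-scope and out-of-scope VMs needs explicit segmentation.
    for a, b in combinations(vms, 2):
        if (a.name in in_scope) == (b.name in in_scope):
            continue                     # both in scope or both out: nothing to separate
        scoped, other = (a, b) if a.name in in_scope else (b, a)
        if a.vlan == b.vlan:
            findings.append(f"NETWORK: {scoped.name} shares VLAN {a.vlan} "
                            f"with out-of-scope {other.name}")
        if a.datastore == b.datastore:
            findings.append(f"STORAGE: {scoped.name} shares datastore {a.datastore} "
                            f"with out-of-scope {other.name}")
        if a.host == b.host:
            findings.append(f"MIXED-MODE: {scoped.name} and out-of-scope {other.name} share "
                            f"host {a.host}; VM-level isolation (vCNS/VSG) must be in place")
    return findings


def build_sample_inventory() -> List[VM]:
    """Constructed inventory for demonstration; names and placements are made up."""
    return [
        VM("pos-db", True, "blade-1", "lun-cde-01", 110, snapshot_ages_days=[2, 30]),
        VM("pos-app", True, "blade-1", "lun-cde-01", 110),
        VM("hr-web", False, "blade-1", "lun-gen-01", 120),
        VM("hr-db", False, "blade-2", "lun-cde-01", 120),
        VM("dev-test", False, "blade-2", "lun-gen-01", 110),
        VM("vcenter", False, "amp-1", "lun-amp-01", 200,
           manages=["pos-db", "pos-app", "hr-web", "hr-db", "dev-test"]),
    ]


if __name__ == "__main__":
    for line in find_scope_and_segmentation_issues(build_sample_inventory()):
        print(line)
```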

The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire
Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit

About VCE
VCE, formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through Vblock Systems, delivers the industry's only fully integrated and fully virtualized cloud infrastructure system. VCE solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure. For more information, go to


March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Meeting the Challenges of Virtualization Security

Meeting the Challenges of Virtualization Security Meeting the Challenges of Virtualization Security Coordinate Security. Server Defense for Virtual Machines A Trend Micro White Paper August 2009 I. INTRODUCTION Virtualization enables your organization

More information

Mitigating Information Security Risks of Virtualization Technologies

Mitigating Information Security Risks of Virtualization Technologies Mitigating Information Security Risks of Virtualization Technologies Toon-Chwee, Wee VMWare (Hong Kong) 2009 VMware Inc. All rights reserved Agenda Virtualization Overview Key Components of Secure Virtualization

More information

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A

Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879. Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 1 of 116 PageID: 4879 Appendix A Case 2:13-cv-01887-ES-JAD Document 282-2 Filed 12/09/15 Page 2 of 116 PageID: 4880 Payment Card Industry (PCI)

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Network Access Control in Virtual Environments. Technical Note

Network Access Control in Virtual Environments. Technical Note Contents Security Considerations in.... 3 Addressing Virtualization Security Challenges using NAC and Endpoint Compliance... 3 Visibility and Profiling of VMs.... 4 Identification of Rogue or Unapproved

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Enabling Trusted Multi-Tenancy with Vblock Systems

Enabling Trusted Multi-Tenancy with Vblock Systems www.vce.com Enabling Trusted Multi-Tenancy with Vblock Systems Version 1.0 March 2015 THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." VCE MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.

Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3. Townsend Security Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0 April 2015 v1.0 Product Applicability Guide Table of Contents INTRODUCTION...

More information

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

Vormetric Addendum to VMware Product Applicability Guide

Vormetric Addendum to VMware Product Applicability Guide Vormetric Data Security Platform Applicability Guide F O R P A Y M E N T C A R D I N D U S T R Y ( P C I ) P A R T N E R A D D E N D U M Vormetric Addendum to VMware Product Applicability Guide FOR PAYMENT

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

A Look at the New Converged Data Center

A Look at the New Converged Data Center Organizations around the world are choosing to move from traditional physical data centers to virtual infrastructure, affecting every layer in the data center stack. This change will not only yield a scalable

More information

Building the Virtual Information Infrastructure

Building the Virtual Information Infrastructure Technology Concepts and Business Considerations Abstract A virtual information infrastructure allows organizations to make the most of their data center environment by sharing computing, network, and storage

More information

vcloud Suite Architecture Overview and Use Cases

vcloud Suite Architecture Overview and Use Cases vcloud Suite Architecture Overview and Use Cases vcloud Suite 5.8 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application

More information

RSA Security Solutions for Virtualization

RSA Security Solutions for Virtualization RSA Security Solutions for Virtualization Grzegorz Mucha grzegorz.mucha@rsa.com Securing the Journey to the Cloud The RSA Solution for Virtualized Datacenters The RSA Solution for VMware View The RSA Solution

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview

www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview www.vce.com VCE Vision Intelligent Operations Version 2.6 Technical Overview Document revision 2.0 April 2015 VCE Vision Intelligent Operations Version 2.6 Technical Overview Revision history Revision

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre

Unlock the full potential of data centre virtualisation with micro-segmentation. Making software-defined security (SDS) work for your data centre Unlock the full potential of data centre virtualisation with micro-segmentation Making software-defined security (SDS) work for your data centre Contents 1 Making software-defined security (SDS) work for

More information

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud Rob Randell, CISSP Principal Systems Engineer Security Specialist Agenda What is the Cloud? Virtualization Basics

More information

PCI DSS and the A10 Solution

PCI DSS and the A10 Solution WHITE PAPER PCI DSS and the A10 Solution How Cloud Service Providers Can Achieve PCI Compliance with A10 Thunder ADC and vthunder Table of Contents The Challenge of PCI Compliance... 3 Overview of PCI

More information

Overcoming Security Challenges to Virtualize Internet-facing Applications

Overcoming Security Challenges to Virtualize Internet-facing Applications Intel IT IT Best Practices Cloud Security and Secure ization November 2011 Overcoming Security Challenges to ize Internet-facing Applications Executive Overview To enable virtualization of Internet-facing

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

SecureGRC TM - Cloud based SaaS

SecureGRC TM - Cloud based SaaS - Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries

More information

HBA Virtualization Technologies for Windows OS Environments

HBA Virtualization Technologies for Windows OS Environments HBA Virtualization Technologies for Windows OS Environments FC HBA Virtualization Keeping Pace with Virtualized Data Centers Executive Summary Today, Microsoft offers Virtual Server 2005 R2, a software

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

The Virtualization Practice

The Virtualization Practice The Virtualization Practice White Paper: Security Requirements of Hybrid Clouds: A Product Comparison! Edward L. Haletky Analyst Virtualization and Cloud Security! The Virtualization Practice Sponsored

More information

White Paper. SAP NetWeaver Landscape Virtualization Management on VCE Vblock System 300 Family

White Paper. SAP NetWeaver Landscape Virtualization Management on VCE Vblock System 300 Family White Paper SAP NetWeaver Landscape Virtualization Management on VCE Vblock System 300 Family Table of Contents 2 Introduction 3 A Best-of-Breed Integrated Operations Architecture 3 SAP NetWeaver Landscape

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

PCI Wireless Compliance with AirTight WIPS

PCI Wireless Compliance with AirTight WIPS A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use

More information

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud

A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud WHITE PAPER A Comprehensive Cloud Management Platform with Vblock Systems and Cisco Intelligent Automation for Cloud Abstract Data center consolidation and virtualization have set the stage for cloud computing.

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

Secure Virtualization in the Federal Government

Secure Virtualization in the Federal Government White Paper Secure Virtualization in the Federal Government Achieve efficiency while managing risk Table of Contents Ready, Fire, Aim? 3 McAfee Solutions for Virtualization 4 Securing virtual servers in

More information

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance

Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or support@learnlive.com

More information

PCI DSS 3.0 Compliance

PCI DSS 3.0 Compliance A Trend Micro White Paper April 2014 PCI DSS 3.0 Compliance How Trend Micro Cloud and Data Center Security Solutions Can Help INTRODUCTION Merchants and service providers that process credit card payments

More information

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved.

Intro to NSX. Network Virtualization. 2014 VMware Inc. All rights reserved. Intro to NSX Network Virtualization 2014 VMware Inc. All rights reserved. Agenda Introduction NSX Overview Details: Microsegmentation NSX Operations More Information SDDC/Network Virtualization Security

More information

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment

More information

VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY

VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY VBLOCK SOLUTION FOR SAP: SIMPLIFIED PROVISIONING FOR OPERATIONAL EFFICIENCY August 2011 2011 VCE Company, LLC. All rights reserved. 1 Table of Contents Introduction... 3 Purpose... 3 Audience... 3 Scope...

More information

Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard Partner Addendum Symantec Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware certified

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

Building the Private cloud

Building the Private cloud Building the Private cloud Yiannis Psichas Senior Technology Consultant Psichas_yiannis@emc.com 1 IT Infrastructure Needs to Change 77% keeping the lights on 23% delivering new capabilities Too much complexity.

More information

Implementing and Troubleshooting the Cisco Cloud Infrastructure **Part of CCNP Cloud Certification Track**

Implementing and Troubleshooting the Cisco Cloud Infrastructure **Part of CCNP Cloud Certification Track** Course: Duration: Price: $ 4,295.00 Learning Credits: 43 Certification: Implementing and Troubleshooting the Cisco Cloud Infrastructure Implementing and Troubleshooting the Cisco Cloud Infrastructure**Part

More information

Cisco Virtual Network Management Center

Cisco Virtual Network Management Center Data Sheet Cisco Virtual Network Management Center Introduction The dynamic nature of the cloud paradigm introduces new needs for automation, but it also facilitates new types of automation due to the

More information

VMware vcloud Networking and Security Overview

VMware vcloud Networking and Security Overview VMware vcloud Networking and Security Overview Networks and Security for Virtualized Compute Environments WHITE PAPER Overview Organizations worldwide have gained significant efficiency and flexibility

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««;

Security. Environments. Dave Shackleford. John Wiley &. Sons, Inc. s j}! '**»* t i j. l:i. in: i««; Security N Environments '' J J H -. i ^ s j}! Dave Shackleford '**»* t i j i««; l:i in: John Wiley &. Sons, Inc. Contents Introduction.. : xix Chapter l Fundamentals of Virtualization Security Virtualization

More information

WHITE PAPER: Egenera Cloud Suite for EMC VSPEX. The Proven Solution For Building Cloud Services

WHITE PAPER: Egenera Cloud Suite for EMC VSPEX. The Proven Solution For Building Cloud Services WHITE PAPER: Egenera Cloud Suite for EMC VSPEX The Proven Solution For Building Cloud Services Build, Manage and Protect Your Cloud with the VSPEX Certified Egenera Cloud Suite Today, organizations are

More information

Cloud and Data Center Security

Cloud and Data Center Security solution brief Trend Micro Cloud and Data Center Security Secure virtual, cloud, physical, and hybrid environments easily and effectively introduction As you take advantage of the operational and economic

More information

Optimally Manage the Data Center Using Systems Management Tools from Cisco and Microsoft

Optimally Manage the Data Center Using Systems Management Tools from Cisco and Microsoft White Paper Optimally Manage the Data Center Using Systems Management Tools from Cisco and Microsoft What You Will Learn Cisco is continuously innovating to help businesses reinvent the enterprise data

More information

Using Trend Micro s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance

Using Trend Micro s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance A COALFIRE WHITE PAPER Using s Cloud & Data Center Security Solution to meet PCI DSS 3.0 Compliance Implementing s Deep Security Platform in a Payment Card Environment April 2015 Page 1 Executive Summary...

More information

Learn the Essentials of Virtualization Security

Learn the Essentials of Virtualization Security Learn the Essentials of Virtualization Security by Dave Shackleford by Dave Shackleford This paper is the first in a series about the essential security issues arising from virtualization and the adoption

More information

Tenable Addendum to VMware Product Applicability Guide. for. Payment Card Industry Data Security Standard (PCI DSS) version 3.0

Tenable Addendum to VMware Product Applicability Guide. for. Payment Card Industry Data Security Standard (PCI DSS) version 3.0 Tenable Product Applicability Guide For Payment Card Industry (PCI) Partner Addendum VMware Compliance Reference Architecture Framework to VMware Product Applicability Guide for Payment Card Industry Data

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

Ease Server Support With Pre-Configured Virtualization Systems

Ease Server Support With Pre-Configured Virtualization Systems Ease Server Support With Pre-Configured Virtualization Systems Manufacturers and industrial production companies are increasingly challenged with supporting the complex server environments that host their

More information

vshield Quick Start Guide

vshield Quick Start Guide vshield Manager 5.0 vshield App 5.0 vshield Edge 5.0 vshield Endpoint 5.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION

Trend Micro. Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION SOLUTION BRIEF Trend Micro CLOUD AND DATA CENTER SECURITY Secure virtual, cloud, physical, and hybrid environments easily and effectively INTRODUCTION As you take advantage of the operational and economic

More information

A ROAD MAP FOR GEOSPATIAL INFORMATION SYSTEM APPLICATIONS ON VBLOCK INFRASTRUCTURE PLATFORMS

A ROAD MAP FOR GEOSPATIAL INFORMATION SYSTEM APPLICATIONS ON VBLOCK INFRASTRUCTURE PLATFORMS A ROAD MAP FOR GEOSPATIAL INFORMATION SYSTEM APPLICATIONS ON VBLOCK INFRASTRUCTURE PLATFORMS June 2011 WHITE PAPER 2011 VCE Company LLC, All rights reserved. 1 Table of Contents Executive Overview... 3

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP

Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP P a g e 1 Leveraging Microsoft Privileged Identity Management Features for Compliance with ISO 27001, PCI, and FedRAMP December 24, 2015 Coalfire Systems, Inc. www.coalfire.com 206-352- 6028 w w w. c o

More information