HyTrust CloudControl Support for PCI DSS 3.0

Summary

-- In PCI DSS 3.0, hypervisors and virtual networking components are always in-scope for audit; native auditing capabilities from the core virtualization vendors are not sufficient to meet PCI DSS requirements.
-- HyTrust CloudControl(TM) supports the broadest range of PCI DSS hypervisor controls for administrator activity and configuration management:
   -- Twenty-eight requirements for vSphere hypervisors in PCI DSS Sections 2, 6, 7, 8 and 10
   -- Eight PCI Council virtualization guidelines and best practices
-- CloudControl is also essential for mixed-mode environments that combine PCI and non-PCI servers on the same virtual infrastructure.
-- CloudControl lowers the cost of PCI compliance with rich, segmented logging and sample size reduction.

Background: PCI DSS and virtualization

The virtualization of PCI in-scope applications is now becoming a broadly accepted deployment model. The earliest versions of the PCI Data Security Standard (DSS) did not address virtualization specifically, leading to differing interpretations and general confusion as to what was permitted under the standard. Recognizing this, the PCI Council launched an initiative to clarify the use of technologies such as VMware vSphere (formerly ESXi). This resulted in the publishing of the Virtualization Guidelines document in 2011, and new requirements for virtual infrastructure in PCI DSS Versions 2.0 and 3.0. While these documents do not resolve all ambiguity, they do clarify the most important questions and provide fairly clear guidance for assessors as to how to audit these environments.

PCI DSS places the hypervisor in-scope

One of the most important additions to the PCI DSS standard in Version 2 was the mandatory inclusion of virtual infrastructure as in-scope for PCI audit.
It is worth citing the exact text in the current 3.0 standard, as years of ambiguity and debate were eliminated in just a few sentences:

    "The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. Examples of system components include but are not limited to the following: Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors." [1]

[1] PCI DSS 3.0, Scope of PCI DSS Requirements, Page 10

This definition of scope simply means that all DSS Requirements (controls) apply to virtual infrastructure, just as they apply to physical infrastructure supporting the Cardholder Data Environment (CDE). Therefore, vSphere hosts, VMware and Cisco virtual switches, and virtual firewalls all fall under PCI DSS if they host or transmit cardholder data.

HyTrust CloudControl PCI DSS controls support

HyTrust CloudControl was designed to be the most complete solution available for administrator and configuration controls on VMware vSphere and vCenter infrastructure. PCI DSS mandates controls in many areas, but two of the most important are administrator activity and infrastructure configuration, and these are the two areas in which CloudControl delivers unmatched capabilities. Specifically, CloudControl supports 28 controls in the following PCI DSS sections:
-- Section 2: Vendor Defaults
-- Section 6: Secure Systems
-- Section 7: Restrict Access to Cardholder Data
-- Section 8: Identify and Authenticate Access
-- Section 10: Track and Monitor All Access

In addition, CloudControl supports a further six recommendations in the Virtualization Guidelines document, as well as one Best Practice recommendation and one Sampling example. Details of all 36 controls can be found in the appendices. It is not possible to meet all of these requirements with VMware vSphere and vCenter alone. HyTrust is the only vendor that can implement the broad hypervisor controls required by the PCI Data Security Standard.

PCI control areas supported by HyTrust CloudControl:

-- Configuration hardening
-- Authentication controls, including password management and two-factor
-- Least-privilege role-based access controls
-- Reporting and auditing of administration activity
-- Separation of duties (vNetwork/host; dev/test/prod)
-- Mixed-mode administrative segmentation
-- Sampling reduction: centralized operational processes and controls

Lowering the cost of PCI compliance

While passing a PCI audit is clearly the primary objective, close behind is the desire to meet the PCI requirements as easily and efficiently as possible. HyTrust CloudControl was designed to support this objective as well as the actual PCI requirements, freeing up valuable resources for other risk management activities. CloudControl supporting features include:

Complete log entries - CloudControl log entries contain all required elements for efficient report creation and indexing, drastically reducing the time required for producing periodic or on-demand reports.

Segmentation and reduction of scope - CloudControl can limit the manual movement of in-scope virtual servers to only the intended vSphere hosts, eliminating other hosts from the CDE and hence reducing the number of systems that must be audited.
It also assists with the segmentation of the CDE with both vCenter administration controls and configuration hardening to lock down non-network communication paths.

    "Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment." (PCI Council - Virtualization Guidelines)

CDE segmented logging - CloudControl can support logging segmented for the CDE only, eliminating the need to parse and dispose of log data irrelevant to the CDE. For example, if only a subset of the vSphere hosts or administrators in a vCenter domain are used for PCI, CloudControl can provide logging for only those in-scope assets or people. Not only does this reduce the effort of implementing the PCI controls, it reduces the load (and therefore cost) of the logging and reporting system.

Sample size reduction via centralized and standardized procedures - PCI DSS 3.0 notes that assessors can reduce the sample size of their audit if centralized and standardized procedures are in place. As CloudControl centralizes vSphere configuration and imposes standard procedures for administration, the organization can reasonably request a more limited sample size, significantly reducing the cost of the audit.

    "If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample [of in-scope components] can be smaller than if there are no standard processes/controls in place." (PCI DSS 3.0, Page 15)

Mixed mode

More aggressive organizations are considering combining PCI and non-PCI virtual servers on a single hypervisor, in order to use hardware as efficiently as possible. This deployment model, known as Mixed Mode, is not prohibited by the PCI DSS. However, the Virtualization Guidelines make it clear that this model will be held to an even higher standard during an assessment, because of the risk of attacks being launched from the non-PCI workloads. It also puts more pressure on the proper administration of the hypervisor to ensure that strong segmentation of the PCI CDE is maintained.

    "In a mixed-mode configuration, the hypervisor plays a critical role in enforcing process isolation between the in-scope and out-of-scope systems." (PCI Council - Virtualization Guidelines)
And finally, this mode has the potential to drive up the costs of compliance, because logging of the PCI and non-PCI workloads and administration may become co-mingled.

HyTrust CloudControl fully supports mixed-mode PCI deployments, and in fact it will be difficult to pass a PCI audit without implementing the controls CloudControl provides. Broadly speaking, CloudControl supports these four mixed-mode controls and functions for both administrative and logical segmentation:

-- Enforced workload (VM) placement - ensures both PCI and non-PCI VMs are placed only on authorized servers
-- Configuration hardening - eliminates possible segmentation violations via hypervisor misconfiguration
-- Administrator role separation - allows different people to operate the non-PCI workloads, moving their activities out of scope
-- Independent logging of PCI workloads - minimizes the cost and effort of compliance controls and reporting

Summary

PCI DSS 3.0 identifies the critical role of virtual infrastructure in protecting cardholder data. While no single product or solution can meet all the PCI requirements on all in-scope components, HyTrust CloudControl offers a deeper level of support for administrator and configuration audit controls on virtual infrastructure than any other solution. It is also designed to help reduce the scope of the audit, segment the CDE, and implement the controls as efficiently as possible. It should therefore be considered for all VMware environments supporting critical applications and data, including those subject to PCI DSS audit.

HyTrust - Cloud Under Control.
1975 W. El Camino Real, Suite 203, Mountain View, CA 94040, USA
Phone: 1-844-681-8100   International: 1-650-681-8100
(c) 2015 HyTrust, Inc. All rights reserved. HyTrust and the HyTrust logo are trademarks and/or registered trademarks of HyTrust, Inc., and/or its subsidiaries in the United States and/or other countries. All other trademarks are properties of their respective owners.
Appendix 1: HyTrust CloudControl - PCI control support details

HyTrust CloudControl supports all of the following PCI DSS 3.0 requirements for VMware vSphere hypervisors, as well as a subset of controls for Cisco NX-OS physical and virtual network infrastructure.

PCI DSS 3.0 Requirement Section 2: Vendor defaults
  Requirements: 2.1, 2.2, 2.2.1, 2.2.4, 2.2.5, 2.4, 2.5, 2.6
  CloudControl support: Multiple controls including configuration hardening (default elimination and service removal), password vaulting, tag-based placement policies for CDE isolation, server and virtual network admin separation of duties, inventory report.

PCI DSS 3.0 Requirement Section 6: Secure systems
  Requirements: 6.4.1, 6.4.2
  CloudControl support: Administration separation of duties for CDE/non-CDE and Dev&Test/Production. Two-person rule for adding assets to the CDE.

PCI DSS 3.0 Requirement Section 7: Restrict access to cardholder data
  Requirements: 7.1, 7.1.1, 7.1.2, 7.1.3, 7.2, 7.2.1, 7.2.2, 7.2.3
  CloudControl support: Label-based Access Control authorizations based on need-to-know, with default deny (no rights); authorizations based on admin role, activity function, and target asset.

PCI DSS 3.0 Requirement Section 8: Identify and authenticate access
  Requirements: 8.1, 8.2, 8.3, 8.5
  CloudControl support: Multiple controls including two-factor for all admin access; root password vaulting with temporary check-out support; enforcing complex passwords; five-day password rotation.

PCI DSS 3.0 Requirement Section 10: Track and monitor all access
  Requirements: 10.2.2, 10.2.4, 10.2.5, 10.2.7, 10.3, 10.6
  CloudControl support: Multiple logging controls including all admin activities for in-scope systems; failed logins include origination; changes to authentication; creation/deletion of system-level objects. All 10.3 log entry requirements met, plus additional entries for faster event reconciliation. Secured audit trail. Log review scope reduction: limit the volume of logs that need to be reviewed by enforcing least privilege and need-to-know to decrease overall log entry volume.
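As an added illustration (not HyTrust code and not any CloudControl API), the following Python model shows how three of the Appendix 1 controls fit together: default-deny authorization keyed on admin role, activity and target-asset label (Section 7), tag-based placement enforcement that keeps PCI VMs on CDE hosts (Section 2), and a CDE-segmented view of the audit log (Section 10). All host, VM, admin and label names are constructed for the example.

```python
from collections import namedtuple

# An Asset is a VM or a vSphere host; its labels mark CDE membership ("pci") or not.
Asset = namedtuple("Asset", "name labels")
Admin = namedtuple("Admin", "name role")

# Explicit allow rules keyed on (admin role, activity, target-asset label).
# Anything not listed is denied: default deny, "no rights".
POLICY = {("pci_admin", "poweron", "pci"), ("pci_admin", "migrate", "pci"),
          ("dev_admin", "poweron", "dev"), ("dev_admin", "migrate", "dev")}

def authorize(admin, action, vm, host):
    """Default-deny label check, then placement enforcement for mixed-mode hosts."""
    if not any((admin.role, action, lbl) in POLICY for lbl in vm.labels):
        return False, "no rule grants %s '%s' on %s" % (admin.role, action, vm.name)
    # Enforced placement: a PCI VM may only land on a CDE host, and a non-PCI VM
    # may not be placed onto a CDE host, so the audit scope cannot silently grow.
    if ("pci" in vm.labels) != ("pci" in host.labels):
        return False, "placing %s on %s crosses the CDE boundary" % (vm.name, host.name)
    return True, "allowed"

def record(log, admin, action, vm, host):
    """Evaluate one request, append a log entry tagged with CDE scope, return the decision."""
    allowed, reason = authorize(admin, action, vm, host)
    log.append({"admin": admin.name, "action": action, "vm": vm.name, "host": host.name,
                "allowed": allowed, "reason": reason,
                "in_scope": "pci" in vm.labels or "pci" in host.labels})
    return allowed

def cde_entries(log):
    """CDE-segmented view: only entries touching in-scope assets reach PCI log review."""
    return [e for e in log if e["in_scope"]]

# Constructed sample inventory (hypothetical names, not real infrastructure).
PCI_HOST = Asset("esx-pci-01", frozenset({"pci"}))
DEV_HOST = Asset("esx-dev-01", frozenset({"dev"}))
CARD_VM = Asset("vm-cardholder-db", frozenset({"pci"}))
BUILD_VM = Asset("vm-ci-runner", frozenset({"dev"}))
ALICE, BOB = Admin("alice", "pci_admin"), Admin("bob", "dev_admin")

def demo():
    """Run four representative requests and return the full audit log."""
    log = []
    record(log, ALICE, "migrate", CARD_VM, PCI_HOST)  # allowed, in scope
    record(log, ALICE, "migrate", CARD_VM, DEV_HOST)  # denied: VM would leave the CDE
    record(log, BOB, "poweron", CARD_VM, PCI_HOST)    # denied: role has no rights on pci
    record(log, BOB, "poweron", BUILD_VM, DEV_HOST)   # allowed, out of scope
    return log
```

Running `cde_entries(demo())` yields three entries: the dev admin's out-of-scope action is kept in the full log but never reaches PCI log review, while both denied attempts against the cardholder VM do.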
Appendix 2: HyTrust CloudControl - PCI best practices and guidelines

HyTrust CloudControl supports the following PCI DSS 3.0 best practices, and the guidelines published by the Council in the Virtualization Guidelines document. These are in addition to the core PCI DSS requirements (see Appendix 1).

PCI DSS 3.0 Guidance Section: Best practices/BAU (DSS page 13)
  Guidance: Example 3 - Review environment changes prior to execution.
  CloudControl support: Two-person rules for sensitive changes to in-scope assets.

PCI DSS 3.0 Guidance Section: Sampling (DSS page 15)
  Guidance: If there are standardized, centralized PCI DSS security and operational processes and controls in place that ensure consistency and that each business facility/system component must follow, the sample can be smaller than if there are no standard processes/controls in place.
  CloudControl support: By standardizing and centralizing consistent controls on HyTrust, the auditor can reduce the sample size for the audit.

Virtualization Guidelines Section 4.1: General
  Guidelines: 4.1.6, 4.1.8, 4.1.11, 4.1.12
  CloudControl support: Multiple controls including 2-factor authentication; role-based control by function and by asset (separation of admin duties); two-person authorizations; logs sent off-server. Hypervisor configuration hardening. Virtual networking controls (vSwitch or NX-OS).

Virtualization Guidelines Section 4.2: Mixed Mode Environments
  Guidelines: 4.2.1
  CloudControl support: Enables log monitoring for breach in the integrity of segmentation, security controls, or communication channels between workloads. Two-factor authentication and asset-based authorization to maintain isolation between CDE and non-CDE components at the hypervisor level. Detailed logging of all hypervisor administration activity.

Virtualization Guidelines Section 4.4: Guidance for Assessing Risks in Virtual Environments
  Guidelines: 4.4.1
  CloudControl support: Hypervisor configuration hardening (to eliminate possible technical breakdown of CDE isolation). Role-based authorization (to meet the defined roles and permissions requirement).