Partner Addendum: Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.

SOLUTION GUIDE ADDENDUM 1
Table of Contents

1 Introduction ... 3
2 Cloud Computing ... 8
3 Overview of PCI as it Applies to Cloud/Virtual Environments ... 12
4 Vormetric PCI Compliance Solution ... 15
5 Vormetric PCI Requirements Matrix (Overview) ... 16
1 Introduction

Safeguarding Data with Privileged User Access Controls

The Flaw in the System

Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their security architecture. The flaw? The concept of a Root User, Domain Administrator, System Administrator or other high-level computer operator and their data access rights. These users have always had access to every aspect of a system (software installation, system configuration, user creation, networking, resource allocation and more), as well as access to all the data associated with the system. These accounts exist because of the need for system maintenance and management. But as systems have become more closely interlinked, with increasing amounts of private and confidential data accessible to them, the risk from privileged user accounts has increased. Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent of new technologies and threats:

- Rights too broadly assigned: Superuser privileges are often assigned to DBAs, application developers, SysAdmins and others that don't have a real need for this level of access to private and confidential data.
- Sharing of privileged accounts: Traditionally, many IT departments allowed unrestricted sharing of privileged user accounts (logins and passwords), leading to a loss of personal accountability.
- Cloud, virtualization and big data expand the threat: With each new technology layer used as part of system deployment and management, new privileged user roles are created.
- Advanced Persistent Threat (APT) attacks target privileged accounts: Attackers have now found that if you want access to everything, you want to compromise privileged user accounts and their system and data access rights. Though they may initially enter through less sensitive accounts, privileged user credentials are a primary target.
Figure 1: Vormetric Data Firewall Solution Overview

The Solution: The Vormetric Data Firewall

Allow privileged users to manage systems without risk to protected data. The tasks performed by privileged users to maintain, repair and initiate systems are not optional; these roles exist in order to meet essential requirements for all enterprise environments. What's needed is to enable these users to perform their tasks while removing their ability to access private and confidential data. And when a category of account has a legitimate need for access to this sensitive data, to have the information available that allows identification of anomalous usage patterns that may indicate that the account has been compromised.

- Transparent: The Vormetric Data Firewall meets these needs with a transparent solution, enabling critical system processes to continue without exposing data.
- Strong: The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, that provides granular access to protected structured or unstructured data by process, user, time and other parameters.
- Efficient: Vormetric provides a high-performance, low-overhead solution, leveraging the AES-NI hardware encryption built into Intel x86 processors.
- Easy: Deployments in days to weeks, not weeks to months, across physical systems, cloud, big data and virtualized environments that are easy to manage and easy to understand.
Meet Critical Enterprise Requirements

Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical requirements:

- Meet compliance requirements
- Prevent data breaches
- Safeguard intellectual property

Figure 2: Vormetric Data Firewall for PCI Compliance

- Access Policies and Privileged User Control: Vormetric provides fine-grained, policy-based access controls that restrict access to data, ensuring that data is available only to authorized users and processes.
- Encryption and Key Management: Vormetric provides the strong, centrally managed encryption and key management that enables compliance and is transparent to processes, applications and users.
- Security Intelligence: Vormetric logs capture all access attempts to protected data, providing high-value security intelligence that can be used with a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.
- Automation: For fast rollouts and integration with existing infrastructure, both web and command-line level APIs provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.
- Multi-Tenancy: Secure data in commingled and multi-tenant environments, enabling end users to control policies and keys specific to their own data.
VMware's Approach to PCI Compliance

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware Private Cloud" by providing helpful information for VMware architects, the compliance community, and third parties. The PCI Private Cloud Use Case is comprised of four VMware Product Suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOps) and View. These product suites are described in detail in this paper. The use case also provides readers with a mapping of the specific PCI controls to VMware's product suite, partner solutions, and organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its Partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 3: PCI Requirements
Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud
Figure 5: Help Meet Customers' Compliance Requirements to Migrate Business Critical Apps to a VMware vCloud

2 Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. These definitions are listed below:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:

- http://www.vmware.com/solutions/cloud-computing/index.html#tab3 (VMware Cloud Computing Overview)
- http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html (VMware's vCloud Architecture Toolkit)

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:

- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?
The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule-by-rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers, click on the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000mjsmaaw
Figure 6: Vormetric Data Firewall Blocks Privileged Users

For additional information on VMware compliance solutions for PCI, please refer to the VMware Solution Guide for PCI.
Figure 7: VMware Cloud Computing Partner Integration
Figure 8: Vormetric Cloud Computing Integration

Achieving PCI compliance is not a simple task. It is difficult for many organizations to navigate the current landscape of information systems and adequately fulfill all PCI DSS requirements. Vormetric, working with VMware, is continuing its leadership role in the industry by providing data firewall and data security solutions from the data center to the cloud, to help clients meet their compliance needs.

3 Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.
The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 9: Navigating PCI DSS
The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Figure 10: VMware PCI Compliance Products
4 Vormetric PCI Compliance Solution

Vormetric Data Firewall is a comprehensive solution providing privileged user control, centralized key and policy management, encryption of data at rest, and comprehensive security intelligence. Vormetric offers strong data security controls that leverage policy-based access controls, separation of duties, and auditing capabilities, all of which can be managed through a centralized management console. In addition, in highly virtualized environments Vormetric provides automatic installation, configuration, and dynamic policy enhancements based on real-time threats. Vormetric has mapped its products against the PCI standard. The table below provides a product description of the Vormetric Solutions and how they relate to the PCI standard.

Table 2: Vormetric Solutions

Solution: Vormetric Data Security Manager
Description: Vormetric Data Security Manager integrates key management, data security policy management, and event log collection into a centrally managed cluster that provides high availability and scalability to thousands of Vormetric Agents. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed environments. The Data Security Manager stores the data security policies, encryption keys, and audit logs in a hardened appliance that is physically separated from the Agents. Security teams can enforce strong separation of duties over management of the Vormetric system by requiring the assignment of key and policy management to more than one data security administrator, so that no one person has complete control over the security of data.

Solution: Vormetric Data Firewall
Description: Vormetric Data Security Manager is accessed from a secure Web management console and supports multiple Vormetric Agents. As a rack-mountable Federal Information Processing Standard (FIPS) 140-2 appliance, the Data Security Manager functions as the central point for creating, distributing, and managing data encryption keys, policies, and host data security configurations.

Solution: Vormetric Agents
Description: Vormetric Agents are software agents that insert above the file system and logical volume layers. The agents evaluate any attempt to access the protected data and apply predetermined policies to either grant or deny such attempts. The agents maintain a strong separation of duties on the server by encrypting files and leaving their metadata in the clear, so IT administrators can perform their jobs without directly accessing the information. The agents perform the encryption, decryption, and access control work locally on the system that is accessing the data at rest in storage. This enables encryption to be distributed within the data center and out to remote sites, while being centrally managed via the Data Security Manager cluster. Vormetric Agents are installed on each server where data requires protection. The agents are specific to the OS platform and transparent to applications, databases (including Oracle, IBM, Microsoft, Sybase, and MySQL), file systems, networks, and storage architecture. Current OS support includes Microsoft Windows, Linux, Sun Solaris, IBM AIX, and HP-UX.
5 Vormetric PCI Requirements Matrix (Overview)

Vormetric's PCI DSS Compliance Solution includes extensive data security and firewalling technology. When properly deployed and configured, the Vormetric solution either fully meets or augments the following PCI DSS requirements:

Table 3: Vormetric PCI DSS Requirements Matrix

| PCI DSS Requirement | Number of PCI Requirements | Number of Controls Met or Augmented by Vormetric |
| --- | --- | --- |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 | |
| Requirement 3: Protect stored cardholder data | 33 | 13 |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 | |
| Requirement 5: Use and regularly update anti-virus software or programs | 6 | |
| Requirement 6: Develop and maintain secure systems and applications | 32 | |
| Requirement 7: Restrict access to cardholder data by business need to know | 7 | 7 |
| Requirement 8: Assign a unique ID to each person with computer access | 32 | 2 |
| Requirement 9: Restrict access to cardholder data by business need to know | 28 | |
| Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 18 |
| Requirement 11: Regularly test security systems and processes | 24 | 1 |
| Requirement 12: Maintain a policy that addresses information security for all personnel | 40 | |
| Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 | |
| TOTAL | 297 | 41 |
Vormetric Data Firewall The following matrix maps the PCI DSS controls to the functionality of the Vormetric Data Firewall Vormetric provides an enterprise class platform that provides privileges user control, strong encryption, centralized key management, and comprehensive auditing In addition, automation and multi-tenant capabilities are designed into the platform It is designed to address an ever-changing landscape of threats and challenges, with a full suite of capabilities Vormetric provides solutions to support or meet PCI DSS controls Additional policy, process or technologies may be needed to be used in conjunction with Vormetric s solutions to fully comply with PCI DSS Table 4: Applicability of PCI Controls to Vormetric Data Firewall PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT Requirement 1: Install and maintain a firewall configuration to protect cardholder data CONTROLS ADDRESSED N/A DESCRIPTION No controls in this PCI requirement are addressed by the Vormetric solution Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data N/A 34, 341, 351, 352, 36, 361, 362, 363, 364, 365, 366, 367, 368 No controls in this PCI requirement are addressed by the Vormetric solution Vormetric meets or augments the following specific controls: Vormetric directly supports testing procedure 34 by protecting stored data by encrypting and controlling access to the files or volumes where PANs reside Vormetric s ability to encrypt structured and unstructured data means that it can protect the data whether it is in audit files or in databases Additionally, Vormetric offers Backup Encryption Expert to secure backup media Vormetric encrypts data using strong encryption algorithms, such as TripleDES and AES (128- and 256 bit lengths) PANs are protected using policy-based encryption so that only authorized users and services can encrypt and decrypt the protected files Vormetric directly 
supports testing procedure 341 by using file-level and volume-level encryption, not disk encryption Cryptographic keys are not tied to user accounts, but are contained within the Vormetric system Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key S O L U T I O N G U I D E A D D E N D U M 17
PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT CONTROLS ADDRESSED DESCRIPTION Vormetric directly supports testing procedure 35X by ensuring encryption keys are securely stored on a FIPS- 140 Level 2 validated security server (hardware appliance) Level 3 is available with the HSM The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties When encryption keys are stored locally to eliminate network latency performance hits, Vormetric securely wraps the keys to protect against access by root administrators Vormetric directly supports testing procedure 351 by ensuring cryptographic keys are centrally generated and stored by the Data Security Manager cluster Best practice also dictates that custodians store cryptographic keys off-site When cryptographic keys are backed-up for off-site storage, the Data Security Manager encrypts them with a split wrapping key Vormetric directly supported testing procedure 352 by ensuring that all data encryption keys are stored encrypted within the Data Security Manager Vormetric directly supports testing procedure 36 through an architecture where the Data Security Manager is the central repository for cryptographic keys and policies managed via a secure web management console, a command line interface over SSH, or a direct console connection Keys never leave the Data Security Manager in the clear Custodians can create keys, but do not have direct access to key material Vormetric directly supports testing of procedure 361 by ensuring cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards Vormetric directly supports testing of procedure 362 by ensuring data encryption keys are wrapped and then securely distributed via HTTPS to Vormetric agents configured to protect the PANs residing on file, app, or database servers Vormetric directly supports testing of procedure 363 by ensuring cryptographic keys are 
centrally stored within the Data Security Manager Customers have the option to store cryptographic keys on the host server Vormetric s highly secure agents protect these keys from unauthorized access, even from root administrators Vormetric directly supports testing of procedure 364 by providing facilities for changing both Data Security Manager master keys and data encryption keys as defined by the organization s S O L U T I O N G U I D E A D D E N D U M 18
PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT CONTROLS ADDRESSED DESCRIPTION security policy Vormetric directly supports testing of procedure 365 with the Data Security Manager as the central repository for cryptographic keys When a key is retired by a custodian it can either be permanently deleted or made available only for decryption operations Vormetric directly supports testing of procedure 366 by following a no knowledge approach in which the keys never leave the Data Security Manager in the clear Custodians can create keys, but do not have access to the key material The Data Security Manager supports an n of m sharing scheme A specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager Vormetric directly supports testing of procedure 367 through cryptographic key policy and usage defined and managed by the custodian of the Data Security Manager, thereby prohibiting unauthorized substitution of cryptographic keys by developers, database administrators, or any other unauthorized users Further, the Vormetric solution provides robust separation of duties, such that one administrator may create a key but a separate administrator must activate or apply that key to protect data Requirement 4: Encrypt transmission of cardholder data across open, public networks Requirement 5: Use and regularly update antivirus software or programs Requirement 6: Develop and maintain secure systems and applications N/A N/A N/A Vormetric directly supports testing of procedure 368 with the Data Security Manager as the key central repository for cryptographic keys, and forms can be distributed easily to the Data Security Manager custodians No controls in this PCI requirement are addressed by the Vormetric solution No controls in this PCI requirement are addressed by the Vormetric solution No controls in this PCI requirement are addressed by the Vormetric solution S O L U T I O N 
G U I D E A D D E N D U M 19
PCI DSS V20 APPLICABILITY M ATRIX REQUIREMENT Requirement 7: Restrict access to cardholder data by business need to know CONTROLS ADDRESSED 711, 712, 713, 714, 721, 722, 723 DESCRIPTION Vormetric meets or augments the following specific controls: Vormetric directly supports testing procedure 71X by adding a layer of access control on top of the native operating system access control It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data Vormetric directly supports testing of procedure 711 by ensuring that data cannot be viewed by system administrators who do not have a need to know, while simultaneously ensuring that there is no interruption to data backup processes By leaving metadata in the clear, but encrypting the underlying data, administrators can identify the files that require backup without providing them access to the file itself Vormetric directly supports testing of procedure 712 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on need to know Vormetric directly supports testing of procedure 713 by providing audit records to assist with the monitoring of privileges Any change made to the access control policies is always audited Any changes to authorizations can be reviewed Vormetric directly supports testing of procedure 714 by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data Available rights for Vormetric policies include release of encrypted contents for backup, decryption of contents based on need to know, and control of writes to the data file Vormetric directly supports testing of procedure 72X by setting access control policies that define a list of authorized users and applications Only users and applications that are 
part of this list can access the data in clear text (Administrators are given access to the cardholder data, but data is not decrypted for them) Vormetric directly supports testing of procedure 721 by protecting the cardholder data at rest anywhere on the server Vormetric directly supports testing of procedure 722 by enforcing policies help enforce policies that ensure individuals, applications and processes are provided access to the cardholder data S O L U T I O N G U I D E A D D E N D U M 20
PCI DSS v2.0 Applicability Matrix (Requirement / Controls addressed / Description)

(Requirement 7, continued) ...based on their classification and functions, thereby restricting access based on need to know. Vormetric directly supports testing of procedure 7.2.3 through default settings of deny-all for all access control policies.

Requirement 8: Assign a unique ID to each person with computer access
Controls addressed: 8.4, 8.5.16
Description: Vormetric meets or augments the following specific controls:
Vormetric augments testing procedure 8.4 by providing the ability to ensure that all passwords can be encrypted during storage.
Vormetric directly supports testing procedure 8.5.16 by preventing privileged operating-system users from accessing information stored in databases.

Requirement 9: Restrict access to cardholder data by business need to know
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.1, 10.5.1, 10.5.2, 10.5.3, 10.5.5
Description: Vormetric meets or augments the following specific controls:
Vormetric directly supports testing of procedure 10.1 by providing detailed auditing at the file system level. Any read/write request for sensitive data can be audited, and the trails contain information to track access back to a specific user, application and time.
Vormetric directly supports testing of procedure 10.2.x by providing logging and flexible policy options to audit access and changes to Vormetric infrastructure and protected resources.
Vormetric directly supports testing of procedure 10.2.1 by including flexible policy options to audit access and changes to protected resources. Policies can be constructed to monitor individual access to cardholder data.
Vormetric directly supports testing of procedure 10.2.2 by constructing policies to monitor individual access to cardholder data. Policies can also prevent privileged users from accessing data in the clear without interfering with their ability to perform their day-to-day administrative duties. Both failed and successful attempts to view card data are logged.
Vormetric directly supports testing of procedure 10.2.3 by enabling administrators of the Data Security Manager that are assigned the role of audit officer to access audit trails, which are centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited.
Vormetric directly supports testing of procedure 10.2.4 through configuration to audit all denied access requests.
Vormetric directly supports testing of procedure 10.2.6 by logging the initialization of Vormetric logs.
Vormetric directly supports testing of procedure 10.2.7 by logging all custodian activity.
Vormetric directly supports testing of procedure 10.3.1 by generating audit entries that include the username and group membership.
Vormetric directly supports testing of procedure 10.3.2 by generating audit entries that include the type of event.
Vormetric directly supports testing of procedure 10.3.3 by generating audit entries that include the date and time.
Vormetric directly supports testing of procedure 10.3.4 by generating audit entries that include a success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data.
Vormetric directly supports testing of procedure 10.3.5 by generating audit entries that note the origination of the event.
Vormetric directly supports testing of procedure 10.3.6 by generating audit entries that include the host and the full path to the file that was the target of the access request.
Vormetric directly supports testing of procedure 10.4.1 through synchronization with an NTP server.
Vormetric directly supports testing of procedure 10.5.1 by limiting the viewing of audit trails to those individuals with a job-related need.
Vormetric directly supports testing of procedure 10.5.2 by ensuring that audit trails cannot be modified while they reside on the Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric encryption and access control.
Vormetric directly supports testing of procedure 10.5.3 by providing an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a customer's centralized log server or event management solution via syslog. In addition, this external log repository can be protected and safeguarded with the Vormetric solution.
Vormetric directly supports testing of procedure 10.5.5 by ensuring log files cannot be modified while they reside on the Vormetric Data Security Manager. Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails.
Vormetric augments testing of procedure 10.6 by generating log reports for monitoring of daily activity.

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.5
Description: Vormetric meets or augments the following specific controls:
Vormetric augments testing of procedure 11.5 by generating audit information for unintended direct access to card data and can be configured to generate alerts.

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by the Vormetric solution.
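As an added example (not Vormetric's own code or log format), the following Python checks a batch of audit entries against the 10.3.1 to 10.3.6 field requirements listed in the matrix and flags permitted clear-text reads by a privileged account, the 10.2.2 case the matrix describes; the key=value line format, the field names and the sample entries are constructed for illustration.

```python
import re

# 10.3.1-10.3.6: the field each audit entry must carry. Field names are
# constructed for this example, not a real product's schema.
REQUIRED_FIELDS = {
    "10.3.1": "user",    # user identification
    "10.3.2": "event",   # type of event
    "10.3.3": "time",    # date and time
    "10.3.4": "result",  # success or failure indication
    "10.3.5": "origin",  # origination of the event (host)
    "10.3.6": "path",    # identity of the affected data or resource
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_entry(line):
    """Parse one key=value audit line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def missing_controls(entry):
    """Return the 10.3.x control numbers whose field is absent or empty."""
    return [ctl for ctl, field in REQUIRED_FIELDS.items() if not entry.get(field)]

def clear_text_by_privileged(entry, privileged=("root",)):
    """10.2.2 case: a privileged account was permitted to read data in the clear."""
    return (entry.get("user") in privileged
            and entry.get("result") == "permit"
            and entry.get("mode") == "clear")

# Constructed sample entries (not real product output).
SAMPLE = [
    'time=2012-06-01T10:03:01Z user=appsvc group=payments event=read result=permit mode=clear origin=db01 path=/data/card/txn.db',
    'time=2012-06-01T10:03:02Z user=root group=wheel event=read result=permit mode=clear origin=db01 path=/data/card/txn.db',
    'time=2012-06-01T10:03:03Z user=root group=wheel event=read result=deny origin=db01 path=/data/card/txn.db',
    'user=backup event=read result=permit mode=encrypted path=/data/card/txn.db',
]

def review(lines):
    """Map line number -> missing 10.3.x controls; list lines needing 10.2.2 follow-up."""
    gaps, findings = {}, []
    for n, line in enumerate(lines, 1):
        entry = parse_entry(line)
        missing = missing_controls(entry)
        if missing:
            gaps[n] = missing
        if clear_text_by_privileged(entry):
            findings.append(n)
    return gaps, findings
```

Calling review(SAMPLE) reports the fourth entry as missing the 10.3.3 (time) and 10.3.5 (origin) fields and flags the second entry, a permitted clear-text read by root.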
Acknowledgements: VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v2.0 and the Reference Architecture described herein. The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire: Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, DC, and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP. For more information, visit www.coalfire.com.