Vormetric Addendum to VMware Product Applicability Guide



Vormetric Data Security Platform Applicability Guide
FOR PAYMENT CARD INDUSTRY (PCI) PARTNER ADDENDUM

Vormetric Addendum to VMware Product Applicability Guide
FOR PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) VERSION 3.0
OCTOBER 2014

Table of Contents

INTRODUCTION ... 3
THE CHALLENGE: ESTABLISHING COMPLIANCE AND SUSTAINING IT ... 3
THE SOLUTION: VORMETRIC TRANSPARENT ENCRYPTION ... 3
HOW VORMETRIC TRANSPARENT ENCRYPTION WORKS ... 3
OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS ... 6
SUMMARY OF RELEVANT CHANGES FROM PCI DSS 2.0 TO 3.0 ... 7
CLOUD COMPUTING ... 9
DEPLOYING VORMETRIC SOLUTIONS IN THE CLOUD ... 11
VORMETRIC PCI COMPLIANCE SOLUTION ... 12
VORMETRIC PCI REQUIREMENTS MATRIX OVERVIEW ... 13
PCI REQUIREMENTS MATRIX: HOW VORMETRIC ADDRESSES SPECIFIC CONTROLS ... 14
SUMMARY ... 20
ACKNOWLEDGEMENTS ... 20
TRADEMARKS AND COPYRIGHTS ... 21

V O R M E T R I C D A T A S E C U R I T Y P L A T F O R M A P P L I C A B I L I T Y G U I D E 2

Introduction

The Challenge: Establishing Compliance and Sustaining It

For businesses in just about any industry and of any size, sensitive assets continue to be exposed, proving all too susceptible to attacks, breaches, and data loss. While these incidents can be costly for any organization, they are particularly devastating for businesses that manage cardholder data. Beyond the immediate penalties associated with remediation, forensics, and brand damage, these organizations can also be hit with fines levied by the payment card issuers if they are found to have been non-compliant. When it published the Payment Card Industry Data Security Standard (PCI DSS), the association intended to provide organizations with the policies, techniques, and guidelines that would help guard against breaches. However, establishing compliance is no trivial effort, and sustaining compliance continues to be challenging, particularly as threats and the environments that have to be secured continue to evolve.

It is within this context that the increased reliance on virtualization technologies and cloud services grows increasingly significant. The PCI DSS requires compliance of all systems and devices that store, transmit, or process cardholder data. Traditionally, a merchant's IT staff could segment the network in order to separate the systems that manage cardholder data from those that do not. This approach can make it easier to apply the specific controls required to safeguard sensitive payment data, and it removes specific systems from the scope of a PCI DSS audit, which can help reduce audit costs and effort. The introduction of virtualization and cloud computing into cardholder environments can blur the lines of segmentation. To safeguard sensitive cardholder data in virtualized and cloud environments, organizations need to apply consistent, robust, and granular controls.

The Solution: Vormetric Transparent Encryption

Vormetric Transparent Encryption helps organizations address a number of PCI DSS 3.0 requirements with its capabilities for data-at-rest encryption, privileged user access control, and audit logging. The product encrypts and tracks access to structured databases and unstructured files, including those residing in physical, big data, private, public and hybrid cloud environments. By leveraging the product's transparent approach to data security, your organization can implement encryption without having to make changes to your applications, infrastructure, or business practices. Unlike other encryption solutions, Vormetric Transparent Encryption's protection does not end once the encryption key is applied: the product continues to log access and enforce least-privilege user policies to protect against unauthorized access. All access events can be captured in audit logs, which are easily integrated into popular Security Information and Event Management (SIEM) tools and other log collection solutions. With these capabilities, you can ensure continuous protection and control of your data as well as meet and support many PCI DSS 3.0 requirements.

How Vormetric Transparent Encryption Works

Vormetric Transparent Encryption is an agent available for Windows, Linux, and UNIX platforms, regardless of the underlying storage technology. All policy and key administration is done through the Vormetric Data Security Manager. The Vormetric Transparent Encryption agent runs in the cardholder data environment as a kernel module within the virtual machine. An agent is installed on each virtual machine in which data requires protection, and it performs encryption, decryption, access control, and logging. Agents evaluate every attempt to access protected data and either grant or deny it, according to the policies specified in the Vormetric Data Security Manager.

The agents are transparent to users, applications, databases, file systems, networks, and storage architecture. They maintain a strong separation of duties on the server by encrypting file contents while leaving file metadata in the clear, so that storage and ESX administrators can perform their jobs without directly accessing encrypted information. Because the agents are kernel modules within the virtual machines, the product delivers performance and scalability and eliminates the bottlenecks and latency that plague proxy-based solutions.

Figure 1: Vormetric Transparent Encryption Enabling Encryption, Least Privileged Access, and Logging

VMware Approach to PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Personal Account Numbers (PAN), as well as any other information that has been defined as cardholder data by PCI DSS v3.0. Cloud computing is no exception to the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, a consolidated management plane, etc.) themselves necessitate that adequate controls be adopted to help meet the PCI DSS audit. PCI considerations are essential for assessors, helping them understand what they might need to know about an environment in order to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the infrastructure and the applications running in it. Many enterprise computing environments in various vertical industries are subject to PCI DSS compliance, and generally those that deal in any kind of financial transaction for exchanging goods and services rely on VMware and VMware Technology Partner solutions to deliver those environments. As such, these enterprises seek ways to reduce overall IT budget while maintaining an appropriate overall risk posture for the in-scope environment. One of the greatest challenges in hosting the next-generation enterprise computing environment is consolidating the many modes of trust required, such as those required for a Cardholder Data Environment (CDE) and a non-cardholder data environment.

For these reasons VMware has enlisted its audit partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing PCI DSS controls. The next two documents in the solution framework series that, together with this Guide, comprise the PCI DSS Reference Architecture are the Architecture Design Guide and the Validated Reference Architecture. These are intended to provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS, and a lab validation exercise analyzing an instance of this reference architecture that utilizes the concepts and approaches outlined therein. For more information on these documents and the general approach to compliance issues, please review VMware's Approach to Compliance.

This Product Applicability Guide Addendum builds upon the base VMware control mapping and alignment for PCI DSS 3.0, which is documented in the VMware Product Applicability Guide for PCI DSS 3.0 on the VMware Solutions Exchange. In addition, VMware and Coalfire are engaged with VMware Technology Partners such as Vormetric, Inc. to analyze their products and solutions (available on the VMware Solution Exchange) with the goal of providing continuing examples to the industry. While every environment is unique, together VMware and its partners can provide a solution that potentially addresses over 70% of the PCI DSS technical requirements.

Figure 2: PCI Requirements

Figure 3: VMware + Partner Product Capabilities for a Trusted Cloud

Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud

Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their operating regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the Payment Card Industry Data Security Standard (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or the inability to process credit cards, in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, virtual and cloud specific guidance is addressed in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 5: Navigating PCI DSS

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.
Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of PCI DSS (Data Security Standard) 3.0, while little additional guidance has been released with regard to virtualization specifically, there have been a number of enhancements and clarifications that may have significant design and operational considerations above and beyond those required for compliance with PCI DSS 2.0. It should be noted that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in version 2.0; rather, they are additions, enhancements, and clarifications. An updated Navigating PCI DSS document for version 3.0 had not been released by the PCI SSC (Security Standards Council) as of the time of this writing. With every iteration of the PCI DSS and the associated changes and updates, particularly when new requirements are presented, organizations are given additional time to implement these controls through the sunrise process. While entities can choose to manage their cardholder data environments under PCI DSS 2.0 until December 31, 2014 at the latest, after this point all PCI DSS programs and audits must adhere to version 3.0. Additionally, many of the new requirements under PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.

Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the Payment Card Industry and the need to focus more on a risk-based approach and to deal with the threats and associated risks which most commonly lead to incidents involving the compromise of cardholder data. Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. It should also be noted that with increased guidance and flexibility in the standard and individual controls, a greatly increased level of stringency is required in the validation of those controls and in the risk-based approach to managing PCI DSS requirements. At a high level, the updates in version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS and PA-DSS requirements
- Building greater understanding of the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the Standards
- Driving more consistency among assessors
- Helping manage evolving risks and threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

There are also several key themes around managing PCI DSS 3.0, taking a proactive business-as-usual approach to protecting cardholder data, and focusing primarily on security as opposed to pure compliance, which have been updated in the latest version and for which the PCI Security Standards Council has provided guidance. The following is guidance from the PCI DSS Version 3.0 Change Highlights document regarding these high-level concepts and how they apply to PCI DSS 3.0:

Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility
Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware, and poor self-detection, providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities' PCI DSS responsibilities when working with different business partners to ensure cardholder data security.

Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 6: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. These definitions are listed below:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:
- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

Figure 7: VMware Software Defined Data Center Products

Figure 8: VMware End User Computing

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. The solutions' collective functionality, features, and the specific PCI DSS requirements they address are covered in the VMware Applicability Guide for PCI, which provides detailed information about VMware's support for PCI DSS v3. If you are an organization or partner that is interested in more information on the VMware Compliance Program, please email compliance-solutions@vmware.com.

Deploying Vormetric Solutions in the Cloud

With Vormetric, you can fully support all the cloud computing deployment models outlined above (Private, Public, Hybrid and Community), while retaining the control you need to stay compliant with PCI DSS and other relevant security policies and mandates. Available as a physical or virtual appliance, the Vormetric Data Security Manager (DSM) offers policy-based security and compliance support for the underlying infrastructure. The DSM features a flexible deployment model that enables you to retain custodianship of keys, whether they are on or off the merchant's premises. The DSM can also be deployed using automated provisioning scripts in a multi-tenant environment. It is important to note that the Vormetric Data Security Manager is the key and policy manager; cardholder data and other sensitive data never pass through the appliance.

Figure 9: Vormetric Securing Data in VMware Private, Public, Hybrid and Community Clouds

Vormetric PCI Compliance Solution

By leveraging the products and capabilities of Vormetric Transparent Encryption, outlined above, your organization can secure cardholder data, and do so with simplicity, efficiency, and low total cost of ownership. Whether an organization's sensitive data is stored in virtualized, cloud, big data, or traditional data center environments, Vormetric can help safeguard it. The sections that follow detail how encryption, key management, privileged user access control and Vormetric Security Intelligence address a number of specific PCI DSS v3.0 requirements.

Table 2: Vormetric Solutions

Vormetric Transparent Encryption

Solution: Encryption of data-at-rest for VMware environments
Description: Using Vormetric Transparent Encryption, standards-based AES-256 encryption is applied to files and databases that contain cardholder or other sensitive data. The solution includes integrated key management that meets or supports PCI DSS requirements. Because the solution is transparent, no application or infrastructure changes are required. The encryption is very high-performance, as it leverages Intel AES-NI hardware support and optimized engineering; performance results can be reviewed in the VCE Vblock certification test report. This capability helps satisfy PCI DSS requirements found in section 3.

Solution: Privileged User Access Control
Description: Vormetric's unique ability to enforce least-privilege access through privileged user access control policies ensures that unauthorized users do not have access to cardholder data. This capability helps satisfy PCI DSS requirements found in section 7.

Solution: Vormetric Security Intelligence Logs
Description: Vormetric Security Intelligence logs produce an auditable trail of permitted and denied data access attempts from users and processes, delivering unprecedented insight into file access activities. The logs are granular, to help you efficiently track and report on file access activities, including who accessed files, which files were accessed, what application or process was used, and when they were accessed. Logging occurs at the file system level, removing the threat of an unauthorized user gaining stealthy access to sensitive data. These logs can inform administrators of unusual or improper data access and accelerate the detection of insider threats, hackers, and APTs that go undetected by perimeter security. In addition, Vormetric logs are easy to integrate with your security information and event management (SIEM) systems, so you can efficiently produce compliance and security reports. This capability helps satisfy PCI DSS requirements found in section 10.

Solution: Centrally Manage Keys for Multiple Encryption Products
Description: With the Vormetric Data Security Manager, an organization can centrally manage the entire Vormetric Data Security Platform product offering. As an example, the Vormetric Data Security Manager delivers integrated key management for Vormetric Transparent Encryption, as discussed in this paper, and for a column-level encryption solution, Vormetric Application Encryption. In addition, if your organization is running third-party encryption products, you can use Vormetric Key Management to centrally store the associated keys and certificates. The product provides a high-availability, standards-based, FIPS 140-2 validated key management platform that can secure keys for Microsoft Transparent Data Encryption (TDE), Oracle TDE, and KMIP-compliant devices. By consolidating key management from multiple encryption products, Vormetric enables more consistent key management policy implementation across the organization and reduces training and maintenance costs. This capability helps satisfy PCI DSS requirements found in section 3.
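As an added illustration written for this page (not Vormetric or VMware code), the following Python models the agent behaviour described under How Vormetric Transparent Encryption Works and the audit trail described for Vormetric Security Intelligence Logs: a per-user and per-process policy decides whether a caller gets plaintext, gets ciphertext with file metadata left in the clear (the backup or storage-admin case), or is denied; every attempt is logged with who, which process, which file, when and the outcome; and a SIEM-style rule over that log flags an account with repeated denials. The rule format, the account and process names, the constructed file and the SHA-256 keystream standing in for AES-256 are all assumptions of this model.

```python
"""Model of a transparent file-encryption agent: policy decision per user and process,
file metadata left in the clear, an audit trail, and a SIEM-style check over that trail.
Simplified illustration written for this page, not Vormetric code."""
from collections import Counter
from dataclasses import dataclass, field
import hashlib

PERMIT = "permit"                        # authorized user/process: plaintext returned
PERMIT_CIPHERTEXT = "permit_nodecrypt"   # e.g. backup job: ciphertext plus metadata only
DENY = "deny"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256: SHA-256 counter keystream XORed over data (symmetric)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass(frozen=True)
class Rule:
    users: frozenset        # "*" in any of the three sets matches every value
    processes: frozenset
    actions: frozenset
    effect: str

    def matches(self, user: str, process: str, action: str) -> bool:
        return all("*" in allowed or value in allowed for allowed, value in
                   ((self.users, user), (self.processes, process), (self.actions, action)))


@dataclass
class Policy:
    rules: list             # evaluated in order, first match wins (assumption of this model)
    default: str = DENY     # no rule matched: least privilege means deny

    def evaluate(self, user: str, process: str, action: str) -> str:
        for rule in self.rules:
            if rule.matches(user, process, action):
                return rule.effect
        return self.default


@dataclass
class GuardedFile:
    path: str               # path, size and mtime stay readable so storage and hypervisor
    ciphertext: bytes       # admins can copy, back up and inventory the file without
    metadata: dict          # ever seeing its contents


@dataclass
class Agent:
    policy: Policy
    key: bytes
    audit: list = field(default_factory=list)   # who, process, action, file, when, outcome

    def access(self, user: str, process: str, action: str, f: GuardedFile, ts: str):
        """Decide, log the attempt (permitted or denied), then serve plaintext or ciphertext."""
        effect = self.policy.evaluate(user, process, action)
        self.audit.append({"ts": ts, "user": user, "process": process,
                           "action": action, "file": f.path, "effect": effect})
        if effect == DENY:
            raise PermissionError(f"{user}/{process} {action} {f.path}")
        if effect == PERMIT_CIPHERTEXT:
            return f.ciphertext, f.metadata
        return keystream_xor(self.key, f.ciphertext), f.metadata


def flag_denials(audit: list, threshold: int = 3) -> dict:
    """SIEM-style rule: accounts with >= threshold denied attempts in the audit trail."""
    denied = Counter(r["user"] for r in audit if r["effect"] == DENY)
    return {user: n for user, n in denied.items() if n >= threshold}


def demo() -> dict:
    """Constructed scenario: an app account, a backup job and root hit one protected file."""
    key = hashlib.sha256(b"demo key material, not for real use").digest()
    plaintext = b"cardholder-record-0001"   # constructed stand-in, not real cardholder data
    f = GuardedFile("/data/db/cardholder.dbf", keystream_xor(key, plaintext),
                    {"size": len(plaintext), "mtime": "2014-10-01T12:00:00Z"})
    policy = Policy([
        Rule(frozenset({"appsvc"}), frozenset({"oracle"}), frozenset({"read", "write"}), PERMIT),
        Rule(frozenset({"backup"}), frozenset({"rsync"}), frozenset({"read"}), PERMIT_CIPHERTEXT),
    ])                                      # root has no rule, so it falls through to DENY
    agent = Agent(policy, key)
    ts = lambda n: f"2014-10-02T09:00:{n:02d}Z"
    app_data, _ = agent.access("appsvc", "oracle", "read", f, ts(1))
    backup_data, backup_meta = agent.access("backup", "rsync", "read", f, ts(2))
    root_denied = 0
    for n, proc in enumerate(["cat", "cat", "vi", "dd"], start=3):
        try:
            agent.access("root", proc, "write" if proc == "vi" else "read", f, ts(n))
        except PermissionError:
            root_denied += 1
    return {"app_sees_plaintext": app_data == plaintext,
            "backup_sees_ciphertext": backup_data != plaintext and backup_meta["size"] == len(plaintext),
            "root_denied": root_denied,
            "flagged": flag_denials(agent.audit),
            "audit_len": len(agent.audit)}
```

Running demo() shows the application reading plaintext, the backup job receiving only ciphertext plus metadata, root denied on every attempt, and the four denials surfacing as a single flagged account in the audit trail.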

Vormetric PCI Requirements Matrix Overview

When properly deployed and configured, the Vormetric solution can help you address a number of PCI DSS requirements. The table below details the number of requirements the solution can support.

Table 3: Vormetric PCI DSS Requirements Matrix
(For each PCI DSS requirement: number of PCI requirements / number of controls met or augmented by Vormetric)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 35 / none
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 32 / none
Requirement 3: Protect stored cardholder data: 44 / 15
Requirement 4: Encrypt transmission of cardholder data across open, public networks: 11 / none
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs: 11 / none
Requirement 6: Develop and maintain secure systems and applications: 42 / none
Requirement 7: Restrict access to cardholder data by business need to know: 10 / 7
Requirement 8: Identify and authenticate access to system components: 43 / 6
Requirement 9: Restrict physical access to cardholder data: 44 / 1
Requirement 10: Track and monitor all access to network resources and cardholder data: 41 / 19
Requirement 11: Regularly test security systems and processes: 36 / 2
Requirement 12: Maintain a policy that addresses information security for all personnel: 47 / none
Requirement A.1: Shared hosting providers must protect the cardholder data environment: 8 / 3
TOTAL: 404 / 53

PCI Requirements Matrix: How Vormetric Addresses Specific Controls

The following matrix maps specific PCI DSS controls to the functionality of the Vormetric Data Security Platform.

Table 4: Applicability of PCI DSS v3.0 Controls to the Vormetric Data Security Platform
(PCI DSS v3.0 Applicability Matrix, Data Security Platform. Each entry lists the requirement, the controls addressed, and a description.)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric. It should be noted that Vormetric components were developed to enforce the requirement that default passwords for the product are not allowed at implementation.

Requirement 3: Protect stored cardholder data
Controls addressed: 3.2.b, 3.4.a, 3.4.b, 3.4.d, 3.5.1, 3.5.2.b, 3.5.2.c, 3.5.3, 3.6.1.a, 3.6.2.a, 3.6.3.a, 3.6.4.a, 3.6.5.a, 3.6.6.a, 3.6.7.a
Description: Vormetric's ability to encrypt structured and unstructured data means that it can protect the data whether it is in flat files or in databases. Using Vormetric Transparent Encryption, an organization can encrypt application data files and log files that might contain sensitive data such as cardholder payment data, as required in DSS Requirement 3. Vormetric Transparent Encryption directly supports secure storage of sensitive authentication data (SAD), as required by 3.2.b for those issuers or others that must store SAD, by using strong cryptography with associated key management to encrypt the files or volumes where SAD resides.
While issuers, and companies supporting issuers, may have a legitimate business need for storing this data, merchants, service providers supporting merchants, and acquirers must never store sensitive authentication data after the payment transaction's authorization is processed.

Vormetric Transparent Encryption directly supports 3.4 by protecting stored data using strong cryptography with associated key management to encrypt the files or volumes where PANs reside (3.4.a). Databases are encrypted at the volume level (3.4.b). An organization can use Vormetric Transparent Encryption to encrypt log files (3.4.d) containing sensitive data, including PAN. The Vormetric solution eliminates the need for full disk encryption (3.4.1) by encrypting at the volume level. However, if full disk encryption that supports the standards-based KMIP (Key Management Interoperability Protocol) is deployed, the decryption keys can be securely stored with the Vormetric solution as outlined in 3.5 and 3.6 below.

While the user will need to document key management procedures, Vormetric supports an organization's key management procedures (3.5) by ensuring that encryption keys are protected by:

- Ensuring cryptographic keys are centrally generated and stored in the Data Security Manager (3.5.3). The actual keys are never visible to anyone, including key custodians or systems administrators (3.5.1). By restricting access to keys and key management activities and managing that access within the Vormetric Data Security Manager, Vormetric decouples access rights from central access management systems such as Active Directory, thus restricting access by privileged users such as system administrators and root unless explicitly granted by policy within Vormetric's Data Security Manager.
- Encrypting the data encryption keys with an AES 256-bit key. The encrypted key is stored securely on the Data Security Manager (DSM) (3.5.2.b), which is separate from the location where the data encryption key is used. If the option to cache data encryption keys on the local server is selected, in order to eliminate network latency, the local keys are also encrypted with an AES 256-bit key (3.5.2.c). Vormetric also offers an HSM option (3.5.2.b).

While the user must document the key management processes used within their organization and ensure that key custodians understand and acknowledge their responsibilities, the Vormetric Data Security Platform supports compliance with the technical requirements associated with 3.6. The Vormetric Data Security Platform architecture is designed for strong crypto-key management using a secure web management console or through APIs, providing 3.6 compliance:

- Cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS 140-2 standards (3.6.1.a). Clear-text keys never leave the DSM.
- When keys are distributed to agents, they are encrypted with a one-time-use AES 256 key and sent over a mutually authenticated TLS connection (3.6.2.a).
- Providing a secure central repository for cryptographic keys and policies. Customers have the option to cache cryptographic keys on the host server. Vormetric's agents protect these keys from unauthorized access, even from root administrators. When keys are cached locally, the keys are protected with a wrapper key and are not accessible by any system user (3.6.3.a).
- Crypto-keys can be changed by key custodians based upon the organization's crypto-period policies. When a key is retired by a custodian it can be permanently deleted. Key change procedures will need to include a process for re-encrypting data with new keys before making old keys obsolete (3.6.4.a).
- Crypto-keys can be changed by key custodians when a key has been weakened or compromised; when a key is changed by a custodian it can be permanently deleted. Key change procedures will need to include a process for re-encrypting data with new keys before making old keys obsolete (3.6.5.a).
- Manual clear-text cryptographic key management is not required by Vormetric. Custodians can create keys, but key values are not visible to the custodian. The DSM protects keys from any one person having access to key material by following no-knowledge and configurable split-knowledge/dual-control policies (3.6.6.a). The DSM supports an m-of-n sharing scheme for backing up keys: a specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.
- Access control policies defined within the DSM control access to key creation and other key management activities, restricting access to authorized key custodians only (3.6.7.a).

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric. The Vormetric DSM is an appliance with a hardened Linux kernel and is generally not considered commonly affected by malicious software. However, when the software version of the DSM is deployed, anti-virus technology may be required. The Vormetric user should consult their QSA regarding their architecture and the appropriate technology for protecting against malware.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric. The use of Vormetric should be taken into account when developing software that stores, processes, or transmits cardholder data.
However, the controls surrounding the software development life cycle and systems vulnerability management are outside the scope of this paper.

Requirement 7: Restrict access to cardholder data by business need to know
Controls addressed: 7.1.a, 7.1.1, 7.1.2.a, 7.1.3, 7.1.4, 7.2.2, 7.2.3
Description: Vormetric directly supports 7.1.a by adding a layer of access control on top of the native operating system access control. It can also strengthen the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data. The solution enables least-privilege access without interfering with normal administrative operations by:

- Ensuring that cardholder data cannot be viewed by system administrators who do not have a need to know, while simultaneously ensuring that there is no interruption to data backup and other administrative processes. By leaving metadata in the clear but encrypting the underlying data, administrators can identify the files that require backup without being given access to the file contents (7.1.1).
- Enforcing policies that ensure privileged users, such as Administrator or root, are granted the access needed for their job responsibilities but are restricted from accessing cardholder data unless explicitly granted to meet a business need, thereby restricting access based on need to know (7.1.2.a).
- Enforcing policies that ensure individuals, applications and processes are provided least-privileged access to cardholder data based on their job classification and business responsibilities, thereby restricting access based on need to know (7.1.3).

While the user will need to implement processes for approving requests for access, Vormetric supports 7.1.4 by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. With an organization's documented approval process, Vormetric policies can be configured to include release of encrypted contents for backup, decryption of contents based on need to know, and control of rights to the data file. Available audit records can be used to monitor granted or changed privileges to ensure the documented process for granting access to cardholder data is enforced.

Vormetric directly supports 7.2 by setting access control parameters that define, through policies, which authorized users and applications are granted access to cardholder data stored on any server or storage device. Only users and applications that are part of authorized policies, which can be assigned based upon role or group assignments (7.2.2), can access the data in clear text. (Administrators can be given access to the files containing cardholder data, but the data is not decrypted for them.) The default policy is to deny all access without explicit authorization through policies (7.2.3).

Requirement 8: Identify and authenticate access to system components
Controls addressed: 8.2.1.c, 8.2.1.e, 8.7.a, 8.7.b, 8.7.c, 8.7.d
Description: Vormetric is independent of the required system and network account and password controls. Vormetric integrates with existing directory services (LDAP, Active Directory) to authenticate user IDs. All transmission of Vormetric authentication and key material takes place over a mutually authenticated TLS channel (8.2.1.c and 8.2.1.e). With Vormetric, direct access to data and database queries can be limited to database administrators only (8.7.c). Vormetric provides control at the file-system level, below the database. When a database is protected with Vormetric, all access to the data in the database must come from the database process (8.7.b). All other sources are denied access (8.7.a and 8.7.d). For example, an operating system super-user can be subject to a policy preventing file copies and the ability to view the database contents.

Requirement 9: Restrict physical access to cardholder data
Controls addressed: 9.8.2
Description: While not directly supporting requirement 9.8.2, Vormetric supplements other controls introduced to render retired hard drives unreadable. Should data not be adequately cleaned from media, the data will not be viewable unless the Vormetric Data Security Manager is available to authorize the release of the decryption key for the data on that media.

Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.1.a, 10.5.1, 10.5.2, 10.5.3, 10.5.5, 10.6.1.b
Description: Vormetric directly supports 10.1 by providing detailed logging at the file-system level. Any read/write and other access requests for sensitive data can be audited, and the audit records contain information to track access back to a host machine, directory, file or resource accessed, specific user, user group, policy invoked, application and time. The audit trails therefore contain the information needed to track access back to a specific user, application and time, including:

- Policies can be constructed to monitor individual access to cardholder data (10.2.1).
- By constructing policies to monitor individual access to cardholder data, access by individuals with root or administrative privileges is logged. Both failed and successful attempts to view card data are logged (10.2.2).
- By enabling administrators of the Data Security Manager who are assigned the role of audit officer to access the audit trails, which are centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited (10.2.3).
- Through configuration to audit all denied access requests (10.2.4).
- By logging all key custodian activity (10.2.7).

Vormetric provides detailed auditing at the file-system level by generating audit entries that include:

- Username and group membership (10.3.1).
- Type of event (10.3.2).
- Date and time (10.3.3).
- Success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data (10.3.4).
- Origination of the event (10.3.5).
- Host and the full path to the file that was the target of the access request (10.3.6).

The DSM can be configured to synchronize with the organization's NTP server (10.4.1.a).

Vormetric secures the audit trails it generates by:

- Ensuring that audit trails cannot be modified while they reside on the Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric Transparent Encryption and access control (10.5.1 and 10.5.2).
- Providing an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a customer's centralized log server or event management solution via syslog. In addition, this external log repository can be protected and safeguarded with the Vormetric solution (10.5.3).
- Ensuring log files cannot be modified while they reside on the Vormetric Data Security Manager. Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails (10.5.5).

The Vormetric Data Security Platform supports monitoring requirements by generating log reports for monitoring the daily activity of users accessing cardholder data (10.6.1.b).

Requirement 11: Regularly test security systems and processes
Controls addressed: 11.5.a, 11.5.b
Description: While not file integrity monitoring software that can alert on changes to all operating system and executable files, Vormetric generates audit information for unintended direct access to cardholder data and can be configured to generate alerts, thus providing integrity monitoring for cardholder data under its control and augmenting support for file integrity monitoring (11.5.a and 11.5.b).

Requirement 12: Maintain a policy that addresses information security for all personnel
Controls addressed: N/A
Description: No controls in this PCI requirement are addressed by Vormetric.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Controls addressed: A.1.2.a, A.1.2.b, A.1.2.d
Description: Vormetric can support a shared hosting provider's efforts to comply with requirement A.1.2, restricting each entity's access to its own cardholder data environment only, by:

- Providing the shared hosting provider the capability to block all access to cardholder data and other sensitive data that is not explicitly granted, thus forbidding access to data by applications that might run as a privileged user (A.1.2.a).
- While Vormetric cannot enforce access controls for shared systems or directories, Vormetric partially addresses requirement A.1.2.b by allowing the organization to establish read/write permissions that restrict access to sensitive data to only the owning entity.
- Providing the shared hosting provider the ability to protect log files of various applications to restrict access to only approved user accounts within the owning entity (A.1.2.d).
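The split-knowledge backup described under 3.6.6.a above, where a specific number of shares must be presented before a DSM archive can be restored, is an instance of threshold secret sharing. The Python program below is an added example written for this addendum, not Vormetric's code and not a description of how the DSM encodes its shares: it implements Shamir's scheme over a prime field so that a constructed 256-bit wrapping key is split into five shares, any three of which reconstruct it, while two are refused. The prime, the 3-of-5 parameters and the share encoding are assumptions chosen for illustration.

```python
import secrets

# Field for the polynomial arithmetic. 2**521 - 1 is a Mersenne prime, so a
# 256-bit wrapping key always fits in one field element (assumption chosen for
# illustration; a real product would pick its own encoding).
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, total):
    """Split `secret` (bytes) into `total` shares; any `threshold` of them rebuild it.

    The secret is the constant term of a random polynomial of degree
    threshold-1; share i is the point (i, f(i)). With fewer than `threshold`
    points every constant term is equally consistent with the data, so a
    sub-threshold set of custodians learns nothing about the key.
    """
    if not 1 < threshold <= total:
        raise ValueError("need 1 < threshold <= total")
    value = int.from_bytes(secret, "big")
    if value >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_secret(shares, threshold, secret_len):
    """Rebuild the secret by Lagrange interpolation at x = 0 from `threshold` shares."""
    if len(shares) < threshold:
        raise ValueError("insufficient shares: %d presented, %d required"
                         % (len(shares), threshold))
    points = shares[:threshold]
    value = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        basis = num * pow(den, -1, PRIME) % PRIME  # Lagrange basis L_i(0)
        value = (value + yi * basis) % PRIME
    return value.to_bytes(secret_len, "big")


def demo():
    """Split a constructed 32-byte wrapping key 3-of-5 and exercise the restore rule."""
    wrapping_key = secrets.token_bytes(32)  # constructed; stands in for an archive key
    shares = split_secret(wrapping_key, threshold=3, total=5)
    # Any three custodians' shares restore the key ...
    restored = recover_secret([shares[0], shares[2], shares[4]], 3, 32)
    # ... but two custodians alone are refused.
    try:
        recover_secret(shares[:2], 3, 32)
        two_enough = True
    except ValueError:
        two_enough = False
    return restored == wrapping_key and not two_enough


if __name__ == "__main__":
    print("3-of-5 restore works and 2-of-5 is refused:", demo())
```

The threshold check in `recover_secret` is the dual-control gate: below it, interpolation would still run but would return an unrelated field element, which is exactly why sub-threshold shares carry no information about the key.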
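The audit attributes listed under 10.3.1 to 10.3.6 and the monitoring uses under 10.2 and 10.6.1.b can be exercised with a small review script of the kind a SIEM rule or daily log review would run. The program below is an added example, not the product's code and not its real log format: it parses constructed audit lines in a hypothetical key=value layout that carries those attributes, flags denied requests (10.2.4), permitted clear-text reads of cardholder files by privileged accounts (10.2.2), and key custodian events (10.2.7), and tallies per-user daily access to the guarded directories for review (10.6.1.b). The field names, the guard point path, the event names and the sample lines are all assumptions.

```python
from datetime import datetime

# Constructed sample audit lines in a hypothetical key=value layout (not the
# product's real format). Fields follow the attributes 10.3.1-10.3.6 call for:
# user and group, event type, timestamp, result (with clear/encrypted mode for
# permitted reads), origination (host and process), and full path.
SAMPLE_LOG = """\
2014-10-01T09:15:02Z host=db01 user=oracle group=dba proc=/u01/app/oracle/bin/oracle event=read result=permitted mode=cleartext path=/data/card/tbl01.dbf
2014-10-01T09:16:40Z host=db01 user=root group=root proc=/bin/cp event=read result=denied mode=none path=/data/card/tbl01.dbf
2014-10-01T09:20:11Z host=db01 user=backup group=backup proc=/usr/bin/tar event=read result=permitted mode=encrypted path=/data/card/tbl01.dbf
2014-10-01T10:02:33Z host=dsm01 user=custodian1 group=keycustodians proc=dsm-console event=key_rotate result=permitted mode=none path=-
2014-10-01T11:45:09Z host=app02 user=root group=root proc=/bin/cat event=read result=permitted mode=cleartext path=/data/card/export.csv
"""

PRIVILEGED_USERS = {"root", "Administrator"}
GUARD_POINTS = ("/data/card/",)  # assumed directories holding cardholder data
KEY_EVENTS = {"key_create", "key_rotate", "key_delete", "key_export"}  # assumed names


def parse_line(line):
    """Turn one audit line into a dict; the leading token is the UTC timestamp."""
    ts, *fields = line.split()
    record = {"timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def in_guard_point(path):
    return any(path.startswith(gp) for gp in GUARD_POINTS)


def analyze(log_text):
    """Apply the 10.2 / 10.6.1.b review rules to every line of the audit text."""
    findings = {"denied": [], "privileged_cleartext": [],
                "custodian_events": [], "daily_counts": {}}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        path = rec.get("path", "")
        day = rec["timestamp"].date().isoformat()
        # 10.2.4: every denied access request is worth a look.
        if rec.get("result") == "denied":
            findings["denied"].append(rec)
        # 10.2.2: a privileged account reading cardholder files in the clear is
        # the case policy is supposed to prevent; the backup user reading the
        # encrypted form (7.1.1) is expected and is not flagged.
        if (rec.get("result") == "permitted" and rec.get("mode") == "cleartext"
                and rec.get("user") in PRIVILEGED_USERS and in_guard_point(path)):
            findings["privileged_cleartext"].append(rec)
        # 10.2.7: key custodian activity is logged and reviewed separately.
        if rec.get("event") in KEY_EVENTS:
            findings["custodian_events"].append(rec)
        # 10.6.1.b: per-user daily tally of access to the guarded directories.
        if in_guard_point(path):
            counts = findings["daily_counts"].setdefault(day, {})
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for name in ("denied", "privileged_cleartext", "custodian_events"):
        for rec in result[name]:
            print(name, rec["timestamp"], rec["host"], rec["user"], rec["proc"], rec["path"])
    print("daily counts:", result["daily_counts"])
```

Run against the sample, the script reports the refused `cp` by root, the permitted clear-text `cat` by root on app02, and the key rotation by the custodian, while the backup job's read of the encrypted file passes without comment.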

Summary

Cloud computing and the threats to sensitive data, such as the data covered by the Payment Card Industry Data Security Standard, are both evolving. The benefits and maturity of cloud computing, led by VMware and the Software Defined Data Center, have led VMware's customers and partners to host most, and approaching all, of their enterprise applications on this platform. To answer that need, VMware and its Technology and Audit partners have delivered a set of documentation pertinent to mainstream regulations such as PCI DSS version 3.0. Internalizing the information in this document is the first step in understanding which VMware products can be leveraged, along with which features and capabilities must be considered. This also provides the format in which VMware Technology Partners will publish Applicability Guides of their own, further completing the picture of total controls addressed. VMware and select Technology Partners will co-author Architecture Design Guides highlighting the products asserted as "Applicable" in this Guide and providing further guidance on how to design, configure and operate these products to mitigate risks. As a final step, VMware's audit partners will validate an environment built on these products and architectural design concepts to help ease the burden of QSA audits.

Acknowledgements

VMware would like to recognize the efforts of the VMware Center for Policy and Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v3.0 and the Reference Architecture described herein. The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit www.coalfire.com.

Trademarks and Copyrights

The VMware products and solutions discussed in this document are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Solution area: VMware vCloud Infrastructure
  Key products: VMware ESXi, VMware vSphere, VMware vShield Endpoint, VMware vRealize Server and VMware vCloud Director

Solution area: VMware vCloud Networking and Security
  Key products: VMware vCloud Networking and Security App, VMware vCloud Networking and Security Data Security, VMware vCloud Networking and Security Edge Gateway, VMware vCloud Networking and Security Manager

Solution area: VMware NSX
  Key products: VMware NSX Edge, NSX Firewall, NSX Router, NSX Load Balancer, NSX Service Composer

Solution area: VMware vRealize Operations (formerly vCenter)
  Key products: VMware vRealize Operations Manager, VMware vRealize Configuration Manager, VMware vRealize Infrastructure Navigator, VMware vRealize Orchestrator, VMware vRealize Update Manager, VMware vRealize Automation Center, VMware vRealize Log Insight

VMware, Inc. 3401 Hillview Avenue, Palo Alto, CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright 2014 VMware, Inc. All rights reserved. Item No: VMW_1404_WP_Vormetric Addendum PAG-PCIv3.0 10/14