Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard





Partner Addendum

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com. If you require more information specific to this solution guide, you may contact us here: www.coalfire.com/trendmicro

SOLUTION GUIDE ADDENDUM

Table of Contents

1. Introduction ... 3
2. Overview of PCI as it Applies to Cloud/Virtual Environments ... 4
3. Trend Micro's Deep Security PCI Compliance Solution ... 5
4. Trend Micro Deep Security PCI Requirements Matrix (Overview) ... 6
5. Trend Micro Deep Security PCI Requirements Matrix (Details) ... 7

1. Introduction

As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With more than 20 years of experience, Trend Micro is recognized as the market leader in server security for delivering top-ranked client, server, and cloud-based security solutions that stop threats faster and protect data in physical, virtualized, and cloud environments.

Using the VMware platform, Trend Micro Deep Security allows organizations not only to extend virtualization into environments containing sensitive data, but also to leverage virtualization technologies to increase security and further reduce risk. Trend Micro Deep Security technologies can accelerate an organization's journey towards a 100 percent virtual environment with confidence.

Through integration with VMware, Trend Micro's Deep Security solution enables organizations to assure protection and trust of enterprise information, and to reduce compliance costs in a virtual environment while deploying the latest technologies. With the help of Trend Micro, organizations can accelerate complete adoption of VMware technologies with integrated security controls; adapt security policies to both physical and virtual IT environments; and advance endpoint security and protection using centrally managed virtual capabilities.

Figure 1: VMware Partner Integration

2. Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.

The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as system components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, virtual- and cloud-specific guidance is addressed in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

3. Trend Micro's Deep Security PCI Compliance Solution

Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects enterprise applications and data from breaches and business disruptions. Deep Security helps assure the PCI compliance and overall security of critical business servers and endpoints with a single, centrally managed solution that minimizes your operational costs. Deep Security provides core PCI security controls with a unique approach that economically solves the toughest compliance challenges.

Deep Security provides the most comprehensive agentless security controls for PCI in the market, delivering significantly more efficient resource utilization and higher VM densities than traditional security solutions. Deep Security's integration with VMware vCenter and vCloud enables automated compliance protection of existing and newly added VMs, ensuring that all VMs maintain their compliance posture regardless of their state or location. Deep Security also supports agent-based security controls for physical servers that have not yet been virtualized or for workloads running in the cloud.

Deep Security delivers comprehensive, adaptive, highly efficient agentless and agent-based protection that enables PCI compliance, including:

- Anti-Malware: Integrates with VMware environments for agentless or agent-based malware protection
- Integrity Monitoring: Monitors critical operating system, application, and configuration files and alerts personnel to unauthorized changes
- Firewall: Decreases the attack surface of your virtual servers and enables isolation of VMs to reduce audit scope
- Intrusion Detection and Prevention: Shields unpatched vulnerabilities from attack and monitors traffic within the virtualized CDE
- Log Inspection: Provides visibility into important security events buried in log files and forwards events to a centralized logging server
- Web Reputation: Strengthens protection against web threats for servers and virtual desktops
- Web Application Protection: Provides protection against attacks such as SQL Injection and Cross-Site Scripting, amongst others

4. Trend Micro Deep Security PCI Requirements Matrix (Overview)

Table 2: PCI DSS Requirement Summary Table

PCI DSS Requirement | Number of PCI Requirements | Deep Security
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | 14
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 9 | 2
Requirement 5: Use and regularly update anti-virus software or programs | 6 | 6
Requirement 6: Develop and maintain secure systems and applications | 32 | 4
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 4
Requirement 11: Regularly test security systems and processes | 24 | 5
TOTAL | 297 | 35

5. Trend Micro Deep Security PCI Requirements Matrix (Details)

PCI DSS v2.0 Applicability Matrix

Deep Security Firewall
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.3.a, 1.1.4, 1.1.5.a, 1.1.5.b, 1.1.6.a, 1.2.1.a, 1.2.1.b, 1.2.2, 1.3.2, 1.3.3, 1.3.5, 1.3.6, 1.4.a, 1.4.b
Description: Trend Micro Deep Security Firewall facilitates network segmentation through a stateful firewall implementation. Trend Micro Deep Security Firewall provides capabilities for managing network firewall configuration standards for process, procedure and testing approvals, as well as network management roles and responsibilities and requirements for periodic review of standards and configurations. Trend Micro Deep Security Firewall provides capabilities for defining standards related to confidential or sensitive information about what can or cannot be disclosed to authorized or unauthorized third parties, such as private IP addresses or routing information.

Deep Security Firewall
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.2.2.a, 2.2.2.b
Description: Trend Micro Deep Security Firewall provides capabilities to validate that only necessary services are enabled, and functionality for administrators to review any enabled insecure services.

Deep Security Anti-Malware
Requirement 5: Use and regularly update anti-virus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b, 5.2.c, 5.2.d
Description: Trend Micro Deep Security Anti-Malware provides capabilities for fully documenting policy and procedure requirements for maintaining anti-virus software and definitions on systems commonly affected by malware. Anti-Malware is capable of detecting, blocking or removing all known types of malicious software. Trend Micro Deep Security Anti-Malware automatically updates from a known, trusted source and cannot be disabled or removed from protected systems. Trend Micro Deep Security Anti-Malware provides full-function, state-of-the-art Anti-Virus/Anti-Malware protection for registered devices.

Deep Security Web Reputation and Deep Packet Inspection
Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.5.1, 6.5.2, 6.5.7, 6.5.9
Description: Trend Micro Deep Security Web Reputation provides capabilities for URL filtering, effectively blocking access to known malicious web sites. The module is fully configurable, providing the ability to add web sites as needed or desired. Trend Micro Deep Security Deep Packet Inspection provides web application protection by intercepting web requests based on the OWASP Top 10 vulnerabilities, including Injection, Cross Site Scripting (XSS), and HTTP(S) protocol violations. Deep Security blocks malicious requests from reaching the web server, preventing these vulnerabilities from being exploited.

Deep Security Integrity Monitoring and Log Inspection
Requirement 10: Track and monitor all access to network resources and cardholder data
Controls addressed: 10.5.3, 10.5.5, 10.6.a
Description: Trend Micro Deep Security Integrity Monitoring provides active monitoring of critical files, folders, applications and registry settings for unauthorized changes. Trend Micro Deep Security Log Inspection provides log correlation and inspection for protected systems. System logs are analyzed for configured events. Alerts from these events are raised in the Deep Security Manager, providing administrators with near-real-time events for analysis.

Deep Security Deep Packet Inspection
Requirement 11: Regularly test security systems and processes
Controls addressed: 11.4.a, 11.4.b, 11.4.c
Description: Trend Micro Deep Security Deep Packet Inspection provides configurable Intrusion Detection/Intrusion Prevention protection for the environment.

Deep Security Integrity Monitoring
Requirement 11: Regularly test security systems and processes
Controls addressed: 11.5.a, 11.5.b
Description: Trend Micro Deep Security Integrity Monitoring provides configurable and active monitoring of critical files, folders, applications and registry settings. Changes are reported to the Deep Security Manager, facilitating analysis and appropriate action by administrators.

Figure 2: Deep Security agent vs. agentless configuration

Acknowledgements

VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team (www.coalfire.com/partners/vmware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v2.0 and the Reference Architecture described herein. The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP. For more information, visit www.coalfire.com.