Learn how the Juniper vGW Virtual Gateway can help organizations meet PCI Compliance for Virtualized Environments


WHITE PAPER
Meeting PCI Compliance for Virtualized Environments
Copyright 2011, Juniper Networks, Inc.

Table of Contents
  Executive Summary
  Introduction
  Overview of PCI DSS
  Table 1: PCI Data Security Standard (DSS) Requirements
  PCI DSS v2.0 and the Virtualization Special Interest Group (SIG)
  Achieving Compliance
  Working with QSAs
  How the Juniper Networks vGW Virtual Gateway Can Help Meet PCI DSS and Virtualization SIG Guidelines
  Table 2: PCI DSS and SIG Guidance Requirements Supported by Juniper vGW Virtual Gateway
  Conclusion
  About Juniper Networks

Executive Summary

This document highlights the PCI Data Security Standard (DSS) as it relates to virtualized environments, summarizes the PCI SIG Virtualization Guidelines requirements, and explains how the Juniper Networks vGW Virtual Gateway can help organizations with virtualized environments stay in compliance.

Introduction

Overview of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data and so reduce credit card fraud arising from its exposure. Compliance is validated annually, either by an external Qualified Security Assessor (QSA) for organizations that handle large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies that handle smaller volumes.

PCI DSS originally began as five separate programs: the Visa Card Information Security Program (CISP), MasterCard Site Data Protection (SDP), American Express Data Security Operating Policy (DSOP), Discover Information Security and Compliance (DISC), and the JCB Data Security Program. All five companies had a common goal: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. Ultimately, the PCI SSC was formed, and on December 15, 2004, those companies aligned their individual policies and collectively released the PCI DSS. Since then, the standard has been updated and revised a few times to provide further clarity and consistency among the standards and supporting documents, address evolving risks and threats, and improve flexibility.

The PCI SSC has established 12 requirements for any business that stores, processes, or transmits payment cardholder data. These requirements are summarized in Table 1 below.

Table 1: PCI Data Security Standard (DSS) Requirements (each validated by self-assessment or by outside assessment through a QSA)

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

More information is available at:
  www.pcisecuritystandards.org/pdfs/pcissc_getting_started_with_pcidss.pdf
  www.pcisecuritystandards.org/security_standards/documents.php?category=standards

PCI DSS v2.0 and the Virtualization Special Interest Group (SIG)

The current version of the PCI DSS standard is version 2.0, released on October 26, 2010. All organizations with payment card data were expected to adopt this version by January 1, 2011, and starting on January 1, 2012, QSAs have to assess organizations against it. One of the notable changes between the previous version, 1.2.1, and v2.0 is the inclusion of virtualization components in the Scope section and within requirement 2.2.1 of the standard. This reflects the PCI SSC's recognition that more and more organizations have adopted, or plan to adopt, virtualization as part of their PCI environments, and that virtualized environments merit guidance akin to what the standard already provides for physical environments.

In addition to including some guidance on virtualization in the PCI DSS standard itself, the PCI SSC formed a Virtualization Special Interest Group (SIG) that examined some of the issues and challenges posed to PCI DSS compliance in virtualized environments. This group, which began meeting in the fall of 2008, brought together security vendors, practitioners, banks, merchants, auditors, and QSAs, all meeting on a regular basis to draft a recommendation for how the PCI DSS might be enhanced to cover virtualization technology. The SIG included a number of industry-leading security practitioners and vendors, including Juniper Networks (via Altor Networks). The SIG's work has been leveraged by a PCI technical working group, which, among other efforts, developed a guidance document, Information Supplement: PCI DSS Virtualization Guidelines, released in June 2011. This document provides much-needed guidance for both organizations and service providers on how to protect cardholder data within virtualized workloads.

Achieving Compliance

Just as organizations must protect physical environments holding cardholder data from compromise, both from a security and from a PCI compliance perspective, so too must they protect virtualized environments. Organizations need multiple solutions to meet PCI DSS as a whole; to protect cardholder data within a virtualized environment in particular, they can take a few specific measures and use technology solutions tailored for such an environment. The latter is the focus of this paper.

Working with QSAs

As mentioned earlier, for large transaction volumes in the cardholder data environment, organizations work with a QSA to determine their PCI DSS compliance audit posture. The QSA is an employee of one of a number of security companies certified by the PCI Security Standards Council to validate an organization's adherence to the PCI DSS. The PCI SSC maintains an in-depth program for companies seeking to be certified, and re-certified, each year.

Despite more and more organizations adopting virtualized workloads in their data centers, most QSAs are just getting up to speed on the specific security challenges associated with such workloads. Furthermore, to date there is no specific certification qualifying a QSA as an expert in evaluating virtualized environments. Although the PCI SSC strives to keep the list of QSAs linked from its corporate site current, and the list is frequently updated, the council cannot guarantee that the list is always current. Hence, every time an organization engages a QSA, it should check the list to ensure that its QSA has successfully maintained its QSA status.

How the Juniper Networks vGW Virtual Gateway Can Help Meet PCI DSS and Virtualization SIG Guidelines

Juniper Networks, using its extensive experience and innovative research in protecting the network, offers advanced protection for virtualized environments through a powerful software suite capable of monitoring and protecting virtualized environments without negatively impacting performance. The vGW Virtual Gateway is a comprehensive virtualization security solution that includes a high-performance, hypervisor-based stateful firewall; an integrated intrusion detection service (IDS); and virtualization-specific antivirus for complete virtual network protection. The vGW brings forward powerful features that offer layers of defenses and automated security as well as compliance enforcement within virtual networks and clouds.

By leveraging virtual machine introspection, coupled with the vGW's wide-ranging information about the virtual network environment, the vGW creates an extensive database of parameters by which security policies and compliance rules can be defined and enforced. A hypervisor-based, VMsafe-certified virtualization security approach, in combination with X-ray-level knowledge of each virtual machine through VM Introspection, gives the vGW a unique vantage point in the virtualized fabric. Here, virtualization security can be applied efficiently and with context about the virtual environment and its state at any given moment. The vGW delivers total virtual data center protection and cloud security through visibility, protection and compliance:

Visibility: A full view of all network traffic flowing between VMs is provided. Also available is a complete VM and VM group inventory, including virtual network settings. Deep knowledge of VM state, including installed applications, operating systems and patch levels, is made possible through VM Introspection.

Protection: A VMsafe-certified stateful firewall provides access control over all traffic via policies that specify which ports, protocols, destination VMs, etc. should be blocked. Further, an integrated intrusion detection engine inspects packets for the presence of malware or malicious traffic and alerts as appropriate. Finally, virtualization-specific antivirus protection delivers highly efficient on-demand and on-access scanning of VM disks and files, with the ability to quarantine infected entities.

Compliance: The vGW enables enforcement of corporate and regulatory policies for the presence of required or banned applications via VM Introspection. Some practical applications of compliance enforcement, such as assurance of segregation of duties, ensure that VMs are assigned to the right trust zones inside the virtual environment. Pre-built compliance assessment is based on common industry best practices and leading regulatory standards. The vGW can also enforce compliance with a VM gold image, with quarantine or alerting for non-compliance, thereby ensuring that deviations from the desired VM configuration do not create a security risk. For meeting regulatory mandates such as PCI, the vGW provides a hierarchical policy editor for building the precise requirements: a very restrictive policy can be applied to high-value virtual machines, and a permissive policy to other VMs.

Juniper also addresses the reporting requirement of compliance with an automated reporting engine. System logging output gives security event management systems insight into virtual network activity. Administrators can print reports of historical VM traffic data and configure SNMP traps to alert them to selected events. Those events can then be sent via system logs to third-party security products such as security information and event management (SIEM) systems, for example the Juniper Networks STRM Series Security Threat Response Managers. These products can synthesize the vGW log and event information from the virtualized data center with events from other parts of the network to obtain a holistic picture of the entire data center and its security posture.

Table 2: PCI DSS and SIG Guidance Requirements Supported by Juniper vGW Virtual Gateway

PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  1.1 Establish firewall and router configuration standards.
  1.1.5 Provide documentation and business justification for use of all services, protocols and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
  1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
  1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
  1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
  1.3 Prohibit direct public access between the Internet and any system component in the CDE.

Virtualization SIG guidance:
  Document business justification for any services, protocols and ports allowed through the firewall/router. Define and implement access control to block insecure protocols. For virtualized environments, a virtual firewall or router embedded within the hypervisor might be used to monitor and restrict traffic flowing through and within the virtual cardholder data environment, including inspection of VM-to-VM data flows. Implement firewall/router configurations so as to isolate traffic between untrusted networks (for example, a wireless network) and the cardholder data environment. Configure the firewall/router to prevent access between the Internet-connected VLAN and any cardholder data-bearing VM or other virtual system component.

How the vGW helps:
  The vGW is a purpose-built, hypervisor-based stateful firewall that can enforce access control policies by ensuring VMs that are tied to payment systems are isolated from VMs that are not. Additionally, the vGW allows a "build once, apply continuously" model of security policy definition and enforcement. Any time a new VM is added to the network, the new VM simply inherits the settings of the parent, including the security policies and applications in existence for a VM of that type. This ensures that security for the new virtual system component is automatically provisioned, reducing the risk of exposing the system and cardholder data to malicious traffic.
  The vGW is installed within the virtual infrastructure and stores all network communication (either VM-to-VM or VM-to-physical) in a database. Reports can be generated showing all network activity (protocols, ports, etc.) in use on every VM over any given time period. As new VMs are created, the vGW detects them automatically and can report on their activity. This information documents all known services and protocols in operation and can aid in justifying their use in the network.
  The vGW can enforce access control on a per-VM basis, so that if a particular VM is in the network where a payment system is connected, the vGW can be configured to stop traffic originating from an untrusted network from connecting with that VM. A hierarchy of firewall policies allows administrators to easily secure VMs. All VMs must conform to the Global Policy, which has high-level and low-level rules. Additionally, Group Policies (for example, Web servers) restrict access to/from logical or business groupings of VMs. For maximum control, administrators can also create and enforce policies for individual VMs. All data in or out of the virtual environment can be tightly controlled (the intuitive rule editor defines traffic paths as "inbound" and "outbound"). It doesn't matter whether the remote network is wireless or Internet connected: traffic must pass through the vGW firewall before reaching the actual VM.
  The vGW firewall can ensure that no in-scope VM containing cardholder data is incorrectly assigned to an Internet-connected VLAN. Doing so triggers a policy violation alert and optional quarantine of the in-scope VM.
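The policy hierarchy just described (Global Policy high-level rules, then Group Policies, then per-VM policies, then Global Policy low-level rules), the inheritance of a parent's policies by a newly created VM, and the in-scope-VM-on-Internet-VLAN check, modelled as an added example. This is illustrative code written for this page, not vGW code: first-match evaluation, the VM names, VLAN labels, groups and ports are all assumptions.

```python
"""Hierarchical firewall policy model for VM-to-VM traffic (constructed example).

Tiers are evaluated first-match in the order Global high-level, Group, per-VM,
Global low-level, with default deny; that order and the first-match semantics
are assumptions of this example, not documented vGW behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str     # source VM name or network label such as "internet"
    dst: str     # destination VM name
    proto: str   # "tcp" or "udp"
    port: int    # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "any"            # VM name, group name, network label or "any"
    dst: str = "any"
    proto: str = "any"
    port: Optional[int] = None  # None matches every port


@dataclass
class VM:
    name: str
    groups: Set[str] = field(default_factory=set)
    vlan: str = "internal"
    in_scope: bool = False      # True if the VM holds cardholder data (in the CDE)


class PolicyEngine:
    def __init__(self) -> None:
        self.global_high: List[Rule] = []           # evaluated first, cannot be overridden
        self.group_rules: Dict[str, List[Rule]] = {}
        self.vm_rules: Dict[str, List[Rule]] = {}
        self.global_low: List[Rule] = []            # evaluated last, before default deny
        self.vms: Dict[str, VM] = {}

    def add_vm(self, vm: VM) -> VM:
        self.vms[vm.name] = vm
        return vm

    def clone_vm(self, parent: str, name: str) -> VM:
        """A VM provisioned from a parent inherits its groups, and with them its policies."""
        p = self.vms[parent]
        return self.add_vm(VM(name, set(p.groups), p.vlan, p.in_scope))

    def _endpoint_matches(self, spec: str, endpoint: str) -> bool:
        if spec in ("any", endpoint):
            return True
        vm = self.vms.get(endpoint)
        return vm is not None and spec in vm.groups   # spec names a group

    def _matches(self, rule: Rule, flow: Flow) -> bool:
        return (self._endpoint_matches(rule.src, flow.src)
                and self._endpoint_matches(rule.dst, flow.dst)
                and rule.proto in ("any", flow.proto)
                and rule.port in (None, flow.port))

    def _ordered_rules(self, flow: Flow) -> Iterator[Rule]:
        yield from self.global_high
        for endpoint in (flow.src, flow.dst):           # group policies of both ends
            vm = self.vms.get(endpoint)
            for group in (sorted(vm.groups) if vm else ()):
                yield from self.group_rules.get(group, [])
        for endpoint in (flow.src, flow.dst):           # per-VM policies
            yield from self.vm_rules.get(endpoint, [])
        yield from self.global_low

    def evaluate(self, flow: Flow) -> str:
        for rule in self._ordered_rules(flow):
            if self._matches(rule, flow):
                return rule.action
        return "deny"   # nothing matched: default deny

    def placement_violations(self) -> List[str]:
        """In-scope VMs sitting on an Internet-connected VLAN (alert / quarantine candidates)."""
        return [vm.name for vm in self.vms.values()
                if vm.in_scope and vm.vlan == "internet"]


def build_demo() -> PolicyEngine:
    """Constructed inventory and rules; names, VLAN labels and ports are illustrative."""
    eng = PolicyEngine()
    eng.add_vm(VM("web-01", {"web"}, vlan="dmz"))
    eng.add_vm(VM("pay-db-01", {"payment"}, vlan="cde", in_scope=True))
    eng.add_vm(VM("misplaced-pay", {"payment"}, vlan="internet", in_scope=True))
    # Global high-level rule: untrusted networks never reach the payment group.
    eng.global_high.append(Rule("deny", src="internet", dst="payment"))
    # Group policy for the payment tier: only the web tier, only the DB port.
    eng.group_rules["payment"] = [Rule("allow", src="web", dst="payment", proto="tcp", port=5432)]
    # Per-VM policy: web-01 must never accept cleartext Telnet administration.
    eng.vm_rules["web-01"] = [Rule("deny", dst="web-01", proto="tcp", port=23)]
    # Global low-level rule: HTTPS to the web tier is allowed from anywhere.
    eng.global_low.append(Rule("allow", dst="web", proto="tcp", port=443))
    return eng
```

Cloning pay-db-01 to a new pay-db-02 with `clone_vm` gives the new VM the payment group's rules without any further configuration, which is the inheritance behaviour the text describes.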

PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
  2.2.1 Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. (For example, Web servers, database servers and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
  2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.
  2.2.2 Enable only necessary and secure services, protocols, daemons, etc. as required for the function of the system.
  2.2.3 Configure system security parameters to prevent misuse.
  2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.
  2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.

Virtualization SIG guidance:
  Within virtualized environments, ensure that only one primary function is implemented per system component or device (for example, virtual machine). As part of the security policy for a given system, allow only those services and protocols it requires to perform its task(s), and remove unnecessary functionality (for example, scripts, drivers, file systems, etc.). Control non-console administrative access to systems by utilizing strong cryptography technologies.

How the vGW helps:
  The vGW produces network connection reports that clearly show the protocols in use by every VM on the network where payment systems are connected. A practical application of such a report is to determine whether unnecessary Web servers are running, file servers are functioning, or any other applications are in use that shouldn't be.
  In accordance with 2.2.1, which states that a single virtual system component (for example, a VM) should serve only one primary function, the vGW can help ensure this by monitoring and alerting on any changes to system configuration. If someone is trying to install a database server and an application server on a single VM, and the associated security policy designates that such an action should not be allowed, the vGW can be configured to alert the relevant personnel so that appropriate action can be taken (for example, add another VM to the network and install just one of the servers on this new VM). Systems that the vGW determines to be inappropriately connected to secure networks like the VMsafe communication network (that is, per defined policy) can be automatically disconnected. Proprietary protocols that might introduce risks are automatically detected, and their presence is alerted on by the vGW security application.
  The vGW uses encryption for all system communication and requires encrypted authentication to access the vGW management server application (all passwords are force-changed during install). The vGW can monitor, alert on and/or stop the use of non-encrypted protocols on the network (Telnet or FTP instead of SSH or SCP/SFTP).
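An added example of the kind of checks an administrator would run over a per-VM connection report to cover the points above: services lacking a documented business justification (1.1.5), VMs serving more than one primary function (2.2.1), and cleartext Telnet/FTP where SSH or SCP/SFTP belongs (2.2.2, 2.3). The report rows, the port-to-function mapping and the justification list are constructed for this page and are not vGW output or vGW code.

```python
"""Checks over a per-VM connection report (constructed example, not vGW output)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One row per listening service observed on a VM: (vm, protocol, port). Constructed.
CONNECTION_REPORT: List[Tuple[str, str, int]] = [
    ("web-01", "tcp", 443),
    ("web-01", "tcp", 22),
    ("pay-db-01", "tcp", 5432),
    ("pay-db-01", "tcp", 23),    # Telnet daemon left enabled on the payment database VM
    ("app-02", "tcp", 8080),
    ("app-02", "tcp", 3306),     # application server also running a database
    ("app-02", "tcp", 21),       # FTP
    ("dns-01", "udp", 53),
]

# Port-to-function mapping used to judge "one primary function per VM" (assumed).
FUNCTION_PORTS: Dict[str, Set[int]] = {
    "web": {80, 443, 8080},
    "database": {1433, 3306, 5432},
    "dns": {53},
}

# Cleartext protocols and the encrypted replacements the paper names.
INSECURE_PORTS: Dict[int, Tuple[str, str]] = {
    23: ("Telnet", "SSH"),
    21: ("FTP", "SCP/SFTP"),
}

# Services with a documented business justification (Req 1.1.5). Constructed.
JUSTIFIED: Set[Tuple[str, int]] = {
    ("web-01", 443), ("web-01", 22), ("pay-db-01", 5432), ("app-02", 8080), ("dns-01", 53),
}


def functions_per_vm(report: List[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Map each VM to the set of primary functions its listening ports imply."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for vm, _proto, port in report:
        for function, ports in FUNCTION_PORTS.items():
            if port in ports:
                found[vm].add(function)
    return dict(found)


def multi_function_vms(report: List[Tuple[str, str, int]]) -> List[Tuple[str, List[str]]]:
    """Req 2.2.1: VMs implementing more than one primary function."""
    return sorted((vm, sorted(fns))
                  for vm, fns in functions_per_vm(report).items() if len(fns) > 1)


def insecure_protocol_findings(report: List[Tuple[str, str, int]]) -> List[str]:
    """Req 2.2.2 / 2.3: cleartext services that should be replaced or disabled."""
    findings = []
    for vm, proto, port in report:
        if port in INSECURE_PORTS:
            name, replacement = INSECURE_PORTS[port]
            findings.append(f"{vm}: {name} on {proto}/{port}; use {replacement} or disable")
    return sorted(findings)


def undocumented_services(report: List[Tuple[str, str, int]],
                          justified: Set[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Req 1.1.5: listening services with no recorded business justification."""
    return sorted({(vm, port) for vm, _proto, port in report if (vm, port) not in justified})
```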

PCI DSS Requirement 2 (continued)
  2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Virtualization SIG guidance:
  The multi-tenant hosting provider must protect each entity's hosted environment and cardholder data by putting in place administrative, process and technical segmentation to isolate each hosted entity's environment from other entities. At a minimum, this isolation should encompass all PCI DSS controls, including but not limited to segmented authentication, network and access controls, encryption, and logging.

How the vGW helps:
  The vGW, through its built-in virtual firewall, can be configured to segment tenant resources (virtual system components) from one another, ensuring isolation of their security policies. The vGW provides an XML-RPC programming interface that lets service providers and large enterprises customize and automate firewall provisioning. Users of the API can efficiently secure virtualization services for internal or external customers while ensuring strict isolation of customer VMs. Additionally, the vGW includes a feature called Split-Center that can be used in multi-tenant virtualized environments that require segregation of a single security management platform into parts consistent with unique security policies per hosted entity. Split-Center allows segmentation of the information contained in one virtualization management layer into what are effectively multiple independently managed vGW centers, to improve resource isolation for multi-tenancy.

PCI DSS Requirement 5: Use and regularly update antivirus software or programs.
  5.1 Deploy antivirus software on all systems commonly affected by malicious software.
  5.2 Ensure that all antivirus mechanisms are current, actively running and generating audit logs.

Virtualization SIG guidance:
  Install relevant (for example, purpose-built) antivirus software on all systems (including servers and hosts) that are vulnerable to malware. Keep the antivirus software subscription up to date to account for the latest threats, and ensure that the software is actively running and generating audit logs.

How the vGW helps:
  Virtualization-specific antivirus provides a layer of defense against malware (such as viruses, worms and spyware) with minimal impact on VM memory and disk. The vGW antivirus engine provides optional on-access and on-demand scanning to help meet this requirement. The vGW's antivirus protection stays up to date through automatic signature updates available for the life of the software subscription (with an active license). Audit logs are automatically generated as long as the vGW antivirus engine is enabled.

PCI DSS Requirement 6: Develop and maintain secure systems and applications.
  6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.
  6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Virtualization SIG guidance:
  Apply the most recent security patches as soon as possible, especially for critical systems and software applications. Consider prioritizing the application of security patches (apply patches to at-risk systems sooner than to less risk-prone ones). For any newly discovered day-zero threats, assign a severity rating to the threats and add these to the vulnerability database.

How the vGW helps:
  The vGW has two types of patches/updates:
    1. vGW application fixes
    2. vGW signature feed for malicious traffic monitoring (IDS)
  In both cases, the vGW application does not notify an administrator that a patch needs to be applied. The patches for signature updates can also be applied without administrator intervention on a predefined schedule. The vGW integrated IDS includes a risk rating for new vulnerabilities. This risk rating can be modified by the virtual infrastructure administrators to better reflect the security environment of the CDE.

PCI DSS Requirement 6 (continued) 6.4.1 Separate development/test and production environments. 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes including: 6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws. 6.5.2 Buffer overflow 6.5.3 Insecure cryptographic storage 6.5.4 Insecure communications 6.5.5 Improper error handling Note: Requirements 6.5.7 through 6.5.9 apply to Web applications and application interfaces (internal or external): 6.5.7 Cross-site scripting (XSS) 6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, and directory traversal) 6.5.9 Cross-site request forgery (CSRF) 6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Review public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Install a Web application firewall in front of public-facing Web applications. Isolate application development/ test and production environments. Develop applications based on generally accepted secure coding guidelines and prevent common coding vulnerabilities. Organizations must review their Web applications regularly and ensure these applications are protected against both known and unknown (for example, day-zero ) threats. There are multiple commercially available vulnerability security assessment tools and methods available to meet this requirement. Virtualized environments often have a testing/ development cluster as well as a production cluster. 
Because the vgw is installed in the kernel of each individual hypervisor host, it is easy to create security policies that completely isolate the traffic in each environment.

The vgw has an IDS engine that is incorporated into the virtual infrastructure. The IDS engine is signature based, and a portion of the signatures comes from the Sourcefire VRT professional feed, the foundation of which has more than 3.7 million users and is the most widely distributed intrusion detection technology in the world. Juniper also adds custom signatures and expertise to this feed, giving users layers of enterprise-grade protection. The IDS signature rules detect XSS, injection flaws, malicious file extensions, insecure direct object references, and other malicious or inappropriate traffic. Since the vgw monitors all connection flows, it can be used to spot information leakage between systems (for example, VM1 unexpectedly sending 10 GB of traffic to VM2). The vgw has an advanced stateful firewall and a combination of web-based IDS signatures that in concert inspect and detect anomalous Web activity, thereby protecting web-based applications.
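The leakage check described above (a VM unexpectedly moving far more data to a peer than it normally does) can be reduced to a per-pair byte budget over connection-flow records. The script below is an added example written for this page, not vgw code or output: the CSV flow-record shape, the VM names, the per-pair baselines and the 2x alert factor are all constructed assumptions, and any flow collector that exports source, destination and byte counts could feed the same logic.

```python
"""Spot unexpected VM-to-VM data volumes from connection-flow records.

Added example (not vGW code): the flow records below are a constructed
CSV shape and the baseline figures are assumptions chosen for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records: timestamp, src VM, dst VM, proto, dst port, bytes.
# The fourth line models a database VM pushing 10 GiB to a host it rarely talks to.
FLOW_LOG = """\
2011-09-01T10:00:00Z,vm-web-1,vm-db-1,tcp,3306,482113
2011-09-01T10:00:05Z,vm-web-1,vm-db-1,tcp,3306,391880
2011-09-01T10:00:09Z,vm-app-2,vm-db-1,tcp,3306,120455
2011-09-01T10:01:12Z,vm-db-1,vm-backup-9,tcp,22,10737418240
2011-09-01T10:02:30Z,vm-web-1,vm-db-1,tcp,3306,77201
"""

# Assumed per-pair baselines (bytes per reporting window) learned from normal
# operation; DEFAULT_BASELINE applies to pairs never seen talking before.
BASELINE_BYTES = {
    ("vm-web-1", "vm-db-1"): 5 * 1024 * 1024,
    ("vm-app-2", "vm-db-1"): 5 * 1024 * 1024,
}
DEFAULT_BASELINE = 1 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse the constructed CSV shape into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split(",")
        flows.append(Flow(ts, src, dst, proto, int(dport), int(nbytes)))
    return flows


def bytes_per_pair(flows) -> dict:
    """Total bytes sent per (src, dst) pair across all flows in the window."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.nbytes
    return dict(totals)


def find_leakage(flows, baselines=BASELINE_BYTES, default=DEFAULT_BASELINE, factor=2.0):
    """Return (src, dst, observed_bytes, baseline_bytes) for pairs above factor x baseline.

    Unknown pairs get the small default budget, so a new conversation that moves
    a lot of data is flagged even without a learned baseline.
    """
    alerts = []
    for (src, dst), total in sorted(bytes_per_pair(flows).items()):
        allowed = baselines.get((src, dst), default)
        if total > factor * allowed:
            alerts.append((src, dst, total, allowed))
    return alerts


if __name__ == "__main__":
    for src, dst, seen, allowed in find_leakage(parse_flows(FLOW_LOG)):
        print(f"LEAKAGE? {src} -> {dst}: {seen:,} bytes (baseline {allowed:,})")
```

Only the database-to-backup pair trips the check; the web and app tiers stay inside their budgets even though they generate many more individual flows. In practice the baseline table would be learned per time window and the alert would carry the flow timestamps so an analyst can pivot into the firewall log.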

PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data.

10.1 Establish a process for linking all access to system components.
10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual accesses to cardholder data
10.2.7 Creation and deletion of system-level objects
10.3 Record audit trail entries for all system components for each event.

Put in place a method to monitor and log all access to system components by user for auditing and investigation purposes should there be a data compromise. Automatically track individual access to cardholder data and creation and deletion of system-level object events. By recording the following audit trail entries for all system components for each event, a potential compromise can be quickly identified with sufficient detail of who, what, when, where, and how: user ID, type of event, date and time, success/failure indication, origination of event, and ID or name of affected data, system component, or resource.

Juniper's vgw, through its stateful firewall, provides access control over all traffic via policies that specify which ports, protocols, destination VMs, etc. should be blocked. The vgw can monitor and optionally log all access activity, including blocked attempts to reach VMs. These logs might include information about the source of the traffic, including an IP address. For a complete user authentication solution, the vgw can be integrated with the Juniper SRX Series Services Gateway and Unified Access Control (UAC) products to gain visibility into the specific user accessing a particular system component. Controlling access to cardholder data can be accomplished by implementing network-based control (that is, firewall blocking of access from system to system). The vgw can monitor and display all access details between systems and enforce access at the lowest level possible (that is, system to system).
Because the vgw is tightly integrated into the virtualization management layer, it has complete virtual awareness in the application of security, including when VMs have been cloned, created, deleted, or have migrated. Policy is automatically applied to these new VMs, ensuring that they either inherit the policy of their group or are quarantined until a policy is defined. Any changes that affect the VM state (networking changes, installed applications, or security policy changes) are monitored and reported on. The vgw can essentially function as an IP traffic collector, recording all traffic between VMs. This data can be sent to a log aggregation device for the purpose of creating a comprehensive audit trail of all access activity in the CDE, including activity among in-scope VMs.
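The Requirement 10 discussion above combines three ideas: group-based policy that a new or cloned VM inherits (with quarantine as the fallback when no group is assigned), a decision log for every allowed or blocked connection carrying the who/what/when/where/how fields of 10.3, and shipping those records to a central collector. The following is an added illustration of that model written for this page; it is not vgw's policy engine, API or log format. The VM groups, the rule shape, the designated time-server addresses (the rule set also carries the NTP restriction this paper raises under Requirement 10.4) and the syslog rendering are all assumptions, and the user identity field is filled with a service name because, as the text notes, per-user attribution needs an external authentication source.

```python
"""Group-based VM firewall policy with PCI DSS 10.3-style audit records.

Added example, not vGW's code, API or log format: the groups, rule shape,
addresses and syslog rendering are assumptions that illustrate the text.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

CENTRAL_TIME_SERVERS = frozenset({"10.0.0.5", "10.0.0.6"})   # assumed designated NTP peers


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None matches any destination port
    dst_group: Optional[str] = None  # group the destination VM must belong to
    dst_ips: frozenset = frozenset() # or an explicit set of destination IPs


# Assumed policy per VM group; first matching rule wins, then implicit deny.
GROUP_POLICY = {
    "cde-prod": [
        Rule("allow", "udp", 123, dst_ips=CENTRAL_TIME_SERVERS),  # 10.4: central time only
        Rule("deny", "udp", 123),                                 # any other NTP source blocked
        Rule("allow", "tcp", 3306, dst_group="cde-prod"),
        Rule("allow", "tcp", 443, dst_group="cde-prod"),
    ],
    "dev-test": [
        Rule("allow", "any", None, dst_group="dev-test"),         # dev may only talk to dev
    ],
    "quarantine": [],   # a VM with no assigned group gets no connectivity at all
}


@dataclass
class VM:
    name: str
    ip: str
    group: Optional[str] = None   # None until an administrator assigns one


def effective_group(vm: VM) -> str:
    """Unknown or unassigned groups fall back to quarantine (the paper's default)."""
    return vm.group if vm.group in GROUP_POLICY else "quarantine"


def evaluate(src: VM, dst: Optional[VM], dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (decision, matched-rule description) for one connection attempt."""
    for rule in GROUP_POLICY[effective_group(src)]:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.dst_group is not None and (dst is None or effective_group(dst) != rule.dst_group):
            continue
        if rule.dst_ips and dst_ip not in rule.dst_ips:
            continue
        return rule.action, f"{rule.action} {rule.proto}/{rule.dport or 'any'}"
    return "deny", "implicit deny"


def audit_record(src: VM, dst: Optional[VM], dst_ip: str, proto: str, dport: int,
                 user_id: str = "system", ts: Optional[datetime] = None) -> dict:
    """Evaluate the connection and return the audit fields PCI DSS 10.3 asks for."""
    decision, why = evaluate(src, dst, dst_ip, proto, dport)
    ts = ts or datetime.now(timezone.utc)
    return {
        "user_id": user_id,                                          # who (service identity here)
        "event_type": f"network-{decision}",                         # type of event
        "timestamp": ts.isoformat(),                                 # date and time
        "result": "success" if decision == "allow" else "failure",   # success/failure
        "origin": f"{src.name}/{src.ip}",                            # origination of event
        "resource": f"{dst.name if dst else dst_ip}:{proto}/{dport}",  # affected resource
        "rule": why,
    }


def syslog_line(rec: dict, hostname: str = "vgw-example") -> str:
    """Render the record as an RFC 5424 line for a central log collector (10.5.4)."""
    severity = 6 if rec["result"] == "success" else 4   # informational vs warning
    pri = 4 * 8 + severity                              # facility 4 (security/auth)
    body = " ".join(f'{k}="{v}"' for k, v in rec.items())
    return f"<{pri}>1 {rec['timestamp']} {hostname} vgw-audit - - - {body}"


if __name__ == "__main__":
    web = VM("vm-web-1", "10.1.0.11", "cde-prod")
    db = VM("vm-db-1", "10.1.0.21", "cde-prod")
    clone = VM("vm-clone-7", "10.1.0.77")           # freshly cloned, no group yet
    print(syslog_line(audit_record(web, db, db.ip, "tcp", 3306, user_id="svc-web")))
    print(syslog_line(audit_record(clone, db, db.ip, "tcp", 443)))
    print(syslog_line(audit_record(web, None, "198.51.100.9", "udp", 123)))
```

Blocked attempts are logged with the same fields as allowed ones, so the collector sees the cloned VM's failed connection and the attempt to reach an unauthorized time server alongside normal traffic; the quarantine fallback is what keeps a cloned or newly created VM from silently acquiring connectivity before an administrator places it in a group.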

PCI DSS Requirement 10 (continued)

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).
10.4.1.b Verify that the designated central time servers peer with each other to keep accurate time, and confirm that other internal servers receive time only from the central time servers.
10.5 Secure audit trails so they cannot be altered.
10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.

Synchronize all critical system clocks and times by utilizing a time-synch technology (for example, NTP); ensure that designated central time servers regularly consult with each other to maintain accurate time and that other internal servers only receive time from the central servers. Prevent audit trails from being changed and write logs for external-facing technologies onto a log server on the internal LAN.

The vgw can monitor all NTP traffic in the environment and block payment card systems from using unauthorized NTP systems. Externally-facing systems in the virtual environment can have logging turned on for their activities. The vgw allows secure storage of these logs in a local database or can be configured to send logs via syslog to a central log collector.

PCI DSS Requirement 11: Regularly test security systems and processes.

11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.4 Use intrusion detection systems and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion detection and prevention engines, baselines and signatures up to date.
11.5 Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files.

Scan the network for vulnerabilities at least quarterly and after any major network change. Monitor traffic at the perimeter of and at critical points inside the cardholder data environment and alert relevant personnel to suspicious events. A purpose-built IDS/IPS solution might be used to monitor traffic in virtual networks and/or between virtual systems. Monitor critical files in a virtual environment to prevent someone from changing configuration file contents, OS programs or application executables, which might render existing security controls ineffective and/or result in cardholder data being stolen with no perceptible impact to normal processing.

The vgw doesn't have an explicit vulnerability scanning engine, but it does maintain deep knowledge of the state of each VM, including installed operating systems, applications, versions, and patches. Any changes to the state of a VM that, per policy, reduce the VM's security posture (for example, turning off antivirus) are automatically detected and alerted on, and the VM can be automatically quarantined in order to mitigate risk. The vgw's integrated IDS engine can inspect traffic for the presence of malware, malformation or other malicious activity. Alerts are generated automatically and stakeholders receive the relevant report. The vgw identifies the alert source and provides the mechanism to shut it down. Juniper's antivirus functionality can provide partial compliance with this requirement through a mechanism for routine and scheduled antivirus scanning of key files.
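Requirement 11.5 asks for file integrity monitoring of configuration files, OS programs and application executables, and the paper's own posture example (antivirus being switched off) is exactly the kind of change a configuration-file baseline catches. The script below is an added example written for this page, not the vgw antivirus or scanning feature: it baselines a watched set of files by SHA-256, size and permission bits, then reports files that were modified, removed, added to a watched path, or had their mode changed. The watched paths, file contents and tampering steps are constructed inside a temporary directory so it runs anywhere; a real deployment would keep the baseline off the monitored host so an intruder cannot rewrite both.

```python
"""File integrity monitoring: baseline critical files, then detect changes.

Added example, not vGW's antivirus or FIM feature. The monitored files are
constructed in a temporary directory; only the technique is the point.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watch) -> dict:
    """Record hash, size and permission bits for each watched file that exists under root."""
    baseline = {}
    for rel in watch:
        p = root / rel
        if p.is_file():
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def verify(root: Path, baseline: dict, watch) -> dict:
    """Compare current state with the stored baseline and classify every difference."""
    current = build_baseline(root, watch)
    report = {"modified": [], "missing": [], "added": [], "mode_changed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        elif new["mode"] != old["mode"]:
            report["mode_changed"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)   # a watched path that did not exist at baseline time
    return report


def demo() -> dict:
    """Constructed scenario: baseline three config files, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc/app.conf").write_text("db_host=vm-db-1\n")
        (root / "etc/av.conf").write_text("realtime_scan=on\n")
        (root / "etc/ssl.conf").write_text("protocols=TLSv1.2\n")
        os.chmod(root / "etc/app.conf", 0o644)
        watch = ["etc/app.conf", "etc/av.conf", "etc/ssl.conf", "etc/rogue.conf"]
        snapshot = json.dumps(build_baseline(root, watch), sort_keys=True)  # store off-host

        # Simulated unauthorized changes: antivirus disabled, TLS config deleted,
        # an unexpected file dropped into a watched location, permissions loosened.
        (root / "etc/av.conf").write_text("realtime_scan=off\n")
        (root / "etc/ssl.conf").unlink()
        (root / "etc/rogue.conf").write_text("unexpected=1\n")
        os.chmod(root / "etc/app.conf", 0o444)

        return verify(root, json.loads(snapshot), watch)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:13s}: {files}")
```

The mode check is what distinguishes this from a plain hash compare: a permission change on an unchanged file is still a posture change worth an alert. Run on a schedule and with the baseline stored centrally, the report feeds the same alerting path as the IDS events discussed above.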

PCI DSS Requirement 12: Maintain a policy that addresses information security for all personnel.

12.1 Establish, publish, maintain, and disseminate a security policy.
12.2 Develop daily operational security procedures.
12.3 Develop usage policies for critical technologies and define proper use of these technologies.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team the following information security management responsibilities:
12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.
12.5.5 Monitor and control all access to data.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
12.9.1.a Verify that the incident response plan includes coverage and responses for all critical system components.
12.9.5 Include alerts from intrusion detection, intrusion prevention and file integrity monitoring systems.

Specific security policies might need to be developed to address unique aspects of virtual environments. Specific operational security procedures might need to be developed to address unique aspects of virtual environments. Specific usage policies might need to be developed to address unique aspects of virtual environments. Map information security policy and procedures to the respective personnel. Designate an individual/team to be responsible for monitoring, synthesizing and analyzing security alerts and information, distributing the information to relevant stakeholders, and monitoring and controlling all access to cardholder data. Have an incident response plan to handle system breaches, generate alerts for network intrusion detection and file integrity threats, and plan for all critical system components.
The vgw's singular view of the virtualization security environment provides the means for multiple stakeholders and administrator groups to define and maintain a security policy. Daily security operations can be aided with the vgw's customizable reporting of all aspects of the virtualized environment, including the compliance state of in-scope VMs. The vgw's VM and hypervisor monitoring of both configuration and access activity can help meet requirements and guidelines for usage. Access to the security configuration of in-scope VMs can be limited to those administrators with the requisite privilege, thereby enforcing the responsibilities, duties and policies for those administrators.

The vgw has a reporting module that informs security personnel of all activity and changes in the virtual network (including changes to the networking, new VMs, etc.). Alerts are generated and defined by severity risk rating (high, medium, low), giving guidance on mitigation urgency. The reports can be generated automatically at predefined intervals. Reports in their entirety, or subsets of desired information, can be sent to individuals based on a subscription frequency. IDS reports can be easily created and even filtered for payment card systems only. Alerts for various activities can be delivered via SMTP and SNMP.

Being able to create a backup of the virtualization security infrastructure, including critical system components, settings and policy, is critical for quickly replicating those protections for the purposes of disaster recovery and compliance. The vgw configuration backup and restore allows administrators to quickly and securely restore designated data centers containing critical system components to a given point in time, should the situation warrant reverting to a prior configuration such as one that was in compliance.

PCI DSS Requirement A.1: Shared hosting providers must protect the CDE.

A.1 Protect each entity's hosted environment and data.

Ensure that each entity only runs processes that have access to that entity's cardholder data environment. Restrict each entity's access and privileges to its own cardholder data environment only. Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.

The vgw, through its built-in virtual firewall, can be configured to segment tenant resources (virtual system components) from one another, ensuring isolation of their security policies. The vgw provides an XML-RPC programming interface that lets shared hosting service providers customize and automate firewall provisioning. Users of the API can efficiently secure virtualization services for internal or external customers while ensuring strict isolation of customer VMs. The vgw includes a feature called Split-Center, which allows segmentation of the information contained in one virtualization management layer into what are effectively seen as multiple independently managed vgw centers, to improve resource isolation for multitenancy. The vgw enables each hosted entity (for example, a merchant) to have access to and review logs specific to its own cardholder data environment.

Conclusion

The Juniper Networks vgw Virtual Gateway can serve as a key component of the overall security infrastructure by helping organizations (for example, merchants) and service providers protect virtualized environments and meet key PCI DSS requirements. The vgw is a comprehensive virtualization security solution that includes a high-performance, hypervisor-based stateful firewall; integrated intrusion detection service (IDS); and virtualization-specific antivirus for complete virtual network protection. It brings forward powerful features that offer layers of defenses and automated security as well as compliance enforcement within virtual networks and clouds.

About Juniper Networks

Juniper Networks is in the business of network innovation. From devices to data centers, from consumers to cloud providers, Juniper Networks delivers the software, silicon and systems that transform the experience and economics of networking. The company serves customers and partners worldwide. Additional information can be found at www.juniper.net.

Corporate and Sales Headquarters: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA. Phone: 888.JUNIPER (888.586.4737) or 408.745.2000. Fax: 408.745.2100. www.juniper.net

APAC Headquarters: Juniper Networks (Hong Kong), 26/F, Cityplaza One, 1111 King's Road, Taikoo Shing, Hong Kong. Phone: 852.2332.3636. Fax: 852.2574.7803

EMEA Headquarters: Juniper Networks Ireland, Airside Business Park, Swords, County Dublin, Ireland. Phone: 35.31.8903.600. EMEA Sales: 00800.4586.4737. Fax: 35.31.8903.601

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

Copyright 2011 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

2000383-002-EN Sept 2011. Printed on recycled paper.