PCI DSS and the A10 Solution


White Paper: A10 Thunder Series
PCI DSS and the A10 Solution

For cloud service providers, A10's Thunder Series and AX Series appliances and SoftAX are the first step towards PCI compliance, allowing you to achieve a secure web infrastructure for your clients.

October 2013, WP_PCIDSS 10092013

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. Copyright 2013 A10 Networks, Inc. All rights reserved. A10 Networks, A10 Thunder, vthunder, ACOS, acloud, aflex, axapi, avcs, Virtual Chassis, SoftAX, and aflow are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries.

The Challenge of PCI Compliance

While the Payment Card Industry Data Security Standard (PCI DSS) pertains to the secure processing and storage of cardholder data, it can serve any cloud service provider (CSP) as a framework for constructing a safe cloud environment. Achieving the stamp of PCI compliance is an important signal to customers, since one of the biggest marketing challenges for CSPs is promising data security in the cloud. It also lets CSPs set concrete security measures internally, giving them a way to specify procedures for quality assurance engineers and IT staff. However, in dynamic environments where the CSP-client boundary can be fluid, CSPs can only begin to achieve PCI compliance at the application infrastructure level. Given these goals, the question for most CSPs is this: how do they uphold security while maintaining rapid delivery of services to their clients? With the A10 solution, you won't have to compromise one for the other.

Overview of PCI DSS

The Payment Card Industry Security Standards Council (the PCI Council) was formed in 2006 by the leading card brands (American Express, Discover, JCB International, MasterCard, and Visa), who established PCI DSS as a set of rules for the payment industry to prevent card fraud, hacking, and other security threats. [1] The standard applies to any company that stores, processes, or transmits cardholder data: the Primary Account Number (PAN), alone or together with the cardholder name, expiration date, or service code. It applies to all system components, including servers, network components, applications, and all virtualized parts (virtual machines [VMs], hypervisors, and so on). [2] Over time, the standard has also become a reference for IT professionals devising procedures for building safe application infrastructures and ensuring sound data security practices. PCI DSS consists of 12 requirements, grouped under six broader control objectives (Table 1).

In February 2013 the PCI Council published the PCI DSS Cloud Computing Guidelines information supplement, which adds considerations and tools for cloud services and offers ways to assess PCI compliance for specific cloud layers and components. The requirements in Table 1 are intended to provide a general framework for discussion; the supplement explains how CSPs can comply with them and gives CSPs further tools to assess their compliance. These tools include questions for defining requirements, which differ by role (CSP vs. client) at every cloud layer, outlined for each service model (SaaS, PaaS, or IaaS).

[1] Source: Information Supplement: PCI DSS Cloud Computing Guidelines, PCI Council, February 2013, p. 50.
[2] Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, PCI Council, October 2010, pp. 7-10.

Table 1: PCI DSS Requirements and Standards [3] (the table itself is not reproduced in this extraction)

Virtualization and the PCI Dilemma

Importantly, the 2013 PCI Cloud Computing Guidelines point out that different virtualization structures demand different security solutions. [4] There is no one-size-fits-all solution to PCI compliance for CSPs, because private, public, and hybrid clouds have different needs and demand customized approaches to security. Furthermore, full compliance is not possible without the full cooperation of both the CSP and the client, so CSPs must define which security controls fall within their own scope and which fall to the client. Scope varies, but as the guidelines explain, some common considerations hold for most CSPs. The guidelines illustrate the division of security controls between client and CSP at every cloud layer for each service model, and certain trends emerge for CSPs to consider (Figure 1). One is that under every service model the CSP is held accountable for full control of security from the physical data center level up to the hypervisor level. For IT this is the relatively straightforward part: it primarily involves selecting hardware with appropriate capacity, scalability, and data-loss prevention. The other is that CSPs offering SaaS and PaaS must assume almost complete control over security at the application-related cloud layers, since little is left to client control. The application component is where the more fluid parts of the CSP model appear, and this is what has made it difficult for IT to judge compliance in the past.

[3] Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, PCI Council, October 2010, p. 5.
[4] Source: Information Supplement: PCI DSS Cloud Computing Guidelines, PCI Council, February 2013, p. 6.

Either the CSP or the client has to select the right security measures for safe application delivery. That makes it all the more necessary for the provider, or its clients, to choose the right application delivery hardware, because the virtual network infrastructure, the solution stack, the applications, and their interfaces are the parts of a CSP model most exposed to security breaches. While PCI gives a general idea of what CSPs need to look for in selecting hardware and software solutions for virtualization, specific features are not described. [5] The guidelines suggest implementing firewalls, tenant isolation, and encryption, but for network architects this can mean a variety of options. One practical step is to select an application delivery controller (ADC) that covers a sizeable share of the PCI requirements.

Figure 1: Breakdown of security responsibilities by service model and cloud layer (figure not reproduced in this extraction)

The A10 Solution

What do you specifically need to create a PCI-compliant application infrastructure for cloud services with ADCs? You need a solution that can offer:

- Multi-tenancy
- Web Application Firewall (WAF)
- SSL/TLS and STARTTLS encryption
- DDoS protection
- Flexible scripting technology
- API management capability
- Admin and network separation
- Ability to work with third-party hypervisors

A10 Networks carries several hardware and software solutions that can help ensure PCI compliance for your network infrastructure. Our Thunder Series and AX Series appliances, as well as SoftAX, are equipped with features that help with tenant isolation and thwart network attacks, delivering advanced solutions beyond basic load balancing.

[5] Source for Figure 1: same (PCI DSS Cloud Computing Guidelines), p. 8.

Thunder Series & AX Series ADCs

Our award-winning Advanced Core Operating System (ACOS), featured in our Thunder and AX Series appliances, functions as an ADC virtualization platform, allowing easy deployment of Application Delivery Partitions (ADPs) that act as virtual components with full ADC capability. ADPs support PCI compliance by:

- Enforcing strict network and administration separation through Layer 3 virtualization (L3V) support, via private partitions (PCI requirements 7, 8)
- Providing role-based access control (RBAC) (PCI requirements 7, 8, 9)

Additionally, all of these solutions are equipped with:

- DDoS protection (PCI requirements 1, 5, 6)
- SSL and TLS encryption, and STARTTLS for email encryption (PCI requirements 3, 4)
- A WAF, for protection against SQL injection, CSRF, XSS, and other threats (PCI requirements 1, 2, 5, 6). Requirement 6.6 accepts an automated technical solution such as a WAF in front of public-facing web applications as an alternative to periodic application code review.
- Application Access Management (AAM) for robust, flexible authentication and authorization of end-user traffic (PCI requirements 7, 8, 9)

A10 ADCs are equipped with axapi to allow custom management of traffic reporting and integration with third-party applications. axapi is a REST-style XML API for custom management and for integration with third-party hypervisors. A10 ADCs also provide aflex, a feature for deep packet inspection and Layer 4-7 scripting, which allows easy integration of applications with the A10 load-balancing solution.

SoftAX Virtual ADC

You can use our SoftAX virtual ADC to deploy multiple virtual machines that run on a single hardware platform, offering complete device and service isolation under a third-party hypervisor. SoftAX is compatible with a variety of third-party hypervisors, including VMware ESXi, Microsoft Hyper-V, KVM, and Citrix XenServer. SoftAX instances are strongly isolated and operate independently of one another, which keeps one client's data out of another's reach.
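The WAF capability listed above is easy to name and harder to get right, so here is an added illustration of the kind of inspection such a WAF performs on HTTP parameters before they reach a cardholder-data application. This is example code written for this page; it is not A10's WAF or aflex logic, and the rule set and sample requests are constructed for the demonstration. The point it makes is that signatures have to run on decoded, normalised input: the same payload, double-percent-encoded or HTML-entity-encoded, walks past the identical rules when normalisation is skipped.

```python
"""WAF-style HTTP parameter inspection (added example, not A10 code).

Shows the minimum a request-inspection rule set in front of a
cardholder-data application has to do: decode what the attacker may have
stacked (percent-encoding, HTML entities), collapse whitespace, then match
SQL injection / XSS signatures on the normalised value. The rules and
sample requests are constructed for this example.
"""
import html
import re
from urllib.parse import parse_qsl, urlsplit, unquote

# (rule id, pattern). Patterns are applied to the *normalised* value.
RULES = [
    ("SQLI-1", re.compile(r"(?i)\bunion\b.{0,40}\bselect\b")),
    ("SQLI-2", re.compile(r"(?i)'\s*or\s*'?\d*'?\s*=\s*'?\d*")),  # ' OR '1'='1
    ("SQLI-3", re.compile(r"(?i);\s*(drop|delete|insert|update)\b")),
    ("XSS-1", re.compile(r"(?i)<\s*script\b")),
    ("XSS-2", re.compile(r"(?i)\bon(error|load|click|mouseover|focus)\s*=")),
    ("XSS-3", re.compile(r"(?i)javascript\s*:")),
]


def normalise(value: str, max_rounds: int = 3) -> str:
    """Undo stacked encodings before matching.

    parse_qsl has already percent-decoded once; an attacker who encoded
    twice (%2527 -> %27 -> ') still has one layer left, so decode until
    the value stops changing (bounded, so a hostile value cannot loop).
    Then decode HTML entities (&#105; -> i) and collapse whitespace.
    """
    out, prev, rounds = value, None, 0
    while out != prev and rounds < max_rounds:
        prev, out, rounds = out, unquote(out), rounds + 1
    out = html.unescape(out)
    return re.sub(r"\s+", " ", out)


def inspect_request(method: str, target: str, body: str = "",
                    normalise_input: bool = True) -> list[tuple[str, str]]:
    """Return (parameter, rule id) findings for one request; [] means pass.

    Query-string and form-body parameters are both inspected. Setting
    normalise_input=False matches the raw (once-decoded) values and exists
    only to show what the signatures miss without normalisation.
    """
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, raw in params:
        value = normalise(raw) if normalise_input else raw
        for rule_id, pattern in RULES:
            if pattern.search(value):
                findings.append((name, rule_id))
                break  # one hit per parameter is enough to block
    return findings


# Constructed sample requests: a benign one, a plain SQLi probe, a
# double-percent-encoded UNION SELECT, and an entity-encoded <script> in a
# form body.
SAMPLES = {
    "benign": ("GET", "/cart?item=42&qty=1", ""),
    "sqli_plain": ("GET", "/search?q=%27%20OR%20%271%27%3D%271", ""),
    "sqli_double_encoded": ("GET",
        "/search?q=%2527%2520UNION%2520SELECT%2520card_no%2520FROM%2520cards", ""),
    "xss_entity_encoded": ("POST", "/review",
        "comment=%3Cscr%26%23105%3Bpt%3Ealert(1)%3C%2Fscript%3E"),
}


if __name__ == "__main__":
    for label, (method, target, body) in SAMPLES.items():
        with_norm = inspect_request(method, target, body)
        without = inspect_request(method, target, body, normalise_input=False)
        print(f"{label:22s} normalised={with_norm}  raw={without}")
```

Running the script prints, for each constructed request, what the rules find with and without normalisation: the plain probe is caught either way, while the double-encoded and entity-encoded variants are caught only on the normalised value. A production WAF also has to bound the work done per request (the decoding loop is capped for that reason) and is only as good as the rules it is tuned with for the applications behind it.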
That instance isolation maps to PCI DSS requirements 1 and 2. Support for the WAF, encryption, and DDoS protection features on SoftAX matches the support for them on the Thunder and AX Series hardware appliances (PCI requirements 1 through 6), so you can take advantage of the same security features purely at the software level.

Conclusion

A10 Thunder and AX Series hardware appliances and SoftAX virtual appliances help CSPs and their clients address PCI DSS requirements 1 through 9 through controls applied at the load-balancing layer. Integrating A10 appliances into your network infrastructure can therefore cover many of your security needs. For the remaining requirements (10 through 12), it is incumbent on the CSP to provide operational oversight and establish procedures for safe cloud building; A10 provides 24/7 technical assistance by phone for your A10 devices as part of our Gold Level Support. In short, building a PCI-compliant cloud has never been simpler than with A10: we deliver security without compromising performance.