White Paper

A10 Thunder Series
PCI DSS and the A10 Solution

For cloud service providers, A10's Thunder Series and AX Series appliances and SoftAX are the first step towards PCI compliance, allowing you to achieve a secure web infrastructure for your clients.

October 2013
WP_PCIDSS 10092013
Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions.

Copyright 2013 A10 Networks, Inc. All rights reserved. A10 Networks, A10 Thunder, vThunder, ACOS, aCloud, aFleX, aXAPI, aVCS, Virtual Chassis, SoftAX, and aFlow are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries.
The Challenge of PCI Compliance

While the Payment Card Industry Data Security Standards (PCI DSS) pertain to secure processing and storage of cardholder data, these standards can apply to any cloud service provider (CSP) as a framework for constructing a safe cloud environment. Achieving the stamp of PCI compliance is an important advertisement to customers, as one of the biggest marketing challenges for CSPs is promising data security in the cloud. It also allows CSPs to set concrete security measures internally, giving them a way to specify procedures for quality assurance engineers and IT staff. However, in such dynamic environments, where CSP-client boundaries can be fluid, CSPs can only achieve PCI compliance starting at the application infrastructure level.

Given these goals, the question for most CSPs is this: how do they uphold security while maintaining rapid delivery of services to their clients? With the A10 solution, you won't have to compromise one for the other.

Overview of PCI DSS

The Payment Card Industry (PCI) Council was formed in 2006 by leading credit card companies (American Express, Discover, JCB International, MasterCard, and Visa), who established PCI DSS as a set of rules for payment industries to prevent credit card fraud, hacking, and other security threats.[1] These standards apply to any company that stores, processes, or transmits Primary Account Numbers (PANs), cardholder data, expiration codes, or service codes. They apply to all system components, such as servers, network components, applications, and all virtualized parts (virtual machines [VMs], hypervisors, and so on).[2] Over time, these standards have also become a reference guide for IT professionals to devise procedures for building safe application infrastructures and ensuring sound data security practices. PCI DSS consists of 12 standards, grouped into sets under general security requirements.
In the 2013 revisions, PCI DSS was updated to include considerations and tools for cloud services, offering ways to measure PCI compliance for specific cloud layers and components. These standards (displayed in the table below) are intended to provide a general framework for discussion. Supplemental information on how CSPs can comply with these standards is provided in the PCI DSS Cloud Computing Guidelines. CSPs can refer to the supplemental guidelines for further tools to assess their PCI compliance. These tools include questions for defining requirements, which differ based on role (CSPs vs. their clients) at every cloud layer, outlined for various service models (SaaS, PaaS, or IaaS).

[1] Source: Information Supplement: PCI DSS Cloud Computing Guidelines, PCI Council, February 2013. Pg. 50
[2] Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, PCI Council, October 2010. Pg. 7-10
Table 1: PCI DSS Requirements and Standards.[3]

Virtualization and the PCI Dilemma

Importantly, the 2013 PCI Guidelines point out that different virtualization structures will demand different security solutions.[4] There is no one-size-fits-all solution to PCI compliance for CSPs, because the differing needs of private, public, and hybrid clouds demand customized approaches to security. Furthermore, full compliance is not possible without full cooperation of both the CSP and the client. This makes it necessary for CSPs to define the scope of security controls for the CSP vs. their client. Scope can vary, but as PCI DSS explains, there are some common considerations that hold for most CSPs.

PCI DSS provides an explanation illustrating security controls for clients and CSPs at every cloud layer for different service models. As illustrated in the diagram below, certain trends emerge for CSPs to consider. One trend is that for all service models, it is a given that CSPs will be held accountable for full control of security starting from the physical data center level to the hypervisor level. For IT, this is a relatively straightforward component. It primarily involves selecting hardware with appropriate capacity, scalability, and data-loss prevention. The other trend is that SaaS and PaaS models will have to assume almost 100 percent control over security at the application-related cloud layers, as little is left up to client control. The application component is where we see the more fluid parts of the CSP model, which have made it difficult for IT to judge compliance in the past.

[3] Source: PCI DSS Requirements and Security Assessment Procedures, Version 2.0, PCI Council, October 2010. Pg. 5
[4] Source: Information Supplement: PCI DSS Cloud Computing Guidelines, PCI Council, February 2013. Pg. 6
Either CSPs or clients will have to select the right security measures for safe application delivery. This makes it all the more necessary for these services, or their clients, to choose the best application delivery hardware, as elements of the virtual network infrastructure, solution stack, applications, and interfaces are the parts of a CSP model most vulnerable to security breaches. While PCI gives a general idea of what CSPs need to look for in selecting hardware/software solutions for virtualization, specific features are not described.[5] PCI standards suggest implementing firewalls, tenant isolation, and encryption, but for network architects, this can mean a variety of options. An easy solution is to select the right application delivery controller (ADC), which covers a sizeable component of PCI compliance.

The A10 Solution

What do you specifically need to create a PCI-compliant application infrastructure for cloud services with ADCs? You need a solution that can offer:

- Multi-tenancy
- Web Application Firewall (WAF)
- SSL/TLS and STARTTLS encryption
- DDoS protection
- Flexible scripting technology
- API management capability
- Admin and network separation
- Ability to work with third-party hypervisors

Figure 1: Breakdown of security responsibilities by service model and cloud layer.

A10 Networks carries several hardware and software solutions that can help ensure PCI compliance for your network infrastructure. Our Thunder Series and AX Series appliances, as well as SoftAX, are equipped with features that can help with tenant isolation and thwart network attacks, delivering advanced solutions beyond basic load balancing.

[5] Source for table: Same. Pg. 8
Thunder Series & AX Series ADCs

Our award-winning Advanced Core Operating System (ACOS), featured in our Thunder and AX Series appliances, essentially functions as an ADC virtual system, allowing easy deployment of Application Delivery Partitions (ADPs) to function as virtual components with ADC capability. ADPs meet PCI compliance by:

- Enforcing strict network and administration separation through Layer 3 virtualization (L3V) support (via private partitions) (PCI Standards 7, 8)
- Providing role-based access (RBA) control (PCI Standards 7, 8, 9)

Additionally, all these solutions are equipped with:

- DDoS protection (PCI Standards 1, 5, 6)
- SSL and TLS encryption features, and STARTTLS for email encryption (PCI Standards 3, 4)
- WAF, for protection against SQL injection attacks, CSRF and XSS breaches, and other threats (PCI Standards 1, 2, 5, 6)
- Application Access Management (AAM) for robust, flexible authentication and authorization of end-user traffic (PCI Standards 7, 8, 9)

A10 ADCs are equipped with aXAPI to allow custom management of traffic reporting and integration with third-party applications. aXAPI uses a REST-style XML API for custom management and integration of third-party hypervisors. A10 ADCs also provide aFleX, a feature for deep packet inspection and Layer 4-7 scripting, which allows easy integration of applications with the A10 load-balancing solution.

SoftAX Virtual ADC

You can use our SoftAX virtual ADC to deploy multiple virtual machines that run on a single hardware platform, offering complete device and service isolation with a third-party hypervisor. Our SoftAX ADC is compatible with a variety of third-party hypervisors, including VMware ESXi, Microsoft Hyper-V, KVM, and Citrix XenServer. SoftAX instances are strongly isolated and operate independently of one another. This isolation ensures maximum safety for client data. (PCI Standards 1, 2)

Security feature support for WAF, encryption, and DDoS protection on SoftAX is similar to support for these features on Thunder and AX Series hardware-based appliances. (PCI Standards 1-6) Hence, you can take advantage of our multiple security features simply at the software level.

Conclusion

A10 Thunder & AX Series hardware appliances and SoftAX virtual appliances enable CSPs and their clients to be compliant with PCI standards 1-9, simply through their support at the load-balancing level. Hence, integrating A10 appliances within your network infrastructure can help with many of your security needs. For the remaining PCI standards (10-12), it is incumbent on the CSP to provide operational oversight and establish procedures for safe cloud building. However, A10 provides 24/7 technical assistance by phone for your A10 devices as part of our Gold Level Support. In short, building a PCI-compliant cloud has never been simpler than with A10: we deliver security without compromising performance.