Enabling Continuous PCI DSS Compliance. Achieving Consistent PCI Requirement 1 Adherence Using RedSeal


SOLUTION BRIEF
Enabling Continuous PCI DSS Compliance: Achieving Consistent PCI Requirement 1 Adherence Using RedSeal
November 2011, White Paper
RedSeal Networks, Inc., 3965 Freedom Circle, Suite 800, Santa Clara, 95054. Tel (408) 641-2200, Toll Free (888) 845-8169, www.redsealnetworks.com

Contents
Executive Summary ... 3
Fighting to Maintain Control: Chasing PCI DSS Requirement 1 ... 3
Off the Grid: Why Today's PCI Requirement 1 Initiatives Fall Short ... 4
Evolving Requirements: Implementing Continuous PCI Validation ... 5
The Solution: RedSeal Proactive Security Intelligence ... 7
Conclusions ... 8

Executive Summary

This solution brief examines the numerous benefits and challenges facing today's organizations in achieving continuous compliance with the network security requirements of the PCI DSS standard, specifically PCI Requirement 1's directive to implement, track and validate the necessary firewall configurations. In addition to outlining common obstacles many practitioners face in maturing PCI initiatives into more proactive and efficient practices, those that better support ongoing policy adherence and the resulting improvement of network security, this paper highlights the specific manner in which RedSeal's proactive security intelligence solutions facilitate that advancement using automation. By maintaining constant visibility into changing conditions and the overall effectiveness of today's IT security infrastructure, and by automatically identifying changes in network security over time, RedSeal gives enterprises the actionable metrics they need to ensure that PCI compliance initiatives not only satisfy auditors' expectations but also reduce real-world risks.

Fighting to Maintain Control: Chasing PCI DSS Requirement 1

Since the Payment Card Industry (PCI) first issued the Data Security Standards in 2004, the practice of achieving, maintaining and validating ongoing compliance with the guidelines has, for many enterprises, evolved into a 24/7 responsibility. Despite the seemingly straightforward nature of PCI Requirement 1, which dictates that organizations implement and sustain basic firewall protection of cardholder data and properly document the modifications made to those systems over time, IT security professionals tasked with implementing the process almost uniformly cite the overwhelming difficulty of their efforts.

In today's environment of constantly changing network infrastructure, driven by powerful catalysts including emerging business models and targeted threats, the challenge of maintaining consistent firewall configurations, and of tracking their evolution, has developed into a complicated and time-consuming effort, especially wherever manual processes are employed.

As noted in the Verizon Business 2011 PCI Compliance Report, based on the company's experience in performing hundreds of PCI compliance assessments for its clients, roughly 50 percent of all organizations that are expected to adhere to Requirement 1 still fall short, primarily because of their inability to account for network change. Further, Verizon also found that even in many cases where security infrastructure has been successfully kept within PCI specifications, a number of organizations still run a strong risk of failing audits because they cannot keep the required firewall management documentation up to date.

To advance today's PCI DSS Requirement 1 initiatives beyond fragmented, reactive efforts that fail to meet auditors' expectations and protect against real-world risks, organizations need new processes and solutions that leverage automated assessment and trending of security infrastructure performance to confirm compliance and communicate the related intelligence.

Figure: RedSeal provides continuous monitoring of network security controls, ensuring that network access is compliant with policy. This screen shot demonstrates the state of compliance between the various zones required by PCI DSS.

Off the Grid: Why Today's PCI Requirement 1 Initiatives Fall Short

According to the 2010 Enterprise Management Associates report Trends and Issues Surrounding Network and Security Monitoring, roughly 81 percent of enterprise professionals feel they still lack sufficient visibility into their networks, despite having made numerous investments in solving that issue over the years. Further, the EMA report, based on a survey of network and security professionals, found that another 80 percent of respondents blame the absence of solutions that offer sufficient visibility into the effectiveness of security infrastructure as the biggest contributor to this issue.

With no evidence to suggest that the rate of change within enterprise security infrastructure will slow any time soon, and plenty of proof to the contrary, including weighty drivers such as virtualization, mobility and cloud computing, it is clear that traditional assessment methods cannot meet the needs of today's practitioners around PCI DSS Requirement 1. As best evidenced by the sheer volume of data breaches experienced by organizations previously certified as PCI DSS compliant, time-honored methods of security infrastructure assessment have failed for reasons including:

- Reliance on methodologies that are too narrow in focus and cannot determine how access is controlled across all PCI-relevant areas of the network.
- Too infrequent auditing of network security policy implementation, which fails to illustrate or measure how ongoing change is being addressed in relation to PCI requirements.
- The inability to demonstrate that all changes to critical data access have been approved, in compliance with mandated PCI change control processes.

The fact that so many enterprise security teams have not fully addressed PCI Requirement 1, and that almost 50 percent of those organizations that do achieve adherence often still fail audits, illustrates the demand for new practices that provide the desperately needed visibility into network security. As Gartner notes in Tools for Network-aware Firewall Policy Assessment, available solutions that automate network security analysis and offer new levels of visibility into access, including the specific documentation of PCI compliance, should offer hope to organizations still struggling with common issues of security infrastructure configuration management.

Evolving Requirements: Implementing Continuous PCI Validation

To address the pervasive issue of infrastructure change and ensure that existing network defenses always implement required policies correctly, organizations must respond by creating the ability to validate their real-world security standing on a near-constant basis. In addition to enabling organizations to improve protection and better leverage their PCI compliance investments to inform security management decisions with knowledge of available access, a growing body of evidence suggests that carrying out more frequent self-assessment actually drives down operational spending. According to the 2011 Cost of Compliance report published by the Ponemon Institute, organizations that conduct the most internal compliance audits each year also have the lowest per capita compliance cost, while the highest compliance costs were found among organizations that do not conduct any assessments at all.

Confronted with this evidence and the recognition that PCI DSS compliance is a challenge that will likely never go away, many organizations are seeking better methods of meeting Requirement 1 directives that also facilitate improvement of overall network security performance, including:

- Solutions that deliver continuous visibility into the current implementation of network security controls and provide network-wide validation of the underlying processes.
- Processes that lower the amount of time and investment necessary to demonstrate ongoing compliance, and to document the effectiveness of those processes to external auditors.
- Systems that generate meaningful, data-backed conclusions about program efficiency and the ROI of the solutions involved, to help drive future budgets and planning.

According to Gartner's June 2011 report Tools for Network-aware Firewall Policy Assessment and Operational Support, solutions that automate security rules management offer important productivity benefits by continuously confirming necessary enforcement and trending security infrastructure effectiveness. By providing constant visibility into their success in adapting network defenses to changing conditions, and by generating quantitative metrics that prove their ability to maintain PCI compliance on an ongoing basis, enterprises are moving quickly to adopt strategies and solutions that evolve today's insufficient processes into more advanced security monitoring.

Figure: RedSeal provides an interactive network security visualization that displays network access across the enterprise. This example shows which networks have access to cardholder systems, providing continuous visibility into the effectiveness of security controls at protecting cardholder systems.

The Solution: RedSeal Proactive Security Intelligence

RedSeal's proactive security intelligence solutions are the only products on the market today that allow organizations to automate continuous compliance with PCI DSS Requirement 1 and provide them with the visibility necessary to understand whenever policy violations occur. With RedSeal, organizations can evolve PCI DSS compliance from a time-consuming battery of manual firewall reviews into a process of continuous monitoring, one that informs management and operations when changes to infrastructure result in policy issues that represent risks.

By allowing IT security management to define complex policies and analyze the infrastructure's overall adherence on an ongoing, network-wide basis, RedSeal provides the in-depth visibility into current protection needed to:

- Confirm that controls are in place and functioning to enforce zone relationships within the specific parameters that are required.
- Supply auditors with detailed proof that demonstrates how policy compliance is being maintained and validated continuously.
- Document the justification for changes to access and the details of any policy exceptions, including who requested the modifications, when they were granted, and why.

To ensure proper implementation of PCI DSS policies, communicate more effectively with auditors, avoid failed assessments and translate requirements into larger improvements in network security, RedSeal delivers the automation necessary to evolve compliance into real-world success. Using RedSeal, enterprises can collect and analyze key metrics that highlight the overall performance of compliance processes and solutions, prove ongoing diligence to external compliance auditors, and drive more efficient allocation of valuable staff and resources over time.

Figure: RedSeal provides the necessary documentation for demonstrating compliance to auditors. This screen shot is of the PCI report that comes standard with RedSeal, showing the status of compliance for each requirement.
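The three capabilities above (enforcing zone relationships, proving it continuously, and documenting who changed access and why) reduce to checks a team can run on every firewall collection. The following is an added illustration, not RedSeal code; the three-zone layout (INTERNET, DMZ, CDE, CORP), the rule set, the change log and the snapshot comparison are all constructed sample data.

```python
"""Added example (not RedSeal's product code): a minimal continuous check of
PCI Requirement 1 zone-to-zone access against a firewall rule set, a check
that every permitted cross-zone flow carries a documented change record, and
a drift comparison between two collections. All data below is constructed."""
from dataclasses import dataclass

# Assumed zone policy: traffic may only cross these (source, destination) pairs.
# INTERNET reaches the CDE only through the DMZ; no direct INTERNET -> CDE path.
ALLOWED_ZONE_PAIRS = {
    ("INTERNET", "DMZ"), ("DMZ", "CDE"), ("CDE", "DMZ"), ("CORP", "DMZ"),
}

@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    dst_port: int
    action: str          # "permit" or "deny"
    change_ticket: str   # empty when no documented justification exists

# Constructed change log: ticket -> (requester, approval date, justification)
CHANGE_LOG = {"CHG-1001": ("netops", "2011-10-03", "web tier to payment DB")}

SAMPLE_RULES = [
    Rule("fw1-r10", "INTERNET", "DMZ", 443, "permit", "CHG-1001"),
    Rule("fw1-r11", "DMZ", "CDE", 1433, "permit", "CHG-1001"),
    Rule("fw1-r12", "INTERNET", "CDE", 3389, "permit", ""),  # bypasses the DMZ
    Rule("fw1-r13", "CORP", "DMZ", 22, "permit", ""),        # allowed, undocumented
    Rule("fw1-r99", "INTERNET", "CDE", 0, "deny", ""),
]

def zone_violations(rules):
    """Permit rules whose zone pair is outside the approved zone policy."""
    return [r.rule_id for r in rules
            if r.action == "permit"
            and (r.src_zone, r.dst_zone) not in ALLOWED_ZONE_PAIRS]

def undocumented_changes(rules, change_log):
    """Permit rules with no ticket, or a ticket absent from the change log."""
    return [r.rule_id for r in rules
            if r.action == "permit" and r.change_ticket not in change_log]

def rule_drift(previous, current):
    """Rule ids added or removed between two collections of the same device."""
    before = {r.rule_id for r in previous}
    after = {r.rule_id for r in current}
    return {"added": sorted(after - before), "removed": sorted(before - after)}

def compliance_report(rules, change_log):
    """Summary an assessor can read: zone breaks and missing who/when/why."""
    violations = zone_violations(rules)
    undocumented = undocumented_changes(rules, change_log)
    return {"zone_violations": violations, "undocumented": undocumented,
            "compliant": not violations and not undocumented}

if __name__ == "__main__":
    print(compliance_report(SAMPLE_RULES, CHANGE_LOG))
    print(rule_drift(SAMPLE_RULES[:2], SAMPLE_RULES))
```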

Conclusions

With the growing recognition that, despite years of ongoing investment in PCI compliance initiatives, many organizations still lack the visibility necessary to ensure policy enforcement as dictated by Requirement 1, or to communicate the information needed to demonstrate their ability to do so, enterprise security management is actively seeking new methods to tackle these long-standing conundrums. According to the 2011 Gartner survey Challenged U.S. Firms Seek Alternative PCI-Compliance Solutions, improving the effective enforcement of network segmentation as dictated by PCI DSS Requirement 1 stands as the top technical priority today among companies working to comply with the standard, yet no single model for better addressing the challenge has emerged.

RedSeal's proactive security intelligence solutions are the only products on the market that ensure continuous implementation of the PCI DSS Requirement 1 network security requirements, more effective communication of risk to auditors, and the ability to successfully translate the involved compliance requirements into larger improvements in overall security standing.

About RedSeal

RedSeal Networks develops proactive security intelligence software that enterprise organizations depend on to visualize the effectiveness of security infrastructure, maintain continuous policy compliance and protect their most critical business assets and data. Unlike systems that measure the impact of attacks after they transpire or address individual elements of network protection, RedSeal analyzes the cumulative ability of defenses to control access and mitigate vulnerability exposure across the entire enterprise, providing the critical metrics necessary to trend performance and isolate gaps before they can be discovered by attackers.

For more information on RedSeal products please visit the company's web site at www.redsealnetworks.com or contact RedSeal representatives directly at (888) 845-8169.


Copyright 2011 RedSeal Networks, Inc. All rights reserved. RedSeal and the RedSeal logo are trademarks of RedSeal Networks, Inc.