Virtualization Impact on Compliance and Audit


2009 Reflex Systems, LLC. Presented by Michael Wronski, CISSP, VP Product Management, Reflex Systems.

Agenda
- Introduction
- Virtualization? Cloud?
- Risks and challenges
- Compliance: PCI and virtualization
- Call to action
- Q&A

What is Virtualization?
(Diagram, not reproduced: one physical virtualization server whose virtualization layer hosts application server, e-mail, Oracle, print, file and web workloads, each as its own stack of application, operating system and hardware configuration.)

Virtualization technology: hypervisor software emulates physical IT infrastructure inside a physical server:
- Virtual servers
- Virtual networks
Virtualization benefits:
- Server consolidation: one box instead of many
- Homogeneous guest hardware configuration
- Better resource utilization and efficiency
- Green: less power, cooling and space
- Easier deployment and manageability
- Better service quality, expense control and ROI

Virtualization Market Maturity
Survey questions (response charts not reproduced):
- How many physical servers in your data center run virtualization software?
- In 2009, on how many additional servers will you deploy virtualization software?
- What percentage of your virtual machines is used for production applications in a production environment?
Participants: 598 total responses.
Source: Virtualization Decisions 2009 Survey by TechTarget, http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1369659,00.html

Virtualization Production Maturity
Which applications run within virtual machines? (598 respondents, multiple answers allowed)

Application                                               Count   Percent
Application server                                        439     73.41%
Web server                                                403     67.39%
Network infrastructure services (DNS, DHCP, firewalls,
  Active Directory, etc.)                                 334     55.85%
Databases for development                                 307     51.34%
Production databases                                      277     46.32%
Email                                                     245     40.97%
End user home directories/file and print                  243     40.64%
Business intelligence                                     144     24.08%
Customer relationship management (CRM)/sales automation   136     22.74%
End user desktops                                         133     22.24%
Enterprise resource planning (ERP)                         95     15.89%
None                                                        4      0.67%

A second chart on this slide, "Over the next year, how will your use of virtual machines in production change?", is not reproduced.
Source: Virtualization Decisions 2009 Survey by TechTarget, http://searchservervirtualization.techtarget.com/generic/0,295582,sid94_gci1369659,00.html

What is the Cloud?
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (Source: NIST draft definition.)
Cloud is NOT virtualization.

Cloud Service Models

Service model                          Definition
Infrastructure as a Service (IaaS)     Capability to provision processing, storage, networks and other fundamental computing resources, offering the customer the ability to deploy and run arbitrary software, which can include operating systems and applications. IaaS puts these IT operations into the hands of a third party; the end user has no control over the underlying infrastructure.
Platform as a Service (PaaS)           Capability to deploy onto the cloud infrastructure customer-created or acquired applications created using programming languages and tools supported by the provider.
Software as a Service (SaaS)           Capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail).

Considerations for all three models:
- Availability
- Confidentiality
- Privacy and legal liability in the event of a security breach (databases housing sensitive information will now be hosted offsite)
- Data/application ownership
- Geographic location
Source: http://www.isaca.org/cloud, http://csrc.nist.gov/groups/sns/cloud-computing/

Virtualization Security Risks
The goal of security is to ensure the confidentiality, integrity and availability of information. Virtualization security issues include:
- Introduction of a new software layer (the hypervisor and its management tools)
- Lack of policy enforcement
- Data theft and interception
- Unauthorized access
- Threat detection and mitigation

Compliance Challenges
Each of the following feeds the compliance goals:
- Visibility and transparency
- Change management
- Network visibility
- Network segmentation
- Separation of duty

Visibility and Transparency
Visibility:
- The basis for all management and security activity
- Virtualization can create voids in information
Transparency:
- The basis of compliance, audit and stakeholder confidence
- Enables the cloud

Change Management
Primary problem: change is EASY. What it affects:
- Documentation: infrastructure topology, audit run book
- Automation: security authorization and audit
- Compliance evidence

Network Visibility
- Virtualization creates blind spots: virtual networks
- Existing tools may not be sufficient
- Regulatory requirements: PCI DSS, pending HIPAA changes
- Reconfiguration is trivial

Segmentation
Same traditional reasons:
- Classification / data sensitivity
- Regulation
What's different?
- Commodity computing on shared resources
- Damage is a multiple of the consolidation ratio
- It is easy to combine data of different sensitivities on one host

Separation of Duty
Domain separation: infrastructure, networking, storage, audit and security, with distinct roles for the virtual administrator, the system administrator and security.
Why? Checks and balances, compliance, security.
How? Applications with RBAC and domain-specific views.

Compliance Drivers
- Internal policy
- Regulatory policy: PCI, SOX, HIPAA
Reflex Systems addresses: change management, audit evidence and reporting, network controls, infrastructure policy and control.

Overview of the PCI DSS
- Payment Card Industry Data Security Standard (PCI DSS): a multifaceted security standard intended to help organizations that store, manage or process payment card information proactively protect customer account data.
- Developed by the PCI Security Standards Council, founded by AMEX, Discover, JCB, MasterCard and Visa: a global forum for the development, enhancement, storage, dissemination and implementation of security standards for cardholder account data protection.
- The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.
** Reflex is not a certified PCI QSA. This information is based on our industry experience and opinion.

PCI DSS Requirements
Twelve high-level compliance requirements:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
PCI DSS v1.2 was released in October 2008 and contains more than 220 specific requirements. For more information: www.pcisecuritystandards.org

Virtualization's Impact on PCI
- PCI DSS does not specifically address virtualization
- Organizations that deploy virtualization technology within their PCI environment face unique challenges
- Traditional security processes and tools are not adequate for protecting and monitoring virtualized environments: they focus on the higher layers of the network and have no visibility inside the virtual environment
- Some organizations have misinterpreted PCI DSS to mean that virtualization is incompatible with PCI DSS compliance
- There are challenges, but with the right approach PCI compliance is in reach

Network Segmentation and Monitoring
Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Sub-requirements 1.1, 1.2, 1.3, 1.4.
Issue: can virtual firewalls be deployed to meet these requirements and provide appropriate segregation?
- Separate virtual switches on the same host do not exchange packets with each other; within the host, the only path between them is a VM that has a virtual NIC on each switch (traffic can of course also leave one switch through its physical uplink and re-enter the other)
- A virtual firewall is exactly such a multi-homed VM, and may be configured to allow data exchange between the switches
- Proper configuration is critical: any other multi-homed VM, or a permissive firewall rule, creates unauthorized traffic between virtual switches
- Policy enforcement must be based on defined security policies

Network Segmentation and Monitoring (continued)
Requirement 2.2: Develop configuration standards for all system components. Sub-requirements 2.2.1, 2.2.2, 2.2.3, 2.2.4.
2.2.1: Implement only one primary function per server.
- Mistaken belief that 2.2.1 prohibits all virtualization
- What is the intent of the requirement? The real risk is unauthorized access to CHD through a compromise of guest-to-host or guest-to-guest segmentation
- The intent can still be achieved through appropriate segmentation plus policy monitoring and enforcement
- Determined on a case-by-case basis by PCI QSAs
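The two segmentation slides above describe a property a QSA can actually test: on one host, two virtual switches only talk through a VM that has a NIC on both, so the set of firewall-free paths out of the cardholder data environment is a graph question. The following script is an added example written for this page (not Reflex's product, not VMware's API); the inventory, host, switch and VM names, and the zone labels are all constructed. It builds the switch graph per host from multi-homed, non-firewall VMs, searches outward from every CDE switch, reports each non-CDE switch it can reach together with the VMs that form the path (Requirement 1), and flags any VM on a CDE switch that carries more than one primary function (Requirement 2.2.1). It goes beyond the single-hop case in the slides: a chain of two "harmless" multi-homed VMs through a management switch is found just as readily.

```python
"""Segmentation check for virtual switches in a PCI cardholder data environment (CDE).

Model (constructed for this example): every virtual switch carries the zone it was
assigned on the network diagram; a VM is in scope if any of its NICs sits on a CDE
switch. Two switches on one host only exchange packets through a VM that has a NIC
on both. A designated virtual firewall is the one approved bridge; every other
multi-homed VM is an uncontrolled path out of the CDE (Req. 1). A VM on a CDE
switch with more than one primary function violates Req. 2.2.1.
"""
from collections import defaultdict, deque

CDE = "cde"

# Constructed inventory; host, switch and VM names are hypothetical.
SWITCH_ZONES = {
    ("esx01", "vSwitch0"): "corp", ("esx01", "vSwitch1"): CDE,
    ("esx02", "vSwitch0"): "corp", ("esx02", "vSwitchM"): "mgmt", ("esx02", "vSwitch1"): CDE,
}
VMS = [
    {"name": "pay-web01", "host": "esx01", "nics": ["vSwitch1"], "functions": ["web"]},
    {"name": "pay-db01", "host": "esx01", "nics": ["vSwitch1"], "functions": ["db"]},
    {"name": "vfw01", "host": "esx01", "nics": ["vSwitch0", "vSwitch1"], "functions": ["firewall"], "firewall": True},
    {"name": "intranet01", "host": "esx01", "nics": ["vSwitch0"], "functions": ["web"]},
    {"name": "pay-app01", "host": "esx02", "nics": ["vSwitch1"], "functions": ["app", "db"]},
    {"name": "backup01", "host": "esx02", "nics": ["vSwitchM", "vSwitch1"], "functions": ["backup"]},
    {"name": "monitor01", "host": "esx02", "nics": ["vSwitch0", "vSwitchM"], "functions": ["monitoring"]},
]


def uncontrolled_bridges(vms):
    """Adjacency between switches on one host created by multi-homed VMs that are not firewalls."""
    adj = defaultdict(list)
    for vm in vms:
        if vm.get("firewall") or len(vm["nics"]) < 2:
            continue
        for a in vm["nics"]:
            for b in vm["nics"]:
                if a != b:
                    adj[(vm["host"], a)].append(((vm["host"], b), vm["name"]))
    return adj


def check_segmentation(vms, switch_zones):
    """Return sorted (kind, subject, detail) findings for the given inventory."""
    findings = []
    adj = uncontrolled_bridges(vms)
    cde_switches = {sw for sw, zone in switch_zones.items() if zone == CDE}

    # Req. 1: breadth-first search from each CDE switch over uncontrolled bridges.
    # Every non-CDE switch that is reached has a firewall-free path into the CDE.
    for start in sorted(cde_switches):
        seen = {start}
        queue = deque([(start, [])])
        while queue:
            node, path = queue.popleft()
            for nxt, via in adj.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                hop_path = path + [via]
                if switch_zones.get(nxt) != CDE:
                    findings.append(("unauthorized-bridge",
                                     f"{start[0]}/{start[1]} -> {nxt[0]}/{nxt[1]}",
                                     "via " + " -> ".join(hop_path)))
                queue.append((nxt, hop_path))

    # Req. 2.2.1: one primary function per server, applied to every VM on a CDE switch.
    for vm in vms:
        on_cde = any((vm["host"], sw) in cde_switches for sw in vm["nics"])
        if on_cde and not vm.get("firewall") and len(vm["functions"]) > 1:
            findings.append(("multi-function", vm["name"], ", ".join(vm["functions"])))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in check_segmentation(VMS, SWITCH_ZONES):
        print(f"{kind:20} {subject:34} {detail}")
```

On the constructed inventory, esx01 is clean because the only bridge between its two switches is the designated firewall, while on esx02 the backup VM leaks the CDE switch into the management switch and, through the monitoring VM, on into the corporate switch; pay-app01 is additionally flagged for running app and database on one guest. In a real assessment the inventory would be exported from the management console rather than typed in, and the switch zones taken from the diagram required by 1.1.2.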

Patch Management and Change Control
Requirement 5: Use and regularly update anti-virus software and programs. Sub-requirement 5.2.
Requirement 6: Develop and maintain secure systems and applications. Sub-requirements 6.1, 6.2.
It is extremely simple to deploy, copy, store and move VMs, and every VM must conform to PCI requirements at the moment it is deployed.
Risks:
- Anti-virus updates and patches may not be deployed to VMs (a template or a powered-off VM silently misses the update cycle)
- Use of snapshot and "rollback" features may revert a VM to an unpatched, and therefore non-compliant, state
- VM image files containing CHD may not be adequately controlled
- Traditional network monitoring tools may not have visibility within the VM environment
Best practice: continuous monitoring and periodic audits.

Auditing and Logging
Requirement 10.2: Implement automated audit trails for all system components. Sub-requirements 10.2.1, 10.2.2, 10.2.3.
- Native software tools may not be adequate for the audit, configuration management and ongoing log monitoring of virtualized environments
- Don't forget to log and store hypervisor configuration settings and administration rights: the hypervisor and its management console are system components in scope
- Auditing and logging consume resources: CPU cycles, memory, disk space and network bandwidth
- Consider storing all host log files on a secure remote syslog server, so that a compromised or reverted host cannot rewrite its own history
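The patch-management and logging slides above come together in the audit trail of the management server: a snapshot revert is the event that silently undoes Requirement 6, a port-group or vSwitch change is the "trivial reconfiguration" that must be tied to an approved change, and Requirement 10.2.2 wants every administrator action kept. The script below is an added example written for this page, not Reflex's product and not vCenter's event format: the line layout, event names, VM inventory, admin roster and change tickets are all constructed. It parses the constructed lines, keeps a count of every privileged action, and raises findings for snapshot reverts of CDE VMs, network changes on CDE hosts without an approved ticket, privileged use of the shared root account, and privileged actions by accounts that are not on the roster.

```python
"""Audit-trail review for a virtual infrastructure, run over management-server event lines.

Constructed for this example: the line format, event names and inventory are
hypothetical, not those of any real management console. Each line is
  <timestamp> <server> event key=value ...   (values may be double-quoted)
Checks:
  Req. 6.1  snapshot revert on a CDE VM may reintroduce missing patches
  Req. 1    virtual-network change on a CDE host without an approved change ticket
  Req. 8    privileged action from a shared account (root) or an account not on the roster
  Req. 10.2 every privileged action is counted, flagged or not
"""
import shlex
from datetime import datetime

CDE_VMS = {"pay-web01", "pay-db01"}
CDE_HOSTS = {"esx01"}
ADMIN_ROSTER = {"jdoe", "asmith"}
APPROVED_TICKETS = {"CHG-1042"}
NETWORK_EVENTS = {"VswitchReconfigured", "PortgroupReconfigured", "VmNicReconfigured"}
PRIVILEGED_EVENTS = NETWORK_EVENTS | {"VmRevertedToSnapshot", "VmCreated", "PermissionAdded"}

# Constructed sample log; every name and value is made up for the example.
SAMPLE_LOG = """\
2009-06-15T02:14:07Z vcenter01 event user=jdoe type=VmRevertedToSnapshot vm=pay-db01 host=esx01 detail="pre-patch-2009-05" ticket=-
2009-06-15T02:20:31Z vcenter01 event user=root type=PortgroupReconfigured host=esx01 detail="CDE-PG vlan 10->0" ticket=-
2009-06-15T03:02:12Z vcenter01 event user=asmith type=VswitchReconfigured host=esx01 detail="vSwitch1 add uplink vmnic3" ticket=CHG-1042
2009-06-15T04:40:55Z vcenter01 event user=bob type=PermissionAdded host=esx01 detail="bob Administrator on Datacenter" ticket=-
2009-06-15T05:01:00Z vcenter01 event user=jdoe type=VmRevertedToSnapshot vm=dev-web07 host=esx03 detail="clean" ticket=-
2009-06-15T05:09:17Z vcenter01 event user=jdoe type=VmPoweredOn vm=pay-web01 host=esx01 ticket=-
"""


def parse_event(line):
    """Split one event line into a dict of fields; quoted values keep their spaces."""
    ts, server, marker, rest = line.split(" ", 3)
    if marker != "event":
        raise ValueError(f"not an event line: {line!r}")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["server"] = server
    return fields


def review(log_text):
    """Return (findings, privileged_count); findings are (timestamp, rule, user, summary)."""
    findings, privileged = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, etype = ev["user"], ev["type"]
        in_cde = ev.get("vm") in CDE_VMS or ev.get("host") in CDE_HOSTS
        if etype in PRIVILEGED_EVENTS:
            privileged += 1  # Req. 10.2.2: the whole admin trail is retained, not only the alerts
            if user == "root":
                findings.append((ev["ts"], "shared-account", user, etype))
            elif user not in ADMIN_ROSTER:
                findings.append((ev["ts"], "unknown-admin", user, etype))
        if not in_cde:
            continue
        if etype == "VmRevertedToSnapshot":
            findings.append((ev["ts"], "cde-snapshot-revert", user,
                             f"{ev['vm']} <- {ev.get('detail', '')}"))
        if etype in NETWORK_EVENTS and ev.get("ticket", "-") not in APPROVED_TICKETS:
            findings.append((ev["ts"], "unapproved-network-change", user, ev.get("detail", etype)))
    return findings, privileged


if __name__ == "__main__":
    results, count = review(SAMPLE_LOG)
    print(f"{count} privileged actions reviewed, {len(results)} findings")
    for ts, rule, user, summary in results:
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:26} {user:8} {summary}")
```

Feeding the script a real export means replacing only the parser; the rules are the point. Note what the sample deliberately shows: the approved vSwitch change by asmith produces no finding, the revert of the development VM on esx03 is counted but not flagged because it is out of scope, and the root port-group change yields two findings at once (shared account and unapproved network change), which is the usual shape of a real incident.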

Security Testing
Requirement 11: Regularly test security systems and processes. Sub-requirements 11.3 and 11.4.
- Penetration testing must address the unique risks associated with virtual environments
- Traditional IDS/IPS may not be adequate for VMs: traffic between VMs on the same virtual switch never reaches a physical sensor, so it must be monitored within the virtual environment
- Emerging threats unique to virtual environments may require specialized detection and mitigation

Policy Enforcement
Requirement 12.5: Assign information security management responsibilities. Sub-requirements 12.5.1 and 12.5.2.
- Many organizations fail to implement this requirement appropriately
- Virtual environments may require application-aware monitoring
- Monitoring must have appropriate context to assess potential security threats and attacks

Call to Action
- Does your enterprise use virtualization?
- Are any regulated components virtualized?
- What steps have been taken specific to virtualization?
  - Updated processes / procedures?
  - New compensating controls?
  - Virtualization-specific audit / monitoring tools?

About Reflex
- ISV focused on virtualization
- First to market with the Reflex Virtual Security Appliance (VSA) in 2006
- Highly scalable integrated management platform (chosen by Savvis in 2009)
- Management, compliance regulation and auditing for virtual infrastructure
- Network visibility, control, and policy management and enforcement
- Security through network segmentation and infrastructure policy
- VMware VMsafe certified solution
- Recognized award-winning leader in the virtualization ecosystem

Reflex Cloud Command & Control
- Enable cloud computing (data center, public/private cloud)
- Command & control: enforce business, IT and security policies
- Ensure security, compliance and audit requirements
- Improve efficiency and agility
- Increase flexibility and scalability

Enterprise Management Capabilities
- Change control: a revision for every change of the virtual infrastructure (who/what/when); remediate, automate, self-heal
- Infrastructure security: dynamic security policy; VMsafe capable
- Management: improved mean time to innocence; performance, network services, alarm management, SOD
- Scale: large-scale environments; quickly search, find and automate decisions (VQL)

Thank You!
Web: http://www.reflexsystems.com
E-mail: Mike Wronski (mike@reflexsystems.com)
Twitter: @reflex_mike