Catbird Addendum to VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
Catbird Product Applicability Guide for Payment Card Industry (PCI)
Partner Addendum (VMware Compliance Reference Architecture Framework) to the VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0
August 2015
Product Applicability Guide
Table of Contents
Introduction
Overview of PCI as it applies to Cloud/Virtual Environments
Summary of Relevant Changes from PCI DSS 2.0 to 3.0
Catbird PCI Requirements Matrix Overview
Summary
Introduction

The virtualization and cloud revolution has brought unprecedented levels of agility and automation to IT infrastructure. Cloud systems leverage real-time, API-driven provisioning and configuration engines. Applications scale up and out, down and in, automatically, based on utilization, performance and any other parameter desired. Data migrates across data centers for reasons of availability, resiliency and performance. Yet policy and compliance have largely remained static, a dusty three-ring binder in a world of big data.

Traditional network security devices and approaches don't secure virtualized infrastructure. Virtual machines depend on network interfaces that can't be controlled or monitored by existing physical network security. Traditional infrastructure boundaries have been blurred and virtualized. Configuration changes that used to require data center credentials, punchdown tools and screwdrivers can now be implemented in a few lines of code. Recent virtualization security guidelines published by PCI and NIST have become formal requirements, and auditors are increasingly enforcing them. In a world where infrastructure has become dynamic, increasing audit scope, complexity and duration, compliance will need to become continuous: automated, instrumented, enforced and audited.

CATBIRD SOLUTION

Catbird brings policy and compliance out of the filing cabinet and into the cloud age, with a comprehensive cloud policy solution that automates, enforces and audits for continuous compliance. Automation of enforcement against third-party standards reduces the cost and complexity of assuring control and maintaining compliance in virtual and cloud-based data centers, and eliminates potential objections from auditors and CISOs that can stall or stop cloud transformation. Catbird transforms dynamic, self-scaling environments into compliance-aware systems through policy-based security and continuous monitoring and measurement against standards like PCI.
Figure 2: Catbird architectural elements

Catbird VMAs are deployed as a mesh of sensors implemented as virtual machine appliances (VMAs), configured in a classic hub-and-spoke architecture where the Control Center is the central process hub. Catbird TrustZones, Policy and Compliance depend on technical controls for monitoring and enforcement. The technical controls reside within each VMA and consist of the following control components:

Virtual Infrastructure Monitoring (VIM)
Catbird is fully integrated with the VMware virtual infrastructure. The Catbird Virtual Infrastructure Monitor is the security operator's eye into the virtual infrastructure, providing a real-time view of the virtual machine and switch configurations relevant to network security. When a policy has been violated, the Catbird Virtual Infrastructure Monitor can perform response actions, including disconnecting a virtual machine from the network or powering off the virtual machine. The Virtual Infrastructure Monitor restores the principle of separation of duties in virtual infrastructure by giving the security operator real-time monitoring of the virtual infrastructure administrator's activities as they relate to network security.

Firewall Management
Catbird integrates with the VMware vCloud Networking and Security App firewall (vCNS) and the NSX Distributed Firewall, giving the security architect the power of the native firewall in an easy-to-use and automated configuration methodology.

Vulnerability Scanning, SCAP Checks
Catbird includes a network-based vulnerability scanner for vulnerability management. Understanding the network-accessible vulnerabilities in virtualized infrastructure is the first step to tightening security posture and implementing a vulnerability management program for compliance.
Catbird enables the security architect to view detected vulnerabilities from the same tool that configures the firewall and Intrusion Prevention System, for a holistic view of the enterprise security posture. Catbird expands its continuous monitoring capabilities to include extensive configuration checks based on the Security Content Automation Protocol (SCAP). Integration with Service Composer-compatible, third-party vulnerability and SCAP configuration scanning services is available through the NSX/Service Composer API set.

Netflow
Visualizing network topology is a powerful tool used by security architects to configure network-based security controls. With an innovative network flow visualization display, Catbird provides the best possible view into network activity, giving the security architect the capacity to easily configure access controls, manage vulnerabilities, or respond to security incidents. Netflow information can also be captured from the NSX/Service Composer platform.

Intrusion Prevention System (IPS)
Positioned on the virtual switch fabric, Catbird is in the optimal position to provide deep packet inspection for its Intrusion Prevention System. Monitoring all traffic traversing the virtual switch, Catbird can detect hostile traffic entering the virtual data center and, more importantly, all hostile traffic between virtual machines themselves. By virtualizing the Intrusion Prevention System, Catbird's software-defined security approach provides a scalable solution for intrusion detection and prevention. Integration with third-party, Service Composer-compatible IDS/IPS control vendors is available through the NSX/Service Composer API set.
Network Access Control (NAC)
Catbird not only provides a combination of network-based security controls on the virtual switch fabric, but helps to protect physical infrastructure as well. The virtual switches in the hypervisor can be connected to physical switches that interconnect physical devices that may be on the same layer-2 network as the virtualized asset. With Catbird's Network Access Control (NAC), the security architect knows at all times what is directly connected at layer 2 on the physical switches, optionally giving them the power to implement logical zoning inclusive of these directly connected assets.

VMware Approach to PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is applicable to all types of environments that store, process, or transmit cardholder data. This includes information such as Personal Account Numbers (PAN), as well as any other information that has been defined as cardholder data by PCI DSS v3.0. Cloud computing is no exception to the PCI DSS audit process, and many of the cloud's advantages over earlier paradigms (sharing of resources, workload mobility, consolidated management plane, etc.) themselves necessitate that adequate controls are adopted to help meet the PCI DSS audit. PCI considerations help assessors understand what they might need to know about an environment in order to determine whether a PCI DSS requirement has been met. If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the infrastructure and the applications running in that environment.
Many enterprise computing environments in various vertical industries are subject to PCI DSS compliance, and generally those that deal in any kind of financial transaction for exchanging goods and services rely on VMware and VMware Technology Partner solutions to deliver those enterprise computing environments. As such, these enterprises seek ways to reduce overall IT budget while maintaining an appropriate overall risk posture for the in-scope environment. One of the greatest challenges in hosting the next-generation enterprise computing environment is consolidating the many modes of trust required, such as those for a Cardholder Data Environment (CDE) and a non-Cardholder Data Environment. For these reasons VMware has enlisted its Audit Partners, such as Coalfire, a PCI DSS-approved Qualified Security Assessor, to engage in a programmatic approach to evaluate VMware products and solutions for PCI DSS control capabilities and then to document these capabilities in a set of reference architecture documents. The first of these documents is this Product Applicability Guide, which contains a mapping of the VMware products and features that should be considered for implementing PCI DSS controls. The next two documents in the solution framework series that, together with this Guide, comprise the PCI DSS Reference Architecture are the Architecture Design Guide and the Validated Reference Architecture. They are intended to provide guidance on the considerations to be made when designing a vCloud environment for PCI DSS, as well as a lab validation exercise analyzing an instance of this reference architecture that utilizes the concepts and approaches outlined therein. For more information on these documents and the general approach to compliance issues, please review VMware's Approach to Compliance.
This Product Applicability Guide Addendum builds upon the base VMware control mapping and alignment for PCI DSS 3.0, which is documented in the VMware Product Applicability Guide for PCI DSS 3.0 on the VMware Solutions Exchange. In addition, VMware and Coalfire are engaged with VMware Technology Partners such as Catbird Networks, Inc. to analyze their products and solutions (available on the VMware Solution Exchange) with the goal of providing continuing examples to the industry. While every environment is unique, together VMware and its partners can provide a solution that potentially addresses over 70% of the PCI DSS technical requirements.
Figure 3: PCI Requirements

Figure 4: VMware + Partner Product Capabilities for a Trusted Cloud
Figure 5: VMware + Catbird Capabilities for a Trusted Cloud
Overview of PCI as it applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require, through their Operating Regulations, that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the Payment Card Industry Data Security Standard (DSS). Failure to meet PCI DSS requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud computing environments. Version 3.0 (and version 2.0) of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual- and cloud-specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).
Figure 6: Navigating PCI DSS

The existing virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Summary of Relevant Changes from PCI DSS 2.0 to 3.0

With the recent release of PCI DSS (Data Security Standard) 3.0, while little additional guidance has been released with regard to virtualization specifically, there have been a number of enhancements and clarifications that may have significant design and operational considerations above and beyond those required for compliance with PCI DSS 2.0. It should be noted that none of the new PCI DSS 3.0 requirements or considerations are inconsistent with or materially different from those found in version 2.0; they are simply additions, enhancements, and clarifications.
An updated Navigating PCI DSS document for version 3.0 has not been released by the PCI SSC (Security Standards Council) as of the time of this writing. With every iteration of the PCI DSS and the associated changes and updates, particularly when new requirements are presented, organizations are given additional time to implement these controls through the Sunrise process. While entities can choose to manage their cardholder data environments under PCI DSS 2.0 until December 31, 2014 at the latest, after this point all PCI DSS programs and audits must adhere to version 3.0. Additionally, many of the new requirements under PCI DSS 3.0 are considered best practices until July 1, 2015, giving organizations additional time to prepare to meet these new requirements in an appropriate manner.
Many of the new controls and changes in PCI DSS 3.0 reflect the growing maturity of the Payment Card Industry, and the need to focus more on a risk-based approach and deal with the threats and associated risks which most commonly lead to incidents involving the compromise of cardholder data. Along with the new controls and focus areas, version 3.0 provides PCI organizations and assessors with additional guidance and flexibility around designing, implementing, and validating the requisite PCI DSS controls. It should also be noted that with increased guidance and flexibility in the standard and individual controls, a greatly increased level of stringency is required in the validation of those controls and the risk-based approach to managing PCI DSS requirements. At a high level, the updates to version 3.0 of the DSS include:

- Providing stronger focus on some of the greater risk areas in the threat environment
- Providing increased clarity on PCI DSS and PA-DSS requirements
- Building greater understanding of the intent of the requirements and how to apply them
- Improving flexibility for all entities implementing, assessing, and building to the Standards
- Driving more consistency among assessors
- Helping manage evolving risks and threats
- Aligning with changes in industry best practices
- Clarifying scoping and reporting
- Eliminating redundant sub-requirements and consolidating documentation

There are also several key themes around managing PCI DSS 3.0 and taking a proactive, business-as-usual approach to protecting cardholder data, focusing primarily on security as opposed to pure compliance, which have been updated in the latest version and for which the PCI Security Standards Council has provided guidance.
The following is guidance from the PCI DSS Version 3.0 Change Highlights document regarding these high-level concepts and how they apply to PCI DSS 3.0:

Education and awareness
Lack of education and awareness around payment security, coupled with poor implementation and maintenance of the PCI Standards, gives rise to many of the security breaches happening today. Updates to the standards are geared towards helping organizations better understand the intent of requirements and how to properly implement and maintain controls across their business. Changes to PCI DSS and PA-DSS will help drive education and build awareness internally and with business partners and customers.

Increased flexibility
Changes in PCI DSS 3.0 focus on some of the most frequently seen risks that lead to incidents of cardholder data compromise, such as weak passwords and authentication methods, malware, and poor self-detection, providing added flexibility on ways to meet the requirements. This will enable organizations to take a more customized approach to addressing and mitigating common risks and problem areas. At the same time, more rigorous testing procedures for validating proper implementation of requirements will help organizations drive and maintain controls across their business.

Security as a shared responsibility
Securing cardholder data is a shared responsibility. Today's payment environment has become ever more complex, creating multiple points of access to cardholder data. Changes introduced with PCI DSS focus on helping organizations understand their entities' PCI DSS responsibilities when working with different business partners to ensure cardholder data security.
Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows: "Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

Figure 7: Cloud Computing

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. These definitions are listed below:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:
- VMware Cloud Computing Overview
- VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on their highly regulated and critical applications, they may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business-critical applications.

Figure 8: VMware Software Defined Data Center Products
Figure 9: VMware End User Computing

VMware provides an extensive suite of products designed to help organizations support security and compliance needs. The solutions' collective functionality and features, and the specific PCI DSS requirements they address, are covered in the VMware Applicability Guide for PCI, which provides detailed information about VMware's support for PCI DSS v3. If you are an organization or partner interested in more information on the VMware Compliance Program, please email us at compliance-solutions@vmware.com.

Figure 10: Catbird's Virtual Environment Deployment
Catbird PCI Compliance Solution

All merchants, service providers, financial institutions and other entities that store, process, or transmit payment cardholder data are required by card brands to comply with the Payment Card Industry Data Security Standard (PCI DSS). The use of virtualization technology in private clouds is not exempt from the requirements of PCI DSS 3.0, which raises the bar for security in a virtualized Cardholder Data Environment (CDE). Traditional physical security components that are usually deployed at the network edge make it difficult, if not impossible, to effectively monitor and control virtual components, so it is vital for organizations using virtual technology in the CDE to adopt tools that protect cardholder data. Catbird is a unique solution engineered to automate seamless, comprehensive network security and PCI DSS compliance for organizations with a virtual CDE.

Table 2: Catbird Solution

Solution: Catbird Control Center
Description: The Catbird Control Center acts as the Policy Definition Point, providing expert visualization, workflow and reporting built on top of three management components:
- Catbird TrustZones: logical zones providing automatic detection, inventory and grouping of all VMs
- Policy-based security: defining how Catbird's multi-function network security controls are applied to TrustZones
- Compliance: enforces regulatory requirements in virtualized infrastructure by monitoring and capturing security events and measuring them in real time against the leading compliance frameworks, including PCI

Solution: Catbird
Description: The Catbird Virtual Machine Appliances (VMA) is the collection of VMAs. A VMA is not deployed on individual virtual machines but only on the virtual network itself, one per virtual switch. The Control Center distributes security tasks to this mesh of VMAs. By distributing the security load across the VMA mesh, Catbird can scale across multiple physical locations and multiple virtual hosts, while executing hypervisor functions available only locally.
In this way, Catbird's model of Software-Defined Security can leverage cloud-scale economics. The VMA sensors are the policy enforcement points tasked by the Control Center to monitor and enforce security. VMAs are Linux virtual machines executing the technical controls, including firewall management, Network Access Control (NAC), Intrusion Detection and Protection (IDS/IPS), Netflow and vulnerability/configuration monitoring, as well as executing numerous other security tasks via hypervisor interfaces.
Catbird PCI Requirements Matrix Overview

Catbird includes a demonstrable means for enterprises to monitor, assess, and enforce key attributes of their Information Security Program in context with pertinent PCI 2.0 and 3.0 Standards. When properly deployed and configured, the Catbird solution either fully meets or augments the following PCI DSS requirements:

Table 3: Catbird PCI DSS Requirements Matrix for PCI DSS v3
(PCI DSS requirement: number of PCI requirements / total number of controls met or augmented by Catbird*)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 32 / 8
Requirement 3: Protect stored cardholder data: 44 / 0
Requirement 4: Encrypt transmission of cardholder data across open, public networks: 11 / 4
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs: 11 / 4
Requirement 6: Develop and maintain secure systems and applications: 42 / 5
Requirement 7: Restrict access to cardholder data by business need to know: 10 / 2
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data: 44 / 0
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
Requirement A.1: Shared hosting providers must protect the cardholder data environment: 8 / 1
TOTAL
Catbird PCI Requirements Matrix (By Product)

Catbird
- Security policy automation for private and hybrid clouds
- Logical zoning based on common trust class
- Support for leading hypervisors and SDN platforms
- Lifecycle security management for virtual machines
- Integrates existing network controls with new virtualized security controls
- Mapped to standards and audited for proof of continuous compliance

In addition to supporting DSS control requirements as outlined below, Catbird can be used to reduce the scope for DSS compliance by defining or isolating the in-scope cardholder data environment through use of TrustZones. While not required by PCI DSS v3, isolating the cardholder data environment from other network segments can greatly reduce the scope of the network that is required to be DSS compliant. TrustZones network configuration policies defined for an organization's virtual CDE network can be used to isolate the zone that processes, stores, or transmits cardholder data from other virtual network segments. Catbird integrates with the vCloud Networking and Security App firewall (vCNS) and the NSX Distributed Firewall to allow the network administrator to administer or orchestrate the virtual network firewall rules/policies using the Catbird Console's user interface. Using TrustZones to isolate (segment) the organization's CDE from other virtual processing reduces the scope of an organization's network that must be compliant with PCI DSS v3, and makes administration, monitoring, and auditing for PCI DSS compliance easier for an organization. Refer to PCI DSS v3, section on Scope of PCI DSS Requirements and Network Segmentation, and Appendix D for additional information regarding scoping and network segmentation as it applies to PCI compliance.

Figure 11: Catbird Architecture Overview

Catbird provides solutions to support or meet PCI DSS controls.
Additional policy, process or technologies may need to be used in conjunction with Catbird's solutions to fully comply with PCI DSS.
Table 4: Applicability of PCI DSS v3.0 Controls to Catbird

PCI DSS v3.0 Applicability Matrix

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1.c, 1.1.2.a, 1.1.3, 1.1.4.c, 1.1.6.a, 1.1.6.c, 1.1.7.b, 1.2.1.a-c, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.7
Description: Organizations are required to document and implement network policies, standards, and procedures for managing their cardholder data environment network. An organization can use Catbird to augment these policies and procedures to actually implement and monitor virtual networks and the hypervisor, by using Catbird's asset discovery capabilities, orchestrating the virtual network controlled by vShield, using Catbird TrustZones to provide appropriate segmentation within the virtual network, and implementing intra-net routing rules to meet PCI DSS requirements. Using these tools, a network administrator can:
- Support an organization's network change control process with real-time monitoring of network assets, including discovering new virtual components introduced into the cardholder data TrustZones, which allows the organization's change administrator to verify that all changes were introduced using the organization's authorized change control procedures (1.1.1.c)
- Support creation of network and dataflow diagrams by analyzing network traffic and providing Catbird diagrams representing actual traffic, to create formal network and cardholder dataflow diagrams (1.1.2.a) and verify that existing diagrams are current and include all required connections (1.1.3)
- Use TrustZones to create vShield rules that isolate internal network zones from the DMZ (1.1.4.c)
- Facilitate implementation of an organization's network configuration standard by providing real-time network traffic information that can be used to create (1.1.6.a) and examine (1.1.6.c) documented configuration control standards
- Facilitate periodic review of virtual firewall rules by providing reports of firewall rule sets (1.1.7.b)
- Define a CDE TrustZone and use the Catbird Firewall Orchestration component to create virtual firewall rules that permit necessary inbound and outbound traffic to the CDE zone and deny all other traffic (1.2.1.a-c)
- Facilitate compliance with an organization's virtual firewall configuration standards by allowing the network administrator to orchestrate (or apply) vShield firewall rules that limit:
  - DMZ inbound traffic to only system components with authorized public ports/protocols (1.3.1)
  - Inbound Internet traffic to IP addresses within the DMZ (1.3.2)
  - Direct connections between the Internet and the CDE, which are prohibited (1.3.3)
  - Unauthorized outbound traffic from the CDE, which is prohibited (1.3.4)
  - System components that store cardholder data to internal network zones (1.3.7)
- Use TrustZones to isolate virtual components used for cardholder data storage into the Cardholder Data Environment (1.3.7)

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1.b, 2.2.b, 2.2.c, 2.2.2, 2.2.3, 2.2.4.b, 2.3.b, 2.4.a
Description: Catbird provides a SCAP-based configuration checking utility that enables the enterprise to verify that system passwords and other PCI DSS configuration requirements are in place on virtual machines and hypervisors. Industry-recommended changes to hardening standards are provided to organizations as introduced by NIST, either automatically or upon request, so that organizations can remain current on recommended changes to hardening standards. Catbird's SCAP-based configuration checking utility can be used by an organization to supplement the policies and procedures for administering virtual systems and hypervisors associated with the in-scope cardholder data environment, to implement and monitor the virtual network components to comply with DSS Requirement 2, including:
- Identifying virtual machines (VMs) or hypervisors with no passwords or vendor default passwords (2.1.b)
- Allowing administrators to automate compliance with NIST hardening checklists through use of NIST Tier IV checklists (2.2.c), ensuring that hardening checklists are up to date using Catbird's updates for newly identified vulnerabilities (2.2.b)
Monitoring for emerging threats using Catbird s IDS/IPS functionality which allows an organization to monitor for new vulnerabilities that need to be addressed by generating reports based upon schedules controlled by organizations (2.2.b) Identifying actual ports/protocols using Catbird s realtime traffic monitoring, the organization can verify that all necessary network traffic is documented in system standards(2.2.2.b), and insecure ports/protocols justified (2.2.3) Allowing an organization to use the Tier IV hardening checklists to set or monitor security parameters for virtual systems (2.2.4.b) ensuring that unnecessary functionality is removed/ disabled. Monitoring flow between TrustZones and using hardening checklists to verify that non-console administrative activity is over encrypted protocol(2.3.b) Supplementing the process for creating and maintaining the asset inventory by using Catbird s Virtual Infrastructure Manager to discover virtual machines and hypervisors running in the network (2.4.a) Product Applicability Guide 18
19 P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X R E Q U I R E M E N T Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks N/A C O N T R O L S A D D R E S S E D 4.1.a, 4.1.b, 4.1.c, 4.1.e D E S C R I P T I O N Catbird does not directly contribute to this requirement. Catbird includes inventory, flow monitoring, IDS, and IPS capabilities. Catbird enables an enterprise with the means to monitor all virtual machines and enable the appropriate IPS templates to block unauthorized traffic to and from cardholder systems. Catbird s asset identification and flow monitoring capabilities can support an organizations process for identifying all traffic into and out of the Cardholder Data Environment, which can be identified as a TrustZone in Catbird. By analysing this information, an organization can use Catbird s IPS templates to monitor and if appropriate block unauthorized traffic to/from cardholder data TrustZone. An organization can use Catbird to: Identify traffic to/from cardholder data zone and other trusted zones that requires additional protection (4.1.a) Use SCAP-based configuration checklists to monitor for vulnerability associated with transmission key or certificate (4.1.b) Monitor flow analysis data to confirm that encrypted protocols are being used (4.1.c) Use flow analysis, vulnerability scanning, and configuration scanning to confirm secure configuration of transmissions (4.1.e) Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs 5.1, 5.2.a, 5.2.b, 5.2.c While not an anti-virus tool, Catbird supports the DSS requirement 5 compliance by providing SCAP-based configuration checking which enables the enterprise with the ability to verify that anti-virus (AV) programs are properly deployed, including: ensuring that AV tools are current, configured to perform periodic scans, and that AV audit logs are generated (5.2.a 5.2.c). 
Catbird s vulnerability scanning can be used to identify vulnerable components (5.1) that do not have AV software configured. Requirement 6: Develop and maintain secure systems and applications 6.1.a, 6.2.b, b, 6.4.2, b Catbird can supplement other tools used in an organization s security vulnerability management program and patching processes, as well as it s organization infrastructure change management procedures by: Supplementing vulnerability management by using Catbird s vulnerability scanning and SCAP checklist signatures as one of the external sources used to identify new security vulnerabilities and applying CVSS risk rankings (6.1.a) Supplementing patch management processes by using Catbird s SCAP checklist monitoring to identify virtual machines or hypervisors that do not have the most current patches installed (6.2.b) Establishing TrustZones for production and Product Applicability Guide 19
20 P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X R E Q U I R E M E N T C O N T R O L S A D D R E S S E D D E S C R I P T I O N development/test environments and monitoring activity to ensure separation of the environments (6.4.1.b) and by monitoring individual access to analyze compliance with separation-of-duties requirements (6.4.2) Reporting changes to the virtual network or hypervisor so that change administrators can oversee changes in the hypervisor management or virtual infrastructure configuration to verify that changes introduced comply with an organizations change control procedures (6.4.5.b) Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Identify and authenticate access to systems components a, , 8.1.6, 8.1.7, 8.1.8, b, c, a, a, a, 8.7.c Catbird enhances an organizations ability to restrict access into the cardholder data environment by enabling an organization to restrict access into the cardholder data environment through Catbird s TrustZone functionality. Assets containing cardholder data may be isolated to a designated TrustZone that is distinct from all other Assets. Deny all rules can be established in Catbird to restrict access to the cardholder TrustZone from all non-administrative (authorized) zones (7.2.3). Additionally, Catbird provides role-based application access with six defined Catbird roles for administrating and using the Catbird application allowing for distribution of virtual and hypervisor network management responsibilities (71.2.a): 1. Administrator (super user for Catbird) 2. Auditor (read only) 3. Operator 4. Firewall Operator 5. IPS Operator 6. Vulnerability Scanner Catbird enables the enterprise with the ability to prevent the use of clear-text passwords or vulnerable services through IDS/IPS policies. 
Catbird provides a SCAP-based configuration checking mechanism that enables the enterprise with the ability to verify that system passwords are meeting DSS security requirements. Using Catbird s SCAP-based configuration checking, an organization can verify that they have properly configured the virtual systems and hypervisor to meet DSS Requirement 8 control requirements, including monitoring for compliance of virtual machines including reporting when: Accounts that have been inactive for 90 days (configurable threshold) have not been disabled (8.1.4) Systems are not configured to lock accounts after no more than 6 invalid logon attempts (8.1.6) Systems are not configured to lockout for a minimum of 30 minutes or until administer enables the user ID (8.1.7). Product Applicability Guide 20
21 P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X R E Q U I R E M E N T C O N T R O L S A D D R E S S E D D E S C R I P T I O N Systems are not configured to require reauthentication after being idle 15 minutes (8.1.8) Systems are not configured to use strong-encryption for password storage (8.2.1.b), during transmission (8.2.1.c) Password control compliance requirements are not met, including: minimum password length of at least 7 characters (8.2.3.a), requiring users to change passwords at least every 90 days (8.2.4.a), and passwords cannot be changed to the same value as the previous 5 passwords (8.2.5.a) Virtual machines hosting databases do not require authentication (8.7.c) Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data N/A 10.1, , , a, b, c, , , , , , , a, , , , , Note that Catbird does not support application specific authentication control compliance. Catbird does not directly contribute to this requirement. Catbird enables the organization with the ability to generate automated audit logs for a variety of operational security events that are pertinent to the tracking and monitoring of virtual cardholder environment, including:. 
Using Catbird to enforce SCAP hardening standards for logging or by alerting a monitor/auditor when the log settings are not appropriately configured (10.1) Providing audit trails through Catbird for all hypervisor administration activity orchestrated through Catbird s firewall orchestration capabilities (10.2.2), for all invalid access attempts to the hypervisor, and for all Catbird application activity (10.2.4) Within the Catbird application, providing audit logs for use of Catbird including use of identification/authentication mechanism and changes to any account with Catbird privileges ( a and c) Generating log records that include all PCI DSS required information including user identification, type of event, date/time, success/failure indication, origin of event, and identity of affected component ( ) Catbird can be configured to use NCP and an organization s designated time server ( a) Catbird provides an audit role that can be used by designated individuals that have a need to view Catbird s audit records/reports without permitting other Catbird activities (10.5.1) Catbird provides no application function to alter Catbird audit log records, but Coalfire recommends that Catbird audit records be copied to an organization s central log server to protect the logs ( and ). If an organization places their central log server in a dedicated TrustZone, Catbird can Product Applicability Guide 21
22 P C I D S S V 3. 0 A P P L I C A B I L I T Y M A T R I X R E Q U I R E M E N T C O N T R O L S A D D R E S S E D D E S C R I P T I O N monitor access to the zone for inappropriate access. Catbird provides network log monitoring reports for monitoring hypervisor, orchestrated firewall rules, and IDS/IPS logs (10.6.1) and when defined in Catbird alerts will be generated for exceptions and anomalies based upon thresholds established by the organization (10.6.3) For PCI compliance, additional audit monitoring tools and processes will be needed for systems log and application log audit monitoring. Requirement 11: Regularly test security systems and processes. Requirement 12: Maintain a policy that addresses the information security for all personnel. Requirement A.1: Shared hosting providers must protect the cardholder data environment , , 11.4.a, 11.4.b, 11.5.a , , , A.1.2.b As part of an organization s PCI DSS required scanning program, Catbird supports the internal vulnerability scanning requirements. While not an Authorized Scanning Vendor (ASV), Catbird s Vulnerability Scanning tool, which includes an embedded SAINTscanner can be used to support internal scanning requirements (11.2.1) and schedule quarterly scanning with Catbird s policy-defined frequency (11.2.3). 
Catbird IDS/IPS capabilities support monitoring of traffic at the perimeter of CDE defined TrustZones including: Monitoring all perimeter traffic of the CDE and critical points within the CDE (11.4.a) Alerting personnel when suspect activity occurs (11.4.b) Catbird can partially support an organizations file integrity monitoring by detecting and alerting personnel when changes to critical system configuration files on virtual machines and hypervisor occur (11.5.a) Catbird can assist management s Acceptable Use Policy (AUP) documentation requirement by discovering assets on the network and assisting in creating the device inventory list for the AUP; and can be used to confirm that systems are configured to disconnect remote access sessions after a specified period of time as required by DSS requirement Catbird can be a component in an organization s Incident Response process when using Catbird vulnerability scans to cover critical network components to identify potential incidents, generate alerts based upon organization defined thresholds ( ), and if appropriate, disconnect/disable impacted network interfaces and virtual machines to supplement/support personnel designated for 24/7 incident response and monitoring ( ). Catbird can assist a shared hosting provider to comply with A.1 requirements when shared hosting providers configure each customer s environment as a separate TrustZone and monitor for any unauthorized traffic between customers zones (A.1.2.b) Product Applicability Guide 22
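The Requirement 1 and Requirement 7 items above describe a zone model: a CDE TrustZone with explicit allow rules for required traffic, a default deny for everything else (1.2.1), no direct Internet-to-CDE paths (1.3.3) and no unauthorized CDE egress (1.3.4). The following is an added illustration, not Catbird or VMware code: a small evaluator that classifies a flow by zone, applies an explicit allow list with default deny, and audits the rule set for 1.3.3/1.3.4 violations before it is deployed. The zone names, CIDR prefixes, rule format and sample flows are all constructed for the example.

```python
"""Zone-based firewall policy evaluator and rule-set audit (added example).

Models the CDE TrustZone pattern from PCI DSS Requirement 1: explicit allows,
default deny, and a pre-deployment audit for rules that would create direct
Internet/CDE paths. All zones, prefixes and rules below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map: zone name -> list of CIDR prefixes.
ZONES = {
    "cde": ["10.10.0.0/24"],        # cardholder data environment
    "dmz": ["203.0.113.0/24"],      # public-facing tier
    "admin": ["10.30.1.0/24"],      # administrative jump hosts
    "internal": ["10.20.0.0/16"],   # other internal zones (e.g. central log server)
    "internet": ["0.0.0.0/0"],      # catch-all; must be matched last
}
ZONE_ORDER = ["cde", "dmz", "admin", "internal", "internet"]


def zone_of(ip: str) -> str:
    """Return the first zone (in ZONE_ORDER) whose prefixes contain ip."""
    addr = ip_address(ip)
    for name in ZONE_ORDER:
        if any(addr in ip_network(cidr) for cidr in ZONES[name]):
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any destination port
    action: str               # "allow" or "deny"
    control: str              # PCI DSS control the rule is meant to satisfy


# Constructed explicit allow list. Anything not matched falls through to
# the default deny required by 1.2.1.
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "allow", "1.3.1/1.3.2"),   # public HTTPS to DMZ only
    Rule("dmz", "cde", 8443, "allow", "1.3.7"),             # app tier to CDE service
    Rule("admin", "cde", 22, "allow", "7.2.3"),             # admin zone to CDE only
    Rule("cde", "internal", 514, "allow", "10.5.3"),        # CDE syslog to central log server
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason). First matching explicit rule wins; else default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, dst_port):
            return r.action, f"{r.control}: explicit {r.action} {src}->{dst}:{dst_port}"
    return "deny", f"1.2.1: default deny {src}->{dst}:{dst_port}"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Flag allow rules that would violate 1.3.3 (Internet->CDE) or 1.3.4 (CDE->Internet)."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.src_zone == "internet" and r.dst_zone == "cde":
            findings.append(f"1.3.3 violated: direct Internet-to-CDE allow {r}")
        if r.src_zone == "cde" and r.dst_zone == "internet":
            findings.append(f"1.3.4 violated: CDE-to-Internet allow {r}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows: public client to DMZ, public client to CDE, admin to CDE.
    for flow in [("198.51.100.7", "203.0.113.10", 443),
                 ("198.51.100.7", "10.10.0.5", 443),
                 ("10.30.1.4", "10.10.0.5", 22)]:
        print(flow, evaluate(*flow))
    print("rule-set audit:", audit_rules(RULES) or "clean")
```

Run the audit on every proposed rule set before it is pushed: a single mistaken allow from the catch-all zone into the CDE zone is exactly the kind of change that orchestration makes easy and that a reviewer of 1.3.3 will look for.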
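The Requirement 8 items above are concrete, testable thresholds: inactive accounts disabled within 90 days (8.1.4), lockout after at most 6 attempts (8.1.6) for at least 30 minutes or until an administrator unlocks (8.1.7), a 15-minute idle timeout (8.1.8), at least 7-character passwords (8.2.3.a), rotation at least every 90 days (8.2.4.a) and a history of at least 5 (8.2.5.a). The block below is an added example of the kind of configuration check a SCAP-style benchmark performs; it is not Catbird's checker. It parses constructed key/value settings in the style of Linux login.defs, /etc/default/useradd, pam_faillock and pam_pwhistory files (the file formats are an assumption of the example, and the sample content is constructed) and reports which PCI DSS controls the settings miss, including the edge case that an unlock_time of 0 or "never" means administrator-only unlock and therefore satisfies 8.1.7.

```python
"""PCI DSS v3.0 Requirement 8 account-policy check (added example, not Catbird code).

Parses constructed key/value settings and reports the controls whose
thresholds are not met. Input formats are an assumption of the example.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

# Constructed sample settings, in the style of login.defs, /etc/default/useradd,
# pam_faillock and pam_pwhistory configuration. Two items are deliberately weak.
SAMPLE_CONFIG = """
# login.defs style
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    6          # weaker than the 7 characters required by 8.2.3.a
# /etc/default/useradd style
INACTIVE=35
# pam_faillock style
deny = 5
unlock_time = 600          # 10 minutes: shorter than the 30 minutes required by 8.1.7
# pam_pwhistory style
remember = 5
# shell idle timeout in seconds
TMOUT=900
"""


def parse_settings(text: str) -> Dict[str, Value]:
    """Parse 'KEY VALUE', 'KEY=VALUE' or 'key = value' lines; '#' starts a comment."""
    settings: Dict[str, Value] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|\s)\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        settings[key] = int(value) if value.lstrip("-").isdigit() else value.lower()
    return settings


def check_pci_req8(settings: Dict[str, Value]) -> List[Tuple[str, str]]:
    """Return (control, finding) pairs for settings that miss PCI DSS v3.0 Requirement 8."""
    findings: List[Tuple[str, str]] = []

    def get(key: str, control: str, what: str):
        # A missing setting is itself a finding: the control cannot be shown to be met.
        if key not in settings:
            findings.append((control, f"{what}: '{key}' not set"))
            return None
        return settings[key]

    v = get("inactive", "8.1.4", "inactive account disable period")
    if v is not None and not (isinstance(v, int) and 0 <= v <= 90):
        findings.append(("8.1.4", f"inactive={v}; must disable within 90 days"))

    v = get("deny", "8.1.6", "invalid logon attempt limit")
    if v is not None and not (isinstance(v, int) and 1 <= v <= 6):
        findings.append(("8.1.6", f"deny={v}; must lock after no more than 6 attempts"))

    v = get("unlock_time", "8.1.7", "lockout duration")
    # 0 or 'never' means only an administrator can unlock, which also satisfies 8.1.7.
    admin_only = v in (0, "never")
    if v is not None and not (admin_only or (isinstance(v, int) and v >= 1800)):
        findings.append(("8.1.7", f"unlock_time={v}; must be >= 1800 seconds or admin-only unlock"))

    v = get("tmout", "8.1.8", "idle session timeout")
    if v is not None and not (isinstance(v, int) and 1 <= v <= 900):
        findings.append(("8.1.8", f"tmout={v}; must re-authenticate after at most 15 minutes idle"))

    v = get("pass_min_len", "8.2.3.a", "minimum password length")
    if v is not None and not (isinstance(v, int) and v >= 7):
        findings.append(("8.2.3.a", f"pass_min_len={v}; must be at least 7"))

    v = get("pass_max_days", "8.2.4.a", "maximum password age")
    if v is not None and not (isinstance(v, int) and 1 <= v <= 90):
        findings.append(("8.2.4.a", f"pass_max_days={v}; must be at most 90"))

    v = get("remember", "8.2.5.a", "password history depth")
    if v is not None and not (isinstance(v, int) and v >= 5):
        findings.append(("8.2.5.a", f"remember={v}; must keep at least 5 previous passwords"))

    return findings


def failed_controls(text: str) -> List[str]:
    """Sorted, de-duplicated list of control ids the configuration text fails."""
    return sorted({control for control, _ in check_pci_req8(parse_settings(text))})


if __name__ == "__main__":
    for control, finding in check_pci_req8(parse_settings(SAMPLE_CONFIG)):
        print(f"{control}: {finding}")
```

The check treats an absent setting as a failure rather than silently passing it, which is what you want from an audit-oriented tool: the question is not only "is the value bad?" but "can I prove the control is met?".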
Summary

Cloud computing and threats to sensitive data, such as the data covered by the Payment Card Industry's Data Security Standard, are both evolving. The benefits and maturity of cloud computing, led by VMware and the Software Defined Data Center, have led VMware's customers and partners to host most (and approaching all) of their enterprise applications on this platform. To answer that need, VMware and its technology and audit partners have delivered a set of documentation pertinent to mainstream regulations such as PCI DSS version 3.0. Internalizing the information available on VMware Solution Exchange is the first step in understanding which VMware products can be leveraged, along with the features and capabilities that should be considered. This paper gives guidance on the applicability of Catbird's product suite for supporting PCI DSS version 3.0 control requirements.

Acknowledgements: VMware would like to recognize the efforts of Catbird Network, Inc., and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire Systems Inc. VMware Team for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v3.0 and the Reference Architecture described herein. The information provided by Coalfire Systems and contained in this document is for educational and informational purposes only. Coalfire Systems makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire Systems is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions.
Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire's solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA. For more information, visit

VMware, Inc Hillview Avenue Palo Alto CA USA Tel Fax
Copyright 2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW_YYQQ_DS_ProgramName 03/13
VMware vcloud Network VMware vcloud Architecture Toolkit for Service Providers Customer Onboarding with VMware NSX L2VPN Service for VMware Cloud Providers Version 2.8 August 2017 Harold Simon 2017 VMware,
More informationthe SWIFT Customer Security
TECH BRIEF Mapping BeyondTrust Solutions to the SWIFT Customer Security Controls Framework Privileged Access Management and Vulnerability Management Table of ContentsTable of Contents... 2 Purpose of This
More informationBUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY
SOLUTION OVERVIEW BUILDING SECURITY INTO YOUR DATA CENTER MODERNIZATION STRATEGY Every organization is exploring how technology can help it disrupt current operating models, enabling it to better serve
More informationInformation Security Controls Policy
Information Security Controls Policy Classification: Policy Version Number: 1-00 Status: Published Approved by (Board): University Leadership Team Approval Date: 30 January 2018 Effective from: 30 January
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationPCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring
PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring By Chip Ross February 1, 2018 In the Verizon Payment Security Report published August 31, 2017, there was an alarming
More informationComodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business
Comodo HackerGuardian PCI Security Compliance The Facts What PCI security means for your business Overview The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements intended
More informationThe SANS Institute Top 20 Critical Security Controls. Compliance Guide
The SANS Institute Top 20 Critical Security Controls Compliance Guide February 2014 The Need for a Risk-Based Approach A common factor across many recent security breaches is that the targeted enterprise
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More informationPCI Compliance: It's Required, and It's Good for Your Business
PCI Compliance: It's Required, and It's Good for Your Business INTRODUCTION As a merchant who accepts payment cards, you know better than anyone that the war against data fraud is ongoing and escalating.
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationLOGmanager and PCI Data Security Standard v3.2 compliance
LOGmanager and PCI Data Security Standard v3.2 compliance Whitepaper how deploying LOGmanager helps to maintain PCI DSS regulation requirements Many organizations struggle to understand what and where
More informationPayment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.
Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.1 Assessor Company: Control Gap Inc. Contact Email: info@controlgap.com
More informationINCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for
More informationPayment Card Industry (PCI) Point-to-Point Encryption
Payment Card Industry (PCI) Point-to-Point Encryption Solution Requirements and Version 2.0 (Revision 1.1) July 2015 Document Changes Date Version Revision Description 14 September 2011 1.0 Initial release
More informationPayment Card Industry (PCI) Qualified Integrator and Reseller (QIR)
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November
More informationPCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity
Kaspersky Enterprise Cybersecurity Kaspersky Endpoint Security v3.2 Mapping 3.2 regulates many technical security requirements and settings for systems operating with credit card data. Sub-points 1.4,
More informationPROTECT WORKLOADS IN THE HYBRID CLOUD
PROTECT WORKLOADS IN THE HYBRID CLOUD SPOTLIGHTS Industry Aviation Use Case Protect workloads in the hybrid cloud for the safety and integrity of mission-critical applications and sensitive data across
More informationSQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,
More informationThe Need In today s fast-paced world, the growing demand to support a variety of applications across the data center and help ensure the compliance an
Solution Overview Cisco ACI and AlgoSec Solution: Enhanced Security Policy Visibility and Change, Risk, and Compliance Management With the integration of AlgoSec into the Cisco Application Centric Infrastructure
More informationVMware vcloud Service Definition for a Public Cloud. Version 1.6
Service Definition for a Public Cloud Version 1.6 Technical WHITE PAPER 2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
More informationThe PCI Security Standards Council
The PCI Security Standards Council 2/29/2008 Agenda The PCI SSC Roles and Responsibilities How To Get Involved PCI SSC Vendor Programs PCI SSC Standards PCI DSS Version 1.1 Revised SAQ 2/29/2008 2 The
More informationYour guide to the Payment Card Industry Data Security Standard (PCI DSS) banksa.com.au
Your guide to the Payment Card Industry Data Security Standard (PCI DSS) 1 13 13 76 banksa.com.au CONTENTS Page Contents 1 Introduction 2 What are the 12 key requirements of PCIDSS? 3 Protect your business
More informationCSP & PCI DSS Compliance on HPE NonStop systems
CSP & PCI DSS Compliance on HPE NonStop systems March 27, 2017 For more information about Computer Security Products Inc., contact us at: 30 Eglinton Ave., West Suite 804 Mississauga, Ontario, Canada L5R
More informationWhat is HIPPA/PCI? Understanding HIPAA. Understanding PCI DSS
What is HIPPA/PCI? In this digital era, where every bit of information pertaining to individuals has gone digital and is stored in digital form somewhere or the other, there is a need protect the individuals
More informationAZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments
AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES To Secure Azure and Hybrid Cloud Environments Introduction Cloud is at the core of every successful digital transformation initiative. With cloud comes new
More informationSimple and Powerful Security for PCI DSS
Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them
More informationCloud First Policy General Directorate of Governance and Operations Version April 2017
General Directorate of Governance and Operations Version 1.0 24 April 2017 Table of Contents Definitions/Glossary... 2 Policy statement... 3 Entities Affected by this Policy... 3 Who Should Read this Policy...
More informationPCI DSS. Compliance and Validation Guide VERSION PCI DSS. Compliance and Validation Guide
PCI DSS VERSION 1.1 1 PCI DSS Table of contents 1. Understanding the Payment Card Industry Data Security Standard... 3 1.1. What is PCI DSS?... 3 2. Merchant Levels and Validation Requirements... 3 2.1.
More informationThree Key Challenges Facing ISPs and Their Enterprise Clients
Three Key Challenges Facing ISPs and Their Enterprise Clients GRC, enterprise services, and ever-evolving hybrid infrastructures are all dynamic and significant challenges to the ISP s enterprise clients.
More informationDISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017
DISASTER RECOVERY- AS-A-SERVICE FOR VMWARE CLOUD PROVIDER PARTNERS WHITE PAPER - OCTOBER 2017 Table of Contents Executive Summary 3 Introduction 3 vsphere Replication... 3 VMware NSX for vsphere... 4 What
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationVMware vcloud Air Accelerator Service
DATASHEET AT A GLANCE The VMware vcloud Air Accelerator Service assists customers with extending their private VMware vsphere environment to a VMware vcloud Air public cloud. This Accelerator Service engagement
More information