HALO IN ACTION COMPLIANCE: DON'T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.


THE PROBLEM

Online commercial transactions will hit an estimated $2.35 trillion by 2017, according to eMarketer in their Worldwide Retail Ecommerce Forecast. Coincident with this explosive growth has been the widespread adoption of cloud-based IT infrastructures that are able to handle the high volume of transactions that online and mobile commerce create.

Traditionally, enterprises have deployed a variety of IT controls to comply with the PCI DSS regulation: strong access controls, vulnerability assessment, file integrity monitoring, log monitoring, and other controls. This patchwork of controls works fine when all the card data resides in a traditional data center environment, but it breaks down in Infrastructure-as-a-Service (IaaS) environments such as Amazon Web Services (AWS). Traditional security controls are not fundamentally designed to operate efficiently in these new environments. When you try to operate traditional PCI security controls in IaaS environments, you encounter the following problems:

- Traditional host-based security products and log management products are slow to deploy and require manual effort to configure. This positions the security team as a bottleneck to the speed and agility that businesses expect from modern cloud environments and agile/DevOps organizations.
- Traditional controls do not operate continuously, so they can miss short-lived workloads. For example, network scanning products that are based on periodic scanning windows (weekly or monthly) can completely miss workloads that come and go within that time period. This would likely cause an auditor to flag these controls as inadequate.
- Coordinating scanning permissions with cloud service providers (e.g. AWS) is a labor-intensive task for IT security personnel.
- Deploying traditional network scanners in the cloud, configuring each one for a specific IP range, and then adjusting them if/when your network changes cannot be performed fast enough in the time windows required to ensure adequate protection.
- To get high-quality detections, network scanners require credential-based authenticated scanning to be performed on endpoints. But managing credentials is a significant effort when systems are constantly changing and credentials are constantly updated throughout the environment.

THE SOLUTION: CLOUDPASSAGE HALO

The CloudPassage Halo automated security and compliance platform solves all of these challenges. Halo provides businesses the easiest, most automated way to ensure compliance with the Payment Card Industry Data Security Standard. Halo works across any cloud or virtual infrastructure: public, private, hybrid, multicloud or virtualized data center, including bare metal. Halo aligns directly with the critical needs of today's commerce-focused enterprise: delivered on-demand, fast to deploy, fully automated, and works at any scale.

Halo is continuous. The Halo microagent can continuously monitor workloads that spin up and down rapidly in the cloud. Fresh information can be gathered from your entire environment in a matter of minutes.

Halo is a 100% SaaS-based product. Halo's cloud-optimized architecture provides IT security managers a real-time, holistic view of their security posture and provides auditors a complete set of data on which to base a PCI audit, without the use of appliances or scanners. Halo leverages a lightweight onboard microagent, which yields high-quality information without the need to manage credentials to the endpoints.

Halo is fast to deploy and easy to manage. Installation of the microagent is totally automated. Halo integrates with DevOps tools such as Chef, Puppet, Salt, and Ansible.

Halo is portable. If workloads move or IP addresses change, Halo policies automatically follow the workload.

Halo is audit-friendly. Halo provides information based on the workload type, not the IP address, which may change frequently in IaaS environments. Halo also includes open integration APIs to allow data to flow into popular GRC systems and SIEM systems.

Halo provides a broad range of controls that are required to prove compliance with the PCI DSS requirements, including:

- Software vulnerability assessment
- Configuration security monitoring
- Server access monitoring
- File integrity management
- Log-based intrusion detection
- Software and hardware inventory

[Architecture diagram: agents in the public cloud and the data center; automated deployment and policy assignment; automated security orchestration engine; portal; REST API]

THE POWER OF HALO

GET INSTANT VISIBILITY: Workloads are tracked and reported on instantly and automatically.
REDUCE COSTS & IMPROVE EFFICIENCY: Eliminate manual processes; streamline and automate workflows.
VERIFY SYSTEM & DATA INTEGRITY: Apply and verify that all required controls are in place.
AUTOMATE COMPLIANCE WORKFLOWS: Integrate with your existing tools and processes seamlessly.
GENERATE & TRACK AUDIT LOGS: Ensure all critical activities are archived and readily available.
SCALE ON DEMAND: The non-intrusive, agent-based model scales without breaking a sweat.
STAY FLEXIBLE: Deploy seamlessly across any cloud or virtual infrastructure.

Here is how Halo controls replace traditional controls for PCI compliance:

| Traditional control | Halo control |
|---|---|
| Network intrusion prevention | Halo includes log-based intrusion detection and file integrity management, which can take the place of traditional network intrusion prevention |
| File integrity monitoring | Halo includes file integrity management |
| Software vulnerability management | Halo includes software vulnerability assessment |
| Configuration management | Halo includes configuration security monitoring |
| Strong access control | Halo includes server account management |

Here is how Halo helps you meet each of the twelve PCI DSS requirements:

Goal 1: Build and maintain a secure network and systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
SUPPORTS SOME REQUIREMENTS

Halo can ensure that local firewall software is installed and configured correctly. In addition, Halo is compatible with any existing network firewalls or cloud-based zoning mechanisms that a customer may be using to support PCI requirements.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Server and application configuration scanning is a core Halo feature. This functionality is capable of identifying default OEM and cloud provider configuration options, including those that create security vulnerabilities. Two common examples of serious deficiencies in default configurations are Linux servers created with no root account password and servers with no password expiration controls. Halo provides out-of-the-box, customizable templates that alert on default and weak security parameters for servers and application services. In addition to identifying poor default security configurations, Halo's configuration scanning provides ongoing assurance of system and application configuration compliance, with historical reporting that makes generating audit-related data fast and simple.
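The two default-configuration deficiencies named above (a root account with no password, and no password expiration control) are easy to check directly from the host's own files. The following is an added example, not CloudPassage code and not a Halo template: it parses constructed /etc/shadow and /etc/login.defs content and reports both conditions. The 90-day maximum password age is an assumed local policy value for the example, not a figure from this brief.

```python
"""Added example (not CloudPassage code): a hypothetical check for an account
with an empty password hash and for missing password-expiration controls.
The /etc/shadow and /etc/login.defs content below is constructed sample data,
and the 90-day maximum age is an assumed policy value, not one from the brief."""

# Constructed /etc/shadow content. Field 2 is the password hash: an empty
# field means the account logs in with no password at all; "*" or "!..."
# means the account is locked. Field 5 is the maximum password age in days.
SAMPLE_SHADOW = """\
root::17900:0:99999:7:::
app:$6$saltsalt$constructedhashvalue0123456789abcdefghijklmnop:17900:0:99999:7:::
deploy:$6$saltsalt$constructedhashvalueqrstuvwxyz0123456789abcdefg:17900:0:60:7:::
nobody:*:17900:0:99999:7:::
"""

# Constructed /etc/login.defs content (the aging defaults new accounts inherit).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed policy threshold for this example


def parse_shadow(text):
    """Return one dict per shadow entry with only the fields the check needs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        entries.append({
            "user": fields[0],
            "hash": fields[1],
            "max_days": int(fields[4]) if fields[4] else None,
        })
    return entries


def parse_login_defs(text):
    """Parse KEY VALUE lines, ignoring comments and blank lines."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            defs[parts[0]] = parts[1]
    return defs


def check_password_controls(shadow_text, login_defs_text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    for entry in parse_shadow(shadow_text):
        if entry["hash"] == "":
            findings.append(f"{entry['user']}: empty password hash, login requires no password")
        elif entry["hash"].startswith(("*", "!")):
            continue  # locked or system account, password aging does not apply
        elif entry["max_days"] is None or entry["max_days"] > max_age:
            findings.append(
                f"{entry['user']}: password max age {entry['max_days']} days exceeds {max_age}"
            )
    defs = parse_login_defs(login_defs_text)
    pass_max = int(defs.get("PASS_MAX_DAYS", "99999"))
    if pass_max > max_age:
        findings.append(
            f"login.defs: PASS_MAX_DAYS {pass_max} exceeds {max_age}, new accounts inherit it"
        )
    return findings


if __name__ == "__main__":
    for finding in check_password_controls(SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS):
        print("FINDING:", finding)
```

On the constructed data this reports three findings: the empty root password, the `app` account with no effective expiry, and the `login.defs` default that would give every future account the same weakness. Checking `login.defs` as well as existing accounts matters in cloud images, where most accounts are created after the image is built.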

Goal 2: Protect cardholder data

Requirement 3: Protect stored cardholder data
SUPPORTS SOME REQUIREMENTS

This requirement is very broad, including a number of data management, authentication and encryption requirements. CloudPassage Halo supports implementation of these requirements through management of encryption mechanisms and associated keys. Halo's configuration scanning functionality can continuously monitor for the presence and configuration of encryption functions and for access restrictions on cryptographic keys. This monitoring can be performed for operating system, application, and database platforms.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
SUPPORTS SOME REQUIREMENTS

This requirement is really twofold: ensuring encryption of cardholder data in transit, and ensuring that cardholder data is never transmitted in the clear. Halo supports verification of correct configuration, as well as the explicit absence of unwanted data transmission facilities like FTP servers. As mentioned above, Halo's configuration scanning functionality can continuously monitor configurations for services capable of transmitting cardholder data. For example, web server configurations can be scanned to ensure that only HTTPS protocols are enabled. Another example is scanning of services listening on the network for FTP and other non-encrypted data transmission facilities. Given the typical scale of cloud-deployed applications, automation of these scans saves extensive time and energy in manual verification and collection of data required for audits.
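The listener scan described for Requirement 4 (an FTP daemon, or a web server still answering plain HTTP) can be illustrated with a small host-side check. The following is an added example, not CloudPassage code: it parses constructed `ss -ltnp` output and flags listening sockets on ports conventionally associated with cleartext protocols. The port-to-protocol table is an assumed list for the example, not one from the brief.

```python
"""Added example (not CloudPassage code): a hypothetical scan of listening
sockets for services that move data in the clear. The `ss -ltnp` output below
is constructed sample data; the port table is an assumed list."""

import re

# Constructed output in the format of `ss -ltnp` on a Linux host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1201,fd=4))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1333,fd=6))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1333,fd=7))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1500,fd=21))
LISTEN 0      128    [::]:23             [::]:*            users:(("telnetd",pid=1600,fd=3))
"""

# Assumed table of well-known ports whose default protocol carries data unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Extracts the process name from the ss "users:((\"name\",pid=...))" column.
PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) for each LISTEN line of ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        # rpartition on the last ":" handles "[::]:23" as well as "0.0.0.0:22".
        address, _, port = local.rpartition(":")
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append((address, int(port), process))
    return listeners


def find_cleartext_listeners(ss_output, cleartext_ports=CLEARTEXT_PORTS):
    """Return one finding per listener bound to a cleartext-protocol port."""
    findings = []
    for address, port, process in parse_listeners(ss_output):
        if port in cleartext_ports:
            findings.append({
                "address": address,
                "port": port,
                "protocol": cleartext_ports[port],
                "process": process,
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_listeners(SAMPLE_SS_OUTPUT):
        print(f"FINDING: {f['process']} listening on {f['address']}:{f['port']} ({f['protocol']})")
```

On the constructed data this flags the FTP daemon, the telnet daemon, and nginx's port 80 listener, while leaving SSH, HTTPS and the loopback-only database alone. A port number is only a hint about the protocol, so a production check would follow up by confirming the actual service, but the port-based pass is the cheap, continuous first filter the section describes.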

Goal 3: Maintain a vulnerability management program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
SUPPORTS SOME REQUIREMENTS

Halo does not provide antivirus capability, but it does provide secondary controls to ensure that antivirus software is current, correctly configured, and maintains integrity. The configuration scanning capabilities in Halo provide the ability to ensure that antivirus software is present, is the correct version, and is active on the system. Specific configuration parameters, scan scheduling, and the presence of memory-resident antivirus processes can all be continuously monitored. Halo's file integrity monitoring capability ensures that antivirus binaries and signature data files have not been tampered with and can therefore provide accurate results.

Requirement 6: Develop and maintain secure systems and applications

This requirement is one of the broadest in the PCI DSS, impacting nearly every area of information technology development and operation. It's also one of the areas where Halo adds very high value to cloud-based deployments. Halo provides functions to develop and maintain secure servers and applications. The software vulnerability scanning directly addresses requirements 6.1 and 6.2. Halo can also scan and monitor web server and application stack configurations to ensure resistance to application-level attacks, supporting requirement 6.6. Halo's file integrity monitoring and configuration scanning tools directly support requirements in sections 6.3 and 6.4. Collectively, Halo includes insight into known vulnerabilities; the ability to enforce secure authentication and logging; ongoing secure configurations; proper maintenance of accounts; monitoring of the change control process and environments; and auditing of system and application changes.
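The software vulnerability scanning credited above to requirements 6.1 and 6.2 (and, under Goal 5 below, described as matching packages against vulnerability signatures) comes down to comparing an installed package inventory with advisory records that name a fixed version. The following is an added example, not CloudPassage code: both the inventory and the advisory feed are constructed sample data with placeholder advisory identifiers, and the version ordering is a simplified approximation of real distribution rules.

```python
"""Added example (not CloudPassage code): a hypothetical package-level
vulnerability check that matches an installed inventory against advisories
naming a fixed version. Inventory and advisories are constructed sample data
with placeholder ids; version ordering is simplified, not full dpkg/rpm rules."""

import re

# Constructed inventory, as `dpkg-query -W -f '${Package} ${Version}\n'` would print it.
SAMPLE_INVENTORY = """\
bash 5.1-2
curl 7.74.0-1
nginx 1.18.0-6
openssl 1.1.1k-1
"""

# Constructed advisory feed: package, first fixed version, placeholder identifier.
SAMPLE_ADVISORIES = [
    {"package": "openssl", "fixed": "1.1.1n-0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"package": "nginx", "fixed": "1.18.0-6", "id": "ADVISORY-PLACEHOLDER-2"},
    {"package": "curl", "fixed": "7.74.0-1.3", "id": "ADVISORY-PLACEHOLDER-3"},
    {"package": "zlib1g", "fixed": "1.2.12", "id": "ADVISORY-PLACEHOLDER-4"},
]


def version_key(version):
    """Split a version into comparable tokens: numeric runs compare as integers,
    alphabetic runs lexically. Simplified; real dpkg/rpm ordering has more rules."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)


def is_older(installed, fixed):
    """True when the installed version sorts before the first fixed version."""
    return version_key(installed) < version_key(fixed)


def parse_inventory(text):
    """Map package name to installed version from 'name version' lines."""
    inventory = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            inventory[parts[0]] = parts[1]
    return inventory


def find_vulnerable_packages(inventory_text, advisories):
    """Return advisories whose package is installed at a version below the fix."""
    inventory = parse_inventory(inventory_text)
    matches = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # package not installed, advisory does not apply
        if is_older(installed, adv["fixed"]):
            matches.append({**adv, "installed": installed})
    return matches


if __name__ == "__main__":
    for m in find_vulnerable_packages(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(f"{m['id']}: {m['package']} {m['installed']} < fixed {m['fixed']}")
```

On the constructed data, openssl and curl are reported (installed below the fixed version), nginx is not (already at the fixed version), and the zlib1g advisory is skipped because the package is not installed. Because the agent reads the inventory locally, no scanning credentials are needed, which is the operational point the brief makes about agent-based collection.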

Goal 4: Implement strong access control measures

Requirement 7: Restrict access to cardholder data by business need to know

This section requires implementation of access controls on a need-to-know basis and includes a number of reporting and verification requirements. Halo was specifically designed to implement these functions across large numbers of cloud servers. Halo's system configuration scanning and server account management features address the majority of server-level access control requirements in section 7. Halo also provides a centralized view of server accounts and their privileges across cloud hosting environments.

Requirement 8: Identify and authenticate access to system components
DIRECTLY SUPPORTS SOME REQUIREMENTS

This requirement entails maintenance of individual accounts on servers for anyone requiring access. These requirements include user authentication, provisioning, and password management practices. Halo Server Account Management addresses some of these needs. It provides web or API interfaces for management of accounts on cloud servers. Accounts can be created, modified, disabled and deleted; capabilities include password construction enforcement, secure password reset, and distribution of server authentication certificates. Halo also allows monitoring for account usage, abandoned accounts, and modifications to account security parameters.

Requirement 9: Restrict physical access to cardholder data
NO REQUIREMENTS COVERAGE

Halo does not address physical security requirements. Physical security is the responsibility of the owner/operator of the cloud environment in question. Service-level agreements and audit reports from the provider typically satisfy these requirements where servers are hosted with external cloud service providers.

Goal 5: Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data

CloudPassage Halo directly satisfies multiple server-related requirements in this area of the PCI DSS. In addition to the access management capabilities explained under Requirement 8 (above), Halo provides extensive usage monitoring, logging and alerting capabilities. Some examples of server states and events that can be monitored include account usage, file ACL states, and process effective rights. These capabilities also provide extensive automated recordkeeping that saves time and effort in audit-related data collection.

Requirement 11: Regularly test security systems and processes

This section requires that vulnerability scans are conducted regularly and whenever changes to the environment occur (e.g. new system components, changes in topology, firewall rule modifications, product upgrades). In dynamic cloud environments, these kinds of changes are constant, meaning that continuous vulnerability monitoring is required. The requirements in section 11 also include intrusion detection monitoring and alerting at critical points in the infrastructure, such as on application and database servers. The standard also contains an explicit requirement for file-integrity monitoring tools that alert personnel to unauthorized modification of critical system files, configuration files, or content files.

Halo addresses the need for vulnerability scans with its Security Configuration Monitoring and Security Vulnerability Scanning features. Pre-defined templates provide deep configuration security policies for servers and application components, providing continuous monitoring that's automatically enabled whenever new cloud servers are deployed. Vulnerability scanning utilizes industry-standard software vulnerability signatures to monitor for known security issues in packages used by servers and applications.

Halo's File Integrity Monitoring feature directly satisfies the PCI DSS requirement for detecting and alerting on unexpected changes to critical system files. As with all Halo features, deployment of FIM controls is automatic for new servers deployed in cloud environments. In addition to immediate alerting, Halo provides a historical record of FIM scans and issues, which speeds data collection needed at audit time.
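File integrity monitoring, as required under section 11 and described above, is a baseline-and-compare cycle: record a cryptographic hash and the permission bits of each monitored file, then rescan and report anything added, removed or changed. The following is an added example, not CloudPassage code and not how Halo's FIM feature is implemented: it runs the cycle against a temporary directory of constructed files so that nothing on the real system is touched.

```python
"""Added example (not CloudPassage code): a hypothetical file integrity
monitoring baseline-and-compare routine. The demo populates a temporary
directory with constructed files, takes a baseline, tampers with the tree,
and reports the differences."""

import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of the file content, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file under root (relative, '/'-separated) to its hash and mode bits."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": os.stat(full).st_mode & 0o777,  # permission change is also a finding
            }
    return baseline


def compare_to_baseline(root, baseline):
    """Return the files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            rel for rel in set(current) & set(baseline) if current[rel] != baseline[rel]
        ),
    }


def run_demo():
    """Constructed scenario: baseline three files, then change the tree four ways."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/ssh_config": b"PasswordAuthentication no\n",
            "etc/app.conf": b"db_host=10.0.0.5\n",
            "bin/pay": b"#!/bin/sh\necho processing\n",
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        baseline = build_baseline(root)

        # Simulated unexpected changes after the baseline was recorded.
        with open(os.path.join(root, "etc", "ssh_config"), "wb") as fh:
            fh.write(b"PasswordAuthentication yes\n")           # content changed
        os.chmod(os.path.join(root, "etc", "app.conf"), 0o444)    # permissions changed
        os.remove(os.path.join(root, "bin", "pay"))               # file removed
        with open(os.path.join(root, "etc", "new.conf"), "wb") as fh:
            fh.write(b"unexpected\n")                              # file added
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

The demo reports one added file, one removed file and two modified files, one of which changed only in permission bits, which is why the baseline records mode as well as content. In a real deployment the baseline itself must be stored somewhere the monitored host cannot alter, otherwise an attacker who changes a file can re-baseline it too; the historical record of scans that the brief mentions is what makes the comparison trustworthy at audit time.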

Goal 6: Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security for all personnel

Section 12 of the PCI DSS requirements is extensive. The key requirement that drives a need for Halo's deep security automation is 12.2, which calls for daily operational security procedures that are consistent with requirements in this and other sections. This single requirement creates dozens of day-to-day operational tasks that demand automation to achieve compliance in dynamic cloud environments. Halo was explicitly designed to automate deployment and operation of a broad range of controls in rapidly changing public, private and hybrid cloud hosting environments. Halo's extensive capabilities for automating day-to-day security operations are summarized in the sections above and are extensively documented in resources on the CloudPassage website.

ABOUT CLOUDPASSAGE

CloudPassage Halo is the world's leading automated agile security platform that orchestrates security on-demand, at any scale, and works in any cloud or virtual infrastructure (private, public, hybrid or virtual data center). Halo delivers a comprehensive set of continuous security and compliance functions right where it counts: at the server, VM, container, or workload. Our platform empowers our customers to take full advantage of cloud infrastructure with the confidence that their critical business assets are protected. Leading enterprises like Citrix, Salesforce.com, and Adobe use CloudPassage today to enhance their security and compliance posture, while at the same time enabling business agility.

www.cloudpassage.com | 800.215.7404
2017 CloudPassage. All rights reserved. CloudPassage and Halo are registered trademarks of CloudPassage, Inc. SB_COMPLIANCE_04282017