Using Cisco’s VMDC to help facilitate PCI compliance
June 20, 2014
Gary McCully
Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC.
Synopsis
This whitepaper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture can help
organizations reduce their PCI scope, and how it can help them reach and/or maintain PCI compliance.
Table of Contents
Introduction
    VMDC
    SecureState
Who Needs to be PCI Compliant?
What are the Current Challenges?
PCI DSS Goals and Requirements
How VMDC Can Help
    Build and Maintain a Secure Network (Requirements 1 & 2)
    Protect Cardholder Data (Requirements 3 & 4)
    Maintain a Vulnerability Management Program (Requirements 5 & 6)
    Implement Strong Access Control Measures (Requirements 7, 8, & 9)
    Regularly Monitor and Test Networks (Requirements 10 & 11)
    Maintain an Information Security Policy (Requirement 12)
Achieving PCI Compliance
Introduction
Cisco’s Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large
organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that
VMDC utilizes greatly assists service providers in creating a network which satisfies clients with various security needs.
In order to evaluate the ability of Cisco’s VMDC network topology to facilitate PCI compliance on behalf of the clients that
implement this blueprint, Cisco had SecureState analyze the VMDC topology against the PCI Data Security Standard (DSS)
3.0 control set. Previously, SecureState evaluated earlier versions of the VMDC topology against PCI DSS version 2.0. All
organizations that store, process, and/or transmit credit card data (known as cardholder data, or CHD) are required to
comply with PCI, and PCI DSS version 3.0 officially goes into full effect on January 1, 2015. Cisco’s VMDC architecture
provides a number of controls which can either be directly configured to meet specific DSS 3.0 requirements, or can be
implemented in order to help fulfill a particular component of the overall control.
VMDC
The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of
guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the
data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching
technologies, network services, data center and cloud security, automation, and integrated solutions with those of
Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:
- Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuance
- Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated architecture, helping enable technology adoption and rapid deployment
- Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence
- Increased flexibility: Enables rapid, on-demand workload deployment in a multitenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities
- Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors
The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI)
together with other architectural components such as infrastructure abstraction, orchestration and automation,
assurance, and integrated services and applications, as shown in the figure below, provides comprehensive guidelines
for the deployment of cloud infrastructure and services at multiple levels.
SecureState
SecureState is a management consulting company specializing in information security and compliance services. We
believe in a different approach to security which guides our clients as partners, from their CurrentState (CS) to their
DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with
clients at the CS, performing assessments to understand the security posture of the organization as it is constructed
today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the
DS and ultimately a managed SecureState (SS).
In the context of PCI, SecureState provides these services to organizations that are required to achieve and/or
maintain PCI compliance on an ongoing basis, assisting them in identifying their CurrentState of compliance with PCI
and helping them reach their DesiredState and SecureState.
Who Needs to be PCI Compliant?
All organizations that store, process, or transmit CHD are required to be compliant with PCI. However, not all
organizations are required to meet the same number of controls. Control requirements are based on the annual volume of
credit card transactions and the way these credit cards are processed, transmitted, and/or stored. In some cases, the
organization is even allowed to self-assess for PCI compliance. Organizations that process over six million
transactions per year must have an annual assessment completed by a Security Assessor (an independent third party or an
internal resource that has been approved by the PCI Security Standards Council).
Organizations can use segmentation to limit the scope of their Cardholder Data Environment (CDE), which makes the
task of achieving and maintaining PCI compliance much easier. By adequately segmenting the CDE from the rest of the
internal network, many of the PCI controls will only apply to this subset of systems. In fact, one of the best features of
Cisco’s VMDC is its ability to utilize various technologies in order to achieve segmentation (e.g. Access Control Lists,
VLANs, multiple Sourcefire security contexts, virtual firewalls, etc.). Additionally, organizations can further reduce the
scope of their PCI environment by implementing any of the following technologies: secure redirects, point-to-point
encryption, and/or tokenization. In the context of PCI, less truly is more; that is, the fewer systems that come into
contact with CHD, and the fewer places CHD is stored, the easier it will be to achieve and/or maintain compliance.
What are the Current Challenges?
1. Scope. By far, the greatest challenge that most organizations face when trying to achieve PCI compliance is the
scope of the CDE. The scope of the CDE consists of all systems that transmit, store, and/or process CHD, all
systems that can affect the security of those systems, and all systems that are not adequately segmented from
those systems. In many cases, the organization’s entire internal network comes into scope for PCI, because
adequate segmentation is not in place. In large organizations, this makes the process of achieving and/or
maintaining PCI compliance practically impossible. Since all controls would need to be applied to every system
on the network, all systems would need to be appropriately hardened, monitored, patched, etc. One system that has
not been appropriately locked down could affect the compliance status of the entire organization. In
organizations with hundreds, or even thousands, of systems, it is almost impossible to ensure that all of the
relevant controls have been applied to every single system in scope.
2. User Account Management. Many organizations are able to manage Windows domain accounts through the use
of Active Directory (AD), but accounts associated with network infrastructure, local administrator accounts,
Linux and/or Unix system accounts, Mainframe accounts, etc., must also comply with PCI requirements (i.e.,
password complexity, password minimum length, password history, etc.). Applying all of these controls to each
account can be a daunting task, and it is easy to miss devices within the CDE which have accounts that
must comply with specific PCI requirements.
3. Device Hardening. All systems and applications in the CDE must be adequately locked down, using some
industry accepted security hardening standard. Common systems that must be locked down include databases
(Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web servers (IIS, Apache,
WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If the CDE is large and complex,
then hardening every in scope system can be a very difficult task.
4. Patch Management. Although most organizations are adequately monitoring and applying patches to their
Windows systems, they struggle when it comes to patching non-Windows devices and products. It is common to
identify network infrastructure (e.g. firewalls, routers, switches, etc.), databases (e.g. Oracle, MySQL, etc.), and
non-Windows systems (e.g. various flavors of UNIX and Linux) that are missing critical patches.
As we review the PCI requirements, I will specifically highlight how Cisco’s VMDC can help facilitate each of these
controls. While VMDC cannot help with every PCI requirement, it can help in achieving compliance in
many areas that organizations traditionally struggle with.
PCI DSS Goals and Requirements
The PCI DSS has twelve requirements, which broadly align with six separate goals. The goals, and the requirements
associated with each of them, are as follows:
1. Build and Maintain a Secure Network – The first goal encompasses DSS requirements one and two. PCI defines
this first requirement as “Install and maintain a firewall configuration to protect cardholder data.” Practically
speaking, this control defines network layer requirements for the CDE, and includes controls around firewalls,
routers, and network topology. For example, there are requirements restricting the external traffic that is
allowed to access particular devices on the DMZ and keeping a current network diagram of the CDE.
Additionally, the second requirement associated with this goal is in regards to properly hardening the various
devices on the network. This requirement states, “Do not use vendor-supplied defaults for system passwords
and other security parameters.” In this regard, PCI requires that devices be locked down using industry accepted
standards, and that these standards be kept up to date.
2. Protect Cardholder Data – This goal covers protection of CHD while it is in transit or in storage. This goal
directly maps to DSS requirements three and four. The first of these requirements is to "Protect stored
cardholder data." This requirement largely deals with encryption, retention, and destruction of digital CHD. The
second requirement deals with protecting CHD while it is in transit. This requirement is defined as "Encrypt
transmission of cardholder data across open, public networks." Requirement four has a lot to do with SSL, and
the use of encrypted channels when CHD traverses a public network.
3. Maintain a Vulnerability Management Program – The next goal of PCI involves maintaining a vulnerability
management program, and PCI maps this back to requirements five and six of the PCI DSS. Requirement five of
the DSS is defined as "Use and regularly update anti-virus software or programs," and has to do with the
installation, maintenance, and monitoring of anti-virus software. PCI requires that anti-virus be configured on all
devices that are commonly affected by malware, and requires that organizations monitor the industry in order
to determine which devices meet these criteria. The sixth PCI DSS requirement is defined as "Develop and
maintain secure systems and applications." This control involves the processes around securing web applications
within the CDE, patching, and change management. There is great emphasis on the use of secure coding
practices and ongoing maintenance.
4. Implement Strong Access Control Measures – Rather than encompassing just two of the DSS requirements, this
goal has three DSS requirements associated with it: DSS Requirements seven, eight, and nine. The first of these
requirements is defined as "Restrict access to cardholder data by business need-to-know," and is primarily
concerned with centralized account management. The second requirement is to "Assign a unique ID to each
person with computer access," and has to do with proper account management, password policies, and user
provisioning and de-provisioning. The final requirement is defined as "Restrict physical access to cardholder data."
This control has to do with physically protecting CHD, and securing back-ups that contain this data.
5. Regularly Monitor and Test Networks – The fifth goal encompasses DSS Requirements ten and eleven.
Requirement ten is defined as "Track and monitor all access to network resources and cardholder data," and
contains requirements around log monitoring and retention. Additionally, there are extensive requirements
around NTP configuration, since NTP is critical for log analysis. The eleventh requirement of PCI DSS is defined as
"Regularly test security systems and processes." This control includes requirements around vulnerability
scanning, attack and penetration assessments, and Intrusion Prevention/Detection systems.
6. Maintain an Information Security Policy – The last goal corresponds to only one PCI DSS requirement. This is
the twelfth of the requirements, and is defined as “Maintain a policy that addresses information security for
employees and contractors.” In this regard, this requirement has to do with clearly defining key components of
the organization’s security program. This requirement includes controls around having a clearly defined incident
response plan, ensuring that people who handle credit cards have had background checks performed on them,
and ensuring that there is ongoing security training for the appropriate personnel.
How VMDC Can Help
Build and Maintain a Secure Network (Requirements 1 & 2)
Install and maintain a firewall configuration to protect CHD: During the assessment, SecureState reviewed the ASA
firewall, Nexus switches, and routers in order to evaluate how each device could be used to facilitate the various
controls outlined in this requirement. The ASA firewall could be used to meet all controls around the various firewall
configuration requirements, such as the implementation of ingress and egress filtering, secure DMZ configuration, and
anti-spoofing access control lists (ACLs). In this regard, the network infrastructure that is part of the VMDC can be used
to directly meet many of the requirements in this section of the DSS, including many controls directly related to
documenting the organization’s network topology of the CDE. Organizations that have implemented Cisco’s VMDC
network topology will have a well-documented base topology that can be modified to meet their particular needs.
Do not use vendor-supplied defaults for system passwords and other security parameters: The various devices that are
part of Cisco’s VMDC can be locked down using well-known configuration standards, and Cisco has developed
configuration guides for each component which can be used to apply specific controls. SecureState reviewed
each device in order to verify that it could be hardened in such a way as to meet PCI compliance requirements.
However, one of the best and easiest ways that organizations can meet this control is by limiting the number of devices
that are in scope for PCI. The fewer devices that are within the CDE, the easier it will be to lock each device down
appropriately. In this regard, VMDC provides robust network infrastructure which can be used in order to segment the
network. These technologies include ACLs, VLANs, and virtual firewalls. By combining these controls it is possible for an
organization to limit the number of systems within their CDE, which would make the task of achieving and maintaining
PCI Compliance easier.
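As an added illustration of the scoping point made here and in the segmentation discussion above (example code written for this page, not code from the whitepaper, Cisco, or SecureState), the following Python script walks a constructed set of ASA extended access-list entries applied inbound on the interface facing a CDE VLAN and reports every source network that can still reach the CDE, flagging any that is not on an approved list. The ACL name, the addresses, and the approved list are assumptions; an entry that is only partly covered by an earlier deny is deliberately counted as reachable, since for scope determination over-reporting is the safe side.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL (assumed name and addresses), applied inbound on the interface
# that faces the CDE VLAN, so every entry describes traffic trying to enter the CDE.
SAMPLE_ACL = """\
access-list CDE_IN extended deny ip 192.168.50.0 255.255.255.0 any log
access-list CDE_IN extended permit tcp 192.168.50.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-list CDE_IN extended permit tcp host 10.10.1.5 10.20.0.0 255.255.255.0 eq 443
access-list CDE_IN extended permit tcp 10.10.2.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 22
access-list CDE_IN extended permit tcp 10.40.0.0 255.255.255.0 10.21.0.0 255.255.255.0 eq 443
access-list CDE_IN extended permit ip 10.30.0.0 255.255.0.0 10.20.0.0 255.255.255.0
access-list CDE_IN extended deny ip any any log
"""
CDE_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed CDE VLAN
# Assumed systems allowed to touch the CDE: a jump host and an admin VLAN.
APPROVED = [ipaddress.ip_network("10.10.1.5/32"), ipaddress.ip_network("10.10.2.0/24")]


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[str]          # destination port after "eq"; None = any port


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec: 'any' | 'host A.B.C.D' | 'NET MASK'."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ASA writes dotted masks; ip_network accepts "NET/MASK" in that form.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        return None
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
    return Ace(tok[3], tok[4], src, dst, port)


def parse_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.splitlines()) if a is not None]


def _shadows(deny: Ace, permit: Ace) -> bool:
    """True when an earlier deny fully covers the permit (on ASA, first match wins)."""
    proto_ok = deny.proto in ("ip", permit.proto)
    port_ok = deny.port is None or deny.port == permit.port
    return (deny.action == "deny" and proto_ok and port_ok
            and permit.src.subnet_of(deny.src) and permit.dst.subnet_of(deny.dst))


def sources_reaching_cde(aces: List[Ace], cde_net) -> List[Tuple]:
    """(src, proto, port) for every permit that can still deliver traffic into the CDE.
    A permit only partly covered by an earlier deny still counts as reachable."""
    reach = []
    for idx, ace in enumerate(aces):
        if ace.action != "permit" or not ace.dst.overlaps(cde_net):
            continue
        if any(_shadows(d, ace) for d in aces[:idx]):
            continue
        reach.append((ace.src, ace.proto, ace.port))
    return reach


def unapproved_sources(aces, cde_net, approved) -> List[Tuple]:
    """Sources that reach the CDE but sit outside every approved network: these
    systems are connected to the CDE and therefore pull themselves into PCI scope."""
    return [r for r in sources_reaching_cde(aces, cde_net)
            if not any(r[0].subnet_of(a) for a in approved)]


if __name__ == "__main__":
    for src, proto, port in unapproved_sources(parse_acl(SAMPLE_ACL), CDE_NET, APPROVED):
        print(f"IN SCOPE: {src} may reach {CDE_NET} via {proto} port {port or 'any'}")
```

On the constructed ACL the 192.168.50.0/24 permit is silenced by the earlier deny and the 10.21.0.0/24 entry never touches the CDE, leaving the broad "permit ip 10.30.0.0/16" as the one source that expands scope.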
Protect Cardholder Data (Requirements 3 & 4)
Protect stored cardholder data: If it is possible to avoid storing CHD, SecureState recommends that organizations avoid
it. If CHD is not stored, then many of the controls in this section simply do not apply, and the organization limits its
liability. In this regard, many organizations use some sort of tokenization solution, in which CHD is sent to a third party
for storage and/or processing. This third party sends the organization a token, which can be used to reference the credit
card for further processing (e.g. chargebacks, recurring charges, etc.). However, in the cases where CHD must be
stored, the data should be stored in an encrypted format. VMDC is a solid network topology which contains a number of
technologies which can be used for segmentation, and all CHD could be segmented from the rest of the network.
Encrypt transmission of cardholder data across open, public networks: PCI requires that CHD traversing an open
network (i.e., the internet) do so in a secure manner. In many cases, organizations will fulfill this requirement by setting up
VPN connections with third parties and partners, and the CHD traverses these links in an encrypted format. ASA firewalls
support site-to-site VPNs, and thus can be used in this capacity. In ecommerce environments where customers need to
make purchases over the web, organizations can reduce their scope by using secure redirects to a third party where the
card is actually processed. Additionally, organizations that operate in a retail capacity may consider using a point-to-
point encryption solution. In this solution, a credit card is encrypted at the swiping device, and is sent to a third party
where the card is decrypted and processed. In most cases, point-to-point encryption is tied into a tokenization solution,
thus reducing the organization’s exposure even further.
Maintain a Vulnerability Management Program (Requirements 5 & 6)
Use and regularly update anti-virus software or programs: PCI requires that organizations configure anti-virus software
to run on all systems commonly affected by malware. Organizations are required to monitor the industry in order to
verify that these systems continue to fall into this category. Most QSAs (Qualified Security Assessors) would consider
Cisco equipment to be devices that are not commonly affected by malware. Additionally, Sourcefire is one of the
devices that are part of the VMDC topology, and it has the ability to analyze files that are traversing the network for viruses
or malware with a known signature. If a file is found to contain such a virus, then either the traffic can be blocked, or the
appropriate individuals can be notified. In this regard, although Sourcefire does not explicitly meet this control, it adds
another layer of protection for the organization.
Develop and maintain secure systems and applications: This requirement mainly focuses on the development and
rollout of new applications in the CDE. PCI requires that developers follow secure coding practices and follow a formal
process when making changes to these applications. However, this requirement also addresses the application of
patches. Cisco notifies its users when a new critical patch is released so that their systems can be quickly patched. In
this regard, Cisco’s patch notifications help organizations stay up-to-date on the latest patches for their Cisco devices,
and thus help facilitate this control. Many organizations use Red Hat and/or Windows servers in their CDE.
In order to help facilitate compliance with the patching requirement, organizations generally use applications such as
Red Hat Satellite and/or Windows Server Update Services (WSUS).
Implement Strong Access Control Measures (Requirements 7, 8, & 9)
Restrict access to cardholder data by business need-to-know: This requirement discusses the need to centrally
administer user accounts and the privileges associated with them. Most organizations use AD to administer the accounts
associated with their Windows servers. However, most organizations do not have a system that they can use to perform
the same functions for the devices that are part of their network infrastructure. In order to address this issue, VMDC makes
use of Cisco’s Access Control System (ACS). While performing the review of the VMDC network architecture, SecureState
verified that ACS is capable of integrating each of the core pieces of network infrastructure into AD. In this regard, ACS
makes the job of centralized administration on network devices much easier, and thus can help facilitate
this PCI requirement. Additionally, roles can be configured in ACS which limit the types of commands a particular
account can run on a particular device. Furthermore, roles can be created which grant access to only a subset of network
devices in the network.
Assign a unique ID to each person with computer access: Whereas Requirement 7 deals with the need for centralized
account administration, this requirement is concerned with the administration of individual user accounts. Individual
accounts with various password requirements can be configured through AD, and then tied into Cisco’s ACS. These
accounts can then be placed into roles which have various levels of access to the devices that constitute the core
network architecture of Cisco’s VMDC. Unique accounts can be created for each individual that needs access to the
various components of the VMDC, and password policies would be set up in accordance with the Group Policy Objects
(GPOs) that are associated with each account. Thus, VMDC can help facilitate meeting this requirement
from a network device perspective.
Restrict physical access to cardholder data: This requirement discusses physically protecting CHD. Further, this
control addresses physical access controls, the destruction of physical media containing CHD, and monitoring access to
the physical infrastructure. Although Cisco’s VMDC can help with the protection of digital information, it is the
responsibility of those organizations implementing VMDC to validate that the components of the VMDC are physically
protected.
Regularly Monitor and Test Networks (Requirements 10 & 11)
Track and monitor all access to network resources and cardholder data: This control essentially deals with requirements
around logging appropriate information, monitoring logs for anomalous activity, and the correct configuration of
Network Time Protocol (NTP). Cisco’s VMDC seamlessly ties into Splunk, which is a powerful Security Information and
Event Management (SIEM) platform. Splunk can assist organizations in meeting the requirements around logging and
monitoring logs. Furthermore, the devices that make up Cisco’s VMDC can send their logs to a SIEM, which will help
facilitate this control. Additionally, this requirement stresses proper NTP configuration, and all the devices within
Cisco’s VMDC can be configured to sync with a particular NTP server of the organization’s choice.
Regularly test security systems and processes: Cisco’s VMDC can help with meeting a number of the controls in this
requirement around File Integrity Monitoring, and Intrusion Detection/Prevention Systems (IDS/IPS). Splunk can be
configured to monitor logs for changes to particular files on a particular system. When changes are made to these files,
an alert can be sent to the organization, so that the appropriate organizational resources are able to review the alert
and respond accordingly. Additionally, this PCI requirement lists controls mandating the implementation of an IPS/IDS.
Part of Cisco’s VMDC network infrastructure includes Sourcefire, which is an industry leader in Intrusion Detection,
and/or Prevention. During this assessment, SecureState reviewed Sourcefire, and verified that it can be configured for
monitoring the network for particular patterns that are indicative of attacks/hacking attempts, block files which contain
signatures of malware, and block access to well-known malicious websites.
Maintain an Information Security Policy (Requirement 12)
Maintain a policy that addresses information security for employees and contractors: This requirement discusses an
organization’s policies and procedures. Although it is obvious that Cisco’s VMDC cannot help with defining policies and
procedures, in some cases it can help with facilitating a particular policy or procedure. For example, this section contains
requirements around an organization’s incident response plan (IRP). Organizations may be able to use Sourcefire and
Splunk for detecting attacks, and for alerting appropriate individuals when these attacks are detected. Thus, Sourcefire and
Splunk are key to detecting potential attacks and compromises which would cause the IRP to be enacted.
Achieving PCI Compliance
Organizations can achieve PCI compliance through a variety of means and solutions. First, organizations should contact
their acquiring bank or processor in order to determine which particular requirements they must comply with.
Requirements are largely dependent upon the volume of cards the organization processes annually, and the way these
cards are processed, stored, and/or transmitted. In some cases, the organization only needs to complete a
Self-Assessment Questionnaire (SAQ), but in other cases the organization might be required to have an assessor (internal or
external) review their security program in order to verify it meets PCI’s security requirements around protecting CHD.
In these cases, the assessor will interview the appropriate individuals within the organization, and review the appropriate
configurations, processes, and documentation. If the organization is able to demonstrate that it meets all of the PCI
requirements, then the organization will be issued a Report on Compliance (RoC) and an Attestation of Compliance (AoC).
Consequently, the organization will be deemed compliant for the year by its acquiring bank or processor.
For further information, refer to the VMDC Cloud Security 1.0 Design guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html