The Payment Card Industry Data Security Standard (PCI DSS) applies to any merchant or service provider that plays a role in credit card payment processing. First introduced in 2004, its primary purpose is to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
Meeting PCI DSS standards requires implementing many security controls that cover several categories. In addition, today’s applications and network environments are increasingly complex, spanning many machines and, in many cases, different infrastructure types, technologies and even physical locations. This can mean meeting and constantly verifying requirements puts a significant burden on organizations.
Network segmentation and PCI DSS scoping
Segmentation can help organizations meet several of the technical requirements demanded by PCI DSS and, most importantly, dramatically reduce its scope in an environment, cutting compliance costs and effort significantly. By default, the cardholder data environment (CDE) and any connected systems are subject to PCI DSS compliance according to the PCI Security Standards Council (SSC). However, by isolating a system so it can not communicate with any other component within the compliance environment, ensuring it can’t compromise CDE security, an organization can remove it from the PCI DSS scope.
To accurately scope what applications and network environments PCI DSS applies to, IT security and compliance teams will need to understand where workloads are located in the CDE at any given time. They also need to maintain a current list of all system components and prove that no non-compliant communications occur between assets.
Third-party user segmentation and PCI DSS compliance
Allowing vendors to have 24/7 access into a network or blanket administrative privileges if they need to support systems dramatically increases the chances of unauthorized access and introduces unnecessary risk. A bad actor is always more than happy to exploit an always-available external entry point into your network or overly permissive privileges.
Today’s security best practices call to limit users’ access based on context and identity, and PCI DSS extends this to third-party users as well. With PCI DSS, organizations are required to manage IDs used by third parties to access, support or maintain system components via remote access as follows:
- Enable only during the time period needed and disabled when not in use.
- Monitor when in use
Robust user segmentation can help organizations easily meet this specific requirement, and implementing it will improve access control overall.
Why legacy methods aren’t good enough
Many companies try traditional network segmentation methods, such as using legacy firewalls or VLANs. While these are a step in the right direction, improving access control both internally and externally, there are challenges. For example, PCI DSS requires controls across the CDE. Even placing a firewall can be difficult as putting firewalls between two containers, or two VMs, on the same hypervisor may require an entirely different set of technologies and APIs.
Also, with these approaches, changing your segmentation policies to secure an asset or take it out of scope means changing your infrastructure. This often involves lots of coordination across teams in a data center, setting an alarm clock for a middle-of-the-night change window or maybe even downtime for critical business activities. It’s a little easier in the cloud, but even then, organizations still sacrifice a lot of the agility and seamlessness that makes the cloud so appealing.
Then, even if you manage to work through all of that complexity, you’re locked into the original infrastructure. So if you want to do something like move an e-commerce application workload from the data center to a cloud platform, get ready to scrap all of your segmentation efforts so far and start over again to ensure compliance and appropriate security controls extend to the new environment.
With traditional methods, visibility is also a common issue as well. Even if progress is made, a lack of real-time and historical data about east-west traffic means businesses can often struggle to prove that the systems they have deemed out of scope are separate from their CDE. This is especially true when dynamic boundaries are part of their IT infrastructure.
What is network microsegmentation?
While the benefits of microsegmentation address many security and compliance use cases, one of the most useful is reducing the scope of regulations like PCI DSS.
A software-based microsegmentation solution enables companies to apply security controls to workloads no matter where they are in an environment — on-premises, in the cloud or a hybrid IT ecosystem. This allows IT security teams to control communications at the process or identity level, which is much more effective than static approaches, such as IP address restriction, communication protocol restriction, port restriction and application-level restriction.
In addition, many compliance regulations expect organizations to have accurate visibility to validate their compliance. Traditionally, companies have had decent visibility into north-south traffic, which moves between client and server. But, the ability to monitor and extend security controls to east-west traffic is something many lack. However, the right microsegmentation solution can address this. It can enable organizations to demonstrate compliance with real-time and historical data easily.
Steps for implementing microsegmentation for PCI DSS
As more organizations shift workloads to the cloud and need to manage hybrid infrastructures, regulated assets move from compliant enclaves to new environments where they are often only non- or partially compliant. Maintaining compliance in a heterogeneous environment is task enough for many security teams, but managing compliance-driven security controls, especially using physical network segmentation or traditional firewalls, is ineffective and expensive across multiple infrastructures. This can mean meeting and constantly verifying PCI DSS requirements puts a significant burden on organizations. Below are a few steps IT and security teams can take to simplify and accelerate segmentation with these microsegmentation best practices.
Remove the blindfold
Focus on gaining visibility across all of your applications and environments before you worry about how to layer segmentation on top of them. Only after you understand dependencies and the communication patterns between the full inventory of regulated assets can you accurately scope and create policies that enforce compliance.
Don’t be a plumber
Leave infrastructure dependency behind. This makes it possible to create and manage policies without changes or downtime. Not only is this much faster and easier, but it also leaves you with one set of policies that can run anywhere. If you move a workload from the data center to the cloud, its policies can move along with it. When you think about it, enterprise IT infrastructure has seen tremendous innovation and change in recent years and security and compliance approaches that lack agility will cost you in the long run.
Rather than thinking about IP addresses and ports, it’s best to think about meeting your compliance and security needs in terms of abstractions, such as production application servers connecting to production databases or finance users connecting to billing applications. This will allow you to clearly define your requirements and build effective security policies that are precise. Use meaningful attributes like processes, user identity, or the fully qualified domain names a user or application is trying to communicate within a session when defining security controls.
Get a good watchdog
PCI DSS compliance isn’t a “set it and forget it” kind of initiative. The final step is to monitor how effectively your segmentation policies are continuously performing and monitor for non-compliant behavior. On-premise data centers, cloud environments, and the regulations governing them are changing all of the time, so what worked yesterday might not be optimal today. Additionally, if you can see threats and even possible breaches in the context of your segmentation policies, you’ll not only be able to respond to security incidents and compliance violations quickly – you’ll also be able to fortify your segmentation policies based on the latest threat activity.