Posts

5 Ways that PCI DSS Micro-Segmentation Can Help You Achieve Compliance

As regulations for compliance become increasingly stringent, the consequences for failing an audit go far beyond a bureaucratic headache. As well as damage to your public image, you could be subject to financial penalties and even a halt to your business operations altogether until safety measures have been put into place.

Relying on a security solution that employs micro-segmentation can be a powerful tool that provides unparalleled control over the traffic across your hybrid IT ecosystem. The right approach will be able to isolate and segment all applications, monitoring and routing all traffic, including east-west. By doing this, micro-segmentation can effortlessly check boxes for your compliance regulations, whether that’s PCI DSS, HIPAA, or others.

PCI DSS Micro-Segmentation through Separation of Zones

When it comes to PCI DSS, micro-segmentation can support you in reducing scope. The compliance regulations are very clear. “To be considered out of scope for PCI DSS, a system component must be properly isolated from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” A similar rule is found for HIPAA compliance, but this time regarding Protected Health Information (PHI).

It is likely that some systems can be physically separated from your CDE or PHI. In the past, firewalls could enforce network zones, as could virtual LANs with strong ACLs. However, more complex architectures such as cloud-based VMs or containers have made this difficult. Even simple compliance requirements, such as placing a firewall, become a challenge. Additionally, dynamic workloads mean you need granular visibility of where changes are happening within the CDE in real time. This has encouraged businesses to look for a solution that allows for continuous process-level or identity-level detail and control.

Ensuring that you have rich visibility into the flow of traffic is number one on the list for any auditor. This has two benefits. Firstly, it shows the regulatory board that you have a strong understanding of the data and access in your network. Secondly, it proves that you can automatically detect a threat or breach if the worst happens.

Reduced Impact of a Breach

Once you have established visibility, controlling traffic to isolate and resolve an attack should be next on the agenda. By starting with broad micro-segmentation policies and then creating more specific layers you can achieve the right balance between under- and over-segmenting your network. This should be done gradually, allowing you to gain the right amount of control without losing functionality and flexibility. Because the policies you build for micro-segmentation are application-aware, you can use them to enforce system access to specific regulated data, such as PHI for HIPAA compliance. Even if a breach happens at your perimeter, an attacker would not be able to move from an out-of-scope area to one that threatens your compliance posture. Companies that only focus on protecting the perimeter between external and internal systems are behind the times: if attackers get through the perimeter, the entire data center or network is up for grabs. For PCI DSS, micro-segmentation can provide a deeper level of security on all the important systems on your network. It can also stop attackers from making lateral moves within your network, pivoting from an out-of-scope area to one which can reach your CDE or PHI.

Another benefit for HIPAA or PCI DSS: micro-segmentation can help meet the requirement of maintaining a vulnerability management program. For this to work best, your solution needs to work in tandem with a strong breach detection and mitigation solution, protecting your systems against malware. Micro-segmentation works with the principle of least privilege, which is well suited to verticals like healthcare dealing with HIPAA compliance, where 70% of organizations cite employee negligence as the most worrying cause of breaches.

Another important element to keep in mind for compliance is having separate development and testing environments from production environments. Top tip: Make sure that scanning and auditing is done in a continuous cycle, not just periodically.

Locking Down Systems with PCI DSS Micro-Segmentation

PCI DSS dictates that more in-depth security features should be implemented for what it calls “insecure” services, daemons or protocols. An example of this could be using a VPN for file sharing. Using a flexible policy engine is an important element of a compliance-ready micro-segmentation approach. This can enable you to validate administrative access to each system, and to restrict specific protocols to use only with additional security measures.

Another element of compliance is ensuring that only one primary function can be implemented on each server. This means that functions with different security levels cannot be on the same server, preventing lateral moves from weaker entry points. By implementing PCI DSS micro-segmentation, process level policies can be enforced so that only necessary services are making connections, and only one secure function is implemented per server.

Logging all Systems and Mapping Vulnerabilities in PHI or PCI Micro-Segmentation

As well as showing that you’ve created zones in your network, nearly all compliance regulations will expect you to have visibility into the traffic that moves among them and the ability to log this information for later. Traditionally, companies have had visibility into north-south traffic which moves between client and server. The best approaches can now analyze and monitor east-west traffic, also known as server to server traffic, from within the data center itself. The policies that you define for your micro-segmentation approach can be used as documentation of your compliance, and the granular detail of east-west traffic serves as proof that you have a strong security posture that meets regulations.

Many businesses struggle to prove the systems that they have deemed out of scope actually are separate from their CDE or PHI, especially when dynamic boundaries are part of their IT infrastructure. If you choose a PCI micro-segmentation approach with labeling functionality, you can examine the PCI or PHI environments and inspect the flows and communications in granular detail. Filtering where necessary can allow you to drill down to specific protocols at process level, granting you unparalleled levels of control in comparison to traditional network segmentation.

Finding an All-Inclusive Solution for Compliance

There are many requirements for ongoing compliance, and companies will need to have various security controls in place to establish they are meeting the regulations of complex standards like PCI DSS or HIPAA. For example, when you’re employing PCI DSS micro-segmentation to meet regulations, you will need a distributed firewall to separate the CDE from other applications, as well as file integrity monitoring on your CDE itself. For mapping and documentation you’ll benefit from powerful process level visibility on traffic and data flows.

Lastly, and especially important in compliance-heavy industries like healthcare where attacks are so common, your micro-segmentation approach should integrate with tools that allow you to secure the environment and maintain overall vulnerability control. These could include powerful breach detection tools like honeypots and malware detection. Choose a solution that covers many requirements in one, and you’ll take on less risk and management overhead overall, simplifying the road to ongoing compliance.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

Learn more about micro-segmentation and PCI compliance.

Streamlining a Rolling PCI Compliance Process Within Your Organization

Compliance with PCI regulations is not a one-time job that you can complete, and then check off your list. According to Verizon, who publish their regular Payment Security Report, “80% of companies that passed their annual assessment failed a subsequent interim assessment, which indicates that they’ve failed to sustain the security controls they put in place.”

Any business that works with payment data recognizes the challenges involved with maintaining a PCI compliant data center. IT environments are becoming increasingly complex, with diverse and dynamic technologies that are constantly changing to best support customer needs and to provide competitive differentiation. Even small companies with relatively simple company structures still may have on-premise data centers, virtual backups, SaaS applications or IaaS in both the public and private Cloud, and payment information on physical machines or devices internally. Many of these go through regular application or organizational changes that disrupt your ability to be compliant, as they shift data and workloads to meet demand.

Additionally, PCI regulations are not static, they change as the industry learns more about security and as wider threats evolve. This obviously has an influence on the security tools your business needs. With all this to consider, how can you bring your organization on board for sustainable compliance?

Reduce the Scope

According to the PCI Security Standards Council (SSC), the cardholder data environment (CDE) and all connected systems are considered to be ‘in scope.’ In fact, a system component can only be ‘out of scope’ if it is unable to communicate with any other component within the compliance environment, and therefore cannot compromise the security of the CDE. It’s worth remembering that even isolated networks need to be documented in your compliance report. This definition makes it difficult to reduce scope, and thereby the number of elements you need to include in your annual assessment.

  • Tokenization: One way to go about the task of reducing scope is to reduce the data itself. Think about truncating or masking PAN (primary account number) data, which is rarely required in full, or consolidating the systems that store cardholder data, whether that’s hardware or software. Some companies replace PAN data with a fixed-length message digest or use tokenization, which allows this data to then be removed from scope. Point-to-point encryption is becoming more popular in order to remove the whole of merchant services from scope altogether.
  • Segmentation & Micro-segmentation: Another tactic is reducing scope using architecture. Traditionally, firewalls were used to create partitions and enforce network zones, while segmentation gateways were shown to improve access control both internally and externally. Virtual LANs with strong ACLs were shown to have the same effect. Everything changed with the advent of cloud-based and hybrid solutions, and today there is no such thing as a simple IT environment. While segregation can help reduce scope using a combination of methods such as IP address restriction, communication protocol restriction, port restriction and application-level restriction, micro-segmentation is garnering the most attention.
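The three data-reduction techniques named in the tokenization bullet (masking, truncation, and replacing the PAN with a fixed-length keyed digest) as an added Python example; this is illustrative code written for this page, not GuardiCore's product or any PCI-mandated implementation. The PAN is a well-known test number and the key is a constructed constant; in a real deployment the key would live in an HSM or key-management service outside the CDE.

```python
import hmac
import hashlib
import re

# Constructed test PAN (a widely used non-live test number), not data from the page.
SAMPLE_PAN = "4111111111111111"

# Assumption: the tokenization key normally lives in an HSM/KMS outside the CDE;
# here it is a fixed constructed value so the example runs offline.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"


def validate_pan(pan: str) -> str:
    """Accept only a digit string of plausible PAN length (13-19 digits)."""
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan


def mask_pan(pan: str) -> str:
    """Display form: everything but the last four digits replaced with '*'."""
    pan = validate_pan(pan)
    return "*" * (len(pan) - 4) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form keeping at most the first six and last four digits.
    The middle digits are discarded, so the stored value is no longer a PAN."""
    pan = validate_pan(pan)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Fixed-length, keyed digest usable as a lookup/join key without storing the PAN.
    A keyed digest (HMAC) is used rather than a bare hash because the PAN space is
    small enough that an unkeyed digest could be reversed by exhaustive search."""
    pan = validate_pan(pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def reduce_scope(pan: str, key: bytes) -> dict:
    """Return the three scope-reducing representations for one PAN."""
    return {
        "masked": mask_pan(pan),
        "truncated": truncate_pan(pan),
        "token": tokenize_pan(pan, key),
    }


if __name__ == "__main__":
    for name, value in reduce_scope(SAMPLE_PAN, SAMPLE_KEY).items():
        print(f"{name:10s} {value}")
```

Systems that hold only the masked, truncated or tokenized form never see the full PAN, which is what lets them be argued out of scope; the token alone cannot be turned back into the PAN without the key, so the key store is the component that stays in scope.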

Micro-segmentation supports your staff in working at a process or identity level, setting the rules you need to keep your network secure. As you control the flow of data from process to process, the idea of a breach is no longer catastrophic, as even in the worst-case scenario it is automatically isolated and easily resolved. The benefits are clear. As well as gaining deep visibility and wide coverage of your architecture, micro-segmentation limits its complexity, making continued compliance that much easier.
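A minimal process-level, default-deny policy evaluator as an added Python example of the zone and process rules described in this section and in the sections on locking down systems and proving out-of-scope separation above. It is illustrative code written for this page, not GuardiCore's policy engine; the zone labels, workloads, rules and flows are all constructed. Each flow produces a log line that can serve as the audit evidence the text refers to, and `scope_violations` flags any rule that would let an out-of-scope zone reach the CDE, which by the SSC definition quoted earlier would pull that zone back into scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str          # constructed labels: "cde", "connected" or "out-of-scope"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_process: str   # "*" matches any process
    dst_zone: str
    dst_process: str
    dst_port: int


@dataclass(frozen=True)
class Flow:
    src: Workload
    src_process: str
    dst: Workload
    dst_process: str
    dst_port: int


def _match(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule applies only when zone, process and port all line up on both ends."""
    return (
        rule.src_zone == flow.src.zone
        and _match(rule.src_process, flow.src_process)
        and rule.dst_zone == flow.dst.zone
        and _match(rule.dst_process, flow.dst_process)
        and rule.dst_port == flow.dst_port
    )


def evaluate(flow: Flow, policy: list) -> str:
    """Default deny: a flow is allowed only if some rule explicitly permits it."""
    return "ALLOW" if any(rule_matches(r, flow) for r in policy) else "DENY"


def scope_violations(policy: list) -> list:
    """Rules that let an out-of-scope zone reach the CDE contradict that label:
    a compromised out-of-scope host could then affect the CDE."""
    return [r for r in policy if r.src_zone == "out-of-scope" and r.dst_zone == "cde"]


def audit_line(flow: Flow, policy: list) -> str:
    """One flow-log line that doubles as compliance evidence."""
    verdict = evaluate(flow, policy)
    return (f"{verdict} {flow.src.name}[{flow.src.zone}]/{flow.src_process} -> "
            f"{flow.dst.name}[{flow.dst.zone}]/{flow.dst_process}:{flow.dst_port}")


# Constructed sample environment and policy (not from the page).
PAYMENT_API = Workload("pay-app-01", "connected")
CARD_DB = Workload("card-db-01", "cde")
BUILD_HOST = Workload("ci-runner-07", "out-of-scope")

POLICY = [
    Rule("connected", "payment-api", "cde", "postgres", 5432),
    Rule("cde", "*", "cde", "backup-agent", 22),
]

SAMPLE_FLOWS = [
    Flow(PAYMENT_API, "payment-api", CARD_DB, "postgres", 5432),  # intended path
    Flow(PAYMENT_API, "curl", CARD_DB, "postgres", 5432),         # same host, wrong process
    Flow(BUILD_HOST, "ssh", CARD_DB, "sshd", 22),                 # out-of-scope host reaching for the CDE
]


def verdicts(flows=SAMPLE_FLOWS, policy=POLICY) -> list:
    """Verdicts for a batch of observed flows, in order."""
    return [evaluate(f, policy) for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(audit_line(f, POLICY))
    relaxed = POLICY + [Rule("out-of-scope", "*", "cde", "postgres", 5432)]
    print("scope violations in relaxed policy:", len(scope_violations(relaxed)))
```

The second sample flow is the point of process-level rather than host-level segmentation: the payment host is permitted to reach the card database, but only through the payment service, so an unexpected process on that same host is denied and logged.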

Learn more about the benefits of Micro-Segmentation

Outsourcing for Compliance

Most enterprises have identified that while their environments continue to grow in complexity, their staffing size and skill sets remain somewhat static. There is a growing demand for qualified IT staff, and the growth in the workforce hasn’t kept up with the pace. Executives continue to complain about a shortage of skilled employees. In fact, a January 2018 research study by ESG showed 51 percent of respondents claimed their organization had a problematic shortage of cybersecurity skills.

Many enterprises have found that outsourcing specific components of their PCI strategy to Managed Security Services Providers is the right solution. In the right situations, outsourcing might help you reduce scope, or add tools that help maintain a compliant data center.

  • Security Outsourcing to MSSPs: PCI regulations include ensuring you have an up-to-date antivirus solution. Think also about SIEM/logging capabilities, file integrity monitoring, and vulnerability and patch management solutions. These are great examples of things that can be outsourced to competent MSSPs, effectively outsourcing compliance in an affordable and smart way that takes advantage of third-party expertise. Of course, antivirus solutions are not all created equal. Some options will provide an added layer of vulnerability management, helping you achieve compliance without you lifting a finger on your side. Look for MSSPs whose solutions check as many of the boxes as possible for you when it comes to technical requirements.
  • Other options for outsourcing include Storage, Processing and Handling, all of which can partially or completely remove cardholder data from your CDE, supporting your company in reducing scope.

Selecting a Comprehensive Platform Solution over Multiple Point Products

Comprehensive Platform Approach: Since multiple tool sets often lend themselves to confusion and complexity, we’ve seen a shift from enterprises selecting multiple point solutions to unifying, comprehensive platforms. A solution may provide adequate threat detection, for example, but does it also provide a distributed firewall, or response to breaches, from the same platform? Dynamic environments need a lot of attention, so using one platform instead of several to manage a whole area of compliance is invaluable when it comes to policy management and the proof process.

Continued Compliance Enhances Enterprise Security as a Whole

It’s important to facilitate an environment where compliance isn’t viewed as a hassle or even a hindrance but instead a part of having a healthy, vibrant, safe and secure enterprise. While it’s true that PCI compliance is not a be-all and end-all, these continued compliance checks when done correctly lend themselves to the improvement of the organization as a whole. Here are some examples where continued PCI compliance lends itself to overall enterprise comprehensive health:

  • Flow Visualization: If you can access a visual map of all application workloads in granular detail, you can use working towards PCI compliance to uncover underlying security issues. Proper visualization could catch ineffective oversight mechanisms, organizational silos, wasted resources, or poor architecture design. Lack of data compromises security integrity. In addition to sustaining compliance, maintaining process-level visibility keeps an accurate tab on the state of your overall security.
  • Set Policies and Rules for Cardholder Data: Intelligent rule design can protect you in case of a breach, but also helps you refine and strengthen your compliance policies. Setting and enforcing strict compliance rules using a flexible policy engine is essential. These can be higher-level best practices for security when considering larger segments, and then more specific rules for micro-segments. Of course, these need to work across your entire Network, including in hybrid environments.
  • Reduce Complexity and Maintain Control: Simplify your IT architecture with business process corrections and investment in new hardware or software, reducing costs for the business. Using a single platform for visualization, micro-segmentation, and breach detection means you don’t have to fear becoming more vulnerable to attacks or less compliant to regulations.
  • Detailed Forensics: The immediate benefits of compliance may not always be clear. Continuous monitoring and sharing of detailed actionable analytics of breach detection or resolution can improve security posture and increase awareness and appreciation of these efforts among your staff. This creates an environment where data protection and compliance are shown to have true value.

Sustainable Compliance Needs Dedication

Ensuring that your security supports continued compliance doesn’t happen without work. All areas of the business need to be on board, from business strategists to customer call representatives. Simplifying your business process through reducing scope, outsourcing, selecting comprehensive platforms over multiple point solutions and understanding how continuous PCI compliance positively affects the health of your enterprise security overall will help make it an integral part of your company culture.

Complying with the SWIFT Security Controls Framework May Be Harder Than You Think

In my previous blog I briefly explained the new SWIFT regulations framework that will come into force on January 1st, 2018. In this blog I will focus on what is required to meet the first SWIFT requirement: “Restrict Internet Access & Protect Critical Systems from General IT Environment”. I will also explain how GuardiCore can help in complying with these requirements faster, more simply and in a more robust and maintainable way.


Beware of SWIFT Customer Security Controls Framework

In March 2017 SWIFT published its new Customer Security Controls Framework to the community. This is the first time SWIFT has published such security guidance, and it announced that it will start auditing compliance with those requirements from January 2018, leaving SWIFT users (roughly any financial institution in the world) only a few months to take action. Organizations that are found to be non-compliant will be listed in a specific directory, letting all other users of SWIFT know that this counterparty may not be safe to do business with. In practice this means that any respectable financial institution will have to make the effort to comply with the new regulations.
