How Embracing Micro-Segmentation Helps You Master PCI Compliance

The art of mastering PCI DSS compliance is primarily about defining the scope of compliance, meaning the perimeters of the Cardholder Data Environment (CDE) within the enterprise network. The goal is to isolate the CDE from the rest of the network, and to be able to prove to auditors that ‘out of scope’ assets are truly separate. These measures protect the CDE from unauthorized access, while ensuring that all access is accurately and comprehensively logged.

Defining the CDE by identifying every application, workload and data store it touches or encompasses can be a tough chore under the best of circumstances. In today’s virtualized, DevOps-managed environments, where clustering, dynamic provisioning of additional workloads and auto-scaling prevail, meeting PCI standards brings many new challenges. Keeping up with the payment card industry’s risk assessment guidelines has become a top priority for CISOs, yet many remain very concerned about maintaining compliance in hybrid cloud environments.

Taking the Leap

In the past, traditional segmentation techniques such as VLANs and firewalls prevailed. In today's complex environments, which span everything from on-premises to cloud and from legacy platforms to containers, these manually implemented techniques cannot isolate and segment at the points where protection is actually needed. On top of that, the dynamic nature of these environments makes such manual segmentation impossible to maintain. Micro-segmentation built to cover heterogeneous environments dynamically and seamlessly has stepped in as the means to isolate, segment and demonstrate PCI compliance.

Most companies perceive micro-segmentation as the platform-specific solution set found in earlier hypervisor firewalls and cloud security groups. Those were tied to individual platforms and enforced only down to the host, so covering one’s entire environment required multiple solutions. Nor did they reduce the attack surface, and hence risk, enough to justify deployment. Today’s micro-segmentation solutions aim to cover the entire heterogeneous environment with a single solution, simplifying management. Furthermore, they enforce down to the process (application) level, providing the maximum reduction in attack surface and therefore the maximum reduction in risk.

Compliance and a Fluid Security Posture

As every enterprise knows, PCI compliance imposes considerable pressure on organizations. Failure to meet the standards can mean heavy monetary penalties, liability exposure and other sanctions. Fortunately, PCI compliance offers the perfect opportunity to embrace micro-segmentation, because PCI compliance is precisely a matter of isolating the CDE from the rest of the network. At its very foundation, segmentation is an inherent and unavoidable part of PCI compliance. So it really comes down to either performing it on an ad hoc and unprincipled basis, or taking advantage of the regulatory requirements to fully embrace the benefits of micro-segmentation.

First, you want deep real-time and historical visibility into all network assets and application dependencies, down to the process level. Furthermore, you need a solution that makes labeling easy.

Labeling is accomplished through automated ingestion of metadata from the various orchestration platforms and of CMDB data, supplemented by manual and dynamic labeling methods. A flexible policy engine then lets you define and enforce policies of whatever type you wish to create, with those labels as the building blocks.

This means being agile enough to address the fluidity of virtualized infrastructure and containerized environments, while at the same time delivering complete isolation of the CDE and meeting the numerous other requirements of PCI compliance.

Integrating a security solution that employs micro-segmentation can be a powerful tool that provides unparalleled control over the traffic across your hybrid IT ecosystem. Let us review how micro-segmentation helps remove the stress of keeping up with the latest compliance issues in hybrid cloud environments.

Micro-Segmentation Helps Reduce PCI Risk

One of the challenges of achieving PCI compliance in the cloud is proving that systems marked as out of scope are really separate from the cardholder data. A good micro-segmentation tool with sophisticated labeling functionality lets you examine the PCI environment and inspect flows and communications in granular detail. You can even drill down to specific protocols at the process level, which gives you an unprecedented degree of control. Such accurate, dynamic mapping of your entire data center and network gives you granular, real-time visibility of precisely where changes are happening within the CDE.

Rich visibility into the flow of traffic is at the top of any auditor's list and provides two distinct benefits: it shows the assessor that you have a strong understanding of the data and access paths in your network, and it demonstrates that you can automatically detect a threat or breach if the worst happens.

Set Policies and Rules for Cardholder Data

One of the greatest advantages of micro-segmentation is intelligent rule design that protects you in the event of a breach and also helps you refine and strengthen your compliance policies for safeguarding cardholder data. Setting and enforcing strict compliance rules through a flexible policy engine is essential. These can be higher-level best-practice rules that secure larger segments, complemented by more specific rules for individual micro-segments.
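To make the label-driven policy engine described above concrete, here is a small added illustration (not code from the article or from any vendor's product): labels are merged from two constructed sources, an orchestration feed and a CMDB, and each flow is then judged first against process-level micro-segment rules and then against the segment-level rule that nothing else may cross the CDE boundary. The audit function returns the cross-boundary evidence an assessor would ask for. All host names, labels, rules and flow records are made up for the example.

```python
# Added illustration, not code from the article or any vendor: a toy label
# store and a two-tier policy engine. Everything below is constructed.

# Labels from two sources: orchestration metadata, and the CMDB, which is
# treated as the authority on PCI scope.
ORCHESTRATION = {
    "web-01": {"app": "storefront", "env": "prod"},
    "pay-01": {"app": "payment-api", "env": "prod"},
    "db-01": {"app": "card-vault", "env": "prod"},
    "ci-01": {"app": "build", "env": "dev"},
}
CMDB = {"pay-01": {"pci_scope": "cde"}, "db-01": {"pci_scope": "cde"}}

# Process-level rules: (src app, src process, dst app, dst process, dst port).
MICRO_RULES = {
    ("storefront", "nginx", "payment-api", "payment-svc", 8443),
    ("payment-api", "payment-svc", "card-vault", "postgres", 5432),
}

# Constructed flow records, as a flow-visibility feed might report them.
FLOWS = [
    {"src": "web-01", "src_proc": "nginx", "dst": "pay-01", "dst_proc": "payment-svc", "port": 8443},
    {"src": "pay-01", "src_proc": "payment-svc", "dst": "db-01", "dst_proc": "postgres", "port": 5432},
    {"src": "ci-01", "src_proc": "psql", "dst": "db-01", "dst_proc": "postgres", "port": 5432},
    {"src": "db-01", "src_proc": "rsync", "dst": "web-01", "dst_proc": "rsyncd", "port": 873},
    {"src": "web-01", "src_proc": "curl", "dst": "ci-01", "dst_proc": "artifact-srv", "port": 8080},
]

def build_labels(*sources):
    """Merge per-host labels; later sources win. Unmarked hosts are out of scope."""
    labels = {}
    for source in sources:
        for host, attrs in source.items():
            labels.setdefault(host, {"pci_scope": "out"}).update(attrs)
    return labels

def evaluate(flow, labels):
    """Process-level rule first; otherwise nothing may cross the CDE boundary."""
    src, dst = labels[flow["src"]], labels[flow["dst"]]
    key = (src["app"], flow["src_proc"], dst["app"], flow["dst_proc"], flow["port"])
    if key in MICRO_RULES:
        return "allow", "process-level rule"
    if src["pci_scope"] != dst["pci_scope"]:
        return "deny", "crosses CDE boundary with no process-level rule"
    return "allow", "stays inside one segment"

def audit_cde(flows, labels):
    """Every flow touching a CDE host with its decision: the evidence that
    shows which cross-boundary traffic was observed and which was blocked."""
    return [(f["src"], f["dst"], *evaluate(f, labels)) for f in flows
            if "cde" in (labels[f["src"]]["pci_scope"], labels[f["dst"]]["pci_scope"])]
```

Running `audit_cde(FLOWS, build_labels(ORCHESTRATION, CMDB))` lists the four flows that touch a CDE host, two of them denied; the dev-to-vault and vault-to-web flows are exactly the kind of evidence that an out-of-scope system is, or is not, truly separate.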

A Comprehensive Solution

Meeting PCI compliance regulations for highly valuable, mission-critical applications can be a major undertaking. Ideally, you will choose a micro-segmentation solution that offers deep visualization capabilities for setting policies around specific applications and for preventing unauthorized process-level communications. A comprehensive solution would give you built-in threat intelligence, the flexibility to define which types of behavior are allowed, and the forensics to determine whether a threat is real.

The dynamic nature of hybrid environments gives you the agility you need to keep pace with development while fulfilling all regulatory obligations. A powerful micro-segmentation solution will help you get there.
