Nearly two years ago, I was lucky enough to join the Illumio team as Federal Product Manager. The first order of business was to acquire the necessary product certifications required by the federal government, including FIPS 140-2 and GSA Section 508 compliance. Recently, the Illumio Adaptive Security Platform (ASP) achieved another important government security certification called Common Criteria. With this certification, Illumio became the first enterprise security vendor to be certified with conformance to the National Information Assurance Partnership (NIAP) Standard Protection Profile for Enterprise Security Management, Policy Management v2.1, which focuses on access control policy definition and management.

This article was originally published on cyberdefensemagazine.com.

Over the past couple years, we’ve all heard of varying degrees of cyber-attacks being carried out on political campaigns, cities and towns, hospitals, and – perhaps not surprisingly – financial institutions. What I find the most interesting about these incidents is two-fold: that organizations are still leveraging traditional or outdated cybersecurity approaches in an era where cyberattacks have become so incredibly complex, and also how people, organizations, and governments respond and learn from them. I believe the former can be addressed much more quickly than we all think, but the latter unfortunately seems to be lagging behind.

By now we’re all aware of the breach at Capital One, which affected nearly 106 million U.S. and Canadian residents, due to an attacker bypassing a web application firewall (WAF) Capital One was using as part of its operations in the cloud. In a nutshell, the attacker was able to trick the WAF into sharing credentials with access to Capital One’s AWS operations, thus leading to the data breach. The WAF possessed excessive permissions – enough to view and copy information behind it in AWS S3 buckets.

Specifically, consensus has emerged that this is a Server-Side Request Forgery (SSRF) attack. Our aim here is not to conduct an attack post-mortem but rather think about how to best move forward. For a thorough, digestible review of the attack, please read Brian Krebs' excellent write up.

PCI DSS compliance has been around for more than 10 years. Networking and firewalls have been in use in corporate data centers for much longer and covered entities have relied on these technologies to segment their PCI environments and reduce their compliance and audit burdens. Today’s data center environments are more complex, abstracted, and distributed. The techniques and technologies utilized by bad actors have also evolved. As a result, we continue to see reports of high-profile data breaches. QSAs continue to issue findings on critical PCI scoping and segmentation errors, on failures to properly isolate the CDE and connected systems traffic, and for having networks that are too flat. 

The ability to accurately scope and segment your PCI environment is a critical first step of an effective and sustainable PCI compliance program. The PCI Standards Council published the "Information Supplement: Guidance for PCI DSS Scoping and Segmentation" to help organizations identify the systems that are in scope for PCI DSS; and also offers considerations for using segmentation to reduce the number of systems in scope for PCI DSS controls. Executing these activities is not always easy for many organizations.