Adaptive Segmentationmicro-segmentation September 10, 2015

Compliance Through a Different Lens

Dana Torgersen,

While the impacts of recent cyberattacks, high-profile data leaks, and compromised personally identifiable information (PII) are still being understood, credit card data breaches continue to plague enterprises. Unfortunately, 2014 was a watershed year for credit card theft as hundreds of millions of cards were stolen in a variety of attacks against organizations that took (or processed) payments from their customers. For many enterprises, these breaches occurred despite the fact these organizations took steps to protect this crucial data.

Compliance Through a Different Lens

The Payment Card Industry Data Security Standard (PCI DSS) is a best-practices security framework detailing the minimum steps organizations should take to help protect cardholder data. The framework is just that—it offers hundreds of requirements and recommendations, but the details in implementing the right security for the cardholder environment is the enterprise’s responsibility. IT and compliance teams are often under pressure to meet regulatory requirements, simplify audits, and repel sophisticated attacks in the face of a much more dynamic computing environment.

Dynamic environments make compliance difficult

Today’s modern, distributed computing environments are spread across different infrastructures, including private data centers, hybrid clouds, and public clouds. Due to the dynamic, flexible nature of these environments, PCI DSS compliance becomes increasingly difficult for enterprises to achieve and maintain. For example, changes in a company’s payment application, workload locations, development environments, and even organizational changes (like M&A activities) can all disrupt security efforts. Most businesses also face the following challenges when addressing PCI requirements:

  • Architectural limitations: Traditional security devices (e.g., firewalls, IDS/IPS) rely on static, error-prone security rules built using network constructs (e.g., IP addresses, subnets, VLANs, security zones) that are inflexible to application movements, workload additions, or decommissions.
  • Lack of visibility into the cardholder data environment (CDE): When preparing for audits, organizations have to manually create network topology diagrams using stacks of NetFlow data to understand the layout of their CDE—all of which requires updating the instant applications are changed in any way.
  • Manual change processes: Changes to workloads or applications inside the CDE requires updates to the fixed security policies already in place, often taking weeks to implement. Application developers complain that security change controls are an “act of congress” due to manual policy updates, network configuration changes, and time-consuming approvals.
  • Inconsistent security policies: Organizations deploying workloads in public clouds are forced to construct divergent security architectures and policies from the ones already implemented in their on-premises data center.
  • Platform dependencies: Legacy network or hypervisor-based workloads (e.g., bare-metal physical servers, VMs running on assorted hypervisors) create different security dependencies, making it difficult for organizations to apply uniform security controls.

Organizations often invest in multiple security technologies and techniques to overcome the security gaps in their CDE. This frequently leads to force-fitting technologies that may not be right for the situation, like implementing internal firewalls to protect East-West traffic. Worst of all, the enterprise is unable to take advantage of better, cheaper computing strategies—like migrating to public clouds—due to security limitations.

"Ringfence" your applications

Illumio helps enterprises avoid the “paradox of the perimeter”—the tendency to spend the bulk of security dollars securing just the 20 percent of traffic that flows in and out of their enterprise. The Illumio Adaptive Security Platform (ASP)™ is designed to secure the 80 percent of traffic that occurs between workloads inside data centers and clouds. Illumio ASP enables enterprises to isolate, or ringfence, high-value applications—especially the system components and data contained within the CDE. It lets organizations apply security down to every single compute instance inside the CDE and easily maintain compliance with policies that automatically adapt to changes. Here are three key ways Illumio makes this possible:

  • Live traffic visibility: Illumio ASP’s Illumination feature enables organizations to see live traffic of applications both inside and outside of the CDE, regardless of their location. Traffic connections to and from the CDE are visually graphed, along with any policy violations and anomalous traffic.
  • Granular application segmentation: Illumio ASP isolates the CDE, including payment applications and databases, down to the individual workload and processes within the workloads—an industry first. The Enforcement capability uses whitelisting to only permit approved traffic in or out of the CDE and denies all other connections by default, stopping threats in their tracks.
  • Policy-based encryption of data in motion: Illumio ASP safeguards sensitive cardholder data while it is transmitted over open, public networks. The SecureConnect capability establishes instant encryption of data in motion (using IPsec) between any combination of Linux and Windows Server workloads with a single click.

Zoom in closer

Read more about applying adaptive security to meet PCI challenges, and see how Illumio can help you address a variety of PCI DSS 3.1 requirements before your next audit.

Watch Illumio's resident technologist Jimmy Ray Purser go deeper on compliance:

Check out this short demo to see Illumio ASP in action:


Adaptive Segmentationmicro-segmentation
Share this post: