This is the final article in a three-part series on Illumio ASP for PCI DSS compliance. Part 1 introduces a joint Illumio/Protiviti research project. Part 2 discusses the challenges in PCI segmentation and scoping and how Illumio can help.
PCI DSS compliance has been around for more than 10 years. Networking and firewalls have been in use in corporate data centers for much longer and covered entities have relied on these technologies to segment their PCI environments and reduce their compliance and audit burdens. Today’s data center environments are more complex, abstracted, and distributed. The techniques and technologies utilized by bad actors have also evolved. As a result, we continue to see reports of high-profile data breaches. QSAs continue to issue findings on critical PCI scoping and segmentation errors, on failures to properly isolate the CDE and connected systems traffic, and for having networks that are too flat.
Part 2 of this blog series, PCI DSS Scoping and Segmentation: Challenges and Solutions, highlights how changes in the data center and in the payment infrastructure and ecosystem present hurdles in accurately scoping and effectively segmenting PCI environments. These challenges include:
- How to improve visibility in the data center and the PCI ecosystem, especially in changes in the “connected to/security impacting” systems so that you can maintain an accurate inventory of in-scope PCI systems.
- How to maintain segmentation security parity in response to changes in the cardholder data environment (CDE) and connected systems.
- How to reduce the compliance and audit burden.
- How to mitigate the risks from having a flat network through effective security segmentation.
- How to enable security segmentation of the internal environment without having to re-architect your networking infrastructure.
- How to enable security segmentation of your East-West traffic while avoiding death by data center and virtual firewalls.
Illumio ASP offers real-time visibility into the connections and flows across workloads, and helps organizations maintain an accurate inventory of systems that are in scope for PCI and ensure that their firewall rules are up to date. By moving security controls closer to the host, PCI-covered entities can realize PCI obligations and lower audit burdens without having to deal with the risks and costs of re-architecting the networking environment. They can secure their PCI environment without having to deal with the cost and ongoing management associated with deploying more data center firewalls and virtual firewalls inside their data centers. Firewalls are great for protecting your perimeter. But do you really want to deal with firewalls to control your complex East-West traffic?
To enable successful implementation and deployment of Illumio for their PCI environment, we recommend PCI-covered entities partner closely with their QSA in designing their segmentation architecture.
Your PCI segmentation design should also take into account the following issues:
- Organizational and process issues such as identifying key stakeholders, third-party partners and services in the PCI ecosystem, and how this impacts the governance of roles and segregation of duties. For example, which functional roles are allowed to create and update policies? How does one ensure that there is separation of duties between those that create policies vs. functional groups that provision security vs. internal audit vs. external audit? Is there a well-defined workflow for designing the micro-perimeters, creating policies, and then approving and provisioning policies?
- Security tags, labels, policy governance, and workflow automation and how these are influenced by the entities’ asset discovery and asset management tools, and enterprise architecture decisions. For example, consider an entity is that using CMDB, VMware vCenter as the asset system of record, and Palo Alto Networks for perimeter and DMZ firewalls. Each of these tools has its own tags and labels structure. How can the entity normalize the tags and labels across these tools to help streamline policy management for security segmentation?
- Networking and enterprise architecture and the entity's plans to balance network and application performance vs. security objectives. If the entity has a combination of brownfield and greenfield environments, as well as a multi-cloud data center architecture, are there ways to decouple security segmentation from networking to meet both security and network resiliency/performance goals? How does one maintain security parity as workloads move across these environments?
- Integration with IT operations, ITSM, security (such as SIEM and cloud security), cloud management, DevOps, and compliance tools to automate and orchestrate key IT ops and security workflows such as workload provisioning, security provisioning, incident and threat response, etc. How does the entity ensure that security is able to keep up with changes in the data center? Will the security segmentation solution support the DevOps environment? Does the solution integrate with CI/CD tools?
Illumio partnered with Protiviti, one of the world’s leading Payment Card Industry Qualified Security Assessors (PCI QSA), to observe how the Adaptive Security Platform can assist organizations in meeting their PCI DSS requirements. The outcome of this collaboration includes the white paper, The Illumio Adaptive Security Platform – Supporting PCI DSS Requirements. This document maps Illumio’s abilities to support, potentially meet, or be enabled as a compensating control for 8 of the 12 PCI DSS 3.2.1 requirements. If you're a PCI customer, you and your QSAs should view the findings and considerations provided in this report as a starting point for evaluating how Illumio ASP can enable and support PCI DSS compliance in your own environment.