Illumio Blog
July 11, 2019

PCI Scoping and Segmentation: Challenges and Solutions

Vivian Tero,

This article is the second of a three-part series on Illumio ASP for PCI DSS compliance. Part 1 introduces a joint Illumio/Protiviti research project. Part 3 will cover best practices and design considerations for implementing Illumio ASP for PCI compliance.

 

The ability to accurately scope and segment your PCI environment is a critical first step of an effective and sustainable PCI compliance program. The PCI Standards Council published the "Information Supplement: Guidance for PCI DSS Scoping and Segmentation" to help organizations identify the systems that are in scope for PCI DSS; and also offers considerations for using segmentation to reduce the number of systems in scope for PCI DSS controls. Executing these activities is not always easy for many organizations.

Today’s data centers are increasingly complex and dynamic, challenging your organization’s ability to accurately scope and effectively segment its PCI environment and to maintain compliance.

Here are some of the key trends that contribute to PCI visibility and control challenges:
  • Workloads are running on different types of compute environment, including containers and across geographically dispersed data centers and public clouds.
  • PCI ecosystems of third-party cloud applications such as e-commerce platforms, ordering systems, customer loyalty programs, the acquiring bank, and credit card networks.
  • Core infrastructure and security are delivered as shared IT services to PCI and non-PCI systems.
  • Use of multiple payment platforms, payment devices, and kiosks, including both legacy and new technologies.

These developments in an enterprise data center present the following PCI challenges:
  • How to identify and keep track of the system components that make up the cardholder data environment (CDE), the systems that connect to the CDE (also known as “connected systems”), and the out-of-scope systems. Organizations need this information in order to right-scope their PCI environment. An overly broad scope results in a more costly PCI compliance and audit program. If the scope is too narrow, the organization increases its exposure to an audit failure and/or a data breach.

  • How to enable fast, easy, and cost-effective segmentation of system components that are in scope for PCI. Today’s data centers need security segmentation to move closer to the hosts. But how does one do that without significant investments in time and resources, and without re-architecting the networking and SDN architecture? For example, if PCI workloads are migrated between ESXi to Hyper-V, or change location between on-premise to AWS or Azure, your organization must have real-time visibility into these changes, and then automatically recalculate and adjust the applicable firewall rules so that security policies follow the PCI workloads.

  • How to segment internal traffic without having to deal with the risks and costs associated with deploying more data center firewalls and virtual firewalls. Your QSA and internal audit and security teams have agreed on the urgent need to segment your internal traffic for PCI compliance, specifically those that address shared services and out-of-scope systems. Your team has investigated or even tried using your existing networking architecture and deploying more data center and virtual firewalls. Your team concluded that these approaches do not scale and requires significant ongoing investments.

Illumio Can Help

Customers can use Illumio's Adaptive Security Platform (ASP) to accurately scope and effectively segment its PCI environment. The list below highlights some examples on how Illumio ASP can be used to enable PCI compliance.

Scoping the PCI environment
  • The real-time application dependency map, Illumination, visually shows the connections and flows across workloads, authorized third-party cloud services that make up your organization’s PCI ecosystems, authorized wireless devices and kiosks that are authorized to connect to your CDE, and the list of applications and workloads that indirectly connect to the CDE via the shared services components.
  • Create unmanaged workloads and virtual services in the Policy Compute Engine (PCE) to identify the authorized third-party cloud services and authorized devices that connect to the CDE via wireless networks.

Segmentation of the internal data center
  • Avoid re-architecting your networking architecture to enable more fine-grained internal segmentation. Segmentation is enforced by programming the native Layer 3/Layer 4 stateful firewall of each host. In Windows, it’s Windows Filtering Platform; in Linux Oracle Solaris and AIX, it programs the iptables. Illumio ASP uses a whitelist default-deny model so that connections between workloads are only allowed if there is an existing policy.
  • Illumio ASP is compute infrastructure agnostic and programs the firewall rules across heterogeneous compute resources – bare-metal servers, virtual machines, public cloud, private cloud instances, and containerized hosts.
  • Illumio ASP utilizes the historical connections and flows as a baseline to automatically calculate and recommend the applicable firewall rules. You can model and test policies before full enforcement to ensure that new and updated firewall rules will not break applications.
  • Segment and secure traffic between the CDE and authorized connected systems, between the CDE and authorized third-party cloud services, and between the CDE and authorized devices over wireless networks with process-based segmentation.

Reporting and auditing on the PCI scope and segmentation
  • Search the PCE historical traffic database to create an inventory of CDE and connected system components during the audit period and identify changes.
  • Search the PCE for the inventory of the policies and firewall rules that apply to the CDE and connected systems during the audit period.
  • Run a report on blocked traffic, potentially blocked traffic, and allowed traffic to validate that segmentation policies were enforced.

Illumio partnered with Protiviti, one of the world’s leading Payment Card Industry Qualified Security Assessors (PCI QSA), to observe how the Adaptive Security Platform can assist organizations in meeting their PCI DSS requirements. The outcome of this collaboration includes the white paper, The Illumio Adaptive Security Platform – Supporting PCI DSS Requirements. This document maps Illumio’s abilities to support, potentially meet, or be enabled as a compensating control for 8 of the 12 PCI DSS 3.2.1 requirements. If you're a PCI customer, you and your QSAs should view the findings and considerations provided in this report as a starting point for evaluating how Illumio ASP can enable and support PCI DSS compliance in your own environment.

Topics: cybersecurity

Share this post: