Live Visibility and Segmentation for PCI DSS Compliance

Most organizations spend the bulk of security investments protecting network and data center perimeters, but the inside of a firm’s data center—where the cardholder data environment (CDE) resides—may be left relatively flat, making these environments highly susceptible to lateral movement attacks by bad actors. Scoping and segmenting the system components of a CDE can be very challenging, especially as data centers become more dynamic. The inability to view CDE system components, including the traffic flowing in and out of them, makes it difficult to fully comply with PCI DSS.


To tackle these challenges, organizations are adopting a Zero Trust or least-privilege security strategy. The Illumio Adaptive Security Platform® (ASP) is a foundational component of this strategy. Illumio ASP provides live visibility into traffic within CDEs, externally facing applications and systems that connect into the CDE, and applications that are shared services between CDEs and non-CDEs. This visibility enables organizations to effectively scope covered systems for PCI DSS, design and execute micro-segmentation policies for compliance, map an attacker’s potential pathways for reaching the CDE, and employ micro-segmentation to significantly reduce the attack surface across both CDEs and non-CDEs.


Illumio ASP prevents the spread of breaches by delivering real-time application dependency mapping and micro-segmentation. Enterprises use Illumio to achieve and demonstrate PCI DSS compliance.


Benefits

Reduce CDE attack surface without breaking applications

Illumio ASP enables an organization to identify PCI data, visualize the data flows, identify connections with non-CDEs and shared services, and then use policy modeling to test policies before enforcement, all without breaking production applications. Organizations can monitor for and detect policy deviations and failed connection attempts, as well as block or constrain traffic that violates policies. Integration with third-party tools helps automate security operations workflows.


Facilitate collaboration across application owners, security, compliance, internal audit, and QSA

Illumio ASP provides real-time visibility into the connections and traffic flows across CDEs, non-CDEs, and shared services. Internal and external stakeholders use this information to effectively scope CDEs, design a strategic blueprint for micro-segmentation, and facilitate compliance testing and audits.


Apply the applicable level of enforcement across heterogeneous compute environments

Illumio ASP delivers a single control plane for architecting and operationalizing security microperimeters across bare-metal servers, virtual machines, clouds, containers, load balancers, and switches, and mitigates the risks of a flat network. Security teams can program the native enforcement points to apply the relevant level of enforcement—from environmental segmentation (coarse-grained) to process-level controls (fine-grained).


Enhance vulnerability and patch management

Illumio ASP overlays third-party vulnerability scan data with an application dependency map to identify an attacker’s potential pathways. Organizations use this information to prioritize patching strategies and employ micro-segmentation as a compensating control when patching is not an option.
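The workflow described under "Reduce CDE attack surface" and "Enhance vulnerability and patch management" (find flows crossing into the CDE, model a policy before enforcing it, then overlay scan findings to rank exposed paths) is illustrated below as an added example; it is not Illumio code, and the workload names, labels, ports, flow records and finding counts are all constructed.

```python
# Added example (not Illumio code): model a CDE segmentation policy against
# observed flows and rank unmodeled paths into the CDE by scan exposure.

# Constructed workload labels; "scope" marks CDE, non-CDE and shared services.
WORKLOADS = {
    "web-01": {"role": "web", "scope": "cde"},
    "db-01":  {"role": "db",  "scope": "cde"},
    "crm-01": {"role": "crm", "scope": "non-cde"},
    "ad-01":  {"role": "dir", "scope": "shared"},
}

# Proposed allowlist as (source role, destination role, destination port).
# This is the policy being modeled; nothing here enforces it.
POLICY = [
    ("web", "db", 5432),   # web tier may reach the card database
    ("web", "dir", 636),   # web tier may query the shared directory
    ("crm", "dir", 636),   # CRM may also query the shared directory
]

# Constructed flow records as (source, destination, destination port).
FLOWS = [
    ("web-01", "db-01", 5432),
    ("crm-01", "db-01", 5432),   # non-CDE host reaching the card database
    ("web-01", "ad-01", 636),
    ("crm-01", "web-01", 22),    # admin-style access into the CDE, not in policy
]

# Constructed scan overlay: workload -> number of open findings (placeholder values).
SCAN = {"db-01": 2, "web-01": 0, "crm-01": 1, "ad-01": 0}


def is_allowed(src, dst, port):
    """True if some policy rule covers this flow, matched on roles and port."""
    rule = (WORKLOADS[src]["role"], WORKLOADS[dst]["role"], port)
    return rule in POLICY


def cde_boundary_flows(flows):
    """Flows entering CDE scope from a non-CDE or shared workload (scoping step)."""
    return [f for f in flows
            if WORKLOADS[f[0]]["scope"] != "cde" and WORKLOADS[f[1]]["scope"] == "cde"]


def model_policy(flows):
    """Flows the proposed policy would block; reported, not enforced (test mode)."""
    return [f for f in flows if not is_allowed(*f)]


def rank_exposed_paths(flows, scan):
    """Would-be-blocked flows into the CDE, most findings on the destination first."""
    paths = [f for f in model_policy(flows) if WORKLOADS[f[1]]["scope"] == "cde"]
    return sorted(paths, key=lambda f: scan.get(f[1], 0), reverse=True)


if __name__ == "__main__":
    for f in rank_exposed_paths(FLOWS, SCAN):
        print(f"{f[0]} -> {f[1]}:{f[2]}  findings on dst={SCAN[f[1]]}")
```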