Lower PCI Audit Cost and Mitigate Lateral
Movement Risk with Effective Segmentation
PCI DSS compliance is hard. Qualified Security Assessors (QSAs) continue to issue findings about segmentation errors. Reports about high profile data breaches via lateral movement attacks are still common. If your organization is using traditional segmentation methods like data center firewalls and VLANs to secure East-West traffic in your PCI environment, these are your challenges:
- How to lower the audit burden and prevent lateral movement attacks due to PCI scoping and segmentation errors.
- How to keep track of change and automatically adapt the applicable firewall rules – at scale.
- How to avoid the cost and management complexity associated with using networking/SDN and data center firewalls to segment internal traffic.
Segmentation is not a PCI requirement. But accurate scoping and effective security segmentation will help lower your audit burden. It also reduces your attack surface. The Illumio Adaptive Security Platform® (ASP) delivers a host-based, compute infrastructure-agnostic solution for segmenting your PCI environment’s East-West traffic, while avoiding the cost and management complexity of networking/SDN and data center firewalls.
Reduce your PCI audit burden by eliminating segmentation errors
Poor visibility leads to scoping and segmentation errors, which in turn lead to higher PCI compliance and audit program costs. Illumio ASP enables you to identify the PCI system components, detect for the changes in connections across the CDE and connected systems or security impacting systems, and then automatically update the applicable firewall rules. The result? Your inventory of PCI system components is accurate. Your PCI firewall rules are more precise and up to date. You reduce friction with your QSA and lower your overall compliance and audit cost.
Avoid the cost and complexity of data center firewalls
You struggle with keeping your firewall rules up to date in response to changes in connections across the CDE and connected systems or security impacting systems. But you do not want to re-architect your networking environment and deploy more data center firewalls to secure your East-West PCI traffic.
Illumio ASP enables you to decouple segmentation from networking. You can apply the appropriate segmentation granularity – from coarse-grained to process-based segmentation – by programming each host’s native Layer 3/Layer 4 stateful firewall.
Reduce PCI attack surface without breaking applications
Your QSA finds that malicious actors can take advantage of compromised connected system components to breach your CDE. These compromised components provide critical services to the entire organization so you need to make sure that your firewall rules will not break your applications.
With Illumio ASP, you identify an attacker’s potential attack pathways. You can apply the appropriate level of granularity – from environment to applications, application tier, and processes. You are also able to test policies before enforcement, thus avoiding the risk of breaking production applications. Illumio will enable you to reduce the exploitable workloads and minimize the dwell time. You can also use Illumio to monitor and detect for policy deviations and failed connection attempts in addition to blocking traffic that violates policies.
"We had a compliance need which required us to enable firewalls on approximately 500 internal systems within a 3-month period. Without the ability to map and visualize traffic ahead of setting up firewall policies for these systems, we would not have been able to achieve the goal within the timeline."Read More
Supporting PCI DSS Requirements: An Illumio/Protiviti Research Project
Download white paperSolution brief
Effective Segmentation and Mapping Illumio ASP to PCI 3.2.1 Controls
Download solution briefCustomer story
Leading eCommerce Retailer Achieves PCI Compliance in Record Time with Illumio
Download customer story