Virtualization and PCI VMware and Tenable Webinar Allen Shortnacy Jeff Man

Page 1

Virtualization and PCI

VMware and Tenable Webinar

Allen Shortnacy

Jeff Man

Page 2

slide 2 of 44 Copyright © 2014 - Tenable Network Security

Today’s Speakers

Allen Shortnacy - Allen Shortnacy is a Partner Architect in VMware's Global Strategic Alliances organization focused on improving automation of infrastructure partner solutions with the VMware product portfolio and broader go to market strategies. In addition, Allen is a subject matter expert in VMware’s Compliance Reference Architecture program where he supports validations of VMware and partner ecosystem configurations to help customers achieve regulatory compliance for business critical applications running in a VMware vCloud Suite environment.

Jeff Man – Jeff Man is Tenable’s Product Marketing Manager focused on PCI solutions. He has more than 30 years of experience working in all aspects of computer, network and data security, including risk management, vulnerability analysis, compliance assessments and attack and penetration testing. Prior to joining Tenable, Jeff served as a certified QSA, most recently with AT&T Consulting Services. In this role he provided PCI consulting and advisory services to some of the nation’s best known brands. Earlier in his career, Jeff held security research, management and product development roles with the NSA, DOD and private-sector enterprises.

Page 3

PCI DSS V2.0 to V3.0

Changes, Clarifications, Guidance, New Requirements

Page 4

“New” Theme – Business As Usual

1. Monitoring of security controls to ensure they are operating effectively and as intended.

2. Ensuring that all failures in security controls are detected and responded to in a timely manner.

3. Review changes to the environment prior to completion of the change, and:

• Determine the potential impact to PCI DSS scope.

• Identify PCI DSS requirements applicable to systems and networks affected by the changes.

• Update PCI DSS scope and implement security controls as appropriate.

4. Formal review of the impact to PCI DSS scope based on organizational changes.

5. Periodic reviews and communications to confirm that PCI DSS requirements are in-place and personnel are following secure processes.

6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS.

Page 5

What’s New in PCI DSS v3.0

“New” Requirements:

– 6.5.10: Address broken authentication and session management coding vulnerabilities

– 8.5.1: Service providers with remote access to customer premises must use unique credentials per customer

– 9.9: Physical inspection for POI devices to detect tampering or substitution

– 11.3: Implement a methodology for penetration testing

– 12.9: Service providers acknowledge in writing they are responsible for CHD they transmit, process, store, or could impact security of the data or CDE

Page 6

What Else is New

• Self-Assessment Questionnaires (SAQs) have expanded from 5 to 9 versions

• Expanded SAQs include “expected testing”

• Merchants with E-commerce websites that outsource (redirect) payment processing to a third party are now required to prove the security of their own website (including ASV scanning)

• Multiple submissions allowed for evidence of quarterly vulnerability scanning

Page 7

Which SAQs Require ASV Scanning

SAQ Version | ASV Scanning Required
SAQ-A: Card-not-present; all cardholder functions outsourced | NO
SAQ-A-EP: Partially outsourced e-commerce; payment processing by third party | YES
SAQ-B: Imprint, stand-alone, or dial-out terminals | NO
SAQ-B-IP: Stand-alone, IP-connected PTS POI terminals | YES
SAQ-C: Payment application systems connected to the Internet | YES
SAQ-C-VT: Web-based virtual payment terminals | NO
SAQ-D (Merchant/Service Provider) | YES
SAQ-P2PE-HW: HW-based PCI-listed P2PE solution | NO

Page 8

Expected Testing (More Than a Checkbox)

Page 9

Brief History

PCI and Virtualization Technologies

Page 10

Brief History

• Virtualization not specifically addressed until PCI DSS v2.0, October 2010

– Virtualization technologies are in scope for PCI

– Separate virtual instances allowed to meet 2.2.1

• PCI SSC released “PCI DSS Virtualization Guidelines” v2.0, June 2011

– Supplemental information

– Does not replace or supersede PCI DSS

Page 11

PCI DSS Scoping

“The PCI DSS security requirements apply to all system components. In the context of PCI DSS, ‘system components’ are defined as any network component, server, or application that is included in or connected to the cardholder data environment. ‘System components’ also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.”

Page 12

PCI DSS Req. 2.2.1

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers and DNS should be implemented on separate servers.)

Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

Page 13

PCI DSS Virtualization Guidelines

• Hypervisor creates new attack surface

• Virtual environment misconfigurations and vulnerabilities

• More than one function per physical system

• Mixing VMs of different trust levels

– Creating a virtual CDE

– Segmentation

• Immaturity of monitoring solutions

• Assessing risk in a virtual environment

• Vulnerability management

• What are industry/security best practices?
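The scoping definition, Requirement 2.2.1 and the “mixing VMs of different trust levels” point on the preceding slides can be turned into a check an assessor or admin can script. The following is an added example, not code from the webinar, VMware or Tenable. It walks a constructed inventory of VMs, the vSwitches they attach to and the hypervisors they run on, seeds scope with every component that stores CHD, and propagates scope across every connection; the assumption made here is that a shared vSwitch or a shared hypervisor counts as “connected to the CDE” because no segmentation controls are modelled. It then flags in-scope VMs that run more than one primary function.

```python
"""
Added example (not from the webinar, VMware or Tenable): a toy scoping check
for a virtualized cardholder data environment.

Two rules from the slides are applied to a constructed inventory:
  * "system components" include virtual machines, virtual switches and
    hypervisors, and anything connected to the CDE is in scope;
  * Requirement 2.2.1: one primary function per virtual system component.

Assumption made here: a VM is "connected" to another through a shared virtual
switch or a shared hypervisor and no segmentation controls exist, so scope
propagates over both kinds of link (the conservative reading of "mixing VMs
of different trust levels").
"""
from collections import deque

# Constructed inventory, not a real environment. Hypervisors and vSwitches are
# implied by the VM records and become graph nodes of their own.
INVENTORY = {
    "vm-db-01":  {"host": "esxi-01", "switches": ["vs-cde"],           "functions": ["database"],        "stores_chd": True},
    "vm-app-01": {"host": "esxi-02", "switches": ["vs-cde", "vs-dmz"], "functions": ["app"],             "stores_chd": False},
    "vm-web-01": {"host": "esxi-01", "switches": ["vs-dmz"],           "functions": ["web", "dns"],      "stores_chd": False},
    "vm-dns-01": {"host": "esxi-02", "switches": ["vs-corp"],          "functions": ["dns"],             "stores_chd": False},
    "vm-hr-01":  {"host": "esxi-03", "switches": ["vs-hr"],            "functions": ["web", "database"], "stores_chd": False},
}


def build_graph(inventory):
    """Undirected adjacency: VM <-> hosting hypervisor and VM <-> each attached vSwitch."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for name, vm in inventory.items():
        graph.setdefault(name, set())
        link(name, vm["host"])
        for switch in vm["switches"]:
            link(name, switch)
    return graph


def in_scope_components(inventory):
    """Seed scope with every component that stores CHD, then walk all connections."""
    graph = build_graph(inventory)
    seeds = [name for name, vm in inventory.items() if vm["stores_chd"]]
    scope = set(seeds)
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in scope:
                scope.add(neighbour)
                queue.append(neighbour)
    return scope


def req_2_2_1_findings(inventory):
    """In-scope VMs running more than one primary function (web + DNS, web + DB, ...)."""
    scope = in_scope_components(inventory)
    return sorted(
        (name, vm["functions"])
        for name, vm in inventory.items()
        if name in scope and len(vm["functions"]) > 1
    )


if __name__ == "__main__":
    scope = in_scope_components(INVENTORY)
    for component in sorted(build_graph(INVENTORY)):
        print(f"{component:10s} {'IN SCOPE' if component in scope else 'out of scope'}")
    for name, functions in req_2_2_1_findings(INVENTORY):
        print(f"2.2.1 finding: {name} runs {', '.join(functions)}")
```

Running it shows the scope creep the guidelines warn about: vm-dns-01 sits on a corporate vSwitch and never touches cardholder data, yet it lands in scope because it shares esxi-02 with vm-app-01, and vs-corp comes in with it. vm-hr-01 also runs two primary functions but is not reported, because it is on its own hypervisor and switch and so falls outside scope; whether that is acceptable is exactly the segmentation question an assessor will ask.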

Page 14

VMware AND PCI

VMware technologies and strategies

Page 15

Compliance Reference Architecture Framework

What’s In the Framework?

Page 16

Compliance Capable/Audit Ready Architecture

[Diagram: Requirements → Controls → Capabilities → Architectures. Regulations, Standards, Best Practices feed Common Control Frameworks; these map to Infrastructure Capabilities (Access Control, Segmentation, Remediation, Automation, Policy Management, Audit); these are realised as Reference Architectures (Product Applicability, Architecture Design, Auditor Validated Reference Architecture) for a Regulated Zone on VMware vSphere.]

Page 17

Compliance Capable/Audit Ready Architecture

VMware Compliance Reference Architecture Framework

[Diagram of the three-step framework. (1) Product Applicability: standards, frameworks and technology guidance, producing VMware Technology Partner Product Applicability Guides (NSBU, MBU, EUC, Core; Converged Infrastructure). (2) Architecture Design: VMware and infrastructure partners, 3rd-party audit validated, producing Compliance Reference Architectures. (3) Auditor Validated Reference Architecture: a joint reference architecture, 3rd-party validated solution. Audit Partners and Technology Partners contribute at each step.]

Page 18

Compliance Reference Architecture Methodology

How is it Created?

Page 19

Compliance Use Case “Lenses”

[Diagram of five lenses: Remediation, Automation, Audit/Policy, Privileged User Control, Segmentation.]

Page 20

Compliance Regulations

HIPAA, HITECH, FISMA, FedRAMP, CJIS, FINRA, FFIEC, PCI DSS

Page 21

Technology Solution Categories – Compliance Capabilities

[Diagram of solution categories, each marked in the legend as VMware Provided, VMware Enabled, or Partner Provided (VMware Partner Eco-system): DLP, Encryption, BCDR, Anti-Virus/Endpoint Protection, Firewall, AAA/Identity and Access, Multi-Factor AuthN, File Integrity Monitor, IPS/IDS, SIEM, Penetration Testing, Vulnerability Assessment, Patch Mgmt, Config Mgmt, DB/App Monitor.]

Page 22

Compliance Reference Architecture Methodology

Dynamic Composition with Line of Sight

• Technology Partner Choice

• Regulation Independent Use Case Controls

• Regulatory Specificity for Audit

• Process Methodology for Delivery and Maturity

Page 23

Compliance Reference Architecture Technologies

Combining the Right Multi-Vendor Solution

Page 24

SDDC Approach for Micro-Segmentation

[Diagram: the Internet behind perimeter firewalls; two physical hosts, each running a hypervisor with a vSwitch and several VMs; a Cloud Management Platform pushes one Security Policy to every hypervisor.]

• Hypervisor-based, in-kernel distributed firewalling

• Platform-based automated provisioning and workload adds/moves/changes

Page 25

Trading Off Context and Isolation

[Diagram: the Software Defined Data Center (SDDC) platform sits between any application (Application, OS) and any x86, any storage, any IP network (Data Center Virtualization). Traditional approach: enforcement at the endpoint gives high context but low isolation; enforcement at the vSwitch gives high isolation but low context; neither gives ubiquitous enforcement.]

Page 26

The Hypervisor is the Security “Goldilocks Zone”

[Diagram, same layers: network and security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing.]

Page 27

SDDC – Delivering Context and Isolation

[Diagram, same layers: the SDDC approach combines high context (secure host introspection at the endpoint) with high isolation (vSwitch) to give ubiquitous enforcement.]

Page 28

Security Extensibility in the Guest

[Diagram: Hypervisor, OS and Application layers, with Vulnerability Management hooked in at the guest.]

Gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.

Page 29

Automate Security Response to Reach ‘Safe’ States

[Diagram: an if/then policy table. ATTRIBUTE (if): virus found (IIS.EXE); vulnerability found (old software version); sensitive data found on a VM tagged “PCI”. ACTION (then): quarantine VM with firewall; restrict access while investigating OR monitor VM with IPS; allow & encrypt*.]

Automated detection of security conditions (virus, vulnerability, etc.)

Security policies define automated actions

Security operations are automated and adapt to dynamic conditions
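The micro-segmentation slide (page 24) and the if/then table above describe one mechanism from two sides: firewall rules attached to VMs rather than to IP addresses, and detections that change a VM's attributes so that the same rules produce a different outcome. The following is an added example, not VMware's or Tenable's code, that models both in one place. Rules match on security tags, are evaluated for every VM whichever host it is on, and a detection event only adds a tag; the VMs, rule set and events are constructed, and the pairing of attributes with actions is my reading of the slide (virus → quarantine with firewall; vulnerability → restrict and monitor with IPS; sensitive data on a “PCI” VM → allow and encrypt), with the non-PCI sensitive-data branch an assumption of mine.

```python
"""
Added example (not VMware's or Tenable's code): a toy model of tag-driven
micro-segmentation with automated response, combining the "SDDC Approach for
Micro-Segmentation" and "Automate Security Response" slides.

Firewall rules are written against security tags instead of IP addresses and
are evaluated for every VM regardless of which host it runs on, so changing a
VM's tags is enough to change its effective policy. The VMs, rules and events
below are constructed; the event-to-action mapping is my reading of the
slide's if/then table.
"""
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: set = field(default_factory=set)


# Distributed firewall rules: (priority, src_tag, dst_tag, service, action).
# "any" matches every tag or service; the matching rule with the lowest
# priority number wins; the last rule is the default deny.
RULES = [
    (10, "any", "quarantine", "any", "deny"),          # nothing reaches a quarantined VM
    (10, "quarantine", "any", "any", "deny"),          # ... and it reaches nothing
    (20, "secops", "restricted", "any", "allow"),      # investigators/IPS may still reach it
    (21, "any", "restricted", "any", "deny"),
    (21, "restricted", "any", "any", "deny"),
    (30, "web", "app", "tcp/8443", "allow"),
    (31, "app", "pci-db", "tcp/5432", "allow"),
    (1000, "any", "any", "any", "deny"),
]


def _matches(tag, vm):
    return tag == "any" or tag in vm.tags


def decide(src, dst, service, rules=RULES):
    """First matching rule by priority decides the flow; default deny."""
    for _prio, src_tag, dst_tag, svc, action in sorted(rules, key=lambda r: r[0]):
        if _matches(src_tag, src) and _matches(dst_tag, dst) and svc in ("any", service):
            return action
    return "deny"


def respond(vms, event):
    """Apply the if/then table: a detection changes tags, the firewall does the rest."""
    vm = vms[event["vm"]]
    kind = event["event"]
    if kind == "virus_found":
        vm.tags.add("quarantine")
        return "quarantine_with_firewall"
    if kind == "vulnerability_found":
        vm.tags.add("restricted")
        return "restrict_and_monitor_with_ips"
    if kind == "sensitive_data_found":
        if "pci" in vm.tags:                 # CHD on a VM already inside the CDE
            vm.tags.add("encrypt")
            return "allow_and_encrypt"
        vm.tags.add("restricted")            # assumption: CHD outside the CDE is scope creep
        return "restrict_and_investigate"
    raise ValueError(f"unknown event type: {kind}")


def isolated(vm, vms, services=("tcp/8443", "tcp/5432", "tcp/22")):
    """True when no other VM can reach vm, or be reached by it, on the listed services."""
    for other in vms.values():
        if other is vm:
            continue
        for svc in services:
            if decide(other, vm, svc) == "allow" or decide(vm, other, svc) == "allow":
                return False
    return True


def build_lab():
    """Constructed three-tier card-processing lab plus a security operations host."""
    vms = [
        VM("vm-web-01", {"web"}),
        VM("vm-app-01", {"app"}),
        VM("vm-db-01", {"pci-db", "pci"}),
        VM("vm-secops-01", {"secops"}),
    ]
    return {vm.name: vm for vm in vms}


if __name__ == "__main__":
    lab = build_lab()
    print("web->app before:", decide(lab["vm-web-01"], lab["vm-app-01"], "tcp/8443"))
    print(respond(lab, {"vm": "vm-web-01", "event": "virus_found"}))
    print("web->app after: ", decide(lab["vm-web-01"], lab["vm-app-01"], "tcp/8443"))
    print("web isolated:", isolated(lab["vm-web-01"], lab))
```

Two design points carry over to a real distributed firewall. The quarantine rules sit at the lowest priority number so that no later application rule can override them, and the "restricted" state deliberately leaves a hole for the secops tag so that the IPS or investigator still has a path in; the `isolated` check is the kind of assertion a change-review or continuous-monitoring job would run after every policy push to confirm the VM actually reached the intended safe state.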

Page 30

TENABLE AND PCI

Tenable Solutions and Strategies

Page 31

How Tenable Works With VMware

Provides Vulnerability Management

• Active scanning detects all virtual machines

• Vulnerability scanning

Proves Secure Implementation according to Best Practices

• Configuration audits for ESX, ESXi, vSphere, vCenter

• Continuous monitoring assures secure configurations, current patches, vulnerability mitigation

Page 32

BUT WAIT THERE’S MORE!

Page 33

Where the World is Headed

• ~10 billion devices growing to 15 billion by 2015

• Increased cloud, mobile, and virtualization technologies

• Increasingly blurred lines between trusted and untrusted

• Increased threat from insiders and automated attacks

• Increased security awareness from the general public and government law makers

Page 34

Product Suites

Page 35

Mapping Tenable Solutions

• PCI DSS Challenges

– Customers must apply PCI DSS requirements to all in-scope system components comprising numerous technologies

– Virtualization adds complexity to this process, especially in hosted, cloud environments

• Tenable solutions validated by Coalfire, a VMware partner, for applicability to PCI DSS v3.0

• Applicability to PCI DSS independent of environment

Page 36

Tenable Solutions and PCI DSSv3

PCI DSS Requirement | Number of PCI requirements | Nessus Enterprise Cloud | Nessus Vulnerability Scanner | Passive Vulnerability Scanner | SecurityCenter Continuous View | Total number of controls met or augmented by Tenable
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 35 | – | 8 | 13 | 21 | 21
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 32 | – | 14 | 14 | 14 | 14
Requirement 3: Protect stored cardholder data | 44 | 1 | 1 | 2 | 2
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 11 | 3 | 6 | 7 | 7 | 7
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs | 11 | 5 | 4 | 6 | 6
Requirement 6: Develop and maintain secure systems and applications | 42 | 13 | 14 | 10 | 14 | 14
Requirement 7: Restrict access to cardholder data by business need to know | 10 | 7 | – | 7 | 7
Requirement 8: Identify and authenticate access to system components | 43 | – | 13 | 19 | 19
Requirement 9: Restrict physical access to cardholder data | 44 | – | – | – | 1 | 1
Requirement 10: Track and monitor all access to network resources and cardholder data | 41 | – | 3 | 2 | 23 | 23
Requirement 11: Regularly test security systems and processes | 36 | 6 | 12 | 4 | 16 | 16
Requirement 12: Maintain a policy that addresses information security for all personnel | 47 | 2 | 2 | 5 | 8 | 8
Requirement A: Shared hosting providers must protect the cardholder data environment | 8 | – | – | – | 2 | 2
TOTAL | 404 | 30 | 85 | 60 | 140 | 140

Page 37

Advantages of Continuous Network Monitoring

• Real-time reporting/dashboards that monitor firewall rule changes, network traffic flows, system configurations, anti-virus/malware solutions, patch levels, access controls, user authentication, user account parameters

• Active monitoring of network traffic to identify CHD flows, detect unencrypted CHD transmission, preserve the integrity of the CDE, indicators of compromise (malware)

• Enterprise-wide vulnerability management in real time

• Event logging, monitoring, review, and correlation
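The second bullet, identifying CHD flows and detecting unencrypted CHD transmission, is the part of passive monitoring that maps most directly to Requirement 4. The following is an added example, not Tenable's Passive Vulnerability Scanner code, of the core of such a detector: a PAN pattern match followed by a Luhn check to discard look-alike numbers, run over constructed flow records. The flow tuples, the use of a TLS flag as the "encrypted" signal, and the payload strings (which use widely published test card numbers, not real accounts) are all assumptions of this example; a real sensor would reassemble streams and infer encryption from the protocol rather than trust a flag.

```python
"""
Added example (not Tenable's PVS code): detecting cardholder data in cleartext
network flows, as described on the "Advantages of Continuous Network
Monitoring" slide.

Flow records and payloads below are constructed; the card numbers are the
publicly documented test numbers, not real accounts.
"""
import re

# Constructed flow records: (src, dst, dst_port, tls, payload).
FLOWS = [
    ("10.1.1.10", "10.1.2.20", 8443, True,  "POST /pay pan=4111111111111111"),    # PAN, but encrypted
    ("10.1.1.10", "10.1.3.30", 80,   False, "GET /order?id=1234567890123456"),     # 16 digits, fails Luhn
    ("10.1.1.11", "10.1.3.30", 80,   False, "card=4111 1111 1111 1111&exp=1229"),  # cleartext PAN over HTTP
    ("10.1.1.12", "10.1.4.40", 25,   False, "Subject: refund 5555555555554444"),   # cleartext PAN over SMTP
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run (which would be a hash, an ID or a timestamp, not a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Candidate PANs in text that survive the Luhn check, separators stripped."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """First six and last four only (the PCI DSS masking rule): never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chd_flows(flows):
    """Every flow carrying a Luhn-valid PAN, with the PAN masked and its encryption state."""
    findings = []
    for src, dst, port, tls, payload in flows:
        pans = find_pans(payload)
        if pans:
            findings.append({"src": src, "dst": dst, "port": port,
                             "encrypted": tls, "pans": [mask(p) for p in pans]})
    return findings


def unencrypted_chd_flows(flows):
    """The subset that violates the 'encrypt transmission' requirement."""
    return [f for f in chd_flows(flows) if not f["encrypted"]]


if __name__ == "__main__":
    for f in chd_flows(FLOWS):
        state = "encrypted" if f["encrypted"] else "CLEARTEXT"
        print(f"{f['src']} -> {f['dst']}:{f['port']} {state} {f['pans']}")
```

Two details matter in practice. The Luhn check is what keeps order numbers and similar 16-digit values from flooding the alert queue, and the detector masks every PAN before it is stored or displayed, because a monitoring system that writes full PANs into its own logs has just expanded the CDE to include itself.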

Page 38

Tenable Network Security Platform

[Diagram: Nessus® Enterprise Cloud, Nessus® Vulnerability Scanner, PVS™ Passive Vulnerability Scanner and LCE™ Log Correlation Engine feed events into SecurityCenter™.]

Page 39

Continuous Network Monitoring

DISCOVER

Discover All Assets
• Physical/Virtual
• Mobile/Cloud

Configurations
• Network ACLs
• File/apps Access
• Users/groups/roles
• Priv. IDM/SSO

Device Relations
• Trust Relations
• Internal comms
• External traffic

ASSESS

Known Vulns.
• Unpatched systems
• Misconfigured devices
• Vulnerability scans
• Asset-based scans

Known Threats
• Signatures/hashes
• 3rd Pty threat Intel.
• Blacklists/whitelists

Complex Threats
• Cross-correlation
• Pattern Recognition
• Network flows, file xfers
• Spikes, botnet activity

REPORT

Network Forensics
• Statistical anomalies
• Behavioral anomalies
• Network proxies

Host Forensics
• Failed DNS queries
• Failed logins
• Crowd surges
• Processes/registry

Log Correlation
• Query filters
• Pivot & drill-down
• Dynamic watch-lists
• Generate alerts

TAKE ACTION

Prioritized Risk
• List of Action Items
• Based on Analytics
• User/asset centric

Work Flows
• Send Notification
• Send Email
• Generate Trouble Tkts.

Automated Actions
• Launch Scans
• Invoke APIs

Requirements for Security

Page 40

Create Custom PCI Dashboards

Page 42

Have More Questions about PCI?

Tenable hosts a PCI Discussion Forum, moderated by Jeff Man, where anyone can ask questions related to any and all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly. I’m also happy to field questions/concerns from customers and prospects or join sales calls as time allows.

Straight Talk about PCI:

https://discussions.nessus.org/community/pci

Jeff Man

T: 443-545-2102 ext. 366

M:443-285-2561

[email protected]

To Contact VMware: [email protected]

Page 43

Questions?