Using Cisco’s VMDC to help facilitate PCI compliance

June 20, 2014

Gary McCully

Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC.


Synopsis

This whitepaper discusses how Cisco’s Virtualized Multiservice Data Center (VMDC) validated architecture can help organizations reduce their scope for PCI, and help them reach and/or maintain PCI compliance.

Table of Contents

Introduction
  VMDC
  SecureState
Who Needs to be PCI Compliant?
What are the Current Challenges?
PCI DSS Goals and Requirements
How VMDC Can Help
  Build and Maintain a Secure Network (Requirements 1 & 2)
  Protect Cardholder Data (Requirements 3 & 4)
  Maintain a Vulnerability Management Program (Requirements 5 & 6)
  Implement Strong Access Control Measures (Requirements 7, 8, & 9)
  Regularly Monitor and Test Networks (Requirements 10 & 11)
  Maintain an Information Security Policy (Requirement 12)
Achieving PCI Compliance


Introduction

Cisco’s Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that VMDC utilizes greatly assists service providers in creating a network which satisfies clients with various security needs.

In order to evaluate the ability of Cisco’s VMDC network topology to facilitate PCI compliance on behalf of the clients that implement this blueprint, Cisco had SecureState analyze the VMDC topology against the PCI Data Security Standard (DSS) 3.0 control set. Previously, SecureState evaluated earlier versions of the VMDC topology against PCI DSS version 2.0. All organizations that store, process, and/or transmit credit card data (known as cardholder data, or CHD) are required to comply with PCI, and PCI DSS version 3.0 officially goes into full effect on January 1, 2015. Cisco’s VMDC architecture provides a number of controls which can either be directly configured to meet specific DSS 3.0 requirements, or can be implemented in order to help fulfill a particular component of the overall control.

VMDC

The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching technologies, network services, data center and cloud security, automation, and integrated solutions with those of Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:

- Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuance
- Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated architecture, helping enable technology adoption and rapid deployment
- Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence
- Increased flexibility: Enables rapid, on-demand workload deployment in a multitenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities
- Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors

The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI) together with other architectural components such as infrastructure abstraction, orchestration and automation, assurance, and integrated services and applications, as shown below, provides comprehensive guidelines for deployment of cloud infrastructure and services at multiple levels.


SecureState

SecureState is a management consulting company specializing in information security and compliance services. We believe in a different approach to security which guides our clients as partners, from their CurrentState (CS) to their DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with clients at the CS, performing assessments to understand the security posture of the organization as it is constructed today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the DS and ultimately a managed SecureState (SS).

In terms of understanding PCI, SecureState provides these services to various organizations that are required to achieve and/or maintain PCI Compliance on a consistent basis, assisting organizations in identifying their CurrentState of compliance with PCI and assisting them to achieve their DesiredState and SecureState.


Who Needs to be PCI Compliant?

All organizations that store, process, or transmit CHD are required to be compliant with PCI. However, not all organizations are required to meet the same number of controls. Control requirements are based on the annual volume of credit card transactions, and the way these credit cards are processed, transmitted, and/or stored. In some cases, the organization is even allowed to self-assess for PCI Compliance. Organizations that process over six million transactions per year must have an annual assessment completed by a Security Assessor (an independent third party or internal resource which has been approved by the PCI Security Standards Council).

Organizations can use segmentation to limit the scope of their Cardholder Data Environment (CDE), which will make the task of achieving and maintaining PCI compliance much easier. By adequately segmenting the CDE from the rest of the internal network, many of the PCI controls will only apply to this subset of systems. In fact, one of the best features of Cisco’s VMDC is its ability to utilize various technologies in order to achieve segmentation (e.g. Access Control Lists, VLANs, multiple Sourcefire security contexts, virtual firewalls, etc.). Additionally, organizations can further reduce the scope of their PCI environment by implementing any of the following technologies: secure redirects, point-to-point encryption, and/or tokenization. In the context of PCI, less truly is more; that is, the fewer systems that come into contact with CHD, and the fewer places CHD is stored, the easier it will be to achieve and/or maintain compliance.

What are the Current Challenges?

1. Scope. By far, the greatest challenge that most organizations face when trying to achieve PCI compliance is the scope of the CDE. The scope of the CDE consists of all systems that transmit, store, and/or process CHD, all systems that can affect the security of those systems, and all systems that are not adequately segmented from those systems. In many cases, the organization’s entire internal network comes into scope for PCI, because adequate segmentation is not in place. In large organizations, this makes the process of achieving and/or maintaining PCI compliance practically impossible. Since all controls would need to be applied to every system on the network, all systems would need to be appropriately hardened, monitored, patched, etc. One system that has not been appropriately locked down could affect the compliance status of the entire organization. In organizations with hundreds, or even thousands, of systems, it is almost impossible to ensure that all of the relevant controls have been applied to every single system in scope.

2. User Account Management. Many organizations are able to manage Windows domain accounts through the use of Active Directory (AD), but accounts associated with network infrastructure, local administrator accounts, Linux and/or Unix system accounts, Mainframe accounts, etc., must also comply with PCI requirements (i.e., password complexity, password minimum length, password history, etc.). Applying all of these controls to each account can be a daunting task, and it is easy to miss devices within the CDE which have accounts that must comply with specific PCI requirements.

3. Device Hardening. All systems and applications in the CDE must be adequately locked down, using some industry accepted security hardening standard. Common systems that must be locked down include databases (Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web servers (IIS, Apache, WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If the CDE is large and complex, then hardening every in-scope system can be a very difficult task.


4. Patch Management. Although most organizations are adequately monitoring and applying patches to their Windows systems, they struggle when it comes to patching non-Windows devices and products. It is common to identify network infrastructure (e.g. firewalls, routers, switches, etc.), databases (e.g. Oracle, MySQL, etc.), and non-Windows systems (e.g. various flavors of UNIX and Linux) that are missing critical patches.
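The scope rule stated in Challenge 1, combined with the segmentation discussion in the "Who Needs to be PCI Compliant?" section, worked through as an added example that is not part of the whitepaper: a small Python scope calculator applies the rule to a constructed topology, first flat and then segmented by allow rules, and reports why each segment lands in scope. All segment names, tags and rules are constructed, and the "security-service" tag is an assumption used to model systems that can affect the CDE's security.

```python
from typing import Dict, Iterable, List, Set, Tuple, Union

Ports = Union[str, Set[int]]   # "any", or the explicit set of TCP/UDP ports allowed
Rule = Tuple[str, str, Ports]  # (source segment, destination segment, ports) allow rule


def flat_network(segments: Iterable[str]) -> List[Rule]:
    """A flat network with no ACLs: every segment can reach every other one on any port."""
    names = list(segments)
    return [(s, d, "any") for s in names for d in names if s != d]


def describe(ports: Ports) -> str:
    return "any port" if ports == "any" else "port(s) " + ",".join(str(p) for p in sorted(ports))


def compute_scope(segments: Dict[str, Set[str]], rules: List[Rule]) -> Dict[str, str]:
    """Return {segment: reason} for every segment that falls into PCI scope.

    Tags per segment: "chd" marks a segment that stores, processes or transmits
    cardholder data; "security-service" (an assumption of this example) marks a
    segment providing a service the CDE depends on (directory/AAA, logging, patching),
    which can affect the security of the CDE once an in-scope segment talks to it.
    Anything without an explicit allow rule is treated as denied, i.e. adequately segmented.
    """
    scope: Dict[str, str] = {
        name: "stores, processes or transmits CHD"
        for name, tags in segments.items() if "chd" in tags
    }
    changed = True
    while changed:  # repeat until no rule pulls another segment in (fixed point)
        changed = False
        for src, dst, ports in rules:
            if dst in scope and src not in scope:
                # src can initiate traffic into an in-scope segment: not adequately segmented
                scope[src] = f"can reach in-scope {dst} on {describe(ports)}"
                changed = True
            elif src in scope and dst not in scope and "security-service" in segments[dst]:
                # an in-scope segment relies on dst, so dst can affect the CDE's security
                scope[dst] = f"provides a security service to in-scope {src}"
                changed = True
    return scope


def out_of_scope(segments: Dict[str, Set[str]], scope: Dict[str, str]) -> Set[str]:
    return set(segments) - set(scope)


# Constructed topology: one tenant's segments inside a VMDC-style multi-tenant data center.
SEGMENTS: Dict[str, Set[str]] = {
    "cde-app": {"chd"},                # payment application servers
    "cde-db": {"chd"},                 # database holding encrypted PAN
    "mgmt": set(),                     # administrator jump hosts
    "cde-ad": {"security-service"},    # directory / ACS used by CDE devices
    "siem": {"security-service"},      # Splunk collecting device logs
    "corp-ad": {"security-service"},   # directory for office users only
    "corp-users": set(),               # office workstations
    "guest-wifi": set(),
    "dev": set(),                      # development network
}

# Constructed allow rules for the segmented design (ACLs / virtual firewall contexts).
SEGMENTED_RULES: List[Rule] = [
    ("cde-app", "cde-db", {1433}),
    ("cde-app", "cde-ad", {88, 389}),
    ("mgmt", "cde-app", {22}),
    ("mgmt", "cde-db", {22}),
    ("mgmt", "cde-ad", {22}),
    ("cde-app", "siem", {514}),
    ("cde-db", "siem", {514}),
    ("dev", "siem", {514}),            # dev also ships logs to the shared SIEM
    ("corp-users", "corp-ad", {88, 389}),
]


def main() -> None:
    for label, rules in (("flat", flat_network(SEGMENTS)), ("segmented", SEGMENTED_RULES)):
        scope = compute_scope(SEGMENTS, rules)
        print(f"{label}: {len(scope)} of {len(SEGMENTS)} segments in scope")
        for name, why in sorted(scope.items()):
            print(f"  {name:<11} {why}")
        print(f"  out of scope: {sorted(out_of_scope(SEGMENTS, scope))}")


if __name__ == "__main__":
    main()
```

Note that the single "dev" to "siem" rule drags the development network into scope, which is exactly the kind of hidden scope growth the "less is more" point warns about; dropping that rule (or giving the CDE its own log collector) shrinks the scope again.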

As we review the PCI requirements, I will specifically highlight how Cisco’s VMDC can help with the facilitation of these controls. While VMDC cannot help with the facilitation of all PCI requirements, it can help in achieving compliance in many areas that organizations traditionally struggle with.

PCI DSS Goals and Requirements

The PCI DSS has twelve domains, which broadly align with six separate goals. The goals, and the requirements associated with each of them, are as follows:

1. Build and Maintain a Secure Network – The first goal encompasses DSS requirements one and two. PCI defines this first requirement as “Install and maintain a firewall configuration to protect cardholder data.” Practically speaking, this control defines network layer requirements for the CDE, and includes controls around firewalls, routers, and network topology. For example, there are requirements restricting the external traffic that is allowed to access particular devices on the DMZ and keeping a current network diagram of the CDE. Additionally, the second requirement associated with this goal is in regards to properly hardening the various devices on the network. This requirement states, “Do not use vendor-supplied defaults for system passwords and other security parameters.” In this regard, PCI requires that devices be locked down using industry accepted standards, and that these standards be kept up to date.

2. Protect Cardholder Data – This goal covers protection of the CHD while it is in transit or storage. This goal directly maps to DSS requirements three and four. The first of these requirements is to "Protect stored cardholder data." This requirement largely deals with encryption, retention, and destruction of digital CHD. The second requirement deals with protecting CHD while it is in transit. This requirement is defined as "Encrypt transmission of cardholder data across open, public networks." Requirement four has a lot to do with SSL, and the use of encrypted channels when CHD traverses a public network.

3. Maintain a Vulnerability Management Program – The next goal of PCI involves maintaining a vulnerability management program, and PCI maps this back to requirements five and six of the PCI DSS. Requirement five of the DSS is defined as "Use and regularly update anti-virus software or programs," and has to do with the installation, maintenance, and monitoring of anti-virus software. PCI requires that anti-virus be configured on all devices that are commonly affected by malware, and requires that organizations monitor the industry in order to determine which devices match this criteria. The sixth PCI DSS requirement is defined as "Develop and maintain secure systems and applications." This control involves the processes around securing web applications within the CDE, patching, and change management. There is great emphasis on the use of secure coding practices, and ongoing maintenance.

4. Implement Strong Access Control Measures – Rather than encompassing just two of the DSS requirements, this goal has three DSS requirements associated with it: DSS Requirements seven, eight, and nine. The first of these requirements is defined as "Restrict access to cardholder data by business need-to-know," and is primarily concerned with centralized account management. The second requirement is to "Assign a unique ID to each person with computer access," and has to do with proper account management, password policies, and user provisioning and de-provisioning. The final requirement is defined as "Restrict physical access to cardholder data." This control has to do with physically protecting CHD, and securing back-ups that contain this data.

5. Regularly Monitor and Test Networks – The fifth goal encompasses DSS Requirements ten and eleven. Requirement ten is defined as "Track and monitor all access to network resources and cardholder data," and contains requirements around log monitoring and retention. Additionally, there are extensive requirements around NTP configuration, since NTP is critical for log analysis. The eleventh requirement of PCI DSS is defined as "Regularly test security systems and processes." This control includes requirements around vulnerability scanning, attack and penetration assessments, and Intrusion Prevention/Detection systems.

6. Maintain an Information Security Policy – The last goal only corresponds to one PCI DSS requirement. This is the twelfth of the requirements, and is defined as “Maintain a policy that addresses information security for employees and contractors.” In this regard, this requirement has to do with clearly defining key components of the organization’s security program. Controls around having a clearly defined incident response plan, ensuring that people who handle credit cards have had background checks performed on them, and ensuring that there is ongoing security training for appropriate personnel are included in this requirement.

How VMDC Can Help

Build and Maintain a Secure Network (Requirements 1 & 2)

Install and maintain a firewall configuration to protect CHD: During the assessment, SecureState reviewed the ASA firewall, Nexus switches, and routers in order to evaluate how each device could be used to facilitate the various controls outlined in this requirement. The ASA firewall could be used to meet all controls around the various firewall configuration requirements, such as the implementation of ingress and egress filtering, secure DMZ configuration, and anti-spoofing access control lists (ACLs). In this regard, the network infrastructure that is part of the VMDC can be used to directly meet many of the requirements in this section of the DSS, including many controls directly related to documenting the organization’s network topology of the CDE. Organizations that have implemented Cisco’s VMDC network topology will have a well-documented base topology that can be modified to meet their particular needs.

Do not use vendor-supplied defaults for system passwords and other security parameters: The various devices that are part of Cisco’s VMDC can be locked down using well-known configuration standards, and Cisco has developed configuration guides for each component which can be used to apply specific controls. SecureState reviewed each device in order to verify that it could be hardened in such a way as to meet PCI compliance requirements. However, one of the best and easiest ways that organizations can meet this control is by limiting the number of devices that are in scope for PCI. The fewer devices that are within the CDE, the easier it will be to lock each device down appropriately. In this regard, VMDC provides robust network infrastructure which can be used in order to segment the network. These technologies include ACLs, VLANs, and virtual firewalls. By combining these controls it is possible for an organization to limit the number of systems within their CDE, which would make the task of achieving and maintaining PCI Compliance easier.


Protect Cardholder Data (Requirements 3 & 4)

Protect stored cardholder data: If it is possible to avoid storing CHD, SecureState recommends that organizations avoid it. If CHD is not stored, then many of the controls in this section simply do not apply, and the organization limits its liability. In this regard, many organizations use some sort of tokenization solution, in which CHD is sent to a third party for storage and/or processing. This third party sends the organization a token, which can be used to reference the credit card for further processing (e.g. chargebacks, recurring charges, etc.). However, in the cases where CHD must be stored, the data should be stored in an encrypted format. VMDC is a solid network topology which contains a number of technologies which can be used for segmentation, and all CHD could be segmented from the rest of the network.

Encrypt transmission of cardholder data across open, public networks: PCI requires that CHD traversing an open network (i.e., the internet) do so in a secure manner. In many cases, organizations will fulfill this requirement by setting up VPN connections with third parties and partners, and the CHD traverses these links in an encrypted format. ASA firewalls support site-to-site VPNs, and thus can be used in this capacity. In ecommerce environments where customers need to make purchases over the web, organizations can reduce their scope by using secure redirects to a third party where the card is actually processed. Additionally, organizations that serve within a retail capacity may consider using a point-to-point encryption solution. In this solution, a credit card is encrypted at the swiping device, and is sent to a third party where the card is decrypted and processed. In most cases, point-to-point encryption is tied into a tokenization solution, thus reducing the organization’s exposure even further.

Maintain a Vulnerability Management Program (Requirements 5 & 6)

Use and regularly update anti-virus software or programs: PCI requires that organizations configure anti-virus software to run on all systems commonly affected by malware. Organizations are required to monitor the industry in order to verify that these systems continue to fall into this category. Most QSAs (Qualified Security Assessors) would consider Cisco equipment as being a device that is not commonly affected by malware. Additionally, Sourcefire is one of the devices that are part of the VMDC topology, and has the ability to analyze files that are traversing the network for viruses or malware with a known signature. If a file is found to contain such a virus, then either the traffic can be blocked, or the appropriate individuals can be notified. In this regard, although Sourcefire does not explicitly meet this control, it adds another layer of protection for the organization.

Develop and maintain secure systems and applications: This requirement mainly focuses on the development and rollout of new applications in the CDE. PCI requires that developers follow secure coding practices and follow a formal process when making changes to these applications. However, this requirement also addresses the application of patches. Cisco notifies its users when a new critical patch is released so that their systems can be quickly patched. In this regard, Cisco’s patch notifications help organizations stay up-to-date on the latest patches for their Cisco devices, and thus help with the facilitation of this control. Many organizations use Red Hat and/or Windows servers in their CDE. In order to help facilitate compliance with the patching requirement, organizations generally use applications such as Satellite and/or Windows WSUS.

Implement Strong Access Control Measures (Requirements 7, 8, & 9)

Restrict access to cardholder data by business need-to-know: This requirement discusses the need to centrally administer user accounts and the privileges associated with them. Most organizations use AD to administer the accounts associated with their Windows servers. However, most organizations do not have a system that they can use to perform the same functions for the devices that are part of their network infrastructure. In order to address this issue, VMDC makes use of Cisco’s Access Control System (ACS). While performing the review of the VMDC network architecture, SecureState verified that ACS is capable of integrating each of the core pieces of network infrastructure into AD. In this regard, ACS makes the job of centralized administration on network devices much easier, and thus can help with the facilitation of this PCI Requirement. Additionally, roles can be configured in ACS which limit the types of commands a particular account can run on a particular device. Furthermore, roles can be created which grant access to only a subset of network devices in the network.

Assign a unique ID to each person with computer access: Whereas Requirement 7 deals with the need for centralized account administration, this requirement is concerned with the administration of individual user accounts. Individual accounts with various password requirements can be configured through AD, and then tied into Cisco’s ACS. These accounts can then be placed into roles which have various levels of access to the devices that constitute the core network architecture of Cisco’s VMDC. Unique accounts can be created for each individual that needs access to the various components of the VMDC, and password policies would be set up in accordance with the Group Policy Objects (GPOs) that are associated with each account. Thus, VMDC can help with the facilitation of meeting this requirement from a network device perspective.

Restrict physical access to cardholder data: This requirement discusses physically protecting CHD. Further, this control addresses physical access controls, the destruction of physical media containing CHD, and monitoring access to the physical infrastructure. Although Cisco’s VMDC can help with the controls over digital information, it is the responsibility of those organizations implementing VMDC to validate that the components of the VMDC are physically protected.

Regularly Monitor and Test Networks (Requirements 10 & 11)

Track and monitor all access to network resources and cardholder data: This control essentially deals with requirements around logging appropriate information, monitoring logs for anomalous activity, and the correct configuration of Network Time Protocol (NTP). Cisco’s VMDC seamlessly ties into Splunk, which is a powerful Security Information and Event Management (SIEM) platform. Splunk can assist organizations in meeting the requirements around logging and monitoring logs. Furthermore, the devices that make up Cisco’s VMDC can send their logs to a SIEM, which will help with the facilitation of this control. Additionally, this requirement stresses proper NTP configuration, and all the devices within Cisco’s VMDC can be configured to sync with a particular NTP server of the organization’s choice.

Regularly test security systems and processes: Cisco’s VMDC can help with meeting a number of the controls in this requirement around File Integrity Monitoring and Intrusion Detection/Prevention Systems (IDS/IPS). Splunk can be configured to monitor logs for changes to particular files on a particular system. When changes are made to these files, an alert can be sent to the organization, so that the appropriate organizational resources are able to review the alert and respond accordingly. Additionally, this PCI requirement lists controls mandating the implementation of an IPS/IDS. Part of Cisco’s VMDC network infrastructure includes Sourcefire, which is an industry leader in Intrusion Detection and/or Prevention. During this assessment, SecureState reviewed Sourcefire, and verified that it can be configured to monitor the network for particular patterns that are indicative of attacks/hacking attempts, block files which contain signatures of malware, and block access to well-known malicious websites.
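Requirement 10 in practice, as an added example that is not from the whitepaper, Cisco or Splunk: a Python script parses constructed ASA-style syslog records as a collector would receive them, flags a device whose clock disagrees with the collector (the NTP point above), repeated failed management logins from one source, and entry into configuration mode. Hostnames, addresses and the records themselves are constructed samples; the six-digit message ids follow the ASA convention but the exact message texts are assumed, not copied from any device.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    received: datetime  # collector's clock at arrival (assumed NTP-synced and trusted)
    stamped: datetime   # timestamp the device itself put on the message
    host: str           # device hostname
    msg_id: str         # six-digit ASA-style message id
    text: str           # message body


# ASA-style syslog line: "<Mon DD YYYY HH:MM:SS> <host> %ASA-<level>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<id>\d{6}): (?P<text>.*)$"
)
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})/\d+")

LOGIN_DENIED = "605004"  # failed management login
CONFIG_CMD = "111008"    # user executed a command; we watch for 'configure terminal'
MAX_SKEW = timedelta(seconds=60)  # tolerated difference between device and collector clocks
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)


def parse(received: str, raw: str) -> Event:
    """Parse one collector record: (arrival time on the collector, raw syslog line)."""
    m = LINE_RE.match(raw)
    if not m:
        raise ValueError(f"unrecognised syslog line: {raw!r}")
    return Event(
        datetime.strptime(received, "%Y-%m-%d %H:%M:%S"),
        datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        m["host"], m["id"], m["text"],
    )


def analyze(events: List[Event]) -> List[str]:
    """Return alert strings for clock skew, repeated failed logins and config changes."""
    alerts: List[str] = []
    skewed_hosts = set()
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # source IP -> arrival times
    for ev in sorted(events, key=lambda e: e.received):
        # A device whose clock disagrees with the collector cannot be correlated
        # reliably with the others, which is why the requirement stresses NTP.
        skew = abs(ev.received - ev.stamped)
        if skew > MAX_SKEW and ev.host not in skewed_hosts:
            skewed_hosts.add(ev.host)
            alerts.append(f"{ev.host}: clock off by {int(skew.total_seconds())}s, check NTP")
        if ev.msg_id == LOGIN_DENIED:
            m = SRC_RE.search(ev.text)
            src = m.group(1) if m else "unknown"
            window = failures[src]
            window.append(ev.received)  # window on collector time, not the device clock
            while window and ev.received - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append(f"{src}: {FAIL_THRESHOLD} failed management logins to {ev.host} within 5 min")
        elif ev.msg_id == CONFIG_CMD and "configure terminal" in ev.text:
            alerts.append(f"{ev.host}: configuration mode entered, verify a change record ({ev.text})")
    return alerts


# Constructed sample records: (collector arrival time, raw line as the device sent it).
SAMPLE: List[Tuple[str, str]] = [
    ("2014-06-20 10:15:02", 'Jun 20 2014 10:15:01 asa-cde-1 %ASA-6-605004: Login denied from 10.20.7.55/50211 to mgmt:10.10.0.1/ssh for user "admin"'),
    ("2014-06-20 10:15:40", 'Jun 20 2014 10:15:39 asa-cde-1 %ASA-6-605004: Login denied from 10.20.7.55/50212 to mgmt:10.10.0.1/ssh for user "admin"'),
    ("2014-06-20 10:16:10", 'Jun 20 2014 10:16:09 asa-cde-1 %ASA-6-605004: Login denied from 10.20.7.55/50213 to mgmt:10.10.0.1/ssh for user "admin"'),
    ("2014-06-20 10:18:00", 'Jun 20 2014 10:17:59 asa-cde-1 %ASA-6-605005: Login permitted from 10.10.9.4/41000 to mgmt:10.10.0.1/ssh for user "netops1"'),
    ("2014-06-20 10:18:30", "Jun 20 2014 10:18:29 asa-cde-1 %ASA-5-111008: User 'netops1' executed the 'configure terminal' command."),
    ("2014-06-20 10:20:00", "Jun 20 2014 09:47:10 asa-cde-2 %ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.9/44321 to dmz:10.10.2.5/443"),
]


def main() -> None:
    for alert in analyze([parse(r, line) for r, line in SAMPLE]):
        print(alert)


if __name__ == "__main__":
    main()
```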


Maintain an Information Security Policy (Requirement 12)

Maintain a policy that addresses information security for employees and contractors: This requirement discusses an organization’s policies and procedures. Although it is obvious that Cisco’s VMDC cannot help with defining policies and procedures, in some cases it can help with facilitating a particular policy or procedure. For example, this section contains requirements around an organization’s incident response plan (IRP). Organizations may be able to use Sourcefire and Splunk for detecting attacks, and alerting appropriate individuals when these attacks are detected. Thus, Sourcefire and Splunk are key to detecting potential attacks and compromises which would cause the IRP to be enacted.

Achieving PCI Compliance

Organizations can achieve PCI compliance through a variety of means and solutions. First, organizations should contact their acquiring bank or processor in order to determine what particular requirements they must comply with. Requirements are largely dependent upon the volume of cards the organization processes annually, and the way these cards are processed, stored, and/or transmitted. In some cases, the organization only needs to complete a Self-Assessment Questionnaire (SAQ), but in other cases the organization might be required to have an assessor (internal or external) review their security program in order to verify it meets PCI’s security requirements around protecting CHD. In these cases, the assessor will interview the appropriate individuals within the organization, and review appropriate configurations, processes and documentation. If the organization is able to demonstrate that they meet all of the PCI requirements, then the organization will be issued a Report on Compliance (RoC) and Attestation of Compliance (AoC). Consequently, the organization will be deemed compliant for the year by their acquiring bank or processor.

For further information, refer to the VMDC Cloud Security 1.0 Design guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html