Ever wish you could get inside your QSA’s head before your next PCI audit?
QSA Adam Gaydosh of Anitian, and Nimmy Reichenberg, VP of Strategy at AlgoSec present the inside scoop on what QSAs are looking for when they audit you. Aimed at security and networking professionals, this webinar will provide insider tips and tricks to help you prepare for and pass your audit – wherever your credit card data is stored – and remain continuously compliant even if you’re breached.
Learn about the pitfalls your colleagues have already faced, and how to make the audit experience less stressful, including:
- Less is more: demystifying the scope of a PCI audit
- What’s in and what’s out: Segmenting your network for compliance
- Best practices for configuring your security infrastructure
- PCI in the public cloud – it’s not an oxymoron
2. intelligent information security ANITIAN
Adam Gaydosh
• Director of Professional Services at Anitian
• QSA since 2007
• 15+ years of InfoSec experience including auditing, risk assessment, penetration testing and forensics
• Co-developed Anitian’s RiskNow™ - Rapid Risk Assessment approach
• Championed movement toward practical, pragmatic information security solutions
3. Anitian
• We enlighten, protect and empower great security leaders.
• We believe security will make the world a better place.
• Security is necessary for innovation and growth
• Security can be empowering when it is practical and pragmatic
• Good security comes from rational, scientific methods of analysis
5. Firewall Breaches: 5% vulnerabilities, 95% misconfiguration
The Security Management Balancing Act: Security (prevent cyber attacks) vs. Agility (enable business applications)
Data Center Automation - time to provision a resource: server, minutes; storage, minutes; security access, days/weeks
6. Managing Security at the Speed of Business
The AlgoSec Security Management Suite sits between Business Applications and Security Infrastructure, serving Application Owners, Security and Network Operations:
• Faster connectivity provisioning for business applications
• Streamlined and automated change management
• Total visibility and control of your security policy
9. What is in the Assessment Scope?
The Assessment Scope includes the people, process and technologies of three primary categories:
• Cardholder Data Environment (CDE)
• Systems connected to the CDE
• Systems that can affect the security of the CDE
10. What is the Cardholder Data Environment?
The following systems are defined as CDE systems:
• Any system that stores, processes, or transmits Cardholder Data (CHD)
  • Examples: POS terminals, cardholder databases, payment processing applications, the firewalls, switches, and routers that handle any CHD traffic, etc.
• Any system that shares a network segment with a CDE system (e.g. resides on the same VLAN or subnet as a CDE system)
11. What Else Is In Scope?
• Other In-Scope Systems
  • Any system that connects to the CDE (e.g. makes a network connection into the CDE, or that receives an outbound network connection from a CDE system)
    • Examples: AD server, DNS server, FIM server, AV console, SIEM, backup server, web proxy, etc.
  • Any system that can otherwise affect the security of the CDE
    • Examples: password repositories, data center physical security systems, managed security providers (MSPs), etc.
12. How to Determine Scope
• Map the data flows of all CHD to determine which people, process and technologies touch CHD
  • For merchants, this can be done by meeting with the business process owners of each payment channel
  • These systems and network devices are in the CDE
• Inventory all network segments with CDE systems
• Inventory all systems on those CDE network segments
  • These systems are in the CDE even if they don’t touch CHD
• Review access control lists (ACLs) to determine which non-CDE systems connect to CDE systems
16. Why Implement Network Segmentation?
• Reduce the cost of compliance
  • By default, the entire IT environment is considered to be in scope.
  • Isolating only those systems that touch CHD into dedicated network segments limits the number of systems that can affect the CDE
17. Network Segmentation Strategy
• Start with the current Scoping Inventory
  • All systems that touch CHD
  • All network segments those CDE systems reside in
  • All other systems in those CDE segments
  • All systems connected to those systems
• Isolate those systems that touch CHD by migrating them to dedicated network segments (or removing the other systems)
• Determine the business need for all CDE connectivity
  • Eliminate all connections where possible to reduce assessment scope
18. Network Segmentation Strategy
• Enforce segmentation around the CDE network segments using ACLs
  • ACLs can be on either a router or firewall, except for Internet-facing DMZ CDEs and segmenting wireless
  • ACLs must be discretely defined at the port or protocol level
• Document and maintain updated Assessment Scope
19. Network Segmentation Strategy
You will now have 3 types of systems on your network:
• CDE systems - Touch cardholder data, and are isolated in dedicated network segments with ACLs
• In-scope systems - Not in the CDE, and don't touch CHD, but either:
  • Need access to a CDE system via an ACL
  • Affect the security of the CDE (password servers, physical access control systems, etc.)
• Out-of-scope systems - Not in the CDE, don't touch CHD, don't have access to a CDE system via an ACL, and don't affect the security of the CDE
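The scoping procedure from slides 12 and 17-19 (map which hosts touch CHD, pull in everything on the same segment, then read the ACLs to find connected systems and sort each host into CDE, in-scope or out-of-scope) can be run as an algorithm over an inventory. The following is an added example, not code from the webinar, Anitian or AlgoSec; the segment names, host names, addresses and ACL entries are constructed, and the ACL model (action, source CIDR, destination CIDR, protocol, destination port) is a simplification of what a router or firewall would actually hold. It also checks slide 18's requirement that segmentation ACLs be defined at the port or protocol level by flagging permit rules around CDE segments that allow any protocol or any port.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ip: str
    touches_chd: bool = False           # stores, processes or transmits cardholder data
    affects_cde_security: bool = False  # e.g. password repository, physical access control


@dataclass
class AclRule:
    action: str  # "permit" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR
    proto: str   # "tcp", "udp", or "ip" (any protocol)
    port: str    # destination port, or "any"


# Constructed sample inventory (hypothetical segment names, hosts and addresses).
SEGMENTS = {
    "pos-vlan": ipaddress.ip_network("10.10.10.0/24"),
    "corp-lan": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
}
HOSTS = [
    Host("pos-01", "10.10.10.11", touches_chd=True),
    Host("kiosk-display", "10.10.10.50"),   # shares the POS VLAN but never sees CHD
    Host("ad-01", "10.20.1.5"),             # CDE hosts authenticate against it over LDAP
    Host("siem-01", "10.20.3.20"),          # reaches the CDE through a broad rule
    Host("vault-01", "10.20.1.9", affects_cde_security=True),
    Host("hr-ws-07", "10.20.5.40"),
    Host("web-01", "192.168.1.10"),
]
ACLS = [
    AclRule("permit", "10.10.10.0/24", "10.20.1.5/32", "tcp", "389"),
    AclRule("permit", "10.20.3.0/24", "10.10.10.0/24", "ip", "any"),  # not port-specific
    AclRule("deny", "0.0.0.0/0", "0.0.0.0/0", "ip", "any"),
]


def segment_of(ip, segments):
    """Name of the segment containing ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def cde_segments(hosts, segments):
    """Slide 12, steps 1-2: every segment holding a host that touches CHD."""
    return {segment_of(h.ip, segments) for h in hosts if h.touches_chd} - {None}


def rule_links_to_cde(rule, host_ip, cde_nets):
    """True if a permit rule lets host_ip reach, or be reached from, a CDE network."""
    if rule.action != "permit":
        return False
    src, dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    addr = ipaddress.ip_address(host_ip)
    for net in cde_nets:
        if (addr in src and dst.overlaps(net)) or (addr in dst and src.overlaps(net)):
            return True
    return False


def classify(hosts, segments, acls):
    """Sort hosts into the three buckets of slide 19, keyed by bucket name."""
    cde_names = cde_segments(hosts, segments)
    cde_nets = [segments[n] for n in cde_names]
    result = {"cde": [], "in_scope": [], "out_of_scope": []}
    for h in hosts:
        if segment_of(h.ip, segments) in cde_names:
            result["cde"].append(h.name)  # in a CDE segment, whether or not it touches CHD
        elif h.affects_cde_security or any(rule_links_to_cde(r, h.ip, cde_nets) for r in acls):
            result["in_scope"].append(h.name)
        else:
            result["out_of_scope"].append(h.name)
    return result


def overly_broad_rules(acls, segments, hosts):
    """Permit rules touching a CDE segment that are not pinned to a protocol and port."""
    cde_nets = [segments[n] for n in cde_segments(hosts, segments)]
    flagged = []
    for r in acls:
        if r.action != "permit":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        touches_cde = any(src.overlaps(n) or dst.overlaps(n) for n in cde_nets)
        if touches_cde and (r.proto == "ip" or r.port == "any"):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    for bucket, names in classify(HOSTS, SEGMENTS, ACLS).items():
        print(f"{bucket}: {', '.join(names)}")
    for r in overly_broad_rules(ACLS, SEGMENTS, HOSTS):
        print(f"tighten this rule: {r.src} -> {r.dst} {r.proto}/{r.port}")
```

Run on the constructed inventory, kiosk-display lands in the CDE purely because it shares the POS VLAN, which is exactly the case slide 17 tells you to fix by migrating it out; siem-01 is in scope because of the any-protocol rule, which the check also flags for tightening; hr-ws-07 and web-01 are out of scope only because no permit rule and no security role ties them to the CDE.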
24. Common Security Configuration Challenges
• Host hardening standards not consistently deployed
• Security patch deployment not comprehensive or timely
• Configuration changes not always tracked
• Excessive user accounts and rights
• Security event logs not appropriately aggregated and reviewed
• System change detection monitoring coverage not comprehensive or not alerting
25. Policy Audit and Analysis
Validate changes were performed correctly and identify "cowboy" changes.
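The slide's two checks, confirming approved changes actually landed and catching "cowboy" changes nobody ticketed, amount to diffing two rulebase snapshots against the approved change requests. This is an added illustration, not AlgoSec code and not a description of how the product works internally: the two snapshots, the rule tuple layout and the ticket ids are all constructed.

```python
# Constructed rulebase snapshots (hypothetical addresses) taken before and after a change
# window. A rule is a hashable tuple: (action, src, dst, proto, port).
BASELINE = {
    ("permit", "10.10.10.0/24", "10.20.1.5/32", "tcp", "389"),
    ("permit", "10.20.3.0/24", "10.10.10.0/24", "tcp", "514"),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "ip", "any"),
}
CURRENT = {
    ("permit", "10.10.10.0/24", "10.20.1.5/32", "tcp", "389"),
    ("permit", "10.20.3.0/24", "10.10.10.0/24", "tcp", "514"),    # CHG-1043 said remove this
    ("permit", "10.20.3.0/24", "10.10.10.0/24", "tcp", "6514"),   # approved under CHG-1042
    ("permit", "0.0.0.0/0", "10.10.10.11/32", "tcp", "3389"),     # nobody filed a ticket
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "ip", "any"),
}

# Approved change requests (constructed ticket ids): what each one was supposed to do.
CHANGE_REQUESTS = {
    "CHG-1042": {"add": {("permit", "10.20.3.0/24", "10.10.10.0/24", "tcp", "6514")},
                 "remove": set()},
    "CHG-1043": {"add": set(),
                 "remove": {("permit", "10.20.3.0/24", "10.10.10.0/24", "tcp", "514")}},
}


def diff_rulebase(baseline, current):
    """Rules that appeared and rules that disappeared between the two snapshots."""
    return current - baseline, baseline - current


def reconcile(baseline, current, change_requests):
    """Match observed rule changes against approved tickets.

    Returns three sorted lists: changes covered by a ticket, changes with no ticket
    (the "cowboy" changes), and ticketed changes that were never actually implemented.
    """
    added, removed = diff_rulebase(baseline, current)
    approved_add = set().union(*(c["add"] for c in change_requests.values()))
    approved_remove = set().union(*(c["remove"] for c in change_requests.values()))
    return {
        "authorized": sorted((added & approved_add) | (removed & approved_remove)),
        "cowboy": sorted((added - approved_add) | (removed - approved_remove)),
        "not_implemented": sorted((approved_add - added) | (approved_remove - removed)),
    }


def ticket_for(rule, change_requests):
    """Ticket id that authorizes adding or removing this rule, or None."""
    for ticket, cr in change_requests.items():
        if rule in cr["add"] or rule in cr["remove"]:
            return ticket
    return None


if __name__ == "__main__":
    report = reconcile(BASELINE, CURRENT, CHANGE_REQUESTS)
    for category, rules in report.items():
        for rule in rules:
            print(f"{category}: {rule} ticket={ticket_for(rule, CHANGE_REQUESTS)}")
```

On the constructed snapshots the wide-open inbound rule to the POS host shows up as a cowboy change, the new syslog-over-TLS rule reconciles to CHG-1042, and CHG-1043 appears under not_implemented because the plaintext syslog rule it was meant to remove is still present; a real run would pull the snapshots from the device's saved configurations rather than literals.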
28. Common Questions and Concerns
• Can you be PCI Compliant in the cloud?
  • YES!
• What considerations do I need in choosing a cloud provider?
• What are the implications on my assessment scope?
29. Choosing a Cloud Provider
• Must be PCI DSS compliant
• Require them to specifically define what areas of PCI they cover (responsibility matrix, as required by PCI DSS 3.0)
  • Applies to MSPs as well as PaaS and SaaS
• Understand the difference between “In the cloud” and “Of the cloud”
• Do not assume you can just “outsource compliance”
  • You will always have some responsibility
30. Implications on Assessment Scope
• Pure cloud CDEs
  • Simplest to manage
  • Customer environment + PCI compliant cloud infrastructure
• Extended CDEs
  • Hybrid architectures of cloud + on-prem
  • Common for leveraging on-prem security management technologies
  • Connection technologies (such as VPN) bridge CDEs between locations
  • Ensure segmentation is not broken
35. Automated Compliance Reports
"Now we can get - in a click of a button - what took two to three weeks per firewall to produce manually."
Marc Silver, Security Manager, Discovery
36. Where do you want your compliance to be? Point in Time vs. Continuous
More than ever, organizations today need to balance between security and business agility.
The first reason we deploy security infrastructure such as firewalls, routers, secure web gateways etc. is to protect the business against cyber attacks. But with today’s complexity, advanced threats and new technologies, it is a real challenge to manage the security policy. According to Gartner, 95% of firewall breaches are a result of misconfiguration, not firewall flaws.
But firewalls have a second, and arguably more important, objective – enabling connectivity for your business applications. (After all, most firewall rules are not BLOCK rules, they are ALLOW rules.) Modern datacenters are highly automated, and IT teams can provision a new server or database in minutes with just a few mouse clicks; sometimes this is a fully automated process which requires no human intervention.
However, provisioning security for the application (i.e. ensuring all the ports and connectivity paths are enabled) is still a very manual and lengthy process that slows down the business. The security team often needs days and even weeks to identify which firewalls to change, and to design and push out the change in a secure and efficient manner.
The AlgoSec Security Management Suite allows you to “manage security at the speed of business”. Let’s see what we mean by this:
You can provision security for business applications much faster, because AlgoSec understands the connectivity requirements of your business applications (e.g. manufacturing, BI, HR, finance, online stores etc.) and how the security policy enables or blocks these critical business “flows”.
You can streamline firewall operations and gain total visibility and control of your security infrastructure. AlgoSec connects to your network security devices and analyzes the policy to automate many daily tasks such as troubleshooting and auditing.
You can align the different teams, application owners, network and security under one integrated solution – bridging traditional gaps and creating a much more agile and accountable organization.
Focus on common pitfalls, not standard review
AWS, Rackspace, Azure
Be wary of self-assessing providers (such as Alert Logic)