TRANSCRIPT
Virtualization and PCI
VMware and Tenable Webinar
Speakers: Allen Shortnacy and Jeff Man
Slide 2 of 44. Copyright © 2014 - Tenable Network Security
Today’s Speakers
Allen Shortnacy - Allen Shortnacy is a Partner Architect in VMware's Global Strategic Alliances organization focused on improving automation of infrastructure partner solutions with the VMware product portfolio and broader go-to-market strategies. In addition, Allen is a subject matter expert in VMware's Compliance Reference Architecture program, where he supports validations of VMware and partner ecosystem configurations to help customers achieve regulatory compliance for business-critical applications running in a VMware vCloud Suite environment.
Jeff Man – Jeff Man is Tenable’s Product Marketing Manager focused on PCI solutions. He has more than 30 years of experience working in all aspects of computer, network and data security, including risk management, vulnerability analysis, compliance assessments and attack and penetration testing. Prior to joining Tenable, Jeff served as a certified QSA, most recently with AT&T Consulting Services. In this role he provided PCI consulting and advisory services to some of the nation’s best known brands. Earlier in his career, Jeff held security research, management and product development roles with the NSA, DOD and private-sector enterprises.
PCI DSS v2.0 to v3.0: Changes, Clarifications, Guidance, New Requirements
“New” Theme – Business As Usual
1. Monitoring of security controls to ensure they are operating effectively and as intended.
2. Ensuring that all failures in security controls are detected and responded to in a timely manner.
3. Review changes to the environment prior to completion of the change, and:
   • Determine the potential impact to PCI DSS scope.
   • Identify PCI DSS requirements applicable to systems and networks affected by the changes.
   • Update PCI DSS scope and implement security controls as appropriate.
4. Formal review of the impact to PCI DSS scope based on organizational changes.
5. Periodic reviews and communications to confirm that PCI DSS requirements are in place and personnel are following secure processes.
6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.
What’s New in PCI DSS v3.0
“New” Requirements:
– 6.5.10: Address broken authentication and session management coding vulnerabilities
– 8.5.1: Service providers with remote access to customer premises must use unique credentials per customer
– 9.9: Physical inspection of POI devices to detect tampering or substitution
– 11.3: Implement a methodology for penetration testing
– 12.9: Service providers acknowledge in writing that they are responsible for the CHD they transmit, process, or store, or to the extent that they could impact the security of the data or the CDE
What Else is New
• Self-Assessment Questionnaires (SAQs) have expanded from 5 to 9 versions
• Expanded SAQs include “expected testing”
• Merchants with e-commerce websites that outsource (redirect) payment processing to a third party are now required to prove the security of their own website (including ASV scanning)
• Multiple submissions allowed for evidence of quarterly vulnerability scanning
Which SAQs Require ASV Scanning
SAQ version | ASV scanning required
SAQ-A: card-not-present; all cardholder data functions outsourced | No
SAQ-A-EP: partially outsourced e-commerce; payment processing by a third party | Yes
SAQ-B: imprint, stand-alone, or dial-out terminals | No
SAQ-B-IP: stand-alone, IP-connected PTS POI terminals | Yes
SAQ-C: payment application systems connected to the Internet | Yes
SAQ-C-VT: web-based virtual payment terminals | No
SAQ-D (Merchant or Service Provider): all other merchants, and all service providers | Yes
SAQ-P2PE-HW: hardware-based, PCI-listed P2PE solution | No
Expected Testing (More Than a Checkbox)
Brief History: PCI and Virtualization Technologies
Brief History
• Virtualization was not specifically addressed until PCI DSS v2.0 (October 2010)
  – Virtualization technologies are in scope for PCI
  – Separate virtual instances are allowed to meet 2.2.1
• PCI SSC released the “PCI DSS Virtualization Guidelines” v2.0 in June 2011
  – Supplemental information
  – Does not replace or supersede PCI DSS
PCI DSS Scoping
“The PCI DSS security requirements apply to all system components. In the context of PCI DSS, ‘system components’ are defined as any network component, server, or application that is included in or connected to the cardholder data environment. ‘System components’ also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.”
PCI DSS Req. 2.2.1
Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers and DNS should be implemented on separate servers.)
Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
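Requirement 2.2.1 is easier to test than to argue about, so here is an added example (not from the webinar, and not VMware's or Tenable's code) that reduces a per-VM listening-socket inventory to the primary functions it implies and flags any VM hosting more than one. The port-to-function map, the set of ignored management ports, and the `ss -Hltnp`-style inventory lines are constructed assumptions for illustration.

```python
"""Check PCI DSS 2.2.1 (one primary function per virtual system component)
against a listening-service inventory.  Added example, not from the webinar;
the inventory text below is constructed to look like `ss -Hltnp` output."""
import re

# Assumption for illustration: a well-known listening port identifies the
# primary function of the component.  A real check would use the entity's
# own inventory of what each VM is for.
PORT_FUNCTION = {
    80: "web", 443: "web", 8080: "web",
    3306: "database", 5432: "database", 1433: "database",
    53: "dns",
    25: "mail", 587: "mail",
}
# Management-plane listeners do not count as a primary function.
IGNORED_PORTS = {22, 3389}

# Constructed sample inventory: one `ss -Hltnp` capture per VM.
INVENTORY = {
    "web-01": """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
""",
    "app-02": """\
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1203,fd=22))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=990,fd=21))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
""",
    "ns-01": """\
LISTEN 0 10 0.0.0.0:53 0.0.0.0:* users:(("named",pid=455,fd=20))
""",
}

# State, recv-q, send-q, local address:port, then the rest of the line.
_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s')


def listening_ports(ss_output: str) -> set[int]:
    """Parse `ss -Hltnp`-style lines and return the set of listening TCP ports."""
    ports = set()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line)
        if m:
            ports.add(int(m.group("port")))
    return ports


def primary_functions(ports: set[int]) -> set[str]:
    """Reduce a port set to the set of primary functions it implies."""
    return {PORT_FUNCTION[p] for p in ports
            if p in PORT_FUNCTION and p not in IGNORED_PORTS}


def check_2_2_1(inventory: dict[str, str]) -> dict[str, set[str]]:
    """Return {vm: functions} for every VM hosting more than one primary
    function.  An empty dict means the inventory passes 2.2.1."""
    findings = {}
    for vm, ss_output in inventory.items():
        funcs = primary_functions(listening_ports(ss_output))
        if len(funcs) > 1:
            findings[vm] = funcs
    return findings


if __name__ == "__main__":
    for vm, funcs in check_2_2_1(INVENTORY).items():
        print(f"{vm}: violates 2.2.1, hosts {sorted(funcs)}")
```

Note that binding the database on app-02 to 127.0.0.1 does not help: 2.2.1 is about functions with different security levels co-existing on one system component, not about network exposure, so that VM is still flagged.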
PCI DSS Virtualization Guidelines
• Hypervisor creates a new attack surface
• Virtual environment misconfigurations and vulnerabilities
• More than one function per physical system
• Mixing VMs of different trust levels
  – Creating a virtual CDE
  – Segmentation
• Immaturity of monitoring solutions
• Assessing risk in a virtual environment
• Vulnerability management
• What are industry/security best practices?
VMware and PCI: VMware Technologies and Strategies
Compliance Reference Architecture Framework: What's In the Framework?
Compliance Capable/Audit Ready Architecture, built up from four layers:
• Regulations, standards, best practices (requirements)
• Common control frameworks (controls)
• Infrastructure capabilities: access control, segmentation, remediation, automation, policy management, audit
• Reference architectures (applicability, architecture, validation): product applicability, architecture design, and an auditor-validated reference architecture for a regulated zone on VMware vSphere
VMware Compliance Reference Architecture Framework
1. Standards, frameworks, technology guidance: product applicability guides from VMware (NSBU, MBU, EUC, Core) and VMware technology partners, including converged infrastructure
2. VMware and infrastructure partners, third-party audit validated: architecture design with audit partners and technology partners
3. Joint reference architecture, third-party validated solution: auditor-validated compliance reference architectures
Compliance Reference Architecture Methodology: How is it Created?
• Compliance use case “lenses”: remediation, automation, audit, policy, privileged user control, segmentation
• Compliance regulations: HIPAA/HITECH, FISMA/FedRAMP, CJIS, FINRA, FFIEC, PCI DSS
• Technology solution categories (compliance capabilities): DLP, encryption, BCDR, anti-virus/endpoint protection, firewall, AAA/identity and access, multi-factor authentication, file integrity monitoring, IPS/IDS, SIEM, penetration testing, vulnerability assessment, patch management, configuration management, DB/application monitoring
• Legend: each capability is VMware provided, VMware enabled, or partner provided (VMware partner ecosystem)
Compliance Reference Architecture Methodology
Dynamic Composition with Line of Sight
• Technology Partner Choice
• Regulation Independent Use Case Controls
• Regulatory Specificity for Audit
• Process Methodology for Delivery and Maturity
Compliance Reference Architecture Technologies: Combining the Right Multi-Vendor Solution
(Diagram: the Internet, perimeter firewalls, a cloud management platform, and a security policy applied at the vSwitch/hypervisor of each physical host running VMs.)
SDDC Approach for Micro-Segmentation
• Hypervisor-based, in-kernel distributed firewalling
• Platform-based automated provisioning and workload adds/moves/changes
Trading Off Context and Isolation
Traditional approach: enforcing security in the endpoint (application and OS) gives high context but low isolation; enforcing it in the physical network gives high isolation but low context; neither gives ubiquitous enforcement.
SDDC platform: any application, on any x86 server, any storage and any IP network, with the hypervisor providing data center virtualization.
The Hypervisor is the Security “Goldilocks Zone”
Network and security services now run in the hypervisor: L2 switching, L3 routing, firewalling/ACLs, load balancing. The hypervisor sits between the endpoint (application and OS on the vSwitch) and the SDDC platform (any application, any x86, any storage, any IP network).
SDDC – Delivering Context and Isolation
SDDC approach: high context, high isolation, and ubiquitous enforcement, with secure host introspection of the endpoint (application and OS) at the vSwitch in the hypervisor.
Security Extensibility in the Guest
Across hypervisor, OS and application: gain previously impossible vulnerability intelligence based on application purpose, data class and user roles to drive rich, policy-driven response, including in-place quarantine.
Vulnerability Management
Automate Security Response to Reach ‘Safe’ States
If (attribute) → then (action):
• Virus found (e.g. in IIS.EXE) → quarantine the VM with the firewall
• Vulnerability found (old software version) on a VM tagged “PCI” → monitor the VM with IPS
• Sensitive data found on a VM → allow and encrypt*, or restrict access while investigating
Automated detection of security conditions (virus, vulnerability, etc.); security policies define the automated actions; security operations are automated and adapt to dynamic conditions.
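The if/then pairs above are a policy. The following added example (not VMware's or Tenable's code) shows one way to encode such a policy so that it is evaluated the same way every time and its decisions leave an audit trail. The VM records, the "PCI" tag, the rule labels and the action names are constructed assumptions; in particular, allowing-and-encrypting inside the CDE but restricting access when cardholder data turns up outside it is this example's reading of the slide's "OR", not something the webinar specifies.

```python
"""Attribute-driven automated response ("if attribute, then action").
Added example, not VMware's or Tenable's code; VM records, tags, rule set
and action names are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    tags: frozenset = frozenset()        # e.g. {"PCI"} marks a CDE workload
    findings: frozenset = frozenset()    # detector output: "virus", "vulnerability"
    sensitive_data: bool = False         # DLP hit: cardholder data observed on the VM


# Most to least restrictive; evaluate() returns actions in this order.
ACTION_PRECEDENCE = ("quarantine", "restrict_access", "monitor_with_ips", "allow_and_encrypt")

# (label, predicate over a VM, action).  Assumed policy following the slide:
# malware -> firewall quarantine; old software on a "PCI" VM -> IPS monitoring;
# sensitive data -> allow-and-encrypt inside the CDE, restrict access outside it
# (data outside the tagged CDE is also a scoping problem worth investigating).
RULES = (
    ("malware-quarantine", lambda vm: "virus" in vm.findings, "quarantine"),
    ("pci-vuln-ips", lambda vm: "vulnerability" in vm.findings and "PCI" in vm.tags, "monitor_with_ips"),
    ("chd-in-cde-encrypt", lambda vm: vm.sensitive_data and "PCI" in vm.tags, "allow_and_encrypt"),
    ("chd-outside-cde-restrict", lambda vm: vm.sensitive_data and "PCI" not in vm.tags, "restrict_access"),
)


def matching_rules(vm: VM) -> list[str]:
    """Labels of every rule whose predicate holds, for the audit trail."""
    return [label for label, pred, _ in RULES if pred(vm)]


def evaluate(vm: VM) -> list[str]:
    """Actions to apply to `vm`, most restrictive first.  Quarantine supersedes
    everything else: a VM cut off by the firewall needs no IPS monitoring."""
    actions = {action for _, pred, action in RULES if pred(vm)}
    if "quarantine" in actions:
        return ["quarantine"]
    return [a for a in ACTION_PRECEDENCE if a in actions]


def is_safe(vm: VM) -> bool:
    """'Safe' state in the slide's sense: nothing left that policy must act on."""
    return not evaluate(vm)


# Constructed fleet for the demo run.
FLEET = [
    VM("db-01", tags=frozenset({"PCI"}), findings=frozenset({"vulnerability"}), sensitive_data=True),
    VM("web-02", findings=frozenset({"virus", "vulnerability"})),
    VM("share-03", sensitive_data=True),
    VM("build-04"),
]

if __name__ == "__main__":
    for vm in FLEET:
        print(f"{vm.name:<9} rules={matching_rules(vm)} actions={evaluate(vm)}")
```

Under these rules a VM with a vulnerability but no "PCI" tag gets no automated action, which is the point of attribute-driven policy: the response depends on what the workload is, not only on what was found.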
Tenable and PCI: Tenable Solutions and Strategies
How Tenable Works With VMware
Provides Vulnerability Management
• Active scanning detects all virtual machines
• Vulnerability scanning
Proves Secure Implementation according to Best Practices
• Configuration audits for ESX, ESXi, vSphere, vCenter
• Continuous monitoring assures secure configurations, current patches, vulnerability mitigation
BUT WAIT THERE’S MORE!
Where the World is Headed
• ~10 billion devices growing to 15 billion by 2015
• Increased cloud, mobile, and virtualization technologies
• Increasingly blurred lines between trusted and untrusted
• Increased threat from insiders and automated attacks
• Increased security awareness from the general public and government law makers
Product Suites
Mapping Tenable Solutions
• PCI DSS challenges:
  – Customers must apply PCI DSS requirements to all in-scope system components, comprising numerous technologies
  – Virtualization adds complexity to this process, especially in hosted, cloud environments
• Tenable solutions validated by Coalfire, a VMware partner, for applicability to PCI DSS v3.0
• Applicability to PCI DSS is independent of environment
Tenable Solutions and PCI DSSv3
Columns: PCI DSS requirement | number of PCI requirements | Nessus Enterprise Cloud | Nessus Vulnerability Scanner | Passive Vulnerability Scanner | SecurityCenter Continuous View | total number of controls met or augmented by Tenable. Per-product values are listed in source order; cells the source left blank were not preserved, so only rows with five product values (and the Total row) line up column by column.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 35 | 8, 13, 21, 21
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 32 | 14, 14, 14, 14
Requirement 3: Protect stored cardholder data | 44 | 1, 1, 2, 2
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 11 | 3, 6, 7, 7, 7
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs | 11 | 5, 4, 6, 6
Requirement 6: Develop and maintain secure systems and applications | 42 | 13, 14, 10, 14, 14
Requirement 7: Restrict access to cardholder data by business need to know | 10 | 7, 7, 7
Requirement 8: Identify and authenticate access to system components | 43 | 13, 19, 19
Requirement 9: Restrict physical access to cardholder data | 44 | 1, 1
Requirement 10: Track and monitor all access to network resources and cardholder data | 41 | 3, 2, 23, 23
Requirement 11: Regularly test security systems and processes | 36 | 6, 12, 4, 16, 16
Requirement 12: Maintain a policy that addresses information security for all personnel | 47 | 2, 2, 5, 8, 8
Requirement A: Shared hosting providers must protect the cardholder data environment | 8 | 2, 2
Total | 404 | 30 (Nessus Enterprise Cloud), 85 (Nessus), 60 (PVS), 140 (SecurityCenter CV), 140 (total met or augmented)
Advantages of Continuous Network Monitoring
• Real time reporting/dashboards that monitor firewall rule changes, network traffic flows, system configurations, anti-virus/malware solutions, patch levels, access controls, user authentication, user account parameters
• Continuous monitoring of network traffic to identify CHD flows, detect unencrypted CHD transmission, preserve the integrity of the CDE, and surface indicators of compromise (malware)
• Enterprise-wide vulnerability management in real time
• Event logging, monitoring, review, and correlation
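Detecting unencrypted CHD on the wire comes down to finding cleartext PANs in captured payloads and reporting them without copying the PAN into the report. The added example below (not Tenable's PVS code) does that on constructed flows: it skips anything that looks like a TLS record, extracts 13-19 digit runs, drops those that fail the Luhn check, and masks the rest. The flow tuples, addresses, the TLS first-bytes heuristic and the sample payloads are assumptions; the card numbers are public test values.

```python
"""Find cleartext primary account numbers (PANs) in captured traffic.
Added example, not Tenable's PVS logic; the flows below are constructed and
the TLS detection is a first-bytes heuristic."""
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812-1); rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs (separators stripped) found in `text`."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _SEPARATORS.sub("", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Display form PCI DSS 3.3 permits: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic: a TLS record starts with content type 0x14-0x17 and major
    version 0x03.  Enough to skip encrypted flows in this example."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03


def scan_flows(flows) -> list[dict]:
    """flows: iterable of (src, dst, dst_port, payload bytes).  Returns one
    finding per cleartext flow carrying a PAN, with each PAN masked so the
    report itself does not become cardholder data."""
    findings = []
    for src, dst, port, payload in flows:
        if looks_like_tls(payload):
            continue
        pans = find_pans(payload.decode("latin-1"))   # never fails on binary input
        if pans:
            findings.append({"src": src, "dst": dst, "port": port,
                             "pans": [mask(p) for p in pans]})
    return findings


# Constructed sample flows; 4111... and 5500... are public test card numbers.
FLOWS = [
    ("10.1.2.3", "10.1.9.9", 443,
     b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 20),   # TLS ClientHello
    ("10.1.2.3", "10.1.9.10", 80,
     b"POST /pay HTTP/1.1\r\nHost: pay.example\r\n\r\npan=4111111111111111&exp=1226&cvv=123"),
    ("10.1.2.4", "10.1.9.11", 514,
     b"<14>Jun  1 12:00:00 pos01 order 1234567890123456 approved, card ending 0004"),
    ("10.1.2.5", "10.1.9.12", 25,
     b"Subject: receipt\r\n\r\nCard 5500 0000 0000 0004 charged 12.50"),
]

if __name__ == "__main__":
    for f in scan_flows(FLOWS):
        print(f"cleartext PAN {f['pans']} {f['src']} -> {f['dst']}:{f['port']}")
```

The syslog flow carries a 16-digit order number that fails the Luhn check and is therefore not reported; without that check a PAN detector on a POS network drowns in order and transaction identifiers.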
Tenable Network Security Platform
• Nessus® Enterprise Cloud
• Nessus® Vulnerability Scanner
• PVS™ Passive Vulnerability Scanner
• LCE™ Log Correlation Engine (event collection)
• SecurityCenter™
DISCOVER
• Discover all assets: physical/virtual, mobile/cloud
• Configurations: network ACLs, file/app access, users/groups/roles, privileged IDM/SSO
• Device relations: trust relations, internal comms, external traffic
Continuous Network Monitoring
ASSESS
• Known vulnerabilities: unpatched systems, misconfigured devices, vulnerability scans, asset-based scans
• Known threats: signatures/hashes, third-party threat intel, blacklists/whitelists
• Complex threats: cross-correlation, pattern recognition, network flows and file transfers, spikes and botnet activity
REPORT
• Network forensics: statistical anomalies, behavioral anomalies, network proxies
• Host forensics: failed DNS queries, failed logins, crowd surges, processes/registry
• Log correlation: query filters, pivot and drill-down, dynamic watch-lists, generate alerts
TAKE ACTION
• Prioritized risk: list of action items, based on analytics, user/asset centric
• Work flows: send notification, send email, generate trouble tickets
• Automated actions: launch scans, invoke APIs
Requirements for Security
Create Custom PCI Dashboards
Want to Learn More?
Download your copy of the Applicability Guide here:
http://www.tenable.com/whitepapers/vmware-product-applicability-guide-for-pci-dss
To schedule a demo or evaluate our products go here:
http://www.tenable.com/evaluate
Have More Questions about PCI?
Tenable hosts a PCI Discussion Forum, moderated by Jeff Man, where anyone can ask questions related to any and all aspects of PCI. If your question is a little too sensitive for a public forum, feel free to contact me directly. I’m also happy to field questions/concerns from customers and prospects or join sales calls as time allows.
Straight Talk about PCI:
https://discussions.nessus.org/community/pci
Jeff Man
T: 443-545-2102 ext. 366
M:443-285-2561
To contact VMware: [email protected]
Questions?