Written by Warren Legg, Senior Product Developer, Runecast
The PCI Data Security Standard (PCI DSS) sets out
requirements and controls designed to prevent the breaches and fraud that cause
serious damage to businesses and consumers alike. For businesses, achieving
compliance with the standard and quickly identifying non-compliances presents
many difficult challenges, especially as the standard is designed to be
maintained continuously as a Business as Usual (BAU) process.
Modern PCI environments (Cardholder Data
Environments, or "CDEs") are often built in virtual (or software-defined) data
centers using products such as VMware's vSphere and NSX. Such platforms offer
significant capability and flexibility, but this creates issues for security
and compliance because these systems are inherently complex and subject to
constant change. They also sit within a fast-moving industry where new exploits
and threats emerge constantly (think of recent examples such as L1TF, Spectre
and Meltdown).
The good news is that, whilst virtualized
systems seem inherently less secure at first, security can actually be
radically improved by fully embracing software-based technology. By
automating both industry knowledge and the PCI DSS standard itself,
vulnerabilities and non-compliances become visible quickly, enabling proactive
and continuous protection of PCI CDEs.
Virtualization Technologies and PCI DSS
The importance of the virtual data center
platform is recognised by the PCI Security Standards Council. Its guidance on
virtualization highlights that virtualized systems present new risks:
"Virtualization technology introduces new risks that may not be
relevant to other technologies, and that must be assessed when adopting
virtualization in cardholder data environments."
It is recognized that the virtualization
platform has many interrelated components needing to be in scope for
compliance:
"Where virtualization is implemented, all components within the virtual
environment will need to be identified and considered in scope for a PCI DSS
review, including the individual virtual hosts or devices, guest machines,
applications, management interfaces, central management consoles, hypervisors,
etc."
And it is explicitly stated that the catalogue
of PCI DSS requirements must be met and evidenced throughout the virtual
platform:
"If virtualization technologies are used in a cardholder data
environment, PCI DSS requirements apply to those virtualization technologies"
"Virtual systems and networks are subject to the same attacks and
vulnerabilities that exist in a physical infrastructure... a poorly configured
virtual firewall could unwittingly expose internal systems to internet-based
attacks in the same way misconfiguration on a physical firewall would do."
Whilst virtual platform components must comply
with PCI DSS, the compliance process poses many unique and difficult challenges
because the data center is complex in its configuration and dynamic in its
operational use.
Complexity arises because virtual
components (such as Virtual Machines, hosts, virtual switches, and firewalls)
are each configured in software, with many parameters that together form their
security posture, and because components within a data center are interrelated.
A VM is itself complex and contains many virtual hardware components. This is
amplified because VMs are hosted within hypervisors, which in turn have complex
configurations and are themselves related to virtual networks and datastores,
where intricate relationships are formed and enforced in software. All of this
must be accounted for when assessing the environment.
The dynamic nature of the virtual data center
means that change is part of normal operation (VM workloads, for example, are
mobile by nature). Misconfigurations and non-compliances can also be introduced
accidentally, even within stringent change processes, and change is inevitable
through upgrade cycles because the platform software itself is changing.
In order to test for compliance in a virtual
data center it is necessary to interpret the hundreds of requirements and
lower-level controls in the PCI DSS standard. These cover a broad spectrum of
security-related areas (e.g. physical access, business processes, and
personnel) as well as many technically specific requirements. The requirements
are written in general terms and not specifically for virtual technologies or
products, so translating them into technical validation checks that can be
implemented within a virtual environment is a difficult task.
These factors combine to produce serious
challenges for businesses and technical staff needing to attest compliance with
PCI DSS requirements in virtualized CDEs. Achieving this through manual
processes is barely feasible: the conditions necessary to confirm compliance
exist in an environment of continuous change, both in the operation of the
virtual environment and in wider industry knowledge.
Deploying automated tooling that encodes this knowledge (knowledge automation)
allows these problems to be addressed squarely and overcome.
Addressing PCI DSS Compliance with Knowledge Automation
Because virtual environments expose their
configuration through defined APIs, complex configurations can be scanned
programmatically to rapidly locate non-compliances with the technical
requirements found throughout the PCI DSS standard.
Runecast Analyzer is an application that uses
automation to monitor and report on non-compliances and vulnerabilities
throughout the VMware Virtual Data Center (including VMware vSphere - vCenter /
ESXi, NSX-V, vSAN).
Knowledge Automation: Continuous PCI DSS Compliance Checks
Recently, the extensive set of technical
requirements within the latest version of the PCI DSS standard (v3.2.1) has
been translated into many hundreds of automated checks performed by Runecast
Analyzer. These form a profile that makes it possible to quickly view where
violations of the standard are occurring.
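To make the idea of such a profile concrete, here is an added example (written for this article's editing, not Runecast Analyzer code) showing the shape of the translation from requirement text to technical check. Each PCI DSS v3.2.1 requirement is paired with a predicate over ESXi advanced settings, the checks are run over a host inventory, and failures are returned ordered by Prioritized Approach milestone so the higher-risk items come first. The setting names are real ESXi advanced options and the thresholds (six attempts, 30 minutes, 15 minutes) come from the requirement text; the milestone numbers are this example's own mapping at the requirement-family level and should be confirmed against the published Prioritized Approach tool. The host inventory is constructed inline; in practice it would be read through the vSphere API.

```python
"""Added example (not Runecast Analyzer code): a minimal PCI DSS profile that
maps requirement IDs to technical checks over ESXi advanced settings.
The host inventory below is constructed inline; in practice it would be read
through the vSphere API (host.config.option in the vSphere SDK)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Settings = Dict[str, object]


@dataclass(frozen=True)
class Check:
    requirement: str            # PCI DSS v3.2.1 requirement evidenced by the check
    milestone: int              # Prioritized Approach milestone (assumed mapping)
    description: str
    keys: Tuple[str, ...]       # advanced-setting keys the check inspects
    passes: Callable[[Settings], bool]


@dataclass(frozen=True)
class Finding:
    host: str
    requirement: str
    milestone: int
    description: str
    observed: Settings          # the offending values, kept for the audit trail


def _int(settings: Settings, key: str) -> int:
    """Read a numeric ESXi setting; a missing key counts as 0 (not configured)."""
    return int(settings.get(key) or 0)


PROFILE: List[Check] = [
    Check("2.2.2", 2, "Managed Object Browser (an unnecessary service) is disabled",
          ("Config.HostAgent.plugins.solo.enableMob",),
          lambda s: not bool(s.get("Config.HostAgent.plugins.solo.enableMob"))),
    Check("8.1.6", 4, "Lock out the user ID after not more than six failed attempts",
          ("Security.AccountLockFailures",),
          lambda s: 1 <= _int(s, "Security.AccountLockFailures") <= 6),
    Check("8.1.7", 4, "Lockout duration is at least 30 minutes (1800 s)",
          ("Security.AccountUnlockTime",),
          lambda s: _int(s, "Security.AccountUnlockTime") >= 1800),
    Check("8.1.8", 4, "Idle ESXi Shell and DCUI sessions end within 15 minutes (900 s)",
          ("UserVars.ESXiShellInteractiveTimeOut", "UserVars.DcuiTimeOut"),
          lambda s: all(0 < _int(s, k) <= 900
                        for k in ("UserVars.ESXiShellInteractiveTimeOut",
                                  "UserVars.DcuiTimeOut"))),
    Check("10.5.3", 4, "Audit logs are forwarded to a central log server",
          ("Syslog.global.logHost",),
          lambda s: bool(str(s.get("Syslog.global.logHost") or "").strip())),
]


def _req_key(requirement: str) -> Tuple[int, ...]:
    # "10.5.3" must sort after "8.1.8": compare numerically, not as strings
    return tuple(int(p) for p in requirement.split("."))


def scan(hosts: Dict[str, Settings], profile: List[Check] = PROFILE) -> List[Finding]:
    """Run every check against every host and return the failures, lowest
    (highest-priority) milestone first, so remediation can follow the
    Prioritized Approach."""
    findings = [
        Finding(name, c.requirement, c.milestone, c.description,
                {k: settings.get(k) for k in c.keys})
        for name, settings in hosts.items()
        for c in profile
        if not c.passes(settings)
    ]
    return sorted(findings, key=lambda f: (f.milestone, _req_key(f.requirement), f.host))


# Constructed inventory: one hardened host, one that drifted after an upgrade.
SAMPLE_HOSTS: Dict[str, Settings] = {
    "esx01.cde.example": {
        "Config.HostAgent.plugins.solo.enableMob": False,
        "Security.AccountLockFailures": 5,
        "Security.AccountUnlockTime": 1800,
        "UserVars.ESXiShellInteractiveTimeOut": 900,
        "UserVars.DcuiTimeOut": 600,
        "Syslog.global.logHost": "udp://syslog.cde.example:514",
    },
    "esx02.cde.example": {
        "Config.HostAgent.plugins.solo.enableMob": True,
        "Security.AccountLockFailures": 10,
        "Security.AccountUnlockTime": 120,
        "UserVars.ESXiShellInteractiveTimeOut": 0,   # 0 disables the timeout entirely
        "UserVars.DcuiTimeOut": 600,
        "Syslog.global.logHost": "",
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HOSTS):
        print(f"[M{f.milestone}] Req {f.requirement} FAIL on {f.host}: "
              f"{f.description} (observed {f.observed})")
```

Two details matter for an assessor. Each finding carries the observed values, which is the evidence a QSA will ask for, and a setting of 0 for a timeout is treated as a failure rather than "configured", because on ESXi 0 means the timeout is disabled. A real profile would also cover VM, vSwitch and NSX objects, but the structure is the same.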
Shown below is an example screenshot of a
single PCI DSS non-compliance revealed by an automated scan. Within the
interface, the relevant knowledge content from the standard itself (the related
requirement and lower-level control) is displayed. It shows which technical
check is being carried out in the virtual data center to detect
non-compliance and explains why the check applies to the requirement.
The Analyzer highlights specifically which
components (e.g. VMs, Hosts) and settings are involved in the failure. It
provides technical staff with detailed instruction from the appropriate
industry knowledge to resolve the issue:
The example shows knowledge automation being
used to provide a full audit trail from the PCI DSS standard to the specific
non-compliance in the virtual data center configuration. Also to be noted is
the opportunity to use the PCI "Prioritized Approach" milestones,
enabling businesses to accelerate effective remediation by tackling higher risk
non-compliances first.
Many PCI DSS requirements can be addressed
using the hundreds of specific configuration checks implemented within the
profile (such as the example above). There are also other important areas of
PCI DSS including risk assessment and vulnerability management that benefit
hugely from proactive knowledge automation.
Knowledge Automation: Vulnerability Management for PCI DSS
PCI DSS requires businesses to perform
vulnerability management and risk assessment as BAU processes. When
implementing these processes, businesses must take full account of the
ever-changing landscape of security threats emerging within the industry, as
reported by vendors and other industry sources. For a specific example, see
Requirement 6.1:
"Establish a process to identify security vulnerabilities, using
reputable outside sources for security vulnerability information, and assign a
risk ranking (for example, as "high," "medium," or "low") to newly discovered
security vulnerabilities."
Testing Procedures
"Examine policies and procedures to verify that processes are defined
for the following:
- To identify new security vulnerabilities
- To assign a risk ranking to vulnerabilities that includes
identification of all "high risk" and "critical" vulnerabilities.
- To use reputable outside sources for security vulnerability
information."
Guidance
"The intent of this requirement is that organizations keep up to date
with new vulnerabilities that may impact their environment. Sources for
vulnerability information should be trustworthy and often include vendor
websites, industry news groups, mailing list, or RSS feeds. Once an
organization identifies a vulnerability that could affect their environment,
the risk that the vulnerability poses must be evaluated and ranked.
The organization must therefore have a method in place to evaluate
vulnerabilities on an ongoing basis and assign risk rankings to those
vulnerabilities."
Runecast Analyzer continuously scans the
configuration and logs of virtual environments and compares them with known
vulnerabilities identified in the VMware knowledge base (KB), VMware Security
Advisories (including CVEs), the user community, reputable social networks, and
other industry sources. The process of capturing continual additions and
updates to this industry knowledge from multiple sources is itself automated
using web crawling and natural language processing.
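The core of that correlation step, as an added example (written for this article's editing, not Runecast Analyzer code), is below: a constructed advisory feed is matched against a host inventory, each affected object is listed with the reason it is exposed, and a risk ranking is assigned from the CVSS score as Requirement 6.1 asks. The advisory IDs, CVE IDs, build numbers and scores are placeholders constructed for the example. One assumption it models deliberately is the L1TF pattern described in VMware's L1TF guidance, where the patch alone does not cover the concurrent-context attack vector and the ESXi Side-Channel-Aware Scheduler (advanced setting VMkernel.Boot.hyperthreadingMitigation, off by default) must be enabled as well; a host that is patched but has not enabled the setting is still reported.

```python
"""Added example (not Runecast Analyzer code): correlate a host inventory with
vendor advisories to meet the intent of PCI DSS Requirement 6.1, i.e. identify
which objects a newly published vulnerability affects and assign it a risk
ranking. Advisory IDs, CVE IDs, build numbers and scores are placeholders
constructed for this example, not real VMware data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    cve: str
    cvss: float                             # CVSS v3 base score, the input to the ranking
    fixed_builds: Dict[str, int]            # product version -> first build carrying the fix
    required_setting: Optional[str] = None  # setting that must also be enabled, if any
    summary: str = ""


@dataclass(frozen=True)
class Host:
    name: str
    version: str
    build: int
    settings: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class Exposure:
    host: str
    advisory_id: str
    cve: str
    ranking: str
    reason: str


RANKS = ("critical", "high", "medium", "low")


def risk_ranking(cvss: float) -> str:
    """Map a CVSS v3 base score to the high/medium/low style ranking that 6.1
    asks for; the thresholds are the NVD qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def exposures(hosts: List[Host], advisories: List[Advisory]) -> List[Exposure]:
    """Return every (host, advisory) pair where the host is still exposed:
    either its build predates the fix, or it is patched but the advisory's
    additional mitigation setting is not enabled (the L1TF pattern, where the
    concurrent-context mitigation is a scheduler setting that is off by default)."""
    found: List[Exposure] = []
    for h in hosts:
        for a in advisories:
            fixed = a.fixed_builds.get(h.version)
            if fixed is None:
                continue                      # this version is outside the advisory's scope
            rank = risk_ranking(a.cvss)
            if h.build < fixed:
                found.append(Exposure(h.name, a.advisory_id, a.cve, rank,
                                      f"build {h.build} predates fixed build {fixed}"))
            elif a.required_setting and not h.settings.get(a.required_setting):
                found.append(Exposure(h.name, a.advisory_id, a.cve, rank,
                                      f"patched, but {a.required_setting} is not enabled"))
    # Highest ranking first, so the riskiest objects are remediated first
    return sorted(found, key=lambda e: RANKS.index(e.ranking))


# Constructed advisory feed (placeholder IDs, builds and scores).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "CVE-EXAMPLE-1", 8.8, {"6.5": 9000000, "6.7": 10000000},
             summary="hypothetical guest-to-host escape, fixed by patch alone"),
    Advisory("ADV-EXAMPLE-2", "CVE-EXAMPLE-2", 5.6, {"6.5": 9100000, "6.7": 10100000},
             required_setting="VMkernel.Boot.hyperthreadingMitigation",
             summary="hypothetical L1TF-style issue: patch plus scheduler setting"),
]

# Constructed inventory.
HOSTS = [
    Host("esx01.cde.example", "6.7", 10200000, {"VMkernel.Boot.hyperthreadingMitigation": True}),
    Host("esx02.cde.example", "6.7", 10200000),            # patched, mitigation setting off
    Host("esx03.cde.example", "6.5", 8500000),             # behind both fixes
    Host("esx04.cde.example", "7.0", 15000000),            # version outside both advisories
]

if __name__ == "__main__":
    for e in exposures(HOSTS, ADVISORIES):
        print(f"{e.ranking.upper():8} {e.host}: {e.advisory_id} ({e.cve}) - {e.reason}")
```

The point of the required_setting branch is the caveat a practitioner needs: "patched" is not the same as "mitigated", and a scan that only compares build numbers will pass a host that is still exposed. The ranking is derived from the advisory's score, but the organization remains responsible for the final ranking under 6.1, so a real implementation would let a reviewer override it and record why.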
For all detected issues the Analyzer provides
their criticality and sources, and identifies which objects are vulnerable. The
following screenshot from Runecast Analyzer illustrates how this requirement is
met for the virtual datacenter in continuous operation:
When drilling down into
each issue, the Analyzer provides full detail for each vulnerability by
supplying the relevant industry knowledge source (e.g. a VMware Security
Advisory) in the user interface. It also provides the vendor's best-practice
remediation procedure. This example shows exposure to, and the
resolution for, the recent L1TF vulnerability:
The specific objects (e.g. Hosts, VMs) that
are at risk from the vulnerability in the environment are shown in the
interface:
These examples show how knowledge automation
is used to fulfill the PCI DSS requirement and intent, giving businesses the
ability to quickly identify and proactively circumvent emerging security risks.
Whilst there is only limited room available in
this article to show two specific examples, the following table shows the list
of technical requirements within the PCI DSS standard that benefit from
knowledge automation and can be addressed within business as usual process by
Runecast Analyzer:
Summary
The examples given in this article illustrate
how knowledge automation provides businesses with a transformative capability
to monitor and report on their VMware virtualized Cardholder Data Environments
within PCI DSS requirements. The table above shows the extent of coverage where
this approach can be employed continuously to offer major benefit for
compliance.
Virtual data centers are complex in their
configuration; they are also extremely dynamic and flexible, which appears to
make them less secure. Because they are complex and software-defined they lack
transparency, so assessing their security posture manually is barely
feasible. Additionally, industry knowledge is ever-changing and new threats
emerge continuously.
However, the software-based knowledge
automation available in Runecast Analyzer overcomes these significant
challenges. VMware virtual data centers actually become more secure, as they can
be scanned rapidly to identify and locate non-compliances and vulnerabilities.
Non-compliances with requirements and controls in the PCI DSS standard are
detected and raised in business-as-usual operation. Immediate reporting is
available to quantify these risks within the data center and to record
compliance results over time. Furthermore, leveraging industry knowledge
empowers businesses by combining the latest security information with
technical detail, so that vulnerabilities can be managed proactively and
remediated quickly according to best practice.
Start Using Knowledge Automation Today
Runecast offer a free trial for the Runecast
Analyzer, which you can install and start assessing your environment against
PCI DSS in minutes. Full functionality (including industry knowledge) is
available completely offline to support operations in secure PCI DSS Cardholder
Data Environments. The trial version is available here: www.runecast.com
For VMblog readers, Runecast are offering an
exclusive promotion where you can have 7 days' access to the full (non-trial)
application. The offer is available until 15th September. Use the promo code VMBLOG to activate.
For further information on Runecast Analyzer
and PCI DSS specifically, please reach out to the Runecast team who are always
happy to provide advice and assistance: www.runecast.com
About the Author
Warren Legg, Senior Product Developer
vExpert, VCAP-DCA, VCP-DCV 3, 5, 6, 6.5,
VCA-NV 6
Warren has been working with VMware technologies for well over a decade. In that time he has created software to automate and protect some of the most sensitive virtual data centers in the world. Warren was proud to join the innovative Runecast team 18 months ago because he believes proactive knowledge automation is a #musthave for keeping modern SDDCs safe.