How to automate PCI DSS compliance

Auditing, reporting and remediation across your Hybrid Cloud.

In this presentation, Runecast CEO and Co-founder Stan Markov shows you how to automate Payment Card Industry Data Security Standard (PCI DSS) compliance auditing, reporting, and remediation across your Hybrid Cloud.

Video Duration: 0:38:55

Video Transcription

All right. Hello, everyone! In this session, we will be talking about how to automate PCI DSS compliance, auditing, reporting, and remediation across your Hybrid Cloud.

My name is Stan Markov and I’m one of the Co-founders and the CEO of Runecast. Together with the rest of my co-founders, we started Runecast back in 2014. We all used to work for IBM for many, many years, where we built the VMware Center of Excellence. And we started Runecast with the idea to help admins save more time and avoid problems from happening in their environment, and also automate their security compliance. That’s something that we had been struggling with a lot on a day-to-day basis.

And in this particular session, we will cover one of the popular security compliance standards, PCI DSS, which is especially challenging to comply with and it can cost you a lot of time – and you might still have some gaps if you have some security audit. So we will see how Runecast Analyzer will help you to save time and to ensure that you are audit-ready at any time.

All right. Well, first of all, what is PCI DSS? It stands for Payment Card Industry Data Security Standard. “And do I need to be compliant?” If you are asking yourself this question, then the answer is probably “No” because those of you that have to be PCI DSS compliant, you have probably already been directed by somebody – by some external audit organization or somebody on top in your company, that you must ensure that your systems are PCI DSS compliant.

Basically, if you are handling any credit card data, if you’re a merchant of any sort, a financial organization, or really a retailer or anybody that’s handling credit card information, you must comply with PCI DSS. You probably would have some security audits that are happening maybe once or twice or more times per year, which for those of you that participated in such audits, they can be quite stressful. And what’s even more stressful, if you have some audits, some concerns or some findings, then the potential of some penalties because of these findings.

So usually when we have audits, we have to provide a lot of reports, anything that the auditors ask for in a very short period of time. So we will see how Runecast Analyzer helps you to generate very nice, out-of-the-box reports that are related to PCI DSS.

All of this takes a lot of time, not just when you have an audit but also with regular health checking, maybe once every few months or once a month, of your entire environment, making sure that it’s PCI DSS compliant.

One of the biggest challenges with PCI DSS is that the security controls and requirements there are not specifying specific capabilities and features of products or services. So a lot of people see them as quite vague, and you really need to figure out how to map a specific security control and requirement – for example, making sure that you have encryption or a firewall enabled – to a specific capability of maybe vCenter or ESXi or any of your AWS services.

So in this session in particular, we will see how you can automate your security compliance, auditing, reporting, and remediation for VMware and for AWS. This is what Runecast Analyzer can help you with. So this is a product that was built more than five years ago, which is using AI-assisted knowledge parsing and a patented rules engine to analyze your VMware, AWS, and Kubernetes environment and discover any hidden bugs, best practices and compliances, hardware compatibility lists, compatibility problems and, last but not least, security compliance issues.

So here, we will talk mainly about PCI DSS, but just keep in mind that – if PCI DSS is not the standard that you need to comply with but you still need to keep your environment secure – Runecast still scans against vendor Security Hardening Guides, and also against NIST, DISA STIG, HIPAA, BSI, CIS, GDPR. And also today, we announced ISO 27001 as one of the security compliance standards that we cover for VMware and for AWS.

A little bit about the architecture of the product. First of all, it comes as a pre-installed, pre-configured, pre-compressed virtual machine in one single OVA file which is just over 1 [GB]. You can download it from a website, import it into your vSphere infrastructure, set the IP address, and you can connect it to all the endpoints. And by endpoints, I mean vCenters, NSX Managers, Horizon connection servers, Kubernetes clusters, and AWS accounts. You can do that using a single virtual machine.

So each Runecast Analyzer instance is really highly scalable. We have a customer that’s running 13,000 ESXi hosts. And by the way, one of the main reasons they are using Runecast is PCI DSS compliance, and they are using a single instance of Runecast Analyzer to manage their entire environment that has multiple vCenters and thousands of ESXi hosts and thousands of virtual machines. So keep in mind that it’s highly scalable.

You probably do not need to deploy a second virtual machine of Runecast Analyzer. But if you need to, we have a scale-up functionality as well that we call Enterprise Console, and it’s simply a dashboard that you can enable on any of the instances, connect to the rest of the Runecast Analyzer instances, and consolidate all this important data on security compliance and risks into a single dashboard.

Everything is inside this appliance, so the patented rules engine, thousands of rules, all the user interface, APIs, and so on. So it can run even in a dark site. We have customers that are even defense organizations, military, financial institutions – they do not want to upload any data over to the internet externally from their organizations. So Runecast Analyzer fits them perfectly. It’s still recommended to update it regularly.

So whenever there is some new content – maybe a new version of PCI DSS or perhaps new knowledge base articles, bugs, best practices, or updates of the hardware compatibility list – we release weekly updates, usually every Tuesday. And they can be downloaded and deployed automatically without any human intervention if you are able to connect Runecast Analyzer to the Runecast Central Repository via a secure proxy. But we do provide an offline update functionality as well. So if Runecast runs in an air-gapped site, you can just download an ISO file with all the updates, attach the ISO to the Runecast Analyzer instance and perform the update this way.

You can also set up a local repository. So you could have the local repository with the latest updates. The local Runecast Analyzer instance can access it and it can perform the updates this way as well.

So the session is about auditing, reporting, and remediation. So we will cover all these three important aspects of the whole cycle of the workings for PCI DSS compliance.

First of all, auditing. Well, the first thing you need to do, of course, if you decide to use Runecast Analyzer, is to download and deploy the OVA, which again is about 1 [GB] in size. You can download it from our website, Runecast.com. Import it. You can try it. There’s a 14-day trial. Connect it to your vCenters, NSX Managers, or your AWS accounts. And it shouldn’t take more than 2 minutes to already receive the results of your security compliance posture.

It’s completely agentless. You don’t need to deploy any additional agents but in the second part of this session, we will talk about our vRealize Orchestrator Plug-In which you can use for remediation. So that’s the only additional thing that you may want to deploy.

Currently, Runecast Analyzer supports VMware, AWS, and Kubernetes, but for PCI DSS compliance, so far we’ve covered vSphere, NSX, and AWS – with Kubernetes coming up very soon.

A really great feature of Runecast is that it not only gives you the current security compliance posture but it keeps information of all the analysis that it has done for at least 365 days. So if you have an auditor that’s coming to you and asking you for complete and detailed security compliance data for PCI DSS in your environment, in your Hybrid Cloud, over the last year, there is a very easy way how to generate this report.

But the historical configuration tracking also is really important because it allows you to see how your configuration changes. So if you did something or somebody did something that changed something in the configuration which maybe either solved a PCI DSS gap or maybe caused some new vulnerability, or a PCI DSS gap to open, then you can see exactly why – when it happened, on which object and which particular issue.

We will also – and I will switch to the live demo of the product in just a minute – but I will show you also customizable rules. So we have over 200 rules that are related to PCI DSS that Runecast Analyzer uses to discover some incompliances. Some of them you can customize. You can change the parameters against which Runecast Analyzer checks in your environment. So this is really useful to align the analysis to your specific environment, your specific requirements.

We also offer granular filters. So if you need to switch off, filter out any of the rules on any groups of objects like clusters or virtual machines, hosts, or AWS accounts, you can do that with the granular filters.

And last but not least, a fairly new functionality that we added is called Custom Profiles, which allows you to choose from the thousands of rules Runecast Analyzer already has. You can copy them into a new profile. You can change the severity, change the title, and the name of the profile. Basically, really aligning it: if you have some internal policy that’s maybe derived from PCI DSS, then you can create it also in Runecast Analyzer and report against it.

All right, now before we continue with the presentation, let’s switch over to the live demo. And let me just mention at this point that if any of you would like to, without even deploying Runecast Analyzer, but if you just want to try everything that I’m showing you here, you can simply go to demo.runecast.com. We have an online demo. You can log in and there you have the Runecast Analyzer product so you can play with it. You can see its capabilities in a very easy way without downloading anything.

All right. So let’s take a look at our test environment here. Okay. So this is how Runecast Analyzer looks once we deploy it. I will not cover the deployment here because it’s really straightforward. You just go to your vCenter web clients, select the cluster, import an OVA, and set up the IP address and that’s about it.

Once you’ve deployed, you can already access this web interface here and you have a configuration wizard that will help you connect to your vCenters, NSX managers, or AWS accounts. But you can also do it from here, from Settings. Once I click on Settings, I will be able to add vCenters, NSX managers, Horizon connection servers, and AWS accounts. The minimum required privilege is read-only. There are a few more privileges, if you want to use a full Runecast Analyzer functionality, that can be given to the vCenter user to cover a hundred percent of that. But admin is not required.

So this is really the main stuff that you have to do. Just connect to your vCenters and AWS accounts. And it’s also recommended to set up the automatic scheduler. During the initial configuration wizard, you will be encouraged to schedule it to run at least once a day – so you will be able to just sit back and relax and Runecast Analyzer can continuously make sure that you’re PCI DSS compliant. And if you are not, you can also set up email alerting which will pretty much alert you over email if you have any new incompliances. You can set up the email alerting from here.

Of course, you can also configure it to run on an hourly or weekly basis. You can set up the configuration of the Automatic Scheduler.

All right. You can also trigger a manual analysis from “Analyze now”. As I’ve mentioned, it shouldn’t take more than 2 minutes, depending on the size of your environment.

Then on the Main Dashboard, you will be able to see how many critical, major, or medium issues are detected, and also issues that are found in the logs, in the configuration, the level of best practice adoption, and the level of security compliance. So this is the overall security compliance based on all the profiles that you have enabled in your Runecast Analyzer.

And that’s something that I need to show you as well. Now, let’s go back to Settings and we will go to Knowledge Profiles. By default, Runecast will scan against various different best practices, knowledge base articles, the hardware compatibility list, and also the VMware security guidelines. This is what’s enabled by default. But you can enable any of these additional standards here. And for the purpose of this demo, we enabled all of them, but you can enable just PCI DSS if that’s what you’re interested in. So that’s an important step to remember as well: you need to enable PCI DSS from Settings and Knowledge Profiles.

Okay. So in any case, on the Main Dashboard we can always see what the level of our security compliance is at the moment. And if I want to dive into the PCI DSS reports themselves, I can just go to the Security Compliance section. On the left-hand menu here, I can click PCI DSS and there you go. So I’m looking at about 240 different entries, either gaps that were discovered in vSphere, NSX, or AWS services, or, if everything is configured properly, a green result that it’s configured.

Obviously, I want to focus first on all the gaps that I currently have in my environment. And here, you can also filter out for which products you want to see PCI DSS compliance. So as mentioned, currently we cover vSphere, NSX, and also AWS services like S3 and VPC, EC2, and IAM.

Let’s for example focus just on vSphere and NSX and take a look at one example of an issue or a rule that came out as red, as failed. The reason why it came as “failed” is we see that there is at least one object in my environment which is incompliant with this particular rule. And the rule is called “Ensure that the ESXi host firewall is enabled.” What you see here in brackets is the specific security control and its requirement from the PCI DSS document.

I’ve just expanded this first rule and I see in the reference that this is the latest PCI DSS guidance from the official PCI Security Standards Council. And in PCI DSS detail, I can see the example from that document about Security Control ID 1.1.4, which falls under the first requirement: install and maintain a firewall configuration to protect cardholder data.

So obviously, this is not talking about VMware at all – or AWS or vSphere or NSX. But it’s a general guidance, a requirement, where you have to make sure that you install and maintain firewall configuration to protect the cardholder data.

So in the case of ESXi, as we know, there is a firewall – it just needs to be enabled. And that’s why this particular check or this particular rule is associated with that requirement and control from PCI DSS.

Under Technical Description, we have provided explanation why this rule exists and how it maps to this particular PCI DSS security control and requirement.

If you click Findings, you will see what the affected objects are. In this particular case, we have an ESXi host and the host firewall status is showing currently disabled.

So as you can see, the information here is really important because it gives you not only the technical checks and the results from some technical analysis, but when you have an audit, the auditors would be asking you “how are you compliant with this document that I have”, the PCI DSS 3.2.1 document. So it’s really important that we ensure that there is a mapping between the security controls and requirements and the actual technical checks, and to get this out-of-the-box report directly from Runecast Analyzer.

If we go down and see another rule here, we can look at... this is related to NSX-V, so it’s the same Control ID. However, it’s relating to the NSX distributed firewall. So in Findings, we can see that the configuration of NSX Manager and a number of policies to use ports, protocols, and services are set to 2, which is in compliance with this particular security control and requirement – and the technical description also describes why.

So, we have over 240 of those. And for each one of them, you can see what the incompliant objects are, if there are any, hopefully not, what the product is, and very importantly, what is the particular Control ID and requirement from PCI DSS.

All right. This is a really important view. Another one that I want to show you is the All Issues view, which is very versatile because, here, you can look at the compliance information from Runecast – not just PCI DSS, but anything that’s detected in the security compliance standards or best practices, knowledge base articles, and so on.

But here for the purpose of this presentation, we will just look at PCI DSS and maybe I want to look only at critical issues and maybe in this particular case, I want to look only at... let’s see if I have any S3 gap. So I have one critical security issue related to AWS S3, which is a PCI DSS incompliance. So I can just check what that is... “Ensure that S3 buckets are accessible only through HTTPS (4.1).”

So in PCI DSS, you are able to see again the example from the official PCI DSS document, and the technical description describes why this is a rule and how it maps to 4.1, the PCI DSS control and requirement from the official document. And in Findings, I can see all the S3 buckets that have this incompliant configuration.

Now, the great thing about this historical graph here is also that you are able to very quickly see what changed between two different configuration scans. So let’s just remove S3 from here so I’m just looking at PCI DSS critical issues. And if I click on any point in time where a successful analysis was completed, the table underneath will be updated with the results from that particular date and time.

And I can also click “Compare with previous result” which will basically compare this result with the previous one and show me what new issues appeared, on which object, and maybe which issues have been resolved. So it’s a really important change log so that you can keep track on how your environment is changing and what maybe you have solved or maybe what kind of new issues appeared over time.

All right. Let me just switch over to the presentation. And by the way, feel free to ask any questions. I will just attend to the questions after we finish with the presentation.

All right. So we covered the deployment. As mentioned, it’s really quick. It’s agentless, supporting vSphere, NSX, AWS, with historical configuration tracking. I will show you now: customizable rules, granular filters, and custom profiles. And then we will cover various ways we can do reporting, which is really important. This is something that we have to give to your... maybe security team or directly to the auditors that came externally. And we will see how we can export in CSV, in PDF, even in Excel spreadsheets. You can configure email reporting, and we have a very rich REST API that you can also use for reporting.

And then, last but not least, we will look at how you can use the vRealize Orchestrator Runecast Plug-in to do remediation on PCI DSS issues that were detected in your vSphere environment. So for the remediation, we are currently covering the vSphere part.

Okay, let’s go back to the demo and let’s look at the PCI DSS report that we were looking at earlier. Keep in mind that you can filter out just the customizable rules. So a customizable rule means that Runecast Analyzer is scanning your environment for a specific parameter. For example, in this particular case, I expanded the enable remote syslog rule. It’s checking whether we have syslog configured, but it’s not checking for a specific FQDN or IP of the syslog configuration.

Now, since this rule is customizable, you are able to define this yourself. So you can define FQDN or IP of the syslog destination that you want to have as configuration for your ESXi hosts. You can click “Add Custom Value”. Specify in this case the FQDN or IP and scope it for either your entire environment – where you want the whole environment to be configured for the same syslog server – or to specific clusters, virtual data centers, or vCenters. And once you do that, from that moment on, Runecast Analyzer will scan this particular part of your environment against the parameter that you have specified.

So these are the customizable rules. So you can customize syslog configuration, password complexity policy, and so on.

Another thing which is really important is the granular filters. You might have noticed this button “Ignore” which is in every rule if I expand it. If I click “Ignore” it will trigger a creation of a filter and I can filter out this particular rule: “Establish password policy for ESXi”. I can disable it for any portion of my environment, like for whole vCenters, or for specific ESXi hosts or clusters.

The filters are very useful also if you have some clusters, maybe, that don’t need to be PCI DSS compliant. You can just disable all of the PCI DSS checks for those environments.

And when you create filters, they will be visible here under Settings -> Filters. You can enable/disable them. You can create them also from here and you can basically switch off any rule from any portion of your environment. So these are really useful.

And also, maybe you don’t want to filter out the rule completely, but you just want to add a specific note, maybe a note for the security – or maybe there’s a reason why you currently have a deviation here. So the justification that you add in the note field will appear in all the reports for that particular rule. And that’s pretty useful. Also maybe you’ve scheduled a change for a few weeks from now to fix that so you could add them all here as well and acknowledge it. So that’s pretty useful if you don’t want to completely filter out a particular rule.

And I’ll just quickly show you the Custom Profiles functionality as well. So if you want to create your own security compliance profile and just leverage all the rules that Runecast Analyzer already has, you can create your custom profile here, give it some name, some description, and then just pick and choose any rule that you want. Click “Copy to Custom Profile” and this is how you can build your own profiles that are really aligned with your particular organization. You can change the titles of the rules and the severities as well.

Okay. Let’s cover a little bit about the reporting. So from this interface here, you could export into CSV, PDF. You could have a more summary report or you could decide also to include all the affected objects. So let’s for example click on “PDF Export.” That will use all the information here which is currently for vSphere, NSX, AWS, and will put it into one big PDF file which is pretty much just a summary. So it doesn’t mention the objects that are affected.

But if you’d like to include the objects as well, you could just click “Include Affected Object” and then you could generate an even much bigger PDF, of course depending on the size of your environment. That will also include all the objects and values that are incompliant. And of course, it will show those that are properly configured as well.

All right. While we are waiting for this particular report to be completed, I want to show you the last type of report for PCI DSS: we can generate an Excel spreadsheet report. And let me show you what this looks like. This is an example of a report that you can just generate from that same Export menu.

Here, I have three vCenters, several clusters, and I can click on any of the vCenters. So let’s click on this one here. And it will redirect me to the particular sheets in my spreadsheets that include information about all the hosts and clusters in that particular vCenter. And in this nice format, you can see whether each host passes or fails against each one of the PCI DSS rules. And as you can see, the PCI DSS rule is described here on top and in brackets in the end you can see the specific Security Control ID from the PCI DSS standard that this rule relates to.

So this particular report is also very useful. And this is where you can generate it, by clicking “Consolidated Export” in Excel.

Our PDF report is completed. This one is with all the objects as well, so it’s a much, much bigger one, a 210-page PDF report. So these are the kind of things that you can export from here. From the All Issues view, you have export functionality as well, and that one is particularly useful if the auditor asks you for historical security compliance posture, for example, for your last week or last 365 days. You can specify the time span here and then you can export in PDF together with this graph. So it will generate another PDF report and it will also include this particular historical graph.

I mentioned briefly, before, that you can also set up email alerting. So you could just make sure to do that so you don’t have to log into the Runecast Analyzer interface all the time. In fact, we do have a plug-in also for your vSphere web client. So if you want to receive all these results for PCI DSS compliance directly in your web client, you can install that as well. You can do it from here: install or configure the web client plug-in.

And very important to mention, especially for large organizations, is that we have a full REST API. You can explore the Swagger interface here and you can even try all the different API calls. So you can obtain any sort of data that you want directly from Runecast Analyzer and put it in whatever shape and form that you prefer. And the API endpoint that you’re going to be using a lot is Results of Analysis.

All right. A little bit about remediation. So as we could see, there are various different reporting functionalities. Now, reporting is great, but at some point – probably especially in the beginning – you have to spend some time on covering some gaps that you might have currently in your environment. So the vRO plug-in of Runecast can help you save a lot of time there, especially if you have a large environment and maybe many PCI DSS gaps discovered.

It comes with an out-of-the-box workflow called Secure vSphere. So you don’t need to be a vRO expert. You just deploy the Runecast Analyzer plug-in for vRO, you will already see this workflow created. So all you need to do is run it and then you have to select your Runecast Analyzer instance. You can then select your vCenter that you want to work on to remediate some of the objects. Select PCI DSS and then you can select what type of object you would like to remediate, whether it’s a Virtual Machine, a Host, or DVPortgroup. Let’s select the Host and let’s see if there are any issues, PCI DSS issues currently detected from any of my hosts.

So what vRO will now do is... it will connect to the Runecast Analyzer instance that’s specified, and it will fetch information about affected hosts and PCI DSS gaps on these hosts. So I see that there are three hosts here. I can just select all of them and there are only a few issues thankfully where we currently have PCI DSS gaps on these hosts. I can select all of them, click “Accept,” and then I can finish with “Submit” which will just go ahead and change those settings on these ESXi hosts and make them compliant to PCI DSS.

This is a small environment that I’m running this on, but you might have hundreds of ESXi hosts or thousands of virtual machines. So this will certainly save you a lot of time if you have to do some PCI DSS remediation.

All right. Let me see if we covered everything for now. I think we did. What I would really encourage you is to either go to the Runecast Demo online or you could just download Runecast Analyzer and start a 14-day trial. So if you want to see what kind of potential gaps are in your environment, then you can easily do that by deploying the OVA and connecting to your vCenters and AWS accounts.

All right. So we have a few questions here. The first one is: what APIs are supported for exports to?

Well, Runecast Analyzer comes with its own API. So basically – I mean, first of all, you can export, as I mentioned, a CSV, open to Clipboard, or you can pretty much export in PDF and Excel spreadsheet – but you can also leverage the REST APIs that I showed you earlier. You could just explore the Swagger interface in the Settings page and you can use the API endpoints there, obtain the information about the results of analysis, and then you can pretty much put it in any format that you wish.

There’s another question: Also if we consider auto-remediation for some type of issues, so it can be fixed straight from the Runecast Console?

So for now, on purpose, we put the auto-remediation module separately, because for large organizations – especially if you need to make any changes on your environment – as you know, you need to go through change controls, some of them could be more disruptive... so you really have to make sure that they are done at the right time. So at this moment, we have the auto-remediation module outside and you can trigger it whenever you wish. So it will still save you a lot of time, but it’s up to you to decide when you want to trigger that and to select which issues to resolve.

We are still considering sometime in the future to… well... to expand the remediation capability. So currently, we have it for vSphere. We will also expand to AWS, to Kubernetes as well. And it’s still yet to be decided whether – most likely, it will be directly into the product – but we will make sure that everything is handled also from a security perspective.

All right. There is another question here: If there is an option to see how many filters are currently enabled or how many filters I put to ignore in the report if I set it?

Okay, got it. So the question is, in the reports, whether it’s visible, if any filters are applied and what filters. I believe we received such a question several times actually, recently. I will actually check the report right now. I believe the answer currently is “No”. But that’s a great suggestion and that’s something that I will just take to the product team so that we can implement it soon. I’ll just open one of the reports to see... I don’t believe that we are including information about filters right now in the reports. But that’s something that we will certainly consider.

The notes themselves are visible in the reports, so let me share my screen once more and I will show this to you. This is one of the reports I just generated from the historical graph, so that you can see that I have some issues here with 10 affected objects and all the notes. There’s a separate column for the notes that I have put forth for each one of these issues.

All right, if you have any more questions, you can still put them in the chat or in the Q&A. I’ll be monitoring this for a while. But I want to thank you all for attending this session and I hope it has been useful for you. Go ahead and try Runecast Analyzer, and just remember: today we also announced the ISO 27001 security compliance. So along with PCI DSS and many others, we have now ISO as well. So go ahead and try that.

All right, thank you very much, everyone. Have a great rest of the day.
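The talk's central point is the mapping from a vague PCI DSS requirement ("install and maintain a firewall configuration") to a concrete technical check ("ESXi host firewall is enabled"), plus the features built around that mapping: a customizable parameter (the expected syslog destination), ignore filters that carry a justification note into the report, a per-control view for the auditor, and a compare-with-previous change log. The following is an added example written for this page, not Runecast's code or its rules engine. The rule IDs (ESXI-FW-01 and so on), the host and bucket inventory, and the second "scan" are constructed; the 10.5.3 mapping for the syslog rule is an illustrative choice of my own (the transcript gives control IDs only for the firewall and S3 rules), and the S3 check implements the usual HTTPS-only pattern, a bucket-policy Deny statement conditioned on aws:SecureTransport being false.

```python
"""Added example (not Runecast code): a minimal rules engine that maps technical
checks to PCI DSS v3.2.1 control IDs, with a customizable parameter, ignore
filters carrying a justification note, and a compare-with-previous change log."""
import copy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Check = Callable[[dict], Tuple[bool, str]]  # returns (passed, observed value)

@dataclass(frozen=True)
class Rule:
    rule_id: str      # hypothetical identifier, not a Runecast rule ID
    title: str
    control: str      # PCI DSS v3.2.1 requirement the check is mapped to
    severity: str
    object_type: str  # key into the inventory snapshot
    check: Check

def esxi_firewall_enabled(host: dict) -> Tuple[bool, str]:
    enabled = bool(host.get("firewall_enabled", False))
    return enabled, f"firewall_enabled={enabled}"

def esxi_remote_syslog(expected: Optional[str]) -> Check:
    """Customizable rule: any destination passes when expected is None,
    otherwise the host must forward logs to exactly that destination."""
    def check(host: dict) -> Tuple[bool, str]:
        dest = host.get("syslog_host")
        return dest is not None and expected in (None, dest), f"syslog_host={dest!r}"
    return check

def s3_https_only(bucket: dict) -> Tuple[bool, str]:
    """Pass only if the bucket policy denies requests made without TLS,
    i.e. a Deny statement conditioned on aws:SecureTransport being false."""
    for stmt in bucket.get("policy", {}).get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport")).lower() == "false":
            return True, "policy denies non-TLS requests"
    return False, "no Deny statement for aws:SecureTransport=false"

def build_rules(syslog_destination: Optional[str] = None) -> List[Rule]:
    return [
        Rule("ESXI-FW-01", "Ensure that the ESXi host firewall is enabled", "1.1.4",
             "Major", "esxi_hosts", esxi_firewall_enabled),
        Rule("ESXI-LOG-01", "Ensure remote syslog is configured on ESXi hosts", "10.5.3",
             "Medium", "esxi_hosts", esxi_remote_syslog(syslog_destination)),
        Rule("S3-TLS-01", "Ensure that S3 buckets are accessible only through HTTPS", "4.1",
             "Critical", "s3_buckets", s3_https_only),
    ]

def evaluate(inventory: Dict[str, List[dict]], rules: List[Rule],
             filters: Dict[Tuple[str, str], str]) -> List[dict]:
    """Run every rule over every object of its type. filters maps (rule_id, object)
    or (rule_id, "*") to a justification note; matches are 'ignored', not failed."""
    findings = []
    for rule in rules:
        for obj in inventory.get(rule.object_type, []):
            note = filters.get((rule.rule_id, obj["name"])) or filters.get((rule.rule_id, "*"))
            passed, observed = rule.check(obj)
            findings.append({"rule_id": rule.rule_id, "title": rule.title, "control": rule.control,
                             "severity": rule.severity, "object": obj["name"], "observed": observed,
                             "status": "ignored" if note else ("pass" if passed else "fail"),
                             "note": note or ""})
    return findings

def compliance_summary(findings: List[dict]) -> dict:
    """Overall posture plus failing objects grouped by control ID: the view an
    auditor asks for ('how do you meet requirement 1.1.4?')."""
    scored = [f for f in findings if f["status"] != "ignored"]
    passed = sum(f["status"] == "pass" for f in scored)
    by_control: Dict[str, List[str]] = {}
    for f in findings:
        if f["status"] == "fail":
            by_control.setdefault(f["control"], []).append(f"{f['rule_id']}@{f['object']}")
    return {"checks": len(scored), "passed": passed, "failing_by_control": by_control,
            "percent": round(100 * passed / len(scored), 1) if scored else 100.0}

def compare(previous: List[dict], current: List[dict]) -> dict:
    """Change log between two scans: (rule, object) pairs that newly fail or got resolved."""
    prev = {(f["rule_id"], f["object"]) for f in previous if f["status"] == "fail"}
    curr = {(f["rule_id"], f["object"]) for f in current if f["status"] == "fail"}
    return {"new": sorted(curr - prev), "resolved": sorted(prev - curr)}

# Constructed inventory snapshot of a small hybrid environment (not real data).
SCAN_1 = {
    "esxi_hosts": [
        {"name": "esx01.lab.example", "firewall_enabled": False, "syslog_host": "syslog.lab.example"},
        {"name": "esx02.lab.example", "firewall_enabled": True, "syslog_host": None},
        {"name": "esx03.lab.example", "firewall_enabled": True, "syslog_host": "old-syslog.lab.example"},
    ],
    "s3_buckets": [
        {"name": "cardholder-exports", "policy": {"Statement": [{
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::cardholder-exports", "arn:aws:s3:::cardholder-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
        {"name": "public-assets", "policy": {"Statement": []}},
    ],
}
# Second scan: esx01 firewall fixed, esx02 syslog fixed, esx03 firewall regressed.
SCAN_2 = copy.deepcopy(SCAN_1)
SCAN_2["esxi_hosts"][0]["firewall_enabled"] = True
SCAN_2["esxi_hosts"][1]["syslog_host"] = "syslog.lab.example"
SCAN_2["esxi_hosts"][2]["firewall_enabled"] = False

FILTERS = {("S3-TLS-01", "public-assets"): "Static web assets, no cardholder data; out of PCI scope"}
RULES = build_rules(syslog_destination="syslog.lab.example")

def run_demo() -> dict:
    first, second = evaluate(SCAN_1, RULES, FILTERS), evaluate(SCAN_2, RULES, FILTERS)
    return {"first": compliance_summary(first), "second": compliance_summary(second),
            "changes": compare(first, second)}

if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Two design points worth noting. An ignored object is still evaluated, so the observed value and the justification note travel together into the findings record; that is what lets a report show both the deviation and why it was accepted, rather than silently hiding the check. And the change log keys on (rule, object) pairs, not on counts, so a regression on one host is not masked by a fix on another in the same scan, which is exactly the case the constructed second scan exercises.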
