The Payment Card Industry’s Data Security Standard (PCI DSS v3.2.1) has recently been updated (May 2018). The standard is crucial for averting breaches and credit card fraud, so preventing serious damages for businesses and customers.
However, reaching compliance with PCI DSS is traditionally extensive, expensive, as well as complex and onerous for businesses. This is compounded because “PCI DSS should be implemented into business-as-usual (BAU) activities as part of an entity’s overall security strategy."
In this post, we’ll look at how PCI DSS compliance presents major challenges within the modern virtual (or software-defined) data center. The intrinsic complexities and dynamism of the technology and industry are identified. It becomes obvious that many important PCI DSS requirements cannot be met effectively, if at all, using traditional (manual) methods.
We can see that using intelligent automation (such as that provided by the Runecast Analyzer) overcomes many of these challenges. Indeed, it becomes an indispensable asset for businesses as it empowers them to address PCI DSS directly, reduce costs and timescales dramatically, and deliver continuous protection in Business as Usual (BAU) processes. This is shown later in the article through citing a specific PCI DSS requirement: “6: Develop and maintain secure systems and applications”, in objective “3: Maintain a Vulnerability Management Program”.
PCI DSS: The Need to Comply
The requirements of the PCI DSS standard apply to organizations (merchants, processors, acquirers, issuers, and service providers) handling credit card payments and/or processing. It is the responsibility of these organizations to evidence (attest) validation of compliance against an extensive requirements set.
During scoping activities, an organization must define the boundary of their Cardholder Data Environment (CDE). The PCI DSS standard applies to all system components included in or connected to the CDE. It “comprises people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications.”
Many PCI DSS requirements are outside technical scope for this discussion when singularly related to people and processes in a generic sense. Also, some technical requirements are out of scope as they apply to components that cannot be implemented virtually (such as Point of Sale (POS) devices).
However, modern businesses deploy vital CDE system components within a virtual data center technology stack and so it is imperative to properly attest their technical compliance. VMware’s Software-Defined Data Center (SDDC) provides virtualization for all fundamental resources in the data center by virtualizing workloads, compute, networking, and storage layers with its core products (vSphere vCenter/ESXi, NSX, and vSAN).
Virtualization Technologies and PCI DSS
As virtualization technologies are prevalent in most modern business CDEs, the PCI DSS standard provides supplemental guidance to clarify how virtual system components should be treated:
“If virtualization technologies are used in a cardholder data environment, PCI DSS requirements apply to those virtualization technologies.”
“Where virtualization is implemented, all components within the virtual environment will need to be identified and considered in scope for a PCI DSS review, including the individual virtual hosts or devices, guest machines, applications, management interfaces, central management consoles, hypervisors, etc.”
“Virtualization technology introduces new risks that may not be relevant to other technologies, and that must be assessed when adopting virtualization in cardholder data environments.”
“Virtual systems and networks are subject to the same attacks and vulnerabilities that exist in a physical infrastructure. An application that has configuration flaws or is vulnerable to exploits will still have those same flaws and vulnerabilities when installed in a virtual implementation. Similarly, a poorly configured virtual firewall could unwittingly expose internal systems to internet- based attacks in the same way misconfiguration on a physical firewall would do.”
Adherence to PCI DSS for system components within the virtual datacenter requires the same level of adherence to requirements but also poses many unique and difficult challenges. This is for multiple reasons. The data center is complex in its configuration and dynamic in its operational use.
Complexity is caused because the data center objects (such as Virtual Machines, hosts, virtual switches, and firewalls) are each software-defined and contain a myriad of parameters that together form its operational capability and security posture. Furthermore, objects within a data center are related throughout the stack. For instance, VMs by themselves are complex and contain many virtual hardware components. This complexity is amplified as VMs are hosted within host hypervisors. These, in turn, have complex configurations and (e.g.) will themselves be connected to port groups or datastores where intricate relationships are formed and enforced in software.
These multifaceted combinations must be understood to determine where vulnerabilities and risks exist. It is imperative that configurations are designed and maintained in accordance with industry best practices and security hardening guidelines. Furthermore, the dynamic and software-defined nature of the virtual data center implies that these complex configurations are subject to change in normal operation as well as misconfiguration and inevitable changes through upgrade cycles.
A further essential demand consists in the need to account for the ever-changing landscape of security vulnerabilities emerging within the industry (notable recent examples being Spectre and Meltdown). These are reported from vendors and other industry sources (e.g. the CVE system) when vulnerabilities are found. Each can potentially affect the multiplicity of potential attack surfaces extant within the virtual data center through compute, network, storage, workload, and management layers. Security risks (and others such as outage threats) relevant to the virtual datacenter are continually changing, even if its configuration could remain static.
These factors produce serious challenges for stakeholders needing to attest compliance in virtual data centers where cardholder data is being processed or stored. Given the inherent complexity of the virtual data center and ever-changing landscape of security threats, it is infeasible in many cases to employ manual, check-point, processes to meaningfully meet or address technical requirements. This is because the conditions necessary to confirm compliance are in an environment of continuous change.
Addressing PCI DSS Compliance with Automation
With the introduction of Runecast Analyzer, the use of automation enables many technical requirements set out in the PCI DSS standards to be effectively addressed for the VMware Virtual Data Center (including VMware vCenter / ESXi, vSAN, NSX-V).
In brief, the Analyzer continuously scans the configuration and logs from the specific environment to compare them with known vulnerabilities identified by the VMware knowledge base, its user community, and other industry sources. Deviations from vendor and industry security hardening recommendations and best practices are also raised as issues for the user. On detecting all issues the Analyzer provides quantification of risks (including security threats), their criticality and sources, as well as providing the explicit root-cause and remediation procedures to circumvent (or resolve) identified vulnerabilities.
Transformative advantages are gained from exploiting automation within a software-defined environment. The ability to access virtual environments through defined APIs allows complex configurations to be scanned effortlessly, very quickly or in real-time, and continuously. The necessary system data describing a virtual environment is retrieved programmatically. This approach overcomes challenges presented from configuration complexity and dynamic operation.
Codifying industry knowledge so that it is machine-readable allows it to be utilized within an automated process. The Runecast Analyzer cross-references industry knowledge to evaluate specific environments for vulnerabilities and non-compliances. Furthermore, the process for capturing continual additions and updates to new industry knowledge from multiple sources is itself automated using web-crawling technologies and natural language processing.
Citing a Specific PCI DSS Requirement
In this section, we look at an important case where Runecast Analyzer harnesses automation to address a major PCI DSS objective (Objective 3) to “Maintain a Vulnerability Program” and specifically the requirement “6: Develop and maintain secure systems and applications”.
Automation makes it possible to achieve adherence for virtualized system components and provides powerful protection for the CDE. This would otherwise be infeasible to implement as a manual process and certainly not possible to operate in BAU.
The PCI DSS Requirement content is given below and then it is shown how Runecast Analyzer addresses it:
PCI DSS Requirement Family 6: Develop and Maintain Secure Systems and Applications
“Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.”
PCI DSS Requirement 6.1:
“Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.
Examine policies and procedures to verify that processes are defined for the following:
- To identify new security vulnerabilities
- To assign a risk ranking to vulnerabilities that includes identification of all “high risk” and “critical” vulnerabilities.
- To use reputable outside sources for security vulnerability information.
PCI DSS Guidance
“The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment. Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds. Once an organization identifies a vulnerability that could affect their environment, the risk that the vulnerability poses must be evaluated and ranked.
The organization must therefore have a method in place to evaluate vulnerabilities on an ongoing basis and assign risk rankings to those vulnerabilities... This requires a process to actively monitor industry sources for vulnerability information. Classifying the risks (for example, as “high,” “medium,” or “low”) allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.”
Runecast Analyzer Adherence
The Runecast Analyzer directly fulfils the intent of this requirement for VMware virtualized (SDDC) system components within the CDE:
“The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment.”, it is required that “Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing list, or RSS feeds…. this requires a process to actively monitor industry sources for vulnerability information.”
The Runecast Analyzer provides the required information for any specific CDE through a fully automated, fast (sub-minute) scanning process and real-time log inspection. The Analyzer contains thousands of articles that have been reported in the vendor (VMware) Knowledge Base, and is updated continuously with new and changed content including all VMSAs (VMware Security Advisories). The Analyzer also uses industry news groups, mailing lists, and RSS feeds to determine if the CDE is exposed to issues reported in the industry.
In the following screenshot, we can see results where a specific data center has been scanned and the security vulnerabilities contained in that environment have been discovered from the knowledge base:
It can be seen that risks are classified within the Runecast Analyzer, as it ranks all detected vulnerabilities (risks) by criticality (“Critical”, “Major”, “Medium”, and “Low”).
The full detail of the issue is also provided and the vendor recommended remediation workflow, as well as links to resources (such as patches) needed to resolve the vulnerability. The specific system components that are vulnerable are identified within the data center:
The Runecast knowledge data is kept continually up-to-date, so any changes in security hardening guidance or best practices are updated and any newly introduced vulnerabilities from non-compliances will also be identified in these cases. It also takes into account variation in versions at product- and component-level to obtain its results. The VMware data center’s specific configuration is vetted against authoritative industry guidance for security hardening and best practices.
These results are easily consumed in an audit view, and can be exported to multiple formats (e.g. as reports and/or emails). A full REST-API is also provided for extracting results or integrating with other systems.
The Runecast Analyzer application naturally works as part of BAU. It can be set to scan automatically and frequently. It will identify vulnerabilities from the latest industry sources, categorise their severity, showing where they are and how they can be resolved in the business’ specific CDE. To further assist in BAU processes, Runecast Analyzer can also integrate vulnerability detection within the standard VMware vSphere management client:
Meeting PCI DSS is vitally important for protecting the credit card industry. However, the compliance process presents major challenges for businesses. This is especially true when considering modern virtualized system components within a Cardholder Data Environment. The Runecast Analyzer uses knowledge automation to surmount these difficult demands when tracking an ever-changing landscape of emergent threats and best practices.
Through combining codified industry knowledge data with advanced system monitoring, PCI DSS requirements that were infeasible to address by manual means now become simple (Business as Usual) automated processes within VMware data centers.
This provides the conclusion that Runecast Analyzer equips businesses with indispensable and transformative capability to efficiently and effectively address PCI DSS compliance. In doing so, businesses reduce operational costs dramatically, whilst providing themselves and their Customers with real, continuous, and proactive protections.
A fully-featured trial version of Runecast Analyzer can be downloaded and installed in minutes. You will then be able to quickly run a non-intrusive automated scan for vulnerabilities within your specific VMware environment.
In this article an important, specific, requirement was cited to demonstrate this capability. In future articles other requirements will also be provided to show how and where Runecast further transforms the compliance process for virtual data centres.
Senior Product Developer