Firehost Webinar: Do you know where your Cardholder Data Environment is?
1. Do you know where your CDE (Cardholder Data Environment) is?
PCI 3.0 Webinar Series: Part 2 of 6
Kurt Hagerman
Chief Information Security Officer
2. Today’s Speaker
Kurt Hagerman
Chief Information Security Officer
Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and health care spaces as well as on cloud security.
Webinar Series: Defining Your CDE
3. Agenda
• PCI DSS 3.0
• What To Think About 12 Months Out
• Understanding Your Cardholder Data Environment (CDE)
• Key Elements of Defining Your CDE
• Defining Where Your Cardholder Data Lives
• Network & Data Flow Diagrams
• Inventory of Systems & Applications
• Network Segmentation
• Third Party Services
• What’s Next
• Questions & Answers
4. PCI DSS 3.0: A New Era in Compliance
• Changes reflect shifting security landscape
• In effect now, but January 2015 is the compliance deadline
• Critical to avoid fines and brand damage
• Visit info.firehost.com/webinar-series-new-pci-register.html
5. What to think about 12 months out
• Talk to your QSA
• Know how the new standard impacts your organization
• Identify issues now that may take longer to resolve
• Begin integrating PCI compliance into your daily operations
6. Understanding Your Cardholder Data Environment (CDE)
• It’s about people, processes AND technology
• Understand who interacts with cardholder data and how
• Consider processes such as settlement, reconciliation and chargebacks, as well as manual order processes
• Technology elements
• Network, servers, virtualization, security services
• Applications that interact with cardholder data
• Don’t forget your third party service providers
7. Key Elements of Defining CDE
• Define where your cardholder data lives
• Create network & data flow diagrams
• Create an inventory of all systems and applications that interact with cardholder data
• Detail any segmentation methods used to limit the scope of the CDE
• Consider third party services
8. Defining Where Your Cardholder Data Lives
• Develop a methodology for finding cardholder data in your environment
• Demonstrate that cardholder data doesn’t exist outside of where you say it exists
• Don’t assume, and don’t limit your search
• Analyze and identify where cardholder data is across your entire enterprise
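The slide above says to search the whole enterprise rather than the places you already expect, and to show that cardholder data does not exist outside the CDE. The scanner below is an added example of that search, not code from FireHost or the webinar: it finds candidate PANs (13 to 19 digits, optionally grouped with spaces or dashes), drops anything that fails the Luhn check or does not start with an issuer prefix, and reports only a masked first-six/last-four so the findings list does not itself become a new cardholder data location. The file contents are constructed for the example; the card numbers in them are the well-known public test PANs, and the issuer ranges in brand_of are an assumption for illustration rather than a maintained IIN table.

```python
import re
from typing import Dict, List, Optional

# Candidate PAN: 13 to 19 digits, optionally grouped with single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check digit validation; every real PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer check on leading digits and length. The ranges here are
    assumed for illustration; a production scanner would use an IIN table."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return None


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per validated PAN, with source and line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if not luhn_ok(digits):
                continue  # order numbers, timestamps, typos
            brand = brand_of(digits)
            if brand is None:
                continue  # numeric, Luhn-valid, but not a card prefix
            findings.append({"source": source, "line": lineno,
                             "brand": brand, "pan": mask_pan(digits)})
    return findings


def scan_files(files: Dict[str, str]) -> List[Dict[str, object]]:
    results: List[Dict[str, object]] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample corpus (path -> contents) standing in for a log
# directory, a finance export and a forgotten share. Not real data.
SAMPLE_FILES = {
    "app/logs/checkout.log": (
        "2014-02-11T10:02:13 order=1394521200123456 status=ok\n"
        "2014-02-11T10:02:14 DEBUG card=4111 1111 1111 1111 exp=12/15\n"
        "2014-02-11T10:02:15 callback 214-555-0123\n"
    ),
    "finance/exports/chargebacks.csv": (
        "case,amount,pan\n"
        "CB-201,45.00,5500000000000004\n"
        "CB-202,12.50,4111111111111112\n"  # fails Luhn: not a PAN
    ),
    "legacy/share/orders_2009.txt": (
        "AMEX 378282246310005 J SMITH\n"
        "DISC 6011-1111-1111-1117 A JONES\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['source']}:{f['line']} {f['brand']} {f['pan']}")
```

Run on the constructed corpus it reports four locations, including the debug log line and the old share, and skips the Luhn-invalid value and the 16-digit order number. Pointing scan_files at real mount points is where the scoping work starts: every hit outside the documented CDE is either data to delete or a system to pull into scope.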
9. Network & data flow diagrams
Organizations need clear network diagrams that show:
• How all components of the CDE are connected
• Connections between the CDE and other networks
• How the CDE is related to your overall network
• How cardholder data flows through your applications and systems
• Where segmentation is used to limit the scope of the CDE
10. Inventory of Systems & Applications
Create and maintain an inventory of all hardware/software, including:
• Network equipment
• Payment applications
• Security infrastructure
• Server & storage infrastructure
• Authentication infrastructure
• Management applications
11. Network Segmentation
Segmentation isolates cardholder data into fewer locations to reduce:
• Compliance scope
• Audit costs
• Compliance cost and complexity
• The risk to an organization
Network segmentation methods:
• Properly configured internal network firewalls
• Routers with strong access control lists
• Other technologies that restrict data access
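The slide lists internal firewalls and router ACLs as the segmentation methods, and "detail any segmentation methods used" means being able to show that the rule set only lets documented flows cross the CDE boundary. The script below is an added example of that review, not FireHost's tooling: it takes a CDE subnet, a list of approved and documented flows, and an ordered rule set, and flags every permit rule touching the CDE that is not wholly inside an approved flow, plus a rule set that does not end in an explicit deny-all. The subnets, the approved flows and the rules are all constructed for the example; the Rule and Flow types are an assumed, vendor-neutral representation rather than any firewall's real syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    """An approved, documented flow that crosses the CDE boundary."""
    proto: str
    src: str
    dst: str
    port: Optional[int]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def _touches(cidr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    n = _net(cidr)
    return any(n.overlaps(c) for c in nets)


def _within(rule: Rule, flow: Flow) -> bool:
    """True when everything the rule permits is inside the approved flow."""
    proto_ok = flow.proto == "ip" or rule.proto == flow.proto
    port_ok = flow.port is None or rule.port == flow.port
    return (proto_ok and port_ok
            and _net(rule.src).subnet_of(_net(flow.src))
            and _net(rule.dst).subnet_of(_net(flow.dst)))


def review_rules(rules: List[Rule], cde: List[str],
                 approved: List[Flow]) -> List[Dict[str, object]]:
    """Flag permit rules that reach the CDE without an approved flow, and a
    rule set that lacks a final deny-all."""
    cde_nets = [_net(c) for c in cde]
    findings: List[Dict[str, object]] = []
    for index, rule in enumerate(rules, start=1):
        if rule.action != "permit":
            continue
        src_in_cde = _touches(rule.src, cde_nets)
        dst_in_cde = _touches(rule.dst, cde_nets)
        if not (src_in_cde or dst_in_cde):
            continue  # never reaches the CDE; irrelevant to segmentation
        if any(_within(rule, flow) for flow in approved):
            continue  # documented and justified
        findings.append({
            "rule": index,
            "kind": "unapproved_flow",
            "detail": f"{rule.proto} {rule.src} -> {rule.dst} "
                      f"port {rule.port or 'any'} ({rule.comment})",
        })
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny"
            or _net(last.src).prefixlen != 0 or _net(last.dst).prefixlen != 0):
        findings.append({"rule": None, "kind": "no_default_deny",
                         "detail": "rule set does not end with 'deny ip any any'"})
    return findings


# Constructed environment: one CDE subnet and two documented boundary flows.
CDE_SEGMENTS = ["10.10.0.0/24"]
APPROVED_FLOWS = [
    Flow("tcp", "10.20.0.0/28", "10.10.0.0/24", 22),   # jump hosts -> CDE, SSH
    Flow("udp", "10.10.0.0/24", "10.30.0.5/32", 514),  # CDE -> log collector
]

# Constructed rule set, in evaluation order.
SAMPLE_RULES = [
    Rule("permit", "tcp", "10.20.0.0/28", "10.10.0.0/24", 22, "jump hosts to CDE"),
    Rule("permit", "udp", "10.10.0.0/24", "10.30.0.5/32", 514, "CDE syslog to SIEM"),
    Rule("permit", "tcp", "10.0.0.0/8", "10.10.0.0/24", 3389, "RDP from corporate"),
    Rule("permit", "ip", "10.10.0.0/24", "0.0.0.0/0", None, "CDE outbound"),
    Rule("permit", "tcp", "10.40.0.0/24", "10.50.0.0/24", 443, "HR to intranet"),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, "default deny"),
]

if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES, CDE_SEGMENTS, APPROVED_FLOWS):
        print(f"rule {f['rule']}: {f['kind']}: {f['detail']}")
```

On the constructed rule set the review flags rule 3 (RDP into the CDE from the whole corporate range) and rule 4 (unrestricted egress from the CDE), while the HR-to-intranet rule is ignored because it never touches the CDE. Both flagged rules would pull the far side into scope, which is exactly what the segmentation was meant to prevent; the egress rule matters as much as the ingress one, because a system the CDE can reach is connected to it.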
12. Third Party Services
• UNDERSTAND - anyone that has access to or can impact the security of your CDE is in scope
• Examples: hosting providers, managed security service providers, DR providers, contractors, etc.
• Identify and maintain a list of service providers
• Monitor service provider PCI compliance
• Understand and define roles & responsibilities
• Identify who’s responsible for what – get it spelled out
• Use a provider who is transparent about how they help
• Work with “validated” providers who undergo their own PCI DSS assessments
13. What’s Next
• Verifying Segmentation Effectiveness
• Pen Testing
• Credit Card Searches
PCI 3.0: Part 3
Getting Ready 9 Months Out
March 11, 2014
Will: Hello and welcome to the second in our series on the PCI DSS 3.0 compliance changes. Today we’ll be talking about your CDE – your Cardholder Data Environment. We’ll leave some time at the end to take your questions, and you can also submit questions during the webinar through the chat feature. To mute your phone, <instructions>.
Will: I’d like to introduce our speaker today. I’m Will Morgan and I’ll be moderating our discussion. Kurt Hagerman, FireHost’s Chief Information Security Officer, will be leading today’s session on the guidance you should take now to transition your compliance practices in time for the 3.0 deadline.
Will: Now let’s take a look at our agenda today. We’ll be talking about the PCI DSS 3.0 changes and what you need to get started on right now. We’ll also talk about defining your CDE and using network segmentation, along with the data flow diagrams you’ll need. Finally, we’ll have some time at the end to take your questions live.
Kurt, I’ll turn the discussion over to you as we talk more about the 3.0 changes.
Kurt:
Thank you, Will.
- These changes reflect a shifting security landscape. Compliance isn’t just about passing audits; it’s about successfully defeating threats like XSS attacks and SQL injection. Cybercriminals get more sophisticated every day. There are many new payment methods now, which means that attack surfaces are larger. Hackers understand the multiple points of access to cardholder data.
As all of you know, the new PCI DSS guidelines went into effect on the 1st of this year. You have until January 2015 to get ready, but there are factors you should start thinking about now to transition your compliance systems throughout the year. That’s what we’re talking about today.
Just as before, meeting regulations is critical for avoiding the fines and brand damage that come with a breach. It’s important not to lose sight of that: doing this work is ultimately to your benefit.
- If you didn’t attend our first webinar in the series, do so to make sure you have a complete grasp of the basics. http://info.firehost.com/webinar-series-new-pci-register.html
Kurt:
Today we’re going to focus on the factors you’ll want to start thinking about right now.
First up, you’ll want to talk to your QSA – they are the arbiters of your compliance, so start those conversations now and find out what they think the impact of 3.0 will be on your organization.
By identifying issues now that might take longer to resolve, you’ll face less work in crunch time.
This includes looking at your business environments and security strategies and strengthening your provider relationship.
3.0 focuses on shifting from an annual compliance checklist mindset to a proactive, business-as-usual approach to security. Now is the time to begin integrating PCI compliance into your daily operations.
Will: Let’s jump right into the cardholder data environment, the CDE. Kurt, can you take us through…
Kurt:
3.0 places more emphasis on defining the in-scope environment on a regular basis - these definitions help by pointing out potential weaknesses in your system.
It’s important to remember that your CDE isn’t just about technology – it includes people, processes and technology
Which means you must understand exactly who interacts with your cardholder data and how.
Consider processes like settlements, chargebacks, reconciliations and manual order processes – all of those are subject to PCI requirements.
As far as technologies – that includes network devices, servers, virtualization, security services, and applications that interact with cardholder data.
Remember that your 3rd party providers are included in this too.
Kurt:
Your first step: accurately determine CDE scope.
First you must define where your cardholder data lives and create network and data flow diagrams that illustrate this. Identifying all locations and flows of cardholder data is critical to make sure no data exists outside of CDE.
Next get a solid grasp on your inventory – what are all the devices and applications that interact with cardholder data?
Security services and segmentation systems: authentication servers, internal firewalls, resolution or web redirection servers
Virtualization components: virtual machines, switches/routers, appliances, applications, hypervisors.
Network components: firewalls, switches, routers, wireless access points, network appliances
Server types like web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS)
All internal and external applications
Finally, you’ll need to detail any and all segmentation methods you’re using to limit your scope.
And once again, you must consider your provider and how their systems influence your CDE.
Kurt:
Now that you understand exactly what your CDE is, it’s time to define where your cardholder data lives.
The most efficient way to do this is to develop a methodology for defining data in your environment. This is a two-way street; not only will you need to define the data in your CDE, you need to prove it doesn’t exist outside of that CDE.
If you go into this process assuming you already know where the data is, you may overlook areas you’re unaware of – as a result, the data will be vulnerable.
So it’s important not to limit your search – it’s necessary to identify where any cardholder data is across the entire enterprise.
Kurt:
You’ll need network diagrams that show:
how all components of CDE are connected
connections between CDE and other networks
How the CDE is related to your overall network
How cardholder data flows through your systems and applications
Where segmentation is used to limit the scope of the CDE
These diagrams show the success of your network segmentation at isolating the CDE and help you understand and keep track of your scope
- without them, devices could be accidentally overlooked and vulnerable to attack
- diagrams must be kept current and updated
Kurt: 3.0 is very clear on the need to maintain a complete and accurate inventory of all systems and applications in scope.
That includes:
Network equipment
Server and storage infrastructure
Security infrastructure
Authentication infrastructure
Payment applications
Management applications
Kurt:
Segmentation reduces your scope for cardholder data - isolates cardholder data into fewer, more controlled locations
Shrinking the organization’s attack surface creates fewer points of entry for attackers, lightens your compliance burden and lowers your risk.
Without network segmentation, your entire network is in scope, and that’s going to be a major headache.
You want to address this right now - restricting cardholder data to a few locations means eliminating unnecessary data, and consolidating the right data.
That can mean you need to rejigger your usual processes, and even part of your foundational infrastructure sometimes - important to start now.
Using network segmentation:
properly configured internal network firewalls
routers with strong access control lists
or other technologies that restrict access to a particular segment of a network.
Kurt:
Compliance validation must be performed on all system components in the CDE – anyone that has access to your CDE or impacts it is in scope.
This includes any third-party hosting providers, managed security service providers, DR providers and contractors: their routers, firewalls, databases, physical security and servers.
After identifying and putting together a clear list of all relevant providers, you’ll need to identify who’s responsible for what.
Don’t make assumptions – get everything spelled out in contracts, whether it’s an MOU, SLA or Terms of Service contract.
Also important to work with a “validated” provider who undergoes their own PCI DSS assessments and can show you evidence of their compliance.
Kurt: Next up in March, we’ll have another webinar on PCI 3.0 – this time we’ll talk about what you need to do 9 months out. We’ll talk about the controls you need to test and verify your CDE, including pen testing, credit card searches and more.
Will: Now that we’ve taken a look at what you need to do now to get ready for 3.0, let’s hear your questions. If you have any compliance struggles or challenges that you’re facing, let us know and we’ll talk about the right actions to take. Just use the chat feature to submit your questions.
Will: Thank you for joining us today. We hope you enjoyed learning more about getting ready for PCI DSS 3.0 and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on March 25 for part 3 of “Getting Ready for PCI 3.0.” We look forward to seeing you again.