Using Cisco’s VMDC to help facilitate PCI compliance

June 20, 2014
Gary McCully

Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC.
Synopsis

This whitepaper discusses how Cisco's Virtualized Multiservice Data Center (VMDC) validated architecture can help organizations reduce their scope for PCI, and help them reach and/or maintain PCI compliance.

Table of Contents

Introduction
  VMDC
  SecureState
Who Needs to be PCI Compliant?
What are the Current Challenges?
PCI DSS Goals and Requirements
How VMDC Can Help
  Build and Maintain a Secure Network (Requirements 1 & 2)
  Protect Cardholder Data (Requirements 3 & 4)
  Maintain a Vulnerability Management Program (Requirements 5 & 6)
  Implement Strong Access Control Measures (Requirements 7, 8, & 9)
  Regularly Monitor and Test Networks (Requirements 10 & 11)
  Maintain an Information Security Policy (Requirement 12)
Achieving PCI Compliance
Introduction

Cisco's Virtualized Multiservice Data Center (VMDC) is a scalable network topology that service providers and large organizations can implement in order to provide a secure multi-tenant solution to their clients. The architecture that VMDC utilizes greatly assists service providers in creating a network that satisfies clients with various security needs. In order to evaluate the ability of Cisco's VMDC network topology to facilitate PCI compliance on behalf of the clients that implement this blueprint, Cisco had SecureState analyze the VMDC topology against the PCI Data Security Standard (DSS) 3.0 control set. Previously, SecureState evaluated earlier versions of the VMDC topology against PCI DSS version 2.0. All organizations that store, process, and/or transmit credit card data (known as cardholder data, or CHD) are required to comply with PCI, and PCI DSS version 3.0 officially goes into full effect on January 1, 2015. Cisco's VMDC architecture provides a number of controls which can either be directly configured to meet specific DSS 3.0 requirements, or can be implemented in order to help fulfill a particular component of the overall control.

VMDC

The Cisco VMDC is a tested and validated reference architecture for the Cisco Unified Data Center. It provides a set of guidelines and best practices for the creation and deployment of a scalable, secure, and resilient infrastructure in the data center. The Cisco VMDC architecture demonstrates how to bring together the latest Cisco routing and switching technologies, network services, data center and cloud security, automation, and integrated solutions with those of Cisco's ecosystem of partners to develop a trusted approach to data center transformation. Specific benefits include:

- Demonstrated solutions to critical technology-related problems in evolving IT infrastructure: Provides support for cloud computing, applications, desktop virtualization, consolidation and virtualization, and business continuance
- Reduced time to deployment: Provides best-practice recommendations based on a fully tested and validated architecture, helping enable technology adoption and rapid deployment
- Reduced risk: Enables enterprises and service providers to deploy new architectures and technologies with confidence
- Increased flexibility: Enables rapid, on-demand workload deployment in a multitenant environment using a comprehensive automation framework with portal-based resource provisioning and management capabilities
- Improved operating efficiency: Integrates automation with a multitenant pool of computing, networking, and storage resources to improve asset use, reduce operation overhead, and mitigate operation configuration errors

The Cisco VMDC architecture, consisting of the Cisco Unified Data Center and Cisco Data Center Interconnect (DCI) together with other architectural components such as infrastructure abstraction, orchestration and automation, assurance, and integrated services and applications, as shown in the figure below, provides comprehensive guidelines for deployment of cloud infrastructure and services at multiple levels.
SecureState

SecureState is a management consulting company specializing in information security and compliance services. We believe in a different approach to security, one which guides our clients, as partners, from their CurrentState (CS) to their DesiredState (DS) and ultimately their SecureState. As shown in the graph below, SecureState begins working with clients at the CS, performing assessments to understand the security posture of the organization as it is constructed today. Once SecureState identifies the CS, we then construct tactical and strategic methods to move from the CS to the DS and ultimately a managed SecureState (SS). In terms of PCI, SecureState provides these services to various organizations that are required to achieve and/or maintain PCI compliance on a consistent basis, assisting organizations in identifying their CurrentState of compliance with PCI and helping them achieve their DesiredState and SecureState.
Who Needs to be PCI Compliant?

All organizations that store, process, or transmit CHD are required to be compliant with PCI. However, not all organizations are required to meet the same number of controls. Control requirements are based on the annual volume of credit card transactions and on the way these credit cards are processed, transmitted, and/or stored. In some cases, the organization is even allowed to self-assess for PCI compliance. Organizations that process over six million transactions per year must have an annual assessment completed by a Security Assessor (an independent third party, or an internal resource that has been approved by the PCI Security Standards Council).

Organizations can use segmentation to limit the scope of their Cardholder Data Environment (CDE), which makes the task of achieving and maintaining PCI compliance much easier. By adequately segmenting the CDE from the rest of the internal network, many of the PCI controls will only apply to this subset of systems. In fact, one of the best features of Cisco's VMDC is its ability to utilize various technologies in order to achieve segmentation (e.g. Access Control Lists, VLANs, multiple Sourcefire security contexts, virtual firewalls, etc.). Additionally, organizations can further reduce the scope of their PCI environment by implementing any of the following technologies: secure redirects, point-to-point encryption, and/or tokenization. In the context of PCI, less truly is more; that is, the fewer systems that come into contact with CHD, and the fewer places CHD is stored, the easier it will be to achieve and/or maintain compliance.

What are the Current Challenges?

1. Scope. By far, the greatest challenge that most organizations face when trying to achieve PCI compliance is the scope of the CDE. The scope of the CDE consists of all systems that transmit, store, and/or process CHD, all systems that can affect the security of those systems, and all systems that are not adequately segmented from those systems. In many cases, the organization's entire internal network comes into scope for PCI because adequate segmentation is not in place. In large organizations, this makes the process of achieving and/or maintaining PCI compliance practically impossible. Since all controls would need to be applied to every system on the network, every system would need to be appropriately hardened, monitored, patched, etc. One system that has not been appropriately locked down could affect the compliance status of the entire organization. In organizations with hundreds, or even thousands, of systems, it is almost impossible to ensure that all of the relevant controls have been applied to every single system in scope.

2. User Account Management. Many organizations are able to manage Windows domain accounts through the use of Active Directory (AD), but accounts associated with network infrastructure, local administrator accounts, Linux and/or Unix system accounts, mainframe accounts, etc., must also comply with PCI requirements (i.e., password complexity, password minimum length, password history, etc.). Applying all of these controls to each account can be a daunting task, and it is easy to miss devices within the CDE which have accounts that must comply with specific PCI requirements.

3. Device Hardening. All systems and applications in the CDE must be adequately locked down, using some industry accepted security hardening standard. Common systems that must be locked down include databases (Oracle, MS-SQL, MySQL, etc.), servers (Windows 2003, Windows 2008, Red Hat, etc.), web servers (IIS, Apache, WebLogic, etc.), and network infrastructure (firewalls, routers, switches, etc.). If the CDE is large and complex, then hardening every in-scope system can be a very difficult task.
4. Patch Management. Although most organizations are adequately monitoring and applying patches to their Windows systems, they struggle when it comes to patching non-Windows devices and products. It is common to identify network infrastructure (e.g. firewalls, routers, switches, etc.), databases (e.g. Oracle, MySQL, etc.), and non-Windows systems (e.g. various flavors of UNIX and Linux) that are missing critical patches.

As we review the PCI requirements, I will specifically highlight how Cisco's VMDC can help with the facilitation of these controls. While VMDC cannot help with the facilitation of all PCI requirements, it can help in achieving compliance in many areas that organizations traditionally struggle with.

PCI DSS Goals and Requirements

The PCI DSS has twelve requirements (domains), which broadly align with six separate goals. The goals, and the requirements associated with each of them, are as follows:

1. Build and Maintain a Secure Network – The first goal encompasses DSS requirements one and two. PCI defines the first requirement as "Install and maintain a firewall configuration to protect cardholder data." Practically speaking, this control defines network layer requirements for the CDE, and includes controls around firewalls, routers, and network topology. For example, there are requirements restricting the external traffic that is allowed to reach particular devices on the DMZ, and requirements to keep a current network diagram of the CDE. The second requirement associated with this goal concerns properly hardening the various devices on the network. This requirement states, "Do not use vendor-supplied defaults for system passwords and other security parameters." In this regard, PCI requires that devices be locked down using industry accepted standards, and that these standards be kept up to date.

2. Protect Cardholder Data – This goal covers protection of CHD while it is in transit or in storage, and directly maps to DSS requirements three and four. The first of these requirements is to "Protect stored cardholder data." This requirement largely deals with encryption, retention, and destruction of digital CHD. The second requirement deals with protecting CHD while it is in transit, and is defined as "Encrypt transmission of cardholder data across open, public networks." Requirement four has a lot to do with SSL and the use of encrypted channels when CHD traverses a public network.

3. Maintain a Vulnerability Management Program – The next goal of PCI involves maintaining a vulnerability management program, and PCI maps this back to requirements five and six of the PCI DSS. Requirement five of the DSS is defined as "Use and regularly update anti-virus software or programs," and has to do with the installation, maintenance, and monitoring of anti-virus software. PCI requires that anti-virus be configured on all devices that are commonly affected by malware, and requires that organizations monitor the industry in order to determine which devices meet these criteria. The sixth PCI DSS requirement is defined as "Develop and maintain secure systems and applications." This control involves the processes around securing web applications within the CDE, patching, and change management. There is great emphasis on the use of secure coding practices and ongoing maintenance.

4. Implement Strong Access Control Measures – Rather than encompassing just two of the DSS requirements, this goal has three DSS requirements associated with it: DSS requirements seven, eight, and nine. The first of these requirements is defined as "Restrict access to cardholder data by business need-to-know," and is primarily concerned with centralized account management. The second requirement is to "Assign a unique ID to each person with computer access," and has to do with proper account management, password policies, and user provisioning and de-provisioning. The final requirement is defined as "Restrict physical access to cardholder data." This control has to do with physically protecting CHD, and securing back-ups that contain this data.

5. Regularly Monitor and Test Networks – The fifth goal encompasses DSS requirements ten and eleven. Requirement ten is defined as "Track and monitor all access to network resources and cardholder data," and contains requirements around log monitoring and retention. Additionally, there are extensive requirements around NTP configuration, since NTP is critical for log analysis. The eleventh requirement of the PCI DSS is defined as "Regularly test security systems and processes." This control includes requirements around vulnerability scanning, attack and penetration assessments, and Intrusion Prevention/Detection systems.

6. Maintain an Information Security Policy – The last goal corresponds to only one PCI DSS requirement. This is the twelfth of the requirements, and is defined as "Maintain a policy that addresses information security for employees and contractors." In this regard, this requirement has to do with clearly defining key components of the organization's security program. Controls around having a clearly defined incident response plan, ensuring that people who handle credit cards have had background checks performed on them, and ensuring that there is ongoing security training for the appropriate personnel are included in this requirement.
How VMDC Can Help

Build and Maintain a Secure Network (Requirements 1 & 2)

Install and maintain a firewall configuration to protect CHD: During the assessment, SecureState reviewed the ASA firewall, Nexus switches, and routers in order to evaluate how each device could be used to facilitate the various controls outlined in this requirement. The ASA firewall could be used to meet all controls around the various firewall configuration requirements, such as the implementation of ingress and egress filtering, secure DMZ configuration, and anti-spoofing access control lists (ACLs). In this regard, the network infrastructure that is part of the VMDC can be used to directly meet many of the requirements in this section of the DSS, including many of the controls related to documenting the organization's network topology of the CDE. Organizations that have implemented Cisco's VMDC network topology will have a well-documented base topology that can be modified to meet their particular needs.

Do not use vendor-supplied defaults for system passwords and other security parameters: The various devices that are part of Cisco's VMDC can be locked down using well known configuration standards, and Cisco has developed configuration guides for each component which can be used to apply specific controls. SecureState reviewed each device in order to verify that it could be hardened in such a way as to meet PCI compliance requirements. However, one of the best and easiest ways that organizations can meet this control is by limiting the number of devices that are in scope for PCI. The fewer devices that are within the CDE, the easier it will be to lock each device down appropriately. In this regard, VMDC provides robust network infrastructure which can be used in order to segment the network. These technologies include ACLs, VLANs, and virtual firewalls. By combining these controls it is possible for an organization to limit the number of systems within their CDE, which makes the task of achieving and maintaining PCI compliance easier.
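The scope rule from the "Scope" challenge above, and the ACL/VLAN segmentation this section describes, can be checked against a network model. The following is an added example, not code from the whitepaper or from Cisco: it classifies every host as CDE, connected-to (not adequately segmented, so in scope) or out of scope, and lists the ACL entries that let other VLANs into the CDE. All host names, VLAN names and ACL entries are constructed sample data.

```python
"""PCI scope calculation over a segmented VMDC-style network model.

Added example (not from the whitepaper or Cisco). Encodes the paper's scope
rule: every system that stores, processes or transmits CHD is in scope, and
so is every system that is not adequately segmented from one. Hosts, VLANs
and ACL entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Host:
    name: str
    vlan: str
    handles_chd: bool = False  # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    """One ACL entry between VLANs; 'any' matches every VLAN."""
    src: str
    dst: str
    action: str  # "permit" or "deny"


def match_rule(src: str, dst: str, acl: List[Rule]) -> Optional[Rule]:
    """First-match evaluation, as on Cisco ACLs; None means the implicit deny."""
    for rule in acl:
        if rule.src in (src, "any") and rule.dst in (dst, "any"):
            return rule
    return None


def vlan_reachable(src: str, dst: str, acl: List[Rule]) -> bool:
    """Hosts in one VLAN always reach each other; across VLANs the ACL decides."""
    if src == dst:
        return True
    rule = match_rule(src, dst, acl)
    return rule is not None and rule.action == "permit"


def pci_scope(hosts: List[Host], acl: List[Rule]) -> dict:
    """Classify hosts: 'cde' handle CHD; 'connected' do not, but can open a
    connection to a CDE host or receive one from it, so they are not
    adequately segmented and fall in scope; everything else is out of scope."""
    cde = [h for h in hosts if h.handles_chd]
    connected = set()
    for other in hosts:
        if other.handles_chd:
            continue
        for c in cde:
            if vlan_reachable(other.vlan, c.vlan, acl) or vlan_reachable(c.vlan, other.vlan, acl):
                connected.add(other.name)
                break
    cde_names = {h.name for h in cde}
    out = {h.name for h in hosts} - cde_names - connected
    return {"cde": cde_names, "connected": connected, "out_of_scope": out}


def segmentation_gaps(hosts: List[Host], acl: List[Rule]) -> list:
    """ACL entries that let a non-CDE VLAN into a CDE VLAN: each one is a path
    an assessor will ask the organization to justify (here, management access)."""
    cde_vlans = {h.vlan for h in hosts if h.handles_chd}
    other_vlans = {h.vlan for h in hosts} - cde_vlans
    gaps = []
    for src in sorted(other_vlans):
        for dst in sorted(cde_vlans):
            rule = match_rule(src, dst, acl)
            if rule is not None and rule.action == "permit":
                gaps.append((src, dst, rule))
    return gaps


# Constructed sample topology: two CHD systems, a management jump host,
# two corporate systems and a DMZ proxy.
HOSTS = [
    Host("payment-app", "cde", handles_chd=True),
    Host("card-db", "cde", handles_chd=True),
    Host("jump-host", "mgmt"),
    Host("hr-fileserver", "corp"),
    Host("workstation-01", "corp"),
    Host("web-proxy", "dmz"),
]

# No segmentation at all: the whole network comes into scope.
FLAT_ACL = [Rule("any", "any", "permit")]

# Segmented as the paper describes: only the management VLAN reaches the CDE,
# the CDE initiates nothing outward, other VLANs may still talk to each other.
SEGMENTED_ACL = [
    Rule("mgmt", "cde", "permit"),
    Rule("any", "cde", "deny"),
    Rule("cde", "any", "deny"),
    Rule("any", "any", "permit"),
]
```

With the flat ACL every host is in scope; with the segmented ACL only the jump host joins the two CDE systems, and segmentation_gaps names the single mgmt-to-cde entry that still needs justification and hardening.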
Protect Cardholder Data (Requirements 3 & 4)

Protect stored cardholder data: If it is possible to avoid storing CHD, SecureState recommends that organizations avoid it. If CHD is not stored, then many of the controls in this section simply do not apply, and the organization limits its liability. In this regard, many organizations use some sort of tokenization solution, in which CHD is sent to a third party for storage and/or processing. This third party sends the organization a token, which can be used to reference the credit card for further processing (e.g. chargebacks, recurring charges, etc.). However, in the cases where CHD must be stored, the data should be stored in an encrypted format. VMDC is a solid network topology which contains a number of technologies that can be used for segmentation, and all CHD could be segmented from the rest of the network.

Encrypt transmission of cardholder data across open, public networks: PCI requires that CHD traversing an open network (i.e., the internet) do so in a secure manner. In many cases, organizations will fulfill this requirement by setting up VPN connections with third parties and partners, and the CHD traverses these links in an encrypted format. ASA firewalls support site-to-site VPNs, and thus can be used in this capacity. In ecommerce environments where customers need to make purchases over the web, organizations can reduce their scope by using secure redirects to a third party where the card is actually processed. Additionally, organizations that serve in a retail capacity may consider using a point-to-point encryption solution. In this solution, a credit card is encrypted at the swiping device, and is sent to a third party where the card is decrypted and processed. In most cases, point-to-point encryption is tied into a tokenization solution, thus reducing the organization's exposure even further.
Maintain a Vulnerability Management Program (Requirements 5 & 6)

Use and regularly update anti-virus software or programs: PCI requires that organizations configure anti-virus software to run on all systems commonly affected by malware. Organizations are required to monitor the industry in order to verify that these systems continue to fall into this category. Most QSAs (Qualified Security Assessors) would not consider Cisco equipment to be devices that are commonly affected by malware. Additionally, Sourcefire is one of the devices that are part of the VMDC topology, and it has the ability to analyze files that are traversing the network for viruses or malware with a known signature. If a file is found to contain such a virus, then either the traffic can be blocked, or the appropriate individuals can be notified. In this regard, although Sourcefire does not explicitly meet this control, it adds another layer of protection for the organization.

Develop and maintain secure systems and applications: This requirement mainly focuses on the development and rollout of new applications in the CDE. PCI requires that developers follow secure coding practices and follow a formal process when making changes to these applications. However, this requirement also addresses the application of patches. Cisco notifies its users when a new critical patch is released so that their systems can be quickly patched. In this regard, Cisco's patch notifications help organizations stay up-to-date on the latest patches for their Cisco devices, and thus help with the facilitation of this control. Many organizations use Red Hat and/or Windows servers in their CDE. In order to help facilitate compliance with the patching requirement, organizations generally use applications such as Satellite and/or Windows WSUS.
Implement Strong Access Control Measures (Requirements 7, 8, & 9)

Restrict access to cardholder data by business need-to-know: This requirement discusses the need to centrally administer user accounts and the privileges associated with them. Most organizations use AD to administer the accounts associated with their Windows servers. However, most organizations do not have a system that they can use to perform the same functions for the devices that are part of their network infrastructure. In order to address this issue, VMDC makes use of Cisco's Access Control System (ACS). While performing the review of the VMDC network architecture, SecureState verified that ACS is capable of integrating each of the core pieces of network infrastructure into AD. In this regard, ACS makes the job of centralized administration of network devices much easier, and thus can help with the facilitation of this PCI requirement. Additionally, roles can be configured in ACS which limit the types of commands a particular account can run on a particular device. Furthermore, roles can be created which grant access to only a subset of the network devices in the network.

Assign a unique ID to each person with computer access: Whereas Requirement 7 deals with the need for centralized account administration, this requirement is concerned with the administration of individual user accounts. Individual accounts with various password requirements can be configured through AD, and then tied into Cisco's ACS. These accounts can then be placed into roles which have various levels of access to the devices that constitute the core network architecture of Cisco's VMDC. Unique accounts can be created for each individual that needs access to the various components of the VMDC, and password policies would be set up in accordance with the Group Policy Objects (GPOs) that are associated with each account. Thus, VMDC can help with the facilitation of meeting this requirement from a network device perspective.

Restrict physical access to cardholder data: This requirement discusses physically protecting CHD. Further, this control addresses physical access controls, the destruction of physical media containing CHD, and monitoring access to the physical infrastructure. Although Cisco's VMDC can help with protecting CHD in digital form, it is the responsibility of those organizations implementing VMDC to validate that the components of the VMDC are physically protected.

Regularly Monitor and Test Networks (Requirements 10 & 11)

Track and monitor all access to network resources and cardholder data: This control essentially deals with requirements around logging appropriate information, monitoring logs for anomalous activity, and the correct configuration of Network Time Protocol (NTP). Cisco's VMDC seamlessly ties into Splunk, which is a powerful Security Information and Event Management (SIEM) solution. Splunk can assist organizations in meeting the requirements around logging and monitoring logs. Furthermore, the devices that make up Cisco's VMDC can send their logs to a SIEM, which will help with the facilitation of this control. Additionally, this requirement stresses proper NTP configuration, and all the devices within Cisco's VMDC can be configured to sync with a particular NTP server of the organization's choice.

Regularly test security systems and processes: Cisco's VMDC can help with meeting a number of the controls in this requirement around File Integrity Monitoring and Intrusion Detection/Prevention Systems (IDS/IPS). Splunk can be configured to monitor logs for changes to particular files on a particular system. When changes are made to these files, an alert can be sent to the organization, so that the appropriate organizational resources are able to review the alert and respond accordingly. Additionally, this PCI requirement lists controls mandating the implementation of an IPS/IDS. Part of Cisco's VMDC network infrastructure includes Sourcefire, which is an industry leader in Intrusion Detection and/or Prevention. During this assessment, SecureState reviewed Sourcefire, and verified that it can be configured to monitor the network for particular patterns that are indicative of attacks/hacking attempts, block files which contain signatures of malware, and block access to well-known malicious websites.
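The Requirement 10 discussion above names three things a collector has to do with the logs the VMDC devices forward: keep them, look for anomalous activity, and rely on NTP so timestamps line up across devices. The following is an added example, not code from the whitepaper, Cisco or Splunk: it parses BSD-style syslog lines as a collector receives them and applies a clock-skew check (the practical reason the paper stresses NTP) and a repeated-failed-login rule. Every log line, host name and address is constructed sample data, and the message wording is invented rather than any vendor's log format.

```python
"""Requirement 10 style review of syslog forwarded from VMDC devices to a SIEM.

Added example (not from the whitepaper, Cisco or Splunk). Two checks over
collected syslog: devices whose clocks disagree with the collector (NTP not
working, which makes cross-device log analysis unreliable) and sources with
a burst of failed logins. All lines below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+): (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"login failed for user (?P<user>\S+) from (?P<src>[\d.]+)")

# Constructed sample: (time the collector received the line, raw line as sent
# by the device). BSD syslog carries no year, so the collector supplies it.
RECEIVED = [
    ("2014-06-20 10:15:02", "Jun 20 10:15:01 asa-edge-1 auth: login failed for user admin from 10.20.30.40"),
    ("2014-06-20 10:15:21", "Jun 20 10:15:20 asa-edge-1 auth: login failed for user admin from 10.20.30.40"),
    ("2014-06-20 10:15:40", "Jun 20 10:15:39 asa-edge-1 auth: login failed for user admin from 10.20.30.40"),
    ("2014-06-20 10:16:30", "Jun 20 10:16:29 asa-edge-1 auth: login failed for user netops from 10.20.30.41"),
    ("2014-06-20 10:17:00", "Jun 19 22:41:13 nexus-core-2 config: configuration saved by user netops"),
    ("2014-06-20 10:18:00", "Jun 20 10:17:58 nexus-core-1 config: configuration saved by user netops"),
]


def parse(received_at: str, line: str, year: int):
    """Split one syslog line into fields; returns None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "received": datetime.strptime(received_at, "%Y-%m-%d %H:%M:%S"),
        "device_ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


def clock_skew_alerts(events: list, max_skew_s: int = 300) -> dict:
    """Hosts whose own timestamp differs from the collector's by more than
    max_skew_s seconds; maps host -> largest skew seen (seconds). A device on
    this list is not keeping time with the organization's NTP server."""
    worst = {}
    for ev in events:
        skew = abs((ev["received"] - ev["device_ts"]).total_seconds())
        if skew > max_skew_s:
            worst[ev["host"]] = max(skew, worst.get(ev["host"], 0))
    return worst


def failed_login_alerts(events: list, threshold: int = 3, window_s: int = 300) -> dict:
    """Sources with at least `threshold` failed logins inside any window_s
    seconds; maps source address -> failures counted in the first such window.
    Collector time is used so a device with a skewed clock does not distort
    the window."""
    by_src = defaultdict(list)
    for ev in events:
        m = FAILED_LOGIN_RE.search(ev["msg"])
        if m:
            by_src[m["src"]].append(ev["received"])
    alerts = {}
    window = timedelta(seconds=window_s)
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts[src] = count
                break
    return alerts


def review(received: list, year: int) -> dict:
    """Parse every collected line and run both checks; unparseable lines are dropped."""
    events = [e for e in (parse(r, l, year) for r, l in received) if e]
    return {"clock_skew": clock_skew_alerts(events), "failed_logins": failed_login_alerts(events)}


if __name__ == "__main__":
    print(review(RECEIVED, 2014))
```

On the sample, nexus-core-2 is reported with roughly eleven and a half hours of skew, which is exactly the condition that would make its "configuration saved" event impossible to correlate with the ASA's login failures, and 10.20.30.40 is reported for three failures inside five minutes.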
Maintain an Information Security Policy (Requirement 12)

Maintain a policy that addresses information security for employees and contractors: This requirement discusses an organization's policies and procedures. Although it is obvious that Cisco's VMDC cannot help with defining policies and procedures, in some cases it can help with facilitating a particular policy or procedure. For example, this section contains requirements around an organization's incident response plan (IRP). Organizations may be able to use Sourcefire and Splunk for detecting attacks, and for alerting appropriate individuals when these attacks are detected. Thus, Sourcefire and Splunk are key to detecting potential attacks and compromises which would cause the IRP to be enacted.

Achieving PCI Compliance

Organizations can achieve PCI compliance through a variety of means and solutions. First, organizations should contact their acquiring bank or processor in order to determine which particular requirements they must comply with. Requirements are largely dependent upon the volume of cards the organization processes annually, and the way these cards are processed, stored, and/or transmitted. In some cases, the organization only needs to complete a Self-Assessment Questionnaire (SAQ), but in other cases the organization might be required to have an assessor (internal or external) review their security program in order to verify that it meets PCI's security requirements around protecting CHD. In these cases, the assessor will interview the appropriate individuals within the organization, and review the appropriate configurations, processes, and documentation. If the organization is able to demonstrate that it meets all of the PCI requirements, then the organization will be issued a Report on Compliance (RoC) and an Attestation of Compliance (AoC). Consequently, the organization will be deemed compliant for the year by its acquiring bank or processor.

For further information, refer to the VMDC Cloud Security 1.0 Design guide at: http://www.cisco.com/c/en/us/solutions/enterprise/data-center-designs-cloud-computing/landing_vmdc.html
