Best Practices for PCI DSS 3 Network Security Compliance White Paper
Network Security Compliance
January 2015
www.tufin.com
Table of Contents
Preparing for PCI DSS V3.0 Audit ..... 3
Protecting Cardholder Data with PCI DSS ..... 3
Complying with PCI DSS Network Security Challenges ..... 4
Seven PCI Best Practices for Network Security ..... 5
Setting High Security Standard for Ongoing Success ..... 6
Quick PCI DSS Network Security Checklist ..... 8
Preparing for PCI DSS V3.0 Audit

Credit card fraud is a growing threat to both financial institutions and retail organizations. Different methods and technologies were developed throughout the years to mitigate this risk. In 2004, the 5 major US credit card companies cooperated to implement a standard to counter the threat together. The new united standard is called the Payment Card Industry Data Security Standard (PCI DSS).

The goal of PCI DSS is to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. It protects against credit card fraud and security threats by providing a baseline of technical and operational requirements designed to protect cardholder data.

The most recent version of the standard is V3.0, replacing V2.0, which ends life in December 2014. Therefore, plans for complying with the upgraded standard and ensuring that the enterprise network is audit ready are a pressing concern of many IT managers and PCI internal auditors today.

This paper provides information to IT managers and PCI internal auditors for understanding network security needs and best practices around credit card threats and the related requirements for PCI DSS V3.0 audits. Tufin's network security expertise enables excellent support for PCI internal auditors, IT managers and their network operation teams to design, plan and integrate the changes required for PCI DSS compliance into business-as-usual activities. Tufin's solution supports IT managers and PCI internal auditors in lessening their compliance headache.
Protecting Cardholder Data with PCI DSS

The PCI DSS defines 12 high-level requirements, grouped into 6 control objectives. To comply, PCI internal auditors or IT managers perform periodic audits every 6 months (3 months recommended). Audits demonstrate compliance via numerous testing procedures and sub-requirements, as seen in the table:
PCI DSS Control Objectives and Requirement Descriptions

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
The main PCI DSS principle: cardholder data is only as secure as the pathways that provide access to it. On the one hand, PCI DSS requirements are designed to ensure that network security practices eliminate or minimize known risks. On the other hand, they ensure that the organization defines well-structured policies, procedures and practices that can be tracked and audited. To ensure both secure data pathways and adherence to strict network security policies, PCI DSS requires:

- Specific guidelines for processing card payments to help prevent credit card fraud, skimming and other security threats
- Aligning with the industry best practices to increase the trust of both customers and partners
- Limiting external network access to sensitive data, combined with a formal process for monitoring all changes to firewall configuration
- Tracking and auditing of firewall operations regularly, including clear definitions of roles and responsibilities
- Strictly limiting internal organizational access to sensitive data
- Documenting, enforcing and auditing all operational procedures and practices

In summary, PCI DSS demands that organizations maintain continuous compliance through an ongoing process of: Assess, Remediate and Report.[1] To comply, your IT organization must have an accurate picture of your compliance posture, the tools to address issues, and the ability to demonstrate compliance through internal and external audits.
Complying with PCI DSS Network Security Challenges

About 40% of PCI DSS is related to network security, but this is really the crux of the headache, pitfalls and disturbance for PCI internal auditors, IT managers and their teams.

For network security teams to integrate a repeatable compliance procedure that doesn't disrupt business as usual, it's simply not feasible for IT managers and PCI internal auditors to manually manage and test. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks. The numerous security devices (firewalls, routers and others), with each device managing hundreds to thousands of rules, make for an extremely complex enterprise network environment. To ensure compliance, the team must have clear visibility into the network topology, the routing flow of data around the network, and the settings of all security devices (as there are many paths to move between network segments, and all paths should be configured based on the desired policy). Therefore, PCI DSS compliance requires the right set of tools and automated solutions for visibility, alerting and quick breach fixes.
[1] https://www.pcisecuritystandards.org/security_standards/getting_started.php
Seven PCI Best Practices for Network Security

Since PCI DSS is the de facto standard that any company processing credit cards must comply with, IT managers and PCI internal auditors continually align their enterprise security program to achieve this goal.

Before getting into the PCI DSS requirement details, it's good to look at what's worked at many enterprises to enforce and remediate PCI network security compliance. Tufin networking experts gathered valuable learning and best practices from their PCI implementation experience. If IT managers and PCI internal auditors do it right, their work on PCI compliance can also be a springboard for their organization into continuous network security and more effective work processes.

Tufin's 7 best practices for network security compliance are:

1) Create a clear separation of PCI data, PCI application, and PCI web within the network (DMZ, Internal and Internet)
2) Ensure that you have a network change workflow process in place that meets PCI requirements
3) Ensure that every network change has a complete audit trail with the who, what, when, and why
4) Validate every network change with the following:
   a. Analyze the change for risks as defined in your security policy
   b. Get approval by the business owner
   c. Ensure the changes are implemented according to the PCI-compatible network change workflow
5) Ensure that firewalls protecting PCI zones work with the following guidelines:
   a. Every rule has a comment
   b. Every rule has a log
   c. No rules with Any in the Src, Dest, and Srv
   d. No rules with risky services (unencrypted)
   e. Delete unused rules
6) Ensure every firewall rule is documented properly with the following info:
   a. Business justification
   b. Business owner
   c. Application name
7) Ensure that you keep firewall logs for at least 12 months
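Best practices 5 and 6 are mechanical enough to check with a script. The following is an added example, not Tufin's code or part of the original paper: it lints a constructed rule base for a missing comment, disabled logging, Any in Src/Dest/Srv, the insecure services the paper names (FTP, Telnet, POP3, IMAP, SNMP, NetBIOS, file sharing), unused rules (judged here by an assumed 90-day hit counter) and the three documentation fields of best practice 6.

```python
from dataclasses import dataclass, field
# Services the paper lists as insecure under 1.1.5 and 2.2.3 (constructed set;
# extend it to whatever your assessor agrees is "insecure").
INSECURE_SERVICES = {"ftp", "telnet", "pop3", "imap", "snmp", "netbios", "smb"}
# Documentation fields required by best practice 6
REQUIRED_DOCS = ("business_justification", "business_owner", "application_name")

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    srv: str
    action: str = "accept"
    log: bool = False
    comment: str = ""
    hits_last_90d: int = 0  # assumed hit counter used to spot unused rules (5e)
    docs: dict = field(default_factory=dict)

def lint_rule(r):
    """Return the best-practice violations (items 5a-5e and 6) for one rule."""
    findings = []
    if not r.comment.strip():
        findings.append("5a: missing comment")
    if not r.log:
        findings.append("5b: logging disabled")
    for fld in ("src", "dst", "srv"):
        if getattr(r, fld).strip().lower() == "any":
            findings.append(f"5c: Any in {fld}")
    if r.action.lower() == "accept" and r.srv.lower() in INSECURE_SERVICES:
        findings.append(f"5d: unencrypted service {r.srv}")
    if r.hits_last_90d == 0:
        findings.append("5e: no hits in 90 days, candidate for deletion")
    for doc in REQUIRED_DOCS:
        if not r.docs.get(doc):
            findings.append(f"6: missing {doc}")
    return findings

def lint_ruleset(rules):
    """Map each non-compliant rule name to its findings (compliant rules are omitted)."""
    return {r.name: f for r in rules if (f := lint_rule(r))}

# Constructed sample rule base: one compliant rule, one with many violations
SAMPLE_RULES = [
    Rule("pci-web-https", "Internet", "DMZ_Web_Servers", "https", log=True,
         comment="Public storefront", hits_last_90d=1204311,
         docs={"business_justification": "customer checkout",
               "business_owner": "ecommerce-team", "application_name": "storefront"}),
    Rule("legacy-ftp", "any", "PCI_DB", "ftp", docs={"business_owner": "ops"}),
]
```

Running `lint_ruleset(SAMPLE_RULES)` reports only `legacy-ftp`, with one finding per violated guideline.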
Setting High Security Standard for Ongoing Success

PCI DSS V3.0 compliance can be a great opportunity to get the buy-in and budgets to ensure network security is geared for ongoing success. For IT managers and PCI internal auditors to set high, sustainable security standards, Tufin experts suggest paying special attention to five sub-requirements within PCI DSS requirement 1.

When IT managers take a broader look at PCI requirement 1, not just with an eye on getting PCI compliance, these requirements open the door for implementing ongoing network security solutions. Otherwise, they tend to be problematic since they rely on manual processes that no longer scale to meet the needs of the business, an increasingly common scenario.

In any case, merchants with large firewall estates need to automate firewall operations to meet business reality. While large-scale deployments are always intense, introducing some long-term improvements that align PCI compliance efforts with your organization's specific security needs can be a good way to make the effort even more worthwhile and have a long-term effect on the enterprise.

To overcome the common network security and PCI DSS compliance challenges, IT managers and PCI internal auditors can gain insights by drilling down into 5 requirements. Additional best practices for focusing efforts on achieving both compliance and ongoing success are revealed:

1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

PCI internal auditors need to show that a clearly defined, enforceable change process for firewall policies exists. The PCI external auditor will ask to see a change report with a full audit trail, and then select some random changes and request to see the sign-off.

The Challenge: Many organizations still don't have a change process in place or, if they do, it's too loose or relies on goodwill rather than formal procedures.

Best Practice: The best way to implement formal, auditable change processes is by using an adequate tool for the task.

1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.

This sub-requirement is concerned with three main risks:
1. Are the connections required for business known?
2. Are firewalls implementing the Principle of Least Privilege, allowing only connections that are required for business?
3. Are any of these connections insecure? Do compensating controls for them exist?

The Challenge: Most organizations don't have an up-to-date list of services that are required for business. In the best case, documentation per firewall rule exists. Most likely some connections contain insecure services (NOTE: for PCI, the list is open to interpretation by the auditor).

Best Practice: IT managers need to make sure they know about each of these services in advance, with relevant justifications from a security perspective.

1.1.6 Requirement to review firewall and router rule sets at least every six months
IT managers and PCI internal auditors need to have proof that a process exists and is working to meet this requirement. Complying with this requirement usually entails having a report to show that rule sets were in fact reviewed, that any questionable rules from the last audit were addressed, and that any changes to rules since the last audit were dealt with properly (i.e. old or non-compliant rules/objects were dealt with).

Best Practice: Around one third of companies fail to provide the required documentation to satisfy the PCI external auditor on this point because of poor processes. Therefore, ensure your processes are up to date and functioning.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment

Usually the PCI external auditor is looking for a set of rules that permit specific PCI services (approved known protocols used by the PCI servers) followed by an explicit drop rule for all other traffic. Exceptions must include proper documentation (such as rule comments) that makes sense to the auditor.

Best Practice: Around one quarter of businesses find it difficult to correctly restrict inbound access; setting explicit drop rules is much easier. Proper definition of PCI services and PCI zones makes compliance much simpler. So it's important to ensure that the PCI external auditor agrees to the contents of PCI services and PCI zones.

If IT managers and PCI internal auditors can prove that an active alerting mechanism to prevent non-compliant changes exists, the enterprise is audit ready.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ

IT managers need to allow traffic from the Internet to specific servers (IP addresses) in the DMZ; everything else should be dropped. Proper definition of traffic that is Internet (i.e. all non-local IP addresses) and proper definition of the accessible IPs within the DMZ are critical for compliance. Plus, the PCI external auditor must agree that the definitions are correct.

Best Practice: If definitions are in place, an active alert mechanism for unauthorized traffic is what's needed for IT managers to ensure network security.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment

To do this, network operation teams need to properly define the 'Internet' and 'cardholder data' environments, or in other words, create network segmentations that can be isolated. The PCI external auditor wants to see that there is no direct access between these entities, and that there is proper evidence for this.

Best Practice: If IT managers document and manage access with the right tools, PCI DSS auditing becomes part of the everyday IT and business activities:
1) Ensure documentation is ready
2) Prove serious about maintaining compliance
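The three rule-base properties described under 1.2.1, 1.3.2 and 1.3.3 (specific permits followed by an explicit drop, Internet reaching only published DMZ addresses, and no direct Internet-to-CDE path in either direction) can be checked over an ordered rule list. This is an added example, not Tufin's product logic or part of the original paper; the zone model is an assumption: RFC 1918 space counts as "local", everything else is the paper's "all non-local IP addresses" Internet, and the CDE and published DMZ hosts are constructed values.

```python
import ipaddress as ipa

# Assumed zone model (constructed): RFC 1918 space is "local"; the paper's
# Internet definition is "all non-local IP addresses".
LOCAL = [ipa.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CDE = [ipa.ip_network("10.2.0.0/24")]  # cardholder data environment (constructed)
# The only DMZ hosts agreed with the auditor to be reachable from the Internet (constructed)
DMZ_PUBLISHED = {ipa.ip_address("10.1.0.10"), ipa.ip_address("10.1.0.11")}

def is_internet(net):
    """True when the address block is not wholly inside local address space."""
    return not any(net.subnet_of(local) for local in LOCAL)

def touches_cde(net):
    return any(net.overlaps(c) for c in CDE)

def check_ruleset(rules):
    """rules: ordered (src, dst, action) tuples in the order the firewall evaluates them."""
    findings = []
    for i, (src, dst, action) in enumerate(rules):
        if action != "accept":
            continue
        s, d = ipa.ip_network(src), ipa.ip_network(dst)
        # 1.3.2: inbound Internet traffic only to explicitly published DMZ hosts
        if is_internet(s) and not (d.num_addresses == 1 and d.network_address in DMZ_PUBLISHED):
            findings.append(f"rule {i}: 1.3.2 Internet -> {dst} is not a published DMZ host")
        # 1.3.3: no direct path between the Internet and the CDE in either direction
        if (is_internet(s) and touches_cde(d)) or (touches_cde(s) and is_internet(d)):
            findings.append(f"rule {i}: 1.3.3 direct Internet<->CDE path {src} -> {dst}")
    # 1.2.1: the rule base must end with an explicit drop of all other traffic
    if not rules or rules[-1] != ("0.0.0.0/0", "0.0.0.0/0", "drop"):
        findings.append("1.2.1 no explicit final drop rule")
    return findings

# Constructed sample rule base (src, dst, action), evaluated top to bottom
RULES = [
    ("0.0.0.0/0", "10.1.0.10/32", "accept"),    # Internet -> published DMZ web host: fine
    ("0.0.0.0/0", "10.2.0.5/32", "accept"),     # Internet -> CDE database: violates 1.3.2 and 1.3.3
    ("10.2.0.0/24", "0.0.0.0/0", "accept"),     # CDE -> Internet outbound: violates 1.3.3
    ("10.1.0.10/32", "10.2.0.5/32", "accept"),  # DMZ web -> CDE database: internal path, fine
    ("0.0.0.0/0", "0.0.0.0/0", "drop"),         # explicit cleanup rule required by 1.2.1
]
```

A broad destination such as 10.0.0.0/8 is caught by the overlap test even though it is not itself the CDE, which is the usual way a "harmless" internal rule quietly exposes the cardholder segment.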
Quick PCI DSS Network Security Checklist

IT managers and PCI internal auditors can use the PCI DSS Network Security Checklist for preparing for audits. The checklist summarizes the PCI DSS requirements related to network security. If best practices for network security have been implemented in the organization, the PCI DSS audit becomes a healthy routine versus a compliance headache.

To meet the PCI DSS requirements related to network security in an efficient, quick, manageable way for ongoing success, Tufin's PCI DSS V3.0 Solution helps growing organizations:
PCI DSS Objective / Network Security Checklist / Tufin's PCI DSS Solution

Objective: Build and maintain a secure network

1.1 Establish and implement firewall and router configuration standards that include the following: Inspect the firewall and router configuration standards and other documentation specified below and verify that standards are complete and implemented as in sub-requirements
    Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
    Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes

1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks
    Tufin's PCI DSS Solution: PCI zone mapping & network topology map

1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
    Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting

1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
    Tufin's PCI DSS Solution: PCI compliance report

1.1.7 Requirement to review firewall and router rule sets at least every six months
    Tufin's PCI DSS Solution: PCI compliance report

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system component in the cardholder data environment.
    Tufin's PCI DSS Solution: PCI firewall & router checks, PCI requirements deviation detection & reporting

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment (1.3.1 to 1.3.8)
    Tufin's PCI DSS Solution: Central network management for firewall & router to restrict traffic between Internet & PCI zone

Objective: Do not use vendor-supplied defaults for system passwords and other security parameters

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure, e.g., use secured technologies such as SSH, SFTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file sharing, Telnet, FTP, etc.
    Tufin's PCI DSS Solution: Checks every service for compliance with regulation policy

2.4 Maintain an inventory of system components that are in scope for PCI DSS.
    Tufin's PCI DSS Solution: CMDB-like capabilities for server network connectivity

2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers
    Tufin's PCI DSS Solution: Automates & documents all firewall & router configuration changes, PCI firewall & router checks, PCI requirements deviation detection & reporting

Objective: Develop and maintain secure systems and applications

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
    Tufin's PCI DSS Solution: Software comparison report

Objective: Track and monitor all access to network resources and cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.
    Tufin's PCI DSS Solution: Firewall, router & load balancer audit trail & change reports

10.5 Secure audit trails so they cannot be altered
    Tufin's PCI DSS Solution: Read-only, encrypted

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (e.g., online, archived, or restorable from backup).
    Tufin's PCI DSS Solution: Backup; store audit trail & configuration changes for 12 months; reports
In summary, Tufin's PCI DSS V3.0 Solution benefits PCI internal auditors and IT managers for PCI DSS compliance with:

- Out-of-the-box PCI DSS audit report, making it easy to prepare quickly and thoroughly for an internal or external audit
- ITSM-like change and approval processes (integrated into your current ITSM process)
- Up-to-date picture of the compliance status of your firewalls and routers
- Continuous change tracking and alerting that monitors all firewall policy changes and alerts to potential violations
- Simple and flexible definition of the network zones for network segmentation
- Identification of mismatches between firewall rules and the desired firewall security policy
- Security rule documentation associating security policy rules with their business justification
- Complete audit trail of who made each change to your network devices

For more information or any questions:
Tufin subject matter experts are open to talk about your pressing PCI DSS V3.0 compliance concerns. Feel free to directly contact Tufin's PCI experts at email: PCIDSS@tufin.com.
Learn more about Tufin's Orchestration Suite and Tufin's PCI DSS V3.0 Solution at www.tufin.com.