– Randal Asay, Chief Technology Officer, Catbird, says:
The advent of virtualization technology brings greater flexibility and scalability to data processes. Consequently, an emerging trend is for financial institutions to move their payment systems to private clouds. These institutions stand to increase hardware productivity and lower their IT management and support costs.
These are significant pluses, to be sure, but difficulties arise as financial institutions make the shift to private clouds. First, it quickly becomes clear that cardholder data cannot be adequately secured by standard network perimeter security alone. Second, these institutions must stay up to date with a myriad of security regulations while making sure that the required controls are enforced and that compliance is documented. This complex situation calls for a multi-layer security approach.
The Benefits of Virtual Assets
Servers, network adapters, switches, routers, personal computers and more can be virtualized via software to create fully functioning IT assets that run on a single high-powered server. These assets are known as virtual machines (VMs) and have their own distinct operating system and application. A hypervisor is another software component, acting like an air traffic controller to oversee the computing resources for each VM.
Because they don’t need the dedicated physical infrastructure that hardware assets do, virtual assets deliver the same functional benefits for IT operations at lower cost. It’s standard operating procedure in a physical data center to allocate one or more servers to a single application. This procedure isolates applications, protecting them, but leaves the servers underused. These servers, of course, cost the same amount to maintain and manage as their fully used counterparts. Therefore, organizations can typically save 40 percent or more on overall IT costs when they virtualize these physical assets. Likewise, companies can lower operational costs by using a private cloud that either resides within the organization’s firewall or with a service provider like Rackspace or Amazon Web Services. As financial institutions search for ways to more efficiently process payments, data center consolidation projects will continue to rise.
Payment processing in the cloud faces strict compliance requirements. The law dictates that sensitive information, such as cardholder data, personally identifiable information (PII) and other financial account data, must be protected by the financial institutions that hold it. Additionally, documentation is critical to provide evidence of control as prescribed by regulatory compliance frameworks, such as:
- The Gramm-Leach-Bliley Act (GLBA)
- The Sarbanes-Oxley (SOX) Act
- Payment Card Industry Data Security Standard (PCI DSS)
Several documents have been created by the PCI Security Standards Council (SSC) to help organizations understand the technical and process options for virtualized payment systems: the PCI DSS Virtualization Guidelines and the PCI DSS Cloud Computing Guidelines.
Cardholder data, PII and other sensitive information must be protected in the cloud, a task that traditional perimeter security is just not up to. Asset management, policy enforcement, and data segmentation require tools that reside inside virtualized infrastructure. Software-defined solutions, especially those deployed at the hypervisor level, can provide effective zone-based security and contextual awareness when properly configured.
Virtualization Brings New Requirements
Financial institutions are required to create a secure and compliant virtualized cardholder data environment (CDE). To do this successfully, they must adhere to four significant requirements in PCI DSS Version 3.0:
- Data flow diagrams: For virtualized CDEs, a new PCI DSS sub-requirement was added: “Current diagram that shows all cardholder data flows.” Keeping such a diagram current in a dynamic virtual CDE will be nearly impossible without automation.
- What “out-of-scope” means: All of the CDE’s virtualization technology is subject to a PCI DSS assessment. The following was added to PCI DSS under Network Segmentation for the purposes of an audit: “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
- Inventory discovery and management: A new PCI DSS requirement reads: “Maintain an inventory of system components that are in scope for PCI DSS.” Due to the dynamic nature of virtual components, using an automated inventory discovery and management system will assist financial institutions in complying with this requirement.
- Identifying all connections: A PCI DSS sub-requirement and its test procedures were modified: “Current network diagram that identifies all connections between the cardholder data environment and other networks, including wireless networks.” Use of an automated network diagramming solution will help provide complete, round-the-clock visibility into security and compliance.
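The inventory, connection-mapping and out-of-scope isolation requirements above are exactly the checks an automated tool runs against hypervisor inventory and virtual-switch flow data. The following is an added illustration, not code from Catbird or the PCI SSC; the VM records, zone tags, IP addresses, flow tuples and the `ALLOWED_INTO_CDE` policy are all constructed for the example.

```python
# Constructed example: automated in-scope inventory, CDE connection mapping and
# segmentation checking for a virtualized CDE. All records below are made up.

# Hypothetical VM inventory as a hypervisor API might report it: name -> zone tag and IP.
VMS = {
    "pay-app-01":   {"zone": "cde",  "ip": "10.10.1.10"},
    "pay-db-01":    {"zone": "cde",  "ip": "10.10.1.20"},
    "hr-web-01":    {"zone": "corp", "ip": "10.20.0.5"},
    "dev-build-01": {"zone": "corp", "ip": "10.20.0.6"},
    "jump-01":      {"zone": "mgmt", "ip": "10.30.0.9"},
}

# Constructed flow records (src_ip, dst_ip, dst_port) from a virtual-switch flow export.
FLOWS = [
    ("10.10.1.10", "10.10.1.20", 5432),  # app tier -> db tier, both inside the CDE
    ("10.20.0.5",  "10.10.1.20", 5432),  # corp web server reaching the CDE database
    ("10.30.0.9",  "10.10.1.10", 22),    # management jump host -> CDE app server
    ("10.20.0.5",  "10.20.0.6",  443),   # corp -> corp, never touches the CDE
    ("10.10.1.99", "10.10.1.20", 5432),  # source IP that is not in the inventory at all
]

# Zones whose systems are permitted to initiate connections into the CDE (assumed policy).
ALLOWED_INTO_CDE = {"mgmt"}

def cde_connections(vms, flows):
    """Every flow crossing the CDE boundary as (src_vm, src_zone, dst_vm, dst_zone, port).
    Flows wholly inside or wholly outside the CDE are not boundary connections."""
    by_ip = {rec["ip"]: name for name, rec in vms.items()}
    out = []
    for src_ip, dst_ip, port in flows:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if src is None or dst is None:
            continue  # unknown endpoint; reported separately by undiscovered_endpoints()
        sz, dz = vms[src]["zone"], vms[dst]["zone"]
        if (sz == "cde") != (dz == "cde"):
            out.append((src, sz, dst, dz, port))
    return out

def in_scope_inventory(vms, flows):
    """CDE systems plus any system connected to the CDE: a connected system is not
    isolated, so it cannot be treated as out of scope."""
    scope = {name for name, rec in vms.items() if rec["zone"] == "cde"}
    for src, _, dst, _, _ in cde_connections(vms, flows):
        scope.update((src, dst))
    return scope

def segmentation_violations(vms, flows):
    """Connections into the CDE initiated from a zone the policy does not allow."""
    return [c for c in cde_connections(vms, flows)
            if c[3] == "cde" and c[1] not in ALLOWED_INTO_CDE]

def undiscovered_endpoints(vms, flows):
    """IPs seen talking to a CDE system but missing from the inventory: a discovery gap."""
    known = {rec["ip"] for rec in vms.values()}
    cde_ips = {rec["ip"] for rec in vms.values() if rec["zone"] == "cde"}
    return {ip for s, d, _ in flows for ip in (s, d)
            if ip not in known and (s in cde_ips or d in cde_ips)}
```

Run against a live flow export on a schedule, the outputs map directly to the four items above: `in_scope_inventory` is the scope inventory, `cde_connections` feeds the connection diagram, `segmentation_violations` tests the isolation condition, and `undiscovered_endpoints` catches components the inventory has not yet picked up.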
Security and Compliance in Layers
While some financial institutions have tried repurposing traditional physical security tools to protect private clouds, results have been mixed. As cloud environments expand and VMs move, adapting physical tools becomes cumbersome and risky. Financial institutions are already a prime target for attackers. In fact, a comprehensive assessment by Verizon suggests that 2013 was a transitional year from geopolitical attacks to large-scale attacks on payment card systems.
PCI compliance is an important aspect of a security strategy, but it is by no means the entire strategy. Securing data according to its classification requires layered controls on each asset, with the protection applied determined by the attributes of that asset’s workloads. Sensitive data needs to be encapsulated by its own unique security policy.
Financial institutions need to provide full visibility into the virtual environment, and in order to accomplish this, they need to implement the appropriate technical tools.
A properly configured asset discovery solution with network visualization can enable full analysis of traffic and ensure proper workload segmentation.
Hiding internal network activity from external attackers, called segmentation or zoning, is the bedrock of enterprise security. Using this strategy, any breach that occurs will be confined to IT assets and data that lie within that segment. By automatically applying security and compliance policies to virtual assets and data in the cloud, segments can also improve manageability.
It’s equally critical to continuously monitor activity. With proper visibility at the right levels of the network, breaches can be detected, prevented, logged, and reported in real time. Active enforcement of policies is also necessary to mitigate the severity of breaches.
Meeting compliance standards becomes a simpler task when these preventative layers of protection are in place. Including a tool within this architecture that maps security controls to compliance frameworks can significantly reduce audit scope by providing an automated method of providing evidence of control. The entire layered solution positions IT to attain an optimized level of security and compliance.
Winning Trust Via Automated Tools
The benefits of virtualization are clear: greater flexibility, scalability, cost savings and operational efficiencies. It makes sense for financial institutions to migrate their payment processing into private clouds in order to enjoy these real benefits. However, they must take care to ensure that they are complying with the many regulations regarding security. To do this, financial institutions need to maintain control of sensitive data in the cloud, and automated tools created just for virtual environments are here to help. These tools will provide auditors with proof of compliance and institutions with peace of mind. Data center consolidation via virtualization, alongside perimeter controls, will protect data in the cloud and engender trust among customers. In this era of security breaches, trust is golden.
Randal Asay joined Catbird in 2013 with over 15 years of experience in network security, architecture, implementation, and security best practices in commercial and government environments. Prior to Catbird, Randal served as Director of Engineering at Walmart Stores Inc., developing industry-leading code analysis practices to support security and compliance initiatives as well as addressing enhancements to perimeter and network security and overall policy enforcement. He led the E-commerce Infrastructure teams through extensive growth, delivering capacity management and technology refresh methods impacting network design, storage capacity and database tuning. Prior to Walmart, he applied his security expertise to the Information Assurance division of the United States Air Force. Randal holds Master’s degrees in Information Technology Management and Business Administration from Webster University as well as a Bachelor of Science degree from Weber State University.