addressing pci dss in cloud and virtual environments wp (en) v3 jun142013 web
TRANSCRIPT
-
8/13/2019 Addressing PCI DSS in Cloud and Virtual Environments WP (en) v3 Jun142013 Web
1/5
Addressing PCI DSS in Cloud and Virtual Environments Whitepaper
IntroductionWhile many organizations find the Payment Card Industry Data Security Standard (PCI DSS)
requirements challenging, most organizations recognize that security and compliance are
part of a successful risk management strategy that requires continual enhancements as their
IT operations evolve. For example, organizations are taking advantage of the operational and
cost benefits provided by virtualized and public cloud infrastructures, but face challenges
when trying to protect cardholder data and maintain compliance in these environments.
The Payment Card Industry Security Standards Council (PCI SSC) has updated their guidance
on the standard to support these data center consolidation and cloud migration trends by
publishing specific requirements for virtualization and cloud in advance of the next major
release of PCI DSS. The guidelines are a critical part of any PCI DSS assessment performedby Internal Security Assessors (ISA) and Qualified Security Assessors (QSA) when creating an
annual Report on Compliance (ROC) for an organizations cardholder data environment.
Protecting Cardholder Data in Virtual WorkloadsA critical requirement of PCI DSS is protection of stored cardholder data with strong
encryption and key management best practices. However, it can be difficult to address these
requirements and achieve comprehensive protection in virtualized environments, where virtua
image snapshots are created and automated operations routinely backup or move virtual
workloads to other host systems. Maintaining control of cardholder data, regardless of where
virtual workloads are moved, and being able to respond quickly and effectively in the event
of a data breach are critical to achieving security and compliance of cardholder data residing
in virtual machines (VM). This is especially important when organizations work with cloud
service providers (CSP): The PCI SSC has emphasized that simply working with a compliant
CSP does not result PCI DSS compliance for the client.
Addressing PCI DSSin Cloud and Virtual EnvironmentsProtecting cardholder data in virtual workloadsWHITEPAPER
Use of a PCI DSS compliantCSP does not result in PCI DSScompliance for the clients. Theclient must still ensure theyare using the service in acompliant manner, and is alsoultimately responsible for thesecurity of their cardholderdata (CHD) outsourcing
daily management of a subsetof PCI DSS requirementsdoes not remove the clientsresponsibility to ensure CHD isproperly secured and that PCIDSS controls are met.-Information Supplement: PCIDSS v2.0 Cloud ComputingGuidelines, March 2013
-
8/13/2019 Addressing PCI DSS in Cloud and Virtual Environments WP (en) v3 Jun142013 Web
2/5
Addressing PCI DSS in Cloud and Virtual Environments Whitepaper
The PCI DSS virtual and cloud guidelines focus on several characteristics of cloud
environments that can make cardholder data stored in these environments vulnerable.
The guidelines highlight cloud security concerns when sensitive data is contained in VM
images, clones and backups. Sensitive data inadvertently replicated in VMs as a result of
these cloud maintenance functions or remnant data left in terminated VMs needs to be
protected in accordance with the guidelines. Specific considerations detailed in the guidance
include preventing unauthorized access to sensitive data captured as VMs are moved or
copied, protecting data remnants that may exist in terminated VMs (sensitive data may stillremain in swap and OS partitions), separating the management of cryptographic keys from the
encrypted data and purging data from VMs in the event of a data breach or termination of the
CSP agreement.
SafeNet ProtectV and SafeNet KeySecure can address these requirements and many others
the PCI SSC has specified for achieving PCI DSS compliance in cloud and virtual environments
Maintaining Compliance with SafeNet ProtectV and SafeNet KeySecureSafeNet enables organizations to leverage the business benefits of virtualization and cloud
services, while addressing their governance, compliance, and data protection requirements.
With SafeNet ProtectV, organizations can encrypt and secure entire virtualized machines,
consistently enforce security policies, and protect cardholder data from theft or exposure.
ProtectV enables organizations to address the specific security and compliance requirements
in cloud environments. With ProtectV, these organizations can isolate, track and report on VMs
containing cardholder data. As a result, they can eliminate costly compensating controls that
may be in place for VM protection that complicate PCI DSS assessments.
ProtectV is deployed with SafeNet KeySecure, a robust key management solution. KeySecure
features an optional FIPS 140-2 level 3 validated hardware security module. In addition,
SafeNet offers Virtual KeySecure, a hardened virtual appliance that offers additional
flexibility in cloud environments. ProtectV and KeySecure deliver robust high-availability
capabilities that enable organizations to scale deployments in highly dynamic virtual and
cloud environments.
Following are more details on these solutions key capabilities.
Partition Encryption
Policies and regulations often require enterprises to guarantee that, even if a storage node is
compromised, sensitive data retained on that node will remain unreadable. To address this
requirement, ProtectV provides partition encryption, a key mechanism for protectioneven
when other defenses are breached. This feature offers multiple permissions for controlling
disk access to the virtual partition. By using the solutions combination of volume access
controls and decryption key rights, security administrators can ensure that only authorized
users gain access to encrypted data.
ProtectV encrypts the entire data partition in a non-intrusive manner, so there is no need to
backup data, reformat the partition prior to encryption, and restore the data after encryption.
In addition, ProtectV offers a partition recovery feature that allows the resumption ofencryption mid-cycle, even after interruption by power outages and other unexpected events.
Boot Management
Many VM security and compliance requirements cover the copying and cloning of images
within the virtual or cloud environment. ProtectV StartGuard provides organizations with
critical control over the boot process. As a result, ProtectV protects VMs from unauthorized
boot, even when they are moved, dormant, offline, or archived.
ProtectV enforces boot management controls through a mechanism that coordinates activities
between the ProtectV manager and its associated ProtectV client nodes.
The following are key criteria
for protecting virtual workloads
and addressing PCI DSS cloud
compliance requirements:
Ensure the entire VM can beencrypted, including OS, swap,
and data partitions
Prevent unauthorized usersfrom starting VMs containingsensitive data, even thosethat have been moved, cloned,terminated or archived
Separate administration andaccess of cryptographic keysfrom encrypted data
Maintain ownership ofcryptographic keys and retain
the ability to delete themin case of a breach (or CSPagreement termination) torender data in VMs unreadable
Log and report onadministrative activities andevents associated with VMscontaining cardholder data
-
8/13/2019 Addressing PCI DSS in Cloud and Virtual Environments WP (en) v3 Jun142013 Web
3/5
Addressing PCI DSS in Cloud and Virtual Environments Whitepaper
When the ProtectV client is installed on a node, a dual-phase boot loader is also installed. This
splits the boot process into two separate phases: bootstrapping and networking is separated
from loading the operating system (OS). Once this dual-phase loader is installed, the client
asks the ProtectV manager for permission to proceed with an OS load. The manager performs
this check based on a unique identifier for each node. If that particular node is registered to
allow automatic booting, the OS loads normally. If not, the OS remains unloaded until explicit
boot permission is granted by a user ProtectV management console.
An immediate benefit of dual-phase boot is that it offers protection against data being
exposed through intentional or unintentional VM copying and cloning. If a VM is cloned, the
resulting unique identifier will not be registered with the ProtectV manager, so the second
boot phase will be denied. For cases where boot authorization is required, the cloned VM can
be registered, either programmatically or with a few mouse clicks.
Group, Role, and User Policy Management
ProtectV offers group, role, and user editors that enable auditing and compliance by
procedurally enforcing separation of duties and security policies.
Following are more details on these editors:
Group editor.ProtectV allows administrators to place VMs in one or more groups. Each
group has an assigned policy. For example, a policy may require that all volumes containedin a group are encrypted. Also, a group-based policy may grant or deny automatic reboot.
Role editor. ProtectV offers an editor for creating, modifying, and deleting roles with
detailed controls. Each role consists of a unique set of permissions for dozens of
operations, enabling organizations to enforce highly granular administrator roles and
separation of duties. ProtectV ships with several useful roles predefined, including three
distinct administration roles.
User editor. With ProtectV, administrators can manage user policies, including assigning
names, passwords, and default roles.
Fig. A -Through the ProtectV console, administrators can assign VMs, create new groups, and also assign a VM to severaldifferent groups simultaneously.
Fig. B- ProtectV features a sophisticated role editor that enables organizations to enforce separation of duties as requiredby PCI DSS
Fig. A
Fig. B
-
8/13/2019 Addressing PCI DSS in Cloud and Virtual Environments WP (en) v3 Jun142013 Web
4/5
Addressing PCI DSS in Cloud and Virtual Environments Whitepaper
ProtectV Addresses PCI DSS Cloud and Virtualization Guidance
PCI DSS v2.0 Cloud Computing Guidelines Addressed by ProtectV
PCI DSS Section Requirement* ProtectV/KeySecure Capabilities
Protect Cardholder Data How are VM images, snapshots, and backups
managed to prevent unnecessary capture of
sensitive data?
ProtectV controls who can start VMs and
encryption protects sensitive data captured in
backups and snapshots.
How is data securely deleted [..] and stored
images? Will data remnants exist interminated VMs?
With ProtectV, organizations can delete all the
a keys associated with data, OSs, and swappartitions. This renders all the sensitive data in the
VM unreadable.
Is all client data securely purged from all CSP
systems upon termination of the agreement?
With ProtectV, the customer owns the keys, not the
CSP. As a result, organizations can delete keys and
effectively ensure encrypted assets are purged
when a CSP agreement
is terminated.
Where are encryption/decryption processes
being performed?
ProtectV does encryption in-place so data does
not have to be sent outside the protected VM to be
encrypted or decrypted.
Where are cryptographic keys stored, and who
controls the keys? Are data-encryption keys
stored and managed separately from the data
they protect?
ProtectV and KeySecure provide separation of
duties between key administration and virtual
infrastructure management. Keys are stored
separately in a secure vault.
Maintain a Vulnerability
Management Program
Are VMs protected from within the VM or from
the hypervisor?
ProtectV StartGuard offers pre-boot
authentication that can control who can launch a
VM or provide a challenge/response mechanismfor physical systems.
*Information Supplement: PCI DSS Cloud Computing Guidelines, February 2013
PCI DSS v2.0 Virtualization Guidelines Addressed by ProtectV
PCI DSS Section Requirement* ProtectV/KeySecure Capabilities
Protect Cardholder Data As well as being present in known locations,
cardholder data could exist in archived, off-line,
or dormant VM images, or be unknowingly
moved between virtual systems via dynamic
mechanisms such as live migration or storage
migration tools.
ProtectV encrypts entire instances
(including OS, swap, and data partitions), securing
dormant images from exposure.
Separating logical access to encrypted file
systems from accounts across all virtual layers
(including the host system, individual VMs,hypervisor accounts, etc.) adds additional levels
of complexity.
ProtectV enforces separation of duties to add an
additional level of protection to individual VMs.
Pre-boot authentication ensures administratorsare properly authorized to start systems.
Privileged accounts or processes running on the
host or hypervisor could inadvertently be granted
access to cryptographic keys from within a
hosted component.
ProtectV enforces separate encryption and VM
administration domains. System administrators
can not inadvertently be granted access to
encryption keys.
Specialized tools and processes may be needed
to locate and manage cryptographic keys stored
in archived, off-line, or relocated images.
ProtectV and KeySecure eliminate the need for
specialized tools and processes since keys are
never stored in archived, offline, or relocated
images. All keys are centrally managed in the
KeySecure appliance.
Do not virtualize critical resources used in the
generation of cryptographic keys (for example,
physical FIPS modules).
KeySecure provides a FIPS 140-2 level 3 validated
version of the appliance for secure key generation.
*Information Supplement: PCI DSS Virtualization Guidelines, June 2011
ConclusionProtectV and KeySecure address many of the requirements for protecting cardholder data in
virtual workloads as detailed in PCI DSS Cloud and Virtualization guidelines. By encrypting
entire virtual workloads and enforcing pre-boot authentication, organizations can take
advantage of the flexibility and lower cost operational models provided by virtualization and
cloud environments, while still maintaining security and compliance of payments data.
-
8/13/2019 Addressing PCI DSS in Cloud and Virtual Environments WP (en) v3 Jun142013 Web
5/5
Addressing PCI DSS in Cloud and Virtual Environments Whitepaper
Contact Us:For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
2013 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (EN)-06.14.13
Glossary of Key PCI DSS Specific Terms*
Cardholder Data At a minimum, cardholder data consists of the full PAN (primary account number). Cardholder
data may also appear in the form of the full PAN, plus any of the following: cardholder name,
expiration date and/or service code.
Cardholder Data Environment The people, processes and technology that store, process or transmit cardholder data or
sensitive authentication data, including any connected system components.
Compensating Controls Compensating controls may be considered when an entity cannot meet a requirement explicitly
as stated, due to legitimate technical or documented business constraints, but has sufficiently
mitigated the risk associated with the requirement through implementation of other controls.
Compensating controls must:
Meet the intent and rigor of the original PCI DSS requirement;
Provide a similar level of defense as the original PCI DSS requirement;
Be above and beyond other PCI DSS requirements (not simply in
compliance with other PCI DSS requirements); and
Be commensurate with the additional risk imposed by not adhering to the PCI
DSS requirement.
PAN Acronym for primary account number and also referred to as account number. Unique
payment card number (typically for credit or debit cards) that identifies the i ssuer and the
particular cardholder account.
QSA Acronym for Qualified Security Assessor, company approved by the PCI SSC to conduct PCI
DSS on-site assessments. Also referred to as ROC. Report containing details documenting an
entitys compliance status with the PCI DSS.
Report on Compliance Also referred to as ROC. Report containing details documenting an entitys compliance status
with the PCI DSS.
Scoping Process of identifying all system components, people, and processes to be included in a PCI
DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope
of the review.
*PCI DSS v2.0 Glossary of Terms, Abbreviations, and Acronyms, October 2010