Solution Guide for Payment Card Industry (PCI)
Partner Addendum
Trend Micro
– VMware Solution Guide Summary
for
Payment Card Industry Data Security Standard
The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire’s results are based on detailed document inspections and interviews with the vendor’s technical teams. Coalfire’s guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.
Table of Contents
1. INTRODUCTION... 3
2. OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS... 4
3. TREND MICRO’S DEEP SECURITY PCI COMPLIANCE SOLUTION ... 5
4. TREND MICRO DEEP SECURITY PCI REQUIREMENTS MATRIX (OVERVIEW) ... 6
1. Introduction
As a global leader in cloud security, Trend Micro develops Internet content security and threat management solutions that make the world safe for businesses and consumers to exchange digital information. With more than 20 years of experience, Trend Micro is recognized as the market leader in server security for delivering top-ranked client, server, and cloud-based security solutions that stop threats faster and protect data in physical, virtualized, and cloud environments. Using the VMware platform, Trend Micro Deep Security allows organizations to not only extend virtualization into environments containing sensitive data, but also leverage virtualization technologies to increase security and further reduce risk. Trend Micro Deep Security technologies can accelerate an organization’s journey towards a 100 percent virtual environment with confidence.
Through integration with VMware, Trend Micro’s Deep Security solution enables organizations to assure protection and trust of enterprise information, and reduced compliance costs in a virtual environment while deploying the latest technologies. With the help of Trend Micro, organizations can accelerate complete adoption of VMware technologies with integrated security controls; adapt security policies to both physical and virtual IT environments, and advance endpoint security and protection using centrally managed virtual capabilities.
Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards in addition to potential reputational loss.
The PCI DSS has six categories with twelve total requirements as outlined below:
Table 1: PCI Data Security Standard
3. Trend Micro’s Deep Security PCI Compliance Solution
Trend Micro Deep Security provides advanced server security for physical, virtual, and cloud servers. It protects
enterprise applications and data from breaches and business disruptions. Deep Security helps assure the PCI compliance and overall security of critical business servers and endpoints with a single, centrally managed solution that minimizes your operational costs. Deep Security provides core PCI security controls with a unique approach that economically solves the toughest compliance challenges.
Deep Security provides the most comprehensive Agentless security controls for PCI in the market delivering significantly more efficient resource utilization and higher VM densities of traditional security solutions. Deep Security’s integration with VMware vCenter and vCloud enables automated compliance protection of existing and newly added VMs ensuring that all VMs maintain their compliance posture regardless of their state or location. Deep Security also supports Agent-based security controls for physical servers that have not yet been virtualized or for workloads running in the cloud. Deep Security delivers comprehensive, adaptive, highly efficient agentless and agent-based protection that enable PCI compliance, including:
Anti-Malware
Integrates with VMware environments for agentless or agent-based malware protection
Integrity Monitoring
Monitors critical operating system, application files, and configuration files and alerts personnel to unauthorized changes
Firewall
Decreases the attack surface of your virtual servers and enables isolation of VMs to reduce audit scope
Intrusion Detection and Prevention
Shields unpatched vulnerabilities from attack and to monitor traffic within the virtualized CDE
Log Inspection
Provides visibility into important security events buried in log files and forwards events to a centralized logging server
Web Reputation
Strengthens protection against web threats for servers and virtual desktops
Web Application Protection
4. Trend Micro Deep Security PCI Requirements Matrix (Overview) Table 2: PCI DSS Requirement Summary Table
P C I D S S R E Q U I R E M E N T N U M B E R O F P C I R E Q U IR E M E N T S D E E P S E C U R IT Y
Requirement 1: Install and maintain a firewall configuration to protect cardholder
data 25 14
Requirement 2: Do not use vendor-supplied defaults for system passwords and other
security parameters 9 2
Requirement 5: Use and regularly update anti-virus software or programs 6 6 Requirement 6: Develop and maintain secure systems and applications 32 4 Requirement 10: Track and monitor all access to network resources and cardholder
data 29 4
Requirement 11: Regularly test security systems and processes. 24 5
TOTAL
5.
Trend Micro Deep Security PCI Requirements Matrix (Details)
PC I DS S V 2. 0 AP P LI C A B I LI TY M ATR IX RE QU IR EM E NT CON TR OL S A D DR E SS E D D E SCR I PT IO N D E E P S E C URI T Y F IR E W A LL Requirement 1: Installand maintain a firewall configuration to protect cardholder data 1.1.3.a, 1.1.4, 1.1.5.a, 1.1.5.b, 1.1.6.a, 1.2.1.a, 1.2.1.b, 1.2.2, 1.3.2, 1.3.3, 1.3.5, 1.3.6, 1.4.a, 1.4.b
Trend Micro Deep Security Firewall facilitates network segmentation through stateful firewall implementation.
Trend Micro Deep Security Firewall provides capabilities for managing network firewall configuration standards for process, procedure and testing approvals, as well as network management roles and
responsibilities and requirements for periodic review of standards and configurations.
Trend Micro Deep Security Firewall provides capabilities for defining standards related to confidential or sensitive information of what can or cannot be disclosed to authorized or unauthorized third parties, such as private IP address or routing information.
Requirement 2: Do not
use vendor-supplied defaults for system passwords and other security parameters
2.2.2.a, 2.2.2.b Trend Micro Deep Security Firewall provides capabilities to validate only necessary services are enabled and functionality for administrators to review any enabled insecure services.
Requirement 5: Use and
regularly update anti-virus software or programs
5.1, 5.1.1, 5.2.a, 5.2.b,
5.2.c, 5.2.d Trend Micro Deep Security Anti-Malware provides capabilities for fully documenting policy and procedure requirements for maintaining anti-virus software and definitions on systems commonly affected by malware. Anti-Malware is capable of detecting, blocking or removing all known types of malicious software.
Trend Micro Deep Security Anti-Malware automatically updates from a known, trusted source and cannot be disabled or removed from protected systems.
Trend Micro Deep Security Anti-Malware provides full function, state of the art Anti-Virus/Anti-Malware protection for registered devices.
Requirement 6: Develop
and maintain secure systems and applications
6.5.1, 6.5.2, 6.5.7, 6.5.9
Trend Micro Deep Security Web Reputation provides capabilities for URL filtering effectively blocking access to known malicious web site. The module is fully configurable providing the ability to add web sites as needed or desired.
Trend Micro Deep Security Deep Packet Inspection provides web
application protection by intercepting web requests based on the OWASP top 10 vulnerabilities including Injection, Cross Site Scripting (XSS), HTTP(S) protocol violations. Deep Security blocks malicious requests from reaching the web server preventing these vulnerabilities to be exploited.
Requirement 10: Track
and monitor all access to network resources and cardholder data
10.5.3, 10.5.5, 10.6.a Trend Micro Deep Security Integrity Monitoring provides active monitoring of critical files, folders, applications and registry settings for unauthorized changes.
Requirement 11:
Regularly test security systems and processes.
11.4.a, 11.4.b, 11.4.c Trend Micro Deep Security Deep Packet Inspection provides configurable Intrusion Detection/Intrusion Prevention protection for the environment.
Requirement 11:
Regularly test security systems and processes.
11.5.a, 11.5.b Trend Micro Deep Security Integrity Monitoring provides configurable and active monitoring of critical files, folders, applications and registry settings. Changes are reported to the Deep Security manager facilitating analysis and appropriate action by administrators
Acknowledgements:
VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team www.coalfire.com/Partners/VMware for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v. 2.0 and the Reference Architecture described herein.
The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.
About Coalfire
Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis® brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP.
