Streamline PCI Compliance With Next-generation Security

(1)

(2)

Executive Summary

Establishing, maintaining, and demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a necessity for “… all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD)1_{.” With} approximately three hundred individual requirements to address, organizations subject to the standard have their work cut out for them.

The Palo Alto Networks®_{enterprise security platform—with our market-leading next generation firewall} (NGFW) at its core—supports PCI compliance in three ways:

• By providing an incomparably robust set of capabilities for segmenting off one’s cardholder data environment (CDE) and effectively reducing the scope of all related compliance activities;

• By enabling security and compliance teams to simultaneously satisfy numerous individual requirements with a single, tightly integrated solution; and,

• By going above and beyond the minimum requirements to not only provide more effective protection against today’s threats, but also deliver a future-proof solution capable of meeting PCI DSS requirements even as they continue to evolve.

Organizations that leverage the Palo Alto Networks enterprise security platform to reduce their total cost of PCI compliance also benefit from being able to: maintain complete visibility and tight control over the use of applications, especially those critical to running their business; confidently pursue new technology initiatives; and thoroughly protect the organization from the most basic to sophisticated cyber attacks.

Fundamental Challenges with PCI Compliance

With global losses from payment card fraud exceeding $11.2 billion in 2012, the need for the PCI DSS has never been more apparent2_.

According to the Verizon 2014 PCI Compliance Report, payment card data remains one of the easiest types of data to convert to cash—which is why 74 percent of attacks on retail, accommodation, and food services companies target precisely this type of information3_.

Offsetting the value of the PCI security standards, however, are a handful of related challenges. These

include the substantial amount of effort and investment required to achieve compliance in the first place, along with the unfortunate reality that being compliant does not necessarily translate into an organization being adequately defended from advanced cyber attacks.

Substantial Effort Required

For all system components included in or connected to the CDE, organizations must comply with more than three hundred requirements. It is in every organization’s best interest, therefore, to take advantage of network segmentation provisions stated in the PCI DSS to effectively isolate their CDE and thereby shrink the amount of infrastructure that is considered in scope. Doing so not only decreases the cost and complexity of PCI compliance in several predictable ways, but also has the potential to deliver additional

PCI COMPLIANCE CHALLENGES

“Our DBIR research found that organizations that suffered a data breach were less likely to be PCI-DSS-compliant at the time of their breach—even if compliant at the time of their last assessment—than the average of companies assessed. While no set of security standards or technologies can eliminate the risk of a data breach entirely, we believe that organizations with security controls in place as part of complying with PCI Security standards improve their chances, both of avoiding a breach in the first place, and of minimizing the resulting damage if they are breached.”

(3)

operational and security benefits. For example, when armed with an appropriate solution, organizations can use network segmentation to:

• Reduce both the number of system components that must be brought into compliance in the first place and any derivative impact doing so might have (such as the need to re-architect portions of the network or re-design certain applications and systems)

• Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever the PCI requirements are updated

• Reduce the number of system components and processes that must be periodically audited to demonstrate compliance

• Reduce and simplify management of the policies, access control, and threat prevention rules that apply to the CDE

• Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations

• Greatly improve the organization’s ability to contain and limit the spread of threats

Segmentation-based Scope Reduction Only Goes So Far

Leveraging the best practice of network segmentation to reduce the amount of infrastructure subject to DSS requirements will only get an organization so far. For the CDE that remains, it is still necessary to address more than three hundred requirements. The challenge of successfully navigating this process is sharply revealed by the Verizon finding that only 11.1 percent of organizations were determined to be fully compliant at the time of their baseline assessments4_. Attempting to comply with all three hundred requirements by tackling them one at a time is impractical and will result in unnecessary costs and complexity. It is also unwise from a security perspective as this might result in a highly fragmented security architecture where there is substantial potential for significant events to “slip through the cracks.”

Although no single vendor/solution can deliver complete compliance, organizations would be well served by solutions and processes that allow them to simultaneously address multiple requirements, ideally in a tightly integrated manner.

(4)

Compliance is Necessary, but Not Sufficient

By its own admission, the PCI DSS provides “a baseline of technical and operational requirements” for protecting cardholder data.” Not only do the specified countermeasures represent a minimum standard of due care, but also—as a result of the now 3-year period between revisions—they often lag behind significant changes to the technology and threat landscapes.

One self-acknowledged example of this situation is provided by the requirement(5.1) to “deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).” In this case, the DSS explicitly mentions the consideration of “additional anti-malware solutions … as a supplement to the anti-virus software”—presumably in recognition of the poor track record such as software has at stopping modern, polymorphic malware and zero-day exploits.

A second example comes from the requirement(1.3.6) to “implement stateful inspection” technology as part of the solution to “prohibit direct public access between the Internet and any system component in the cardholder data environment.” Verizon’s commentary on this requirement says it all: “The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering “next generation” firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.5_”

Specific examples aside, the key point to realize here is that it’s

typically necessary—if not imperative—for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern/ emerging threats and more closely aligns with their organization’s tolerance for risk.

With PCI DSS 2.0 expiring at the end of 2014, all references made in this paper to specific requirements are based on version 3.0 of the standard. Issued in November of 2013, PCI DSS 3.0 is already being used for validation assessments and becomes mandatory on January 1, 2015.

Getting the Most Out of a Network Segmentation Solution

A derivative challenge is that of selecting an ideal solution for network segmentation. Although the PCI DSS mentions the possibility of using “a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of the network,” not all options are created equal. In fact, many of these traditional alternatives fail to meet the qualifying statement that a proper segmentation solution should be able to keep compromised out-of-scope components from impacting the security of the CDE.

One major problem is the lack of granularity with which traditional solutions enforce access control. Because many modern applications can share the same network level attributes, relying solely on ports, protocols, and IP addresses for access control results in network segmentation that is too loose—that allows far too much unwanted and unauthorized traffic to pass through. A second issue is that many of these solutions provide no means to scan allowed traffic for embedded threats and, as a result, simply allow them to “come along for the ride” with authorized applications.

NEED BETTER FIREWALLS

“The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering “next generation” firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.”

— Verizon 2014 PCI Compliance Report

(5)

In addition, attempts to fix these legacy products have largely failed. Bolting-on deep packet inspection technology doesn’t work because the resulting solution still depends on port/protocol attributes for the initial classification and disposition of all traffic. And deploying separate firewall “helper products,” many of which exhibit the same shortcoming, often yields only incremental gains in exchange for considerably greater infrastructure complexity, latency, cost of ownership, and effort required to establish proof of compliance and generate related reports. For maximum effectiveness with minimum impact and cost, what organizations require instead is a network segmentation solution that simultaneously provides:

• true, least privileges access control;

• prevention for both known and unknown threats;

• full, in-depth traffic inspection without performance degradation;

• flexible deployment options that minimize the need for network architecture changes; and, • simple, straightforward proof of policy controls.

The Palo Alto Networks Enterprise Security Platform

Unlike traditional solutions, the Palo Alto Networks enterprise security platform natively classifies all traffic, regardless of port, protocol, or encryption. This complete visibility into network activity allows customers to substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire™_{cloud-based sandbox analysis service. Next-generation} endpoint security capable of stopping unknown threats and automated coordination among the natively integrated solution components complete the picture. The net result is a truly innovative platform that delivers maximum protection for an organization’s entire computing environment while greatly reducing the need for costly human intervention and remediation.

SQLIA

APPLICATIONS, USERS AND CONTENT – ALL UNDER YOUR CONTROL

SQLIA

Authorized Finance User

Authorized Sales User

Authorized User

(6)

More importantly, at least with regard to PCI compliance, the Palo Alto Networks platform simultaneously delivers unparalleled network segmentation capabilities, coverage for multiple PCI requirements, and a level of protection for cardholder data that goes well beyond the baseline capabilities specified in the PCI DSS.

Delivering Robust Network Segmentation

The Palo Alto Networks platform uniquely ensures maximum isolation of an organization’s cardholder data environment with a robust set of natively integrated security capabilities, including:

• Control of all traffic at the application level: At the heart of our platform, innovative App-ID™_{technology accurately identifies and classifies all traffic by its corresponding} application, regardless of ports and protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the network like the CDE, this provides the best possible control by allowing security administrators to deny all traffic except the few applications that are explicitly legitimate.

• Definitive, least privileges access control. Along with App-ID, User-ID™_{and Content-ID}™ enable organizations to tightly control access to the CDE based on an extensive range of business-relevant attributes, including the specific application and individual functions being used, the actual identity of individual users and groups, and the specific elements of data being accessed (e.g., credit card or social security numbers). The result is a definitive implementation of least privileges access control where administrators can create straightforward security rules to allow only the absolute minimum, legitimate traffic in the zone while automatically denying everything else.

• Advanced threat protection. A combination of anti-virus/malware, intrusion prevention, and advanced threat prevention technologies (Content-ID and WildFire) filter all allowed traffic for both known and unknown threats.

• Flexible data filtering. Administrators can allow necessary applications yet still block unwanted file transfer functionality, block unwanted file types, and control the transfer of sensitive data— such as credit card numbers or custom data patterns in application content or attachments.

CLOUD

N

ET

_W

ORK

_EN

DP

OI

NT

NATIVELY

INTEGRATED

NEXT-GENERATION FIREWALL

NEXT-GENERATION THREAT INTELLIGENCE

CLOUD

NEXT-GENERATION ENDPOINT EXTENSIBLE

AUTOMATED

(7)

Meeting and Exceeding Multiple Requirements

Reducing the scope of compliance with effective network segmentation is only one way the Palo Alto Networks enterprise security platform supports organizations in their efforts to achieve PCI compliance. As detailed below and in Appendix 1, it also helps by addressing many of the individual requirements specified in the DSS.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

The Palo Alto Networks enterprise security platform directly satisfies several sub-requirements in this section, while helping with many others. Select sub-requirements and how they are addressed include:

• 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. Definitive, least privileges access control. • 1.3 Prohibit direct public access between the Internet and any system component in the

cardholder data environment. Robust network segmentation deployed in a DMZ configuration. Notably, this requirement is not specifying the need for proxy based gateways; only that connections to the Internet be intermediated by a DMZ.

• 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Definitive, least privileges access control and flexible data filtering.

• 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. Our next generation firewall not only meets the requirement for stateful inspection by only allowing “established” connections into the network; it also exceeds the requirement by providing far more granular control than port-based inspection firewalls over which connections get established in the first place.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Palo Alto Networks next generation endpoint security picks up where legacy anti-virus software leaves off, providing much-needed protection from the steadily increasing stream of unknown malware and zero-day exploits that confound ordinary signature and behavior-based detection mechanisms.

Requirement 7: Restrict access to cardholder data by business need to know

Definitive, least privileges access control and support for an extensive collection of user authentication and authorization mechanisms enables the Palo Alto Networks platform to address the heart of this requirement, which is to “establish an access control system for systems components that restricts access based on a user’s need to know, and is set to ‘deny all’ unless specifically allowed.”

(8)

Requirement 10: Track and monitor all access to network resources and cardholder data

Here is another example where the Palo Alto Networks enterprise security platform directly satisfies several sub-requirements, while helping with many others. Select sub-requirements and how they are addressed include:

• 10.1 Implement audit trails to link all access to system components to each individual user. User-ID ties all network activities to specific user identities. Instead of meaningless IP addresses, actual identity information also populates the reports regularly consumed by auditors for establishing PCI compliance.

• 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity. Native logging, reporting, and visualization capabilities support daily reviews, ad-hoc troubleshooting, and detailed forensic analyses.

Requirement 11: Regularly test security systems and processes

Sub-requirement 11.4 is met by the native inclusion in the Palo Alto Networks security platform of an intrusion prevention system (IPS) that organizations can employ to “detect and/or prevent intrusions into the network.” Those security teams interested in going above and beyond the baseline specification also have the option of taking advantage of WildFire to solidify their defenses against unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs).

Providing Next-Generation Protection and Prevention

Several examples have already been provided where the Palo Alto Networks platform goes above and beyond PCI DSS requirements to deliver the greater levels of protection today’s organizations actually need, including:

• the core next generation firewall that enables definitive least privileges access control to actually block/deny all users, applications, and content except that which is absolutely necessary within the CDE;

• advanced threat protection that extends coverage to account for elusive or unknown threats that attempt lateral moves to propagate within the network; and,

• next generation endpoint security that compensates for the proven deficiencies of legacy anti-virus software.

Another way our solution delivers next-generation protection that exceeds the DSS’s baseline requirements is by providing extensive information sharing and coordination among elements of the platform. For example, new protections developed from WildFire’s real-time threat intelligence are automatically distributed to our customer’s systems within as little as 30 minutes. The net result of natively integrated threat prevention capabilities is a closed-loop architecture that delivers unparalleled threat response without the need for manual and time-consuming interventions by an already overwhelmed security team.

Palo Alto Networks has also established strategic partnerships that augment its ability to address PCI DSS requirements. For example, the Splunk App for Palo Alto Networks delivers customers cross-infrastructure event correlation, threat analysis, and compliance reporting, while also providing a powerful set of supplemental threat detection mechanisms. Relationships with AlgoSec, Tufin and other Network Configuration and Risk Management vendors similarly yield a solution that goes above and beyond the basics by ensuring that security teams are able to efficiently and effectively manage their firewall configurations and guarantee the integrity of the corresponding rule sets.

(9)

Conclusion

No single vendor or solution can provide complete compliance with the Payment Card Industry Data Security Standard. What organizations require instead is a thorough set of policies, processes, and practices—including network segmentation—supported by an essential set of technological countermeasures to enforce them. In this regard, the Palo Alto Networks enterprise security platform is an invaluable solution that delivers:

• definitive, least privileges access control and other essential security capabilities for effectively segmenting off the cardholder data environment and thereby reducing the scope and cost of achieving PCI DSS compliance;

• support for a considerable cross-section of the PCI DSS requirements; and,

• capabilities that go above and beyond the standard’s baseline specifications to more thoroughly protect cardholder data—and the remainder of your organization’s computing environment—from the latest generations of unknown malware and advanced threats. For more information regarding the Palo Alto Networks enterprise security platform and its component technologies, please visit www.paloaltonetworks.com

Footnotes:

1_{https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf}

2 _{http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1023} 3-5_{http://www.verizonenterprise.com/pcireport/2014}

(10)

PCI DSS REQUIREMENT SUPPORTED SUB-REQUIREMENTS DESCRIPTION OF CAPABILITIES

Requirement 1:

Install and maintain a firewall configuration to protect cardholder data

1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8

The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least privileges access control (i.e., deny all applications, users, and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system.

REQUIREMENT 2:

Do not use vendor-supplied defaults for system passwords and other security parameters

2.3 All components of the Palo Alto Networks enterprise security platform require user authentication and implement strong encryption for all non-console and remote administration sessions, whether the component is accessed directly or via the corresponding central management system (e.g., Panorama). REQUIREMENT 3: Protect stored cardholder data n/a n/a REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks

4.1, 4.2 Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either an SSL or IPSec protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

REQUIREMENT 5:

Protect all systems against malware and regularly update anti-virus software or programs

n/a The Palo Alto Networks enterprise security platform includes advanced endpoint protection that provides a much-needed complement to legacy anti-virus solutions that are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).

REQUIREMENT 6:

Develop and maintain secure systems and applications

6.6 As a fully application aware solution, the Palo Alto Networks next-generation security platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.

REQUIREMENT 7:

Restrict access to cardholder data by business need to know

7.2, 7.2.1, 7.2.3 Granular, policy-based control over applications, users, and content regardless of the user’s device or location enables organizations to implement definitive least privileges access control that truly limits access to cardholder data based on business need to know, with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role based access control, enables enforcement of privileges assigned to individuals based on job classification and function.

Appendix 1: PCI Security Requirements Supported by the Palo Alto Networks Enterprise Security Platform

The Palo Alto Networks platform supports many of the three hundred individual requirements specified in the PCI DSS, as itemized in the following table.

(11)

4401 Great America Parkway Santa Clara, CA 95054 Main: +1.408.753.4000 Sales: +1.866.320.4788

Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document PCI DSS REQUIREMENT SUPPORTED SUB-REQUIREMENTS DESCRIPTION OF CAPABILITIES

REQUIREMENT 8:

Identify and authenticate access to system components

8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6

Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards.

REQUIREMENT 9:

Restrict physical access to cardholder data

n/a n/a

REQUIREMENT 10:

Track and monitor all access to network resources and cardholder data

10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3,

The Palo Alto Networks enterprise security platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk).

REQUIREMENT 11:

Regularly test security systems and processes

11.4 The Palo Alto Networks enterprise security platform fully inspects all allowed communication sessions for threat identification and prevention. A single unified threat engine delivers intrusion prevention (IPS), stream-based antivirus prevention, and block of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying and working in conjunction with customer premise components to prevent unknown and targeted malware and exploits. The net result is comprehensive protection from all types of threat in a single pass of traffic.

REQUIREMENT 12:

Maintain a security policy that addresses information security for all personnel