Our ability to give customers tangible assurance that our network is secure and we are not taking on unnecessary risk is invaluable.
Ethan Steiger, Chief Security Officer R.L. Polk & Company
PCI DSS Compliance
Introduction
According to VeriSign, nearly two-thirds of their customers fail their PCI DSS Requirement 1 assessments. What's more, VeriSign determined that this one requirement ranks among the top 5 reasons for overall assessment failure.
Why do so many organizations fail to comply with DSS Requirement 1? And, more specifically, why does this requirement represent such a major challenge to compliance?
One core reason for high failure rates is the nature of DSS Requirement 1. As you'll see in this white paper, the requirement creates a significant obstacle by requiring you to fully identify access across your network.
Identifying access across your network is essential, of course, because it's often what you don't know about your network that allows attackers to penetrate it without detection. Yet all too many IT teams adopt cumbersome manual approaches and other ineffective solutions such as analyzing network traffic or individual network devices. This white paper explains why these various PCI DSS compliance methods fall short — and demonstrates how RedSeal offers an automated compliance solution that:
- Delivers a 100% accurate view of your network access to prevent assessment failures
- Reduces the high cost and complexity of reviewing compliance performance
- Offers a flexible, cost-effective way to automate ongoing compliance
What you know vs. what you don't
Of the 12 high-level requirements included in the Payment Card Industry Data Security Standard, it's DSS Requirement 1 that seems to cause IT managers significant grief.
The requirement itself seems straightforward enough: "Install and maintain a firewall configuration to protect cardholder data." Indeed, because the network is the primary infrastructure that attackers use to access cardholder data, merchants must maintain a network architecture that secures this data and prevents theft.
Many IT executives begin addressing this requirement by documenting what they know about their networks — not an easy task for today's complex infrastructures. While at first glance, that approach may seem logical, it's actually the unknown access that could pose the biggest risk to your enterprise.
In fact, the objective of DSS Requirement 1 is not to document what you already know about your network, but to ensure that network access is restricted to what is absolutely necessary for your business. Given the size and complexity of most networks, it is unrealistic to expect your firewall and network administrators to have the required level of detail readily available or easily obtainable.
Identifying security gaps: An automated approach to solving two challenges
RedSeal security analytics software automatically analyzes network device configuration data to determine access and exposure, delivering an in-depth understanding of overall security posture, actionable steps for risk remediation and metrics to demonstrate progress. One reason RedSeal is such an effective solution for eliminating high cost and complexity and reducing assessment failures is its ability to solve two fundamental compliance challenges:
- Correctly determining allowed access between network zones that may not be immediately apparent in an expensive manual review
- Enforcing proper network segmentation without the need to manually review firewall rules one by one
A closer look at these two challenges clearly shows how an automated approach to compliance can save thousands of hours of time, reduce costs, and most importantly, prevent assessment failures.
Documenting allowed access between zones
Why observing traffic is ineffective
Documenting access across the enterprise, especially between network zones, is an essential part of DSS Requirement 1. To meet this requirement, some companies take the approach of monitoring or observing the traffic on their network. Unfortunately, this approach is not comprehensive enough.
Indeed, just as observing the traffic through the front door of your house won't alert you to intruders entering through the back door, you can't get a complete view of your security stance by merely observing the traffic on your network. This is because:
Observed traffic is not the same as allowed traffic
While observing traffic provides a clear view of how applications communicate, it is not an effective way to detect lax access. In fact, there may be exposed services on your network that attackers can use to gain access to cardholder data. But if that security hole is not currently being exploited, it's unlikely that you'll detect this gap.
For example, a traffic monitoring solution that reports that there is only HTTP traffic between two network segments will not inform you that FTP and NetBIOS are also allowed between those segments.
Poor visibility into network segments
Just as traffic monitoring solutions only provide information on observed traffic, they also confine your view to reports on traffic over network segments on which you implement them.
Given the complexity and size of today's networks, it's easy to overlook paths on your network that could provide an attacker with access to your cardholder data environment.
Analyzing access, not just traffic
A better approach to maintaining PCI DSS compliance is to analyze network access—not just network traffic—to determine the services allowed between each network zone.
With this approach network administrators analyze the firewall and router configurations that control access between each zone (including access rules/ACLs, NAT/PAT statements, and routing) and allow or disallow services accordingly.
Unfortunately, a manual solution for conducting this type of analysis adds significant overhead to network management, which is why more IT executives have turned to RedSeal's automated approach. RedSeal software automatically determines access between zones, which IT managers use as a baseline for performing a gap analysis against DSS Requirement 1. With RedSeal, you'll easily identify and restrict services exposed between zones that have no business justification.
For example, RedSeal makes it easy to determine whether Internet traffic is limited to IP addresses within the DMZ and whether the cardholder data environment has been properly restricted to comply with DSS Requirement 1.
Enforcing network segmentation
How firewall-centric management creates serious security gaps
A single network firewall may be easy enough to manage, but today's intricate networks often include hundreds of routers and dozens of firewalls.
Network traffic passes through multiple devices, creating a confusing set of thousands of interacting rules that must be analyzed. This rapidly multiplies the complexity of maintaining PCI DSS compliance.
DSS Requirement 1 calls for dividing your network into four zones. These include untrusted networks, the DMZ, the cardholder data environment, and wireless networks. Analyzing your network in this framework is so complex that it can take hundreds or even thousands of hours to properly review all your firewalls and routers and get a clear picture of all the allowed services between these zones.
Beyond firewall rules: Automating reviews to avoid high cost and complexity
Reviewing one firewall at a time cannot provide a complete view of your security stance. Only by understanding the access resulting from the interacting rules of all network devices — not just firewalls, but routers, switches, load balancers — can you ensure compliance with DSS Requirement 1. Approaching the problem by only analyzing a single firewall or network device does not provide enough information on the relationships across devices, which makes it impossible to answer some of the questions contained within DSS Requirement 1:
- Are there any direct inbound or outbound routes for traffic between the Internet and the cardholder data network?
- Is Internet traffic limited to only IP addresses within the DMZ?
- Is outbound traffic from the cardholder data environment to the Internet required to use DMZ proxy servers?
- Are internal addresses allowed to pass from the Internet into the DMZ?
The device-by-device approach is so complex and burdensome that it's easy to miss potential gaps. And it's why organizations are failing their PCI assessments at an alarming rate. Without understanding the resulting access across firewalls and routers, compliance becomes nearly impossible.
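The zone-access analysis described in "Analyzing access, not just traffic" and the Requirement 1 questions above, as an added example that is not RedSeal code: a small Python model that derives the services allowed between zones from the ACLs of every device on a path (first-match semantics, implicit deny), answers the "direct Internet-to-cardholder-network route" question from the combined rules, and contrasts allowed with observed traffic. The zones, device rules and observed-traffic sample are constructed.

```python
"""Toy inter-zone access analysis from device ACLs (added example, not RedSeal code)."""
from dataclasses import dataclass

# Services evaluated between zones (constructed list).
SERVICES = ["http", "https", "ftp", "netbios", "smtp"]

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: str      # source zone, or "any"
    dst: str      # destination zone, or "any"
    svc: str      # service name, or "any"

    def matches(self, src, dst, svc):
        return all(field in ("any", value)
                   for field, value in ((self.src, src), (self.dst, dst), (self.svc, svc)))

def device_permits(acl, src, dst, svc):
    """First-match ACL semantics with an implicit deny when nothing matches."""
    for rule in acl:
        if rule.matches(src, dst, svc):
            return rule.action == "permit"
    return False

def allowed_services(path, src, dst, services=SERVICES):
    """A service is allowed end to end only if every device on the path permits it."""
    return {s for s in services if all(device_permits(acl, src, dst, s) for acl in path)}

# Constructed topology: Internet -> edge device -> DMZ -> inner firewall -> CDE.
EDGE_DEVICE = [
    Rule("permit", "internet", "dmz", "http"),
    Rule("permit", "internet", "dmz", "ftp"),      # no business justification
    Rule("permit", "internet", "dmz", "netbios"),  # no business justification
    Rule("permit", "internet", "cde", "any"),      # broad rule that bypasses the DMZ
]
INNER_FW = [Rule("permit", "any", "cde", "https")]  # looks harmless on its own
PATHS = {("internet", "dmz"): [EDGE_DEVICE],
         ("dmz", "cde"): [INNER_FW],
         ("internet", "cde"): [EDGE_DEVICE, INNER_FW]}

def zone_matrix():
    """Allowed services for every zone pair: the baseline for a gap analysis."""
    return {pair: allowed_services(path, *pair) for pair, path in PATHS.items()}

def direct_internet_to_cde():
    """Requirement 1 question: is there a direct route between the Internet and the CDE?"""
    return bool(zone_matrix()[("internet", "cde")])

def unobserved_exposure(observed, src, dst):
    """Allowed-but-unobserved services: what traffic monitoring alone would miss."""
    return zone_matrix()[(src, dst)] - set(observed)
```

Neither device alone shows the Internet-to-CDE exposure; it only appears when the interacting rules of both are evaluated together, which is the point of the device-spanning analysis.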
RedSeal's security analytics software automatically analyzes your entire enterprise to determine access across all network devices and between any two points in the network. With RedSeal's automated solution to address these issues, you'll save hundreds or thousands of hours of time and sharply reduce the risk of a failed assessment.
Managing a complex changing infrastructure
How to ensure continued DSS compliance
Many organizations view adopting DSS Requirement 1 as a one-time project — either during an initial PCI DSS compliance effort or as a new project that's launched when an assessment reveals security deficiencies.
Typically, this project requires allocating resources, creating a project plan, and executing a gap analysis to manually review the firewall and router configurations.
Once that compliance initiative is complete, you know your security stance. But what about tomorrow? Next week? Next month? Any significant changes to the network infrastructure may cause hidden, yet serious, security gaps requiring yet another major initiative to evaluate and remediate your network.
This approach to validating compliance is extremely time consuming, highly disruptive to ongoing operations, and makes it impossible to quickly deploy new services or change existing ones.
Solving this challenge requires incorporating PCI DSS compliance analysis into day-to-day operations.
Automating PCI DSS analysis: A day-to-day solution for managing change
Many organizations do not evaluate the impact of changes to firewalls and routers with respect to DSS compliance. Since that may require a complete review of all network access, such a review can be time consuming, extremely expensive and, if performed manually, may not even provide an accurate view of compliance implications.
RedSeal's automated solution for evaluating PCI DSS compliance is easily incorporated into ongoing daily operations. RedSeal integrates with your firewall, router, and network device management software to automatically retrieve configuration data and present it in a way that clearly shows whether any changes violate DSS Requirement 1.
With RedSeal security analytics, companies can maintain and verify compliance on a daily basis, while at the same time reducing cost and complexity.
RedSeal Security Analytics
An automated, less expensive solution for maintaining PCI compliance
As we've seen, a manual approach to complying with DSS Requirement 1 on a complex network represents a commitment of significant time in reviewing thousands of firewall rules one by one — not just once, but every time you make a change to your infrastructure.
What's worse is that even with that commitment of time and resources, the chance of failing your next assessment remains just as high. Because DSS Requirement 1 addresses relationships that span multiple devices, inaccurate manual reviews make it easy to miss detecting hidden security gaps that cause assessment failures and data theft.
RedSeal security analytics software offers an innovative, automated approach to establishing and maintaining compliance with DSS Requirement 1.
By automatically conducting a network-wide analysis of router configurations, firewall configurations, and rules, RedSeal software provides an accurate analysis of potential gaps, workflow reports that document approved services, and standardized reports on assessment results.
RedSeal offers IT managers a cost-effective solution that:
- Establishes a baseline for evaluating end-to-end network access
- Automatically generates an exportable network access diagram
- Accurately maps existing network access into the four PCI-specific zones
- Documents service protocols currently allowed between the four zones
- Clearly identifies protocols that are prohibited or those that require justification
- Provides tracking and justification mechanisms to support compliance reporting
Key capabilities: Automating compliance through comprehensive tools and reports
RedSeal's advanced analysis engine enables network administrators to quickly assess compliance with DSS Requirement 1 through capabilities that include:
Complete network topology diagram
By collecting and analyzing network configuration data, RedSeal produces a network diagram of the entire network infrastructure, including wireless networks.
An improved view of defined network zones
Evaluating the relationships between the four primary zones addressed by DSS Requirement 1 is essential to passing a PCI assessment.
As shown in this example, RedSeal automatically identifies untrusted subnets in the network and evaluates the extent of DMZ exposure. Viewing your network in the context of these zones ensures that the network is compliant, confirms that it meets original design specs, and proves that the scope for the assessment has been correctly identified.
Automated analysis of network architecture
While DSS Requirement 1 calls for evaluating the types of application traffic allowed between each zone, the complexity and size of most networks make it difficult to manually read firewall rules and router ACLs with enough accuracy.
RedSeal automates this process by analyzing the entire network architecture to determine the allowed application traffic between every two points in the network. With a zone-by-zone diagram that summarizes this analysis, network managers save time and enjoy an unprecedented level of visibility into their networks.
Whitelist approvals for network services
DSS Requirement 1 calls for examining applications currently allowed on the network, identifying those not necessary for business, and creating an appropriate whitelist of justifications.
RedSeal software provides a powerful mechanism for entering, managing and maintaining this critical information. What's more, once an audit is completed, you can use the same data to re-evaluate the network whenever changes are made to determine if any new access impacts PCI compliance.
Automated compliance reports
RedSeal software automatically generates and delivers comprehensive reports of your current compliance standing. These reports confirm how your network measures up against each DSS Requirement 1 sub-requirement and, more importantly, show which steps are required to maintain compliance.
Summary
Achieving Compliance with Less Risk, Cost and Complexity
RedSeal's security analytics software offers network managers an excellent solution for achieving and maintaining compliance with benefits that include:
Greater accuracy and fewer failed audits
With more accurate information and an improved view of network access, ongoing assessments needn't cause massive disruption. Quick access to a full set of reports available to internal and external assessment teams dramatically reduces the risk of an audit failure.
Cost and time savings
Once the DSS Requirement 1 process is automated, it is easily repeated to immediately identify changes that impact compliance. With no need to manually review thousands of rules for each assessment, your IT teams will spend more time addressing key strategic objectives and less on compliance issues.
Improved overall security
Integrating automated PCI testing into ongoing operations provides even more powerful tools for tracking the state of security defenses. While traditional network design may only be validated at the design phase, RedSeal helps ensure the ongoing protection of all critical data.
Achieving PCI compliance is not enough. Maintaining it is essential to avoiding operational disruptions and protecting sensitive data. That's why more organizations are turning to RedSeal as an effective solution to save time, avoid tedious manual analysis, and prevent compliance failures.
Get More Information
- Call us at 888.845.8169
- Request a Demo