Solution Guide for Payment Card Industry (PCI)
Partner Addendum: RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

SOLUTION GUIDE ADDENDUM

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire’s results are based on detailed document inspections and interviews with the vendor’s technical teams. Coalfire’s guidance and recommendations are consistent with PCI DSS control intent as generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com. If you require more information specific to this solution guide, you may contact us here: www.coalfire.com/rsa

Table of Contents
1. Introduction ... 3
2. Cloud Computing ... 8
3. Overview of PCI as it Applies to Cloud/Virtual Environments ... 12
4. RSA PCI Compliance Solution ... 15
5. RSA PCI Requirements Matrix (Overview) ... 16

1. Introduction

RSA, the security division of EMC, is an expert in information-centric security, offering industry-leading solutions in identity assurance and access control; encryption and key management; governance and risk management; compliance and security information management; and fraud protection. Solutions from RSA include:

RSA Archer eGRC - Build an efficient, collaborative enterprise governance, risk, and compliance (eGRC) program across IT, finance, operations, and legal domains. With RSA Archer, you can manage risks, demonstrate compliance, and automate business processes for PCI compliance.

RSA NetWitness – Actively monitor the network to solve a wide range of challenging information security problems, including insider threats, zero-day exploits and targeted malware, advanced persistent threats, fraud, espionage, data leakage, and continuous monitoring of security controls.

RSA Data Loss Prevention (DLP) - Discover and monitor the location and flow of sensitive data such as customer credit card data, employee PII, or corporate intellectual property. Educate end users and enforce controls to prevent loss of sensitive data through email, web, PCs, and smartphones in PCI environments.

RSA enVision - Centralize log management and enable organizations to simplify compliance programs and optimize security-incident management.

RSA SecurID – Establish an enterprise-wide authentication policy that protects the most valuable applications, resources, and information in PCI environments.

Using the VMware platform, RSA allows organizations not only to extend virtualization into environments containing sensitive data, but also to leverage virtualization technologies to increase security and further reduce risk. RSA technologies can accelerate an organization’s journey towards a 100% virtual environment with confidence.

Through the integration with VMware, RSA solutions enable organizations to secure and protect enterprise information and reduce the cost of compliance in a virtual environment while deploying the latest technologies. With the help of RSA, organizations can accelerate complete adoption of VMware technologies with integrated security controls, adapt security policies to both physical and virtual IT environments, and advance endpoint security through centrally managed virtual capabilities.

Performance and Reporting of Controls

This document provides the first phase of a VMware-led project that will culminate in the creation of a fully lab-tested and Coalfire-verified reference architecture. Customers will be provided with an actionable, prescriptive list of products, product features, and the specific PCI requirements (controls) that those features map to, as well as configuration guidance for PCI compliance. With the assurance that these feature/control mappings have been independently verified, customers will have detailed guidance for the reliable re-creation of an infrastructure in which the applicable controls are covered.

It should be noted that the main focus of this document is the performance of controls, meaning how those controls are provisioned, enforced, and detected. Several controls cannot be performed programmatically, either because of their broad scope, their inherently manual nature, or because they fall outside the scope of features offered by any particular product or vendor. This “white space” of non-performed controls can be reduced by adding other products to the overall reference architecture ecosystem, but it may not be possible to eliminate it completely. However, in an environment where the Archer GRC platform is deployed, it is possible to orchestrate and report upon all of the PCI DSS controls, whether or not any automated performance is deployed.

With the Archer GRC platform, controls can be managed and reported upon regardless of the mechanism employed to perform them. This provides complete visibility into the status of controls; such holistic visualization, integrated into a broader GRC program, cannot be provided any other way.

VMware

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like “How to be PCI compliant in a VMware Private Cloud” by providing helpful information for VMware architects, the compliance community, and third parties.

The PCI Private Cloud Use Case comprises four VMware product suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOPs), and View. These product suites are described in detail in the VMware Solution Guide for PCI. The use case also provides readers with a mapping of the specific PCI controls to VMware’s product suites, partner solutions, and the organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 1: PCI Requirements

Figure 2: VMware + RSA Product Capabilities for a Trusted Cloud

Figure 3: Help Meet Customers’ Compliance Requirements to Migrate Business Critical Apps to a VMware vCloud

2. Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the “cloud”, although few people can succinctly define the term “cloud computing.” A variety of frameworks are available to define the cloud, and their definitions are important because they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as follows (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

“Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.”

There are commonly accepted definitions for the cloud computing deployment models, and there are several generally accepted service models. The deployment models are defined below:

Private Cloud – The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud – The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware’s approach to cloud computing, review the following:
http://www.vmware.com/solutions/cloud-computing/index.html#tab3 - VMware Cloud Computing Overview
http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html - VMware’s vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:
Is the architecture a true cloud environment (does it meet the definition of cloud)?
What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
What deployment model will be adopted?
Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service or deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer’s choice should include a cloud solution that is implemented on a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware’s vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business-critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware’s vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resulting compliance report provides a detailed, rule-by-rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation.

To download the free compliance checkers, use the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000MJsMAAW

For more information on VMware compliance solutions for PCI, visit http://www.vmware.com/solutions/datacenter/cloud-security-compliance/protect-critical-applications.html

Figure 4: VMware Cloud Computing Partner Integration