Micro-segmentation in conquering PCI compliance

Improving PCI DSS compliance depends first on understanding the scope of compliance: the organisation must define the boundaries of the Cardholder Data Environment (CDE) within the enterprise.

An organisation should ensure that the CDE is isolated from the rest of the network so that it can demonstrate to auditors that out-of-scope assets are genuinely separate. This protects the CDE from unauthorised access and ensures that all access to it is logged accurately and comprehensively.

Meeting the PCI standard is harder in today’s virtualised, DevOps-managed environments. Clustering, auto-scaling and the dynamic provisioning of additional workloads all make it more difficult to keep the CDE boundary stable and the standard met.

Maintaining the payment card risk assessment is becoming a priority for CISOs, but many concerns remain about managing compliance in a hybrid cloud environment.

When dealing with auditors it is important to show that compliance is not a once-a-year exercise but a regular practice of the business.

A security solution built on micro-segmentation can be a powerful tool for mastering PCI compliance, giving you unparalleled control over the traffic that crosses your hybrid IT ecosystem.

Micro-segmentation serves three fundamental functions when it is used for compliance. Let’s look at each in turn.

1- Zone Segregation

Separating zones should be the first step toward compliance.

In this context, segregation means confining communication between systems that are inside the scope of the compliance audit and those that are outside it.

This reduces the risk to the systems within the scope of compliance. In some cases the segments can be physically separate networks, leaving no possibility of communication between zones; hardware, software and architectural constraints, however, mean this is not always possible.

Demonstrable control over traffic within your network is the main thing auditors want to see, and it is what the standard requires. As the PCI DSS guidance states: “To be considered out of scope for PCI DSS, a system component must be properly isolated from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised, it could not impact the security of the CDE.”

2- Locking Down the In-Scope Systems

It is not enough to stop zones from communicating with each other; unneeded ports and sources must also be blocked from reaching systems within a zone. It is equally important to be able to explain why any access to systems inside the compliance zone is open in the first place.

Micro-segmentation is very useful for locking systems down. Where insecure services, daemons or protocols are in use, PCI DSS requires additional security features to be put in place; tunnelling file sharing through a VPN is one example. A flexible micro-segmentation policy supports this: it lets you require authenticated administrative access to every system and restrict certain protocols so that they can only be used with additional security measures.

Another element that improves compliance is ensuring that each server has only one primary function. When a server does not mix functions of different security levels, lateral movement from a weaker entry point is prevented. Micro-segmentation also makes process-level policies possible, ensuring that only essential services make connections and that a server really does implement a single function.

3- Logging the Access

Auditors will expect more than network zone separation. Most compliance regulations require you to have visibility into the traffic that moves between zones and to retain access to that information for later review.

Organisations generally have visibility of north-south traffic, which flows between client and server. With micro-segmentation, they can also monitor and analyse east-west traffic, often described as server-to-server traffic. Your micro-segmentation policies can then serve as the documentation of your controls, and the granular east-west traffic records act as proof that the security structure actually operates as the regulations require.

Most organisations struggle to prove that the systems they consider out of scope are truly separated from their CDE (or, for health data, their PHI environment), especially when their IT infrastructure has dynamic boundaries. A micro-segmentation approach lets you inspect the PCI or PHI environment and examine its traffic and communication in detail.
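The three functions above, zone segregation, port and process lock-down, and logged east-west traffic, can be modelled in a few lines. The following is an added example written for this page, not code from the original article or from any product it describes; the zone map, the "jump" zone, the process names, the rules and the flow records are all constructed sample data.

```python
from collections import namedtuple

# Constructed zone map: which hosts are in PCI scope (CDE) and which are not.
ZONE_OF = {
    "10.1.0.10": "cde",   # payment application server
    "10.1.0.20": "cde",   # cardholder database
    "10.2.0.5": "corp",   # office workstation, out of scope
    "10.3.0.7": "jump",   # administrative jump host (hypothetical zone)
}

# Rule: allowed zone pair, port and the process expected to own the listening socket.
Rule = namedtuple("Rule", "src_zone dst_zone port process")
Flow = namedtuple("Flow", "src dst port process")  # one observed east-west flow

# Allow-list policy between zones: any flow not matched is denied but still logged.
POLICY = [
    Rule("cde", "cde", 5432, "postgres"),  # application -> database only
    Rule("jump", "cde", 22, "sshd"),       # admin access to the CDE only via jump host
]

def evaluate(flow):
    """Return (verdict, reason) for one east-west flow checked against POLICY."""
    src_zone = ZONE_OF.get(flow.src, "unknown")
    dst_zone = ZONE_OF.get(flow.dst, "unknown")
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.port) == (src_zone, dst_zone, flow.port):
            if rule.process == flow.process:
                return "allow", f"{src_zone}->{dst_zone}:{flow.port} served by {flow.process}"
            return "deny", f"port {flow.port} served by unexpected process {flow.process}"
    if dst_zone == "cde" and src_zone != "cde":
        return "deny", f"out-of-scope zone {src_zone} reached CDE on port {flow.port}"
    return "deny", f"no rule for {src_zone}->{dst_zone}:{flow.port}"

def audit(flows):
    """Audit trail for the assessor: every flow with its verdict and reason."""
    return [(f.src, f.dst, f.port, *evaluate(f)) for f in flows]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.1.0.20", 5432, "postgres"),  # legitimate app -> DB
    Flow("10.2.0.5", "10.1.0.20", 5432, "postgres"),   # workstation reaching the DB
    Flow("10.3.0.7", "10.1.0.10", 22, "sshd"),         # admin via the jump host
    Flow("10.1.0.10", "10.1.0.20", 5432, "python3"),   # DB port owned by the wrong process
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(*row)
```

The denied rows are the evidence auditors ask for: the second flow shows an out-of-scope zone touching the CDE, and the fourth shows a server no longer serving a single function on its allowed port.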

A Comprehensive Solution

Most organisations neglect PCI compliance even for highly valuable, mission-critical applications. A micro-segmentation solution can provide the deep visibility needed to set policies around specific applications and to restrict unauthorised process-level communication.

Micro-segmentation can provide the flexibility to define which behaviours are allowed, along with built-in threat intelligence and forensics to determine whether a flagged threat is real.

Even in a dynamic hybrid environment you can keep pace with development while fulfilling your regulatory obligations; a well-chosen micro-segmentation approach and solution will help you achieve this.

Zehra Ali is a cyber security journalist
