Financial institutions, lured by virtualization’s promise of scalability, are increasingly migrating their payment systems to private clouds. This enables them to increase the productivity of their hardware and reduce IT management and support costs as they consolidate data center and network infrastructures.

This transition is not without its challenges, though. As financial institutions move to the cloud, it becomes apparent that network perimeter security is not capable of securing cardholder data alone. A greater challenge is trying to juggle multiple security regulations while enforcing and documenting compliance for them all. As financial institutions consider how to address these issues, they should research and plan for a layered security approach.

Guest article by Randal Asay, Chief Technology Officer, Catbird

Virtualization’s Functional and Financial Benefits

Virtualization uses software to create fully functioning IT assets (such as servers, personal computers, network adapters, switches and routers) that each, in turn, run on a single high-powered server. Known as virtual machines (VMs), these assets have their own distinct operating system and application. A hypervisor is another software component, acting like an air traffic controller to oversee the computing resources for each VM.

Virtual assets, without requiring the typical infrastructure of physical hardware, provide an organization with all of their respective functional benefits for IT operations. It’s standard operating procedure in a physical data center to allocate one or more servers to a single application. This procedure isolates applications, protecting them, but rendering them underused. These servers, of course, cost the same amount to maintain and manage as their fully used counterparts. Therefore, organizations can typically save 40 percent or more on overall IT costs when they virtualize these physical assets. Likewise, companies can lower operational costs by using a private cloud that either resides within the organization’s firewall or with a service provider like Rackspace or Amazon Web Services. As financial institutions search for ways to more efficiently process payments, data center consolidation projects will continue to rise. 

Compliance Challenges in the Cloud

There are unique problems that arise with payment processing in the cloud. By law, sensitive information such as cardholder data, personally identifiable information (PII), and other financial account data, must be protected by their respective financial institutions. Additionally, documentation is critical to provide evidence of control as prescribed by regulatory compliance frameworks, such as:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Gramm-Leach-Billey Act (GBLA)
  • The Sarbanes-Oxley (SOX) Act

To help organizations parse through technical and process options for virtualized payment systems, the PCI Security Standards Council (SSC) has created PCI DSS Virtualization Guidelines and PCI DSS Cloud Computing Guidelines.

Traditional perimeter security is unable to easily and comprehensively protect cardholder data, PII, and other sensitive information inside the cloud. Asset management, policy enforcement, and data segmentation require tools that reside inside virtualized infrastructure. Software-defined solutions, especially those deployed at the hypervisor level, can provide effective zone-based security and contextual awareness when properly configured.

New Requirements for Virtualization

In order to successfully virtualize a secure and compliant cardholder data environment (CDE), financial institutions must adhere to four significant requirements in PCI DSS Version 3.0:

  1. An inventory of system components: Due to the dynamic nature of virtual components, using an automated inventory discovery and management system will assist financial institutions in complying with this requirement. A new PCI DSS requirement reads: “Maintain an inventory of system components that are in scope for PCI DSS.”
  2. Diagram identifying connections: Use of an automated network diagramming solutions will help provide complete, round-the-clock visibility into security and compliance. A PCI DSS sub-requirement and its test procedures were modified: “Current network diagram that identifies all connections between the cardholder data environment and other networks, including wireless networks.”
  3. Diagram of data flows: For virtualized CDEs, a new PCI DSS sub-requirement was added: “Current diagram that shows all cardholder data flows in a dynamic virtual CDE will be nearly impossible without automation.”
  4. Out-of-scope definition: All virtualization technology in the CDE is susceptible to a PCI DSS assessment. The following was added to PCI DSS under Network Segmentation for the purposes of an audit: “To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”

A Layered Security and Compliance Approach

Many organizations have attempted to adapt traditional physical security tools to protect their private clouds. These efforts are met with mixed results. As cloud environments expand and VMs move, adapting physical tools becomes cumbersome and risky. Financial institutions are already a prime target for breach attacks. In fact, a comprehensive assessment by Verizon suggests that 2013 was a transitional year from geopolitical attacks to large-scale attacks on payment card systems.

While PCI DSS guidelines are a good place to start, compliance is only a small piece of the security posture puzzle essential to protecting customer data. Securing data based on classification needs to be sophisticated enough that assets have layers of security, ultimately protecting and securing the asset based on the attributes of that asset’s workloads. Sensitive data needs to be encapsulated by its own unique security policy.

First and foremost, financial institutions need to implement technical tools that provide full visibility into the virtual environment. A properly configured asset discovery solution with network visualization can enable full analysis of traffic and ensure proper workload segmentation.

Segmentation or zoning is the bedrock of enterprise security, concealing internal network activity from external attackers. Using this strategy, any breach that occurs will be confined to IT assets and data that lie within that segment. By automatically applying security and compliance policies to virtual assets and data in the cloud, segments can also improve manageability.

Just as important, continuous monitoring of activity is critical. With proper visibility at the right levels of the network, breaches can be detected, prevented, logged, and reported in real time. Active enforcement of policies is also necessary to mitigate the severity of breaches.

With these preventative layers of protection in place, meeting compliance standards becomes a simpler task. Including a tool within this architecture that maps security controls to compliance frameworks can significantly reduce audit scope by providing an automated method of providing evidence of control. The entire layered solution positions IT to attain an optimized level of security and compliance.

Accelerating Business Securely

Financial institutions are recognizing operational and economic advantages as they adopt virtualization and migrate payment processing into private clouds. Security and compliance are critical for these institutions, so it is important to have granular control of sensitive data such as PII within the cloud. Fortunately, there are automated tools developed specifically for virtual environments. These tools used along with perimeter controls will help protect cloud-based data as well as give auditors the evidence needed to prove compliance with regulations. Forward-leaning financial institutions seeking to accelerate operations through data center consolidation, can also win the trust of their customer base by adopting disruptive security solutions that protect cardholder data. This is a boon to their brand and possibly even to their bottom line.

For more about security and compliance, read Simplifying IT Security and PCI DSS Compliance in Retail, Hospitality and other Multi-Site, Remote Store Scenarios

Randal AsayRandal Asay joined Catbird in 2013 with over 15 years of experience in network security, architecture, implementation, and security best practices in commercial and government environments. Prior to Catbird, Randal served as Director of Engineering at Walmart Stores Inc., developing industry-leading code analysis practices to support security and compliance initiatives as well as addressing enhancements to perimeter and network security and overall policy enforcement. He led the E-commerce Infrastructure teams through extensive growth, delivering capacity management and technology refresh methods impacting network design, storage capacity and database tuning. Prior to Walmart, he applied his security expertise to the Information Assurance division of the United States Air Force. Randal holds Masters degrees in Information Technology Management and Business Administration from Webster University as well as a Bachelor of Science degree from Weber State University.