With nearly every week bringing news of a new data breach, network security remains a high priority for organizations. Security spending is expected to increase 8.7 percent, reaching $124 billion in 2019, according to Gartner. To keep sensitive credit and debit card data secure, the Payment Card Industry Data Security Standard (PCI DSS) recommends network segmentation as a way to reduce the scope of compliance and simplify it.
To streamline network segmentation and regulatory compliance, organizations are turning to Cisco SD-Access, which eliminates much of the manual work involved in segmenting a network and allows for granular microsegmentation. Microsegmentation simplifies PCI DSS compliance and improves security for the rest of your sensitive data as well.
PCI DSS Guidance on Network Segmentation
Network microsegmentation facilitates compliance with the PCI DSS requirements grouped under "Implement strong access control measures." Specifically, these requirements are to:
- Limit access to cardholder data, based on need-to-know access levels.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
Of these, segmentation directly addresses the first (limiting network access to cardholder data to those with a need to know) and supports the second; physical access controls are a separate matter. PCI DSS doesn't require network segmentation, but it does strongly recommend it. According to its guidance, incorporating network segmentation may reduce:
- The scope of costly PCI DSS assessments.
- The difficulty and cost of implementing and maintaining PCI DSS controls.
- The overall risk to your organization of data breaches.
Without adequate segmentation, the entirety of your network may fall under the scope of your PCI DSS assessment. For system components to be considered out of scope, they must be isolated from the cardholder data environment (CDE) so that they cannot connect to, or affect the security of, any system in it. Systems that can connect to the CDE, and systems that provide security services to it, remain in scope even if they never handle card data themselves.
Simplify PCI DSS Compliance and Assessments with SD-Access
Network segmentation is a powerful tool for compliance and security. Traditionally, it has taken a significant amount of manual labor and oversight to apply and enforce policies. Enterprises are incorporating SD-Access to simplify network segmentation and make policy enforcement a seamless, automated process.
SD-Access weaves your network into a single fabric. It replaces manual, box-by-box configuration with controller-led, policy-based tools that are simple to operate. For network segmentation, SD-Access relies on two primary constructs:
- Scalable group tags (SGTs): an SGT is a 16-bit group identifier assigned to an endpoint according to its business role or device type, rather than its IP address. Policy is then written between source and destination groups.
- Virtual networks (VNs): a VN is a separate routing domain (a VRF) within the fabric. Devices in different VNs cannot reach each other unless traffic is deliberately routed between VNs through an external device such as a fusion router or firewall.
Depending on your needs, SD-Access allows you to use SGTs within one or more virtual networks. For PCI DSS purposes, organizations may choose the hard isolation of a dedicated virtual network. Placing all devices that collect, transmit, or store credit and debit card transactions within their own VN should limit the scope of your PCI assessment significantly.
SGTs with appropriate communication policies can meet compliance requirements as well. Using SGTs in conjunction with VNs allows for microsegmentation: you can define policies and contracts that restrict which groups may talk to which, even between devices attached to the same switch or in the same subnet. In practice, many organizations use a combination of the two: a VN to isolate the CDE, and SGTs inside it to keep, say, point-of-sale terminals from reaching anything but the payment servers.
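The following is an added example, not code from Cisco or from the original article, that models the two-layer decision described above: a flow is dropped if the endpoints sit in different VNs, and otherwise permitted or denied by a source-SGT by destination-SGT policy matrix. It then derives which groups are in PCI scope from that policy, using the "connected-to" rule from the scoping section. Group names, SGT values, VN names and the sample contracts are all constructed for this illustration, and the model ignores inter-VN leaking through a fusion device.

```python
"""Simplified model of SD-Access segmentation (VN isolation + SGT policy matrix)
and of how that policy determines PCI DSS scope.

Everything here is illustrative: the group names, SGT values, VN names and the
contracts are constructed for the example, not taken from a real deployment.
"""

SGT_MAX = 0xFFFF  # an SGT is carried as a 16-bit value


class SegmentationPolicy:
    """Group-to-(SGT, VN) assignments plus a (src SGT, dst SGT) -> action matrix."""

    def __init__(self, default_action="deny"):
        self.groups = {}              # group name -> (sgt, vn)
        self.matrix = {}              # (src_sgt, dst_sgt) -> "permit" or "deny"
        self.default_action = default_action  # action for cells with no contract

    def add_group(self, name, sgt, vn):
        if not 0 <= sgt <= SGT_MAX:
            raise ValueError(f"SGT {sgt} is outside the 16-bit range")
        if any(existing == sgt for existing, _ in self.groups.values()):
            raise ValueError(f"SGT {sgt} is already assigned")
        self.groups[name] = (sgt, vn)

    def contract(self, src, dst, action):
        """Set the policy cell for traffic from group src to group dst (directional)."""
        self.matrix[(self.groups[src][0], self.groups[dst][0])] = action

    def allowed(self, src, dst):
        """Is a flow from src to dst permitted? VN check first, then the SGT matrix."""
        src_sgt, src_vn = self.groups[src]
        dst_sgt, dst_vn = self.groups[dst]
        if src_vn != dst_vn:
            # Separate VNs are separate routing domains: no path inside the fabric.
            return False
        return self.matrix.get((src_sgt, dst_sgt), self.default_action) == "permit"

    def pci_scope(self, cde_groups):
        """The CDE plus every group with a permitted flow to or from a CDE group.

        PCI DSS treats such 'connected-to' systems as in scope even though they
        never handle card data themselves.
        """
        in_scope = set(cde_groups)
        for name in self.groups:
            if name in in_scope:
                continue
            if any(self.allowed(name, c) or self.allowed(c, name) for c in cde_groups):
                in_scope.add(name)
        return in_scope


def build_sample_policy():
    """Constructed sample: a PCI VN with four groups and a corporate VN with three."""
    p = SegmentationPolicy(default_action="deny")
    p.add_group("pos_terminals", 10, vn="PCI")
    p.add_group("payment_servers", 11, vn="PCI")
    p.add_group("pci_admins", 12, vn="PCI")
    p.add_group("helpdesk", 13, vn="PCI")      # same VN as the CDE, but no contract to it
    p.add_group("corp_users", 20, vn="CORP")
    p.add_group("printers", 21, vn="CORP")
    p.add_group("guest", 30, vn="CORP")
    # Only these cells are opened; everything else falls to the default deny.
    p.contract("pos_terminals", "payment_servers", "permit")
    p.contract("pci_admins", "payment_servers", "permit")
    p.contract("pci_admins", "pos_terminals", "permit")
    p.contract("corp_users", "printers", "permit")
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    checks = [("pos_terminals", "payment_servers"),   # permit: explicit contract
              ("corp_users", "payment_servers"),      # deny: different VN
              ("helpdesk", "pos_terminals"),          # deny: same VN, no contract
              ("guest", "corp_users")]                # deny: same VN, no contract
    for src, dst in checks:
        print(f"{src:>16} -> {dst:<16} {'permit' if policy.allowed(src, dst) else 'deny'}")
    print("PCI scope:", sorted(policy.pci_scope({"pos_terminals", "payment_servers"})))
```

Running the sample shows the point of combining the two constructs: the corporate groups are out of scope because of VN isolation alone, while inside the PCI VN only `pci_admins` joins the CDE in scope, because it is the only non-CDE group with a permitted contract. Adding a contract from `helpdesk` to `pos_terminals` would immediately pull `helpdesk` into scope, which is exactly the kind of change the policy matrix makes visible before an assessor does.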
An Identity-Based Solution
Cisco SD-Access offers a robust network visibility and segmentation solution that simplifies regulatory compliance. This four-part solution includes:
- Cisco TrustSec—TrustSec is the technology behind SGTs. Policy is written between groups, so there is no more manual maintenance of IP-address allow lists. Traffic from endpoints, servers, and users is tagged with an SGT, and the network enforces the group policy on that tag.
- Cisco IOS NetFlow—NetFlow is embedded in Cisco routers, switches, and other network devices, and it records the details of network conversations: source, destination, timing, protocol and ports, and volume.
- Cisco Stealthwatch—Stealthwatch analyzes the NetFlow data collected across the network, giving you a comprehensive picture of who talks to whom. You can use Stealthwatch insights to decide where you need microsegmentation, and afterwards to verify that the policy actually blocks the flows it is supposed to block.
- Cisco Identity Services Engine (ISE)—ISE is the access control platform. It authenticates endpoints, assigns them SGTs, and holds the TrustSec policy matrix that the network devices download and enforce.
These tools work together to simplify and streamline microsegmentation and harden your network security. To take full advantage of Cisco’s network visibility and segmentation tools, enterprises are using Cisco’s DNA Center.
DNA Center: Compliance Without the Headache
Cisco’s DNA Center brings together Cisco tools into an intuitive dashboard. It includes tools for:
- Management—You have complete control from a single dashboard, providing you a high-level view of your entire network.
- Automation—DNA Center offers automated device discovery, drag-and-drop policy creation, and zero-touch device deployment. Policies are automatically applied, keeping your network secure and in compliance.
- Security—DNA Center integrates Stealthwatch and ISE, facilitating identity-based security.
- Assurance—Segmentation is only as effective as the network that enforces it. DNA Center Assurance monitors the health of the fabric and its devices, alerting you to problems and to opportunities for optimization.
With the tools that DNA Center provides, enterprises can effectively limit the scope of PCI DSS compliance. Any scoping must still be verified by your assessor, and the controller infrastructure that defines and enforces the segmentation (ISE, DNA Center, and the fabric devices) is itself in scope because it provides security services to the CDE. For segmentation and scoping to be effective, organizations should take the time to do careful planning, design, and implementation, and then monitor the result to confirm the intended isolation holds.
To ensure you’re on the right path to compliance, many organizations choose to work with a trusted third party. At Acadia Technology Group, we’re experienced in Cisco network and security solutions. We provide real-world solutions to the technology challenges you face. Contact us today to find out more about microsegmentation and compliance.