SDN and PCI DSS Compliance: Conversations with the PCI Auditor

Payment Card Industry Data Security Standard (PCI DSS) compliance applies to all types of businesses that process, store, or transmit credit card data. Consistently protecting personal data, credit card information, and customer identities can present a considerable challenge for any organization.

Whenever we engage with a PCI auditor, aka Qualified Security Assessor (QSA), it quickly becomes apparent that many businesses believe becoming compliant is the end goal. In reality, maintaining PCI DSS compliance is an ongoing endeavor.

If your network isn’t continuously protected, you run the risk of making headlines like the credit reporting firm Equifax, which exposed the data of 143 million US consumers. While some enterprises have enough resources to weather the fallout from such negative publicity, many others simply won’t make it.

As reported by Verizon, if you’re not maintaining PCI DSS standards on an ongoing basis, there’s a higher probability you’ll be breached.

QSAs are looking for evidence of the following:

  • Enhanced network protection
  • Consistent maintenance of a secure network
  • Cardholder data protection
  • Vulnerability management programs
  • Deployment of strong control measures
  • Regular testing and monitoring of networks
  • Consistent maintenance of a robust information security policy and best practices

As technology evolves, IT leaders have to continuously explore how they can maintain PCI DSS compliance. This means that the real challenge comes after obtaining the certificate as you must keep the data safe to maintain your customer’s trust.

This same security framework can be applied to protect other sensitive data such as Social Security numbers, trade secrets, and financial records.

Cisco’s Software Defined Access (SD-Access) presents a viable solution to keep sensitive data safe and address the scaling issues we are experiencing with traditional VLAN network segmentation. It can enable enhanced network protection to maintain security and compliance, while at the same time vastly simplify the administrative burden of provisioning the network and maintaining security.

Restrict Connections from Untrusted Networks

To maintain data security, restrict connections between untrusted networks and any system component in the cardholder data environment. Sounds simple, right? Historically, this was achieved by building a firewall and configuring routers with lots of complex access lists to restrict access.

In a PCI scenario, an untrusted network can be described as any network segment that does not carry credit card data. Over time, we have seen a sharp rise in the number of network segments, making it increasingly difficult to reduce our attack surface against malware, ransomware, and other threats. Adding to this difficulty is the rapid rise in the number of devices some firms add to their networks.

Developments such as BYOD and IoT have grown the number of network endpoints faster than we can reduce our segment sizes. Attempting to create more network segments, each with theoretically fewer endpoints, has driven up operational complexity, because longer and more complex access lists must be maintained in router and firewall configurations. Long-term, this becomes unwieldy and expensive to manage. Furthermore, as source or destination devices are removed from or changed in the network, the corresponding access control list entries may or may not be removed or updated, potentially leaving the network vulnerable to exploitation.

In these situations, the best approach is to micro-segment these applications and apply firewall-style restrictions between them. This type of zero-trust approach with granular control is only possible with software-defined networks (SDNs).

SDN addresses these issues by placing all network devices and users in groups. Policies (think access lists) are built using these groups rather than IP addresses, and they permit or deny traffic between the groups. Further granularity, or segmentation, can be achieved by permitting or denying traffic between objects in the same group. This policy-based (not IP-based) approach allows for greater insight into, and manageability of, the network.
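As an added illustration of the two points above (this is example code, not from the original post or from Cisco), the following Python models an IP-based ACL beside a group-based policy and shows how a host-specific ACL entry goes stale when the endpoint is retired and its address is reused by a device in another group. Hosts, addresses and group names are constructed; the group names only loosely mimic SD-Access style scalable groups.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical hosts, not real site data): host -> (ip, group).
# Group names are assumed, modelled loosely on SD-Access style scalable groups.
INVENTORY = {"pos-01": ("10.1.1.10", "POS"), "pay-gw": ("10.2.2.20", "CDE")}

# Constructed IP-based ACL written when pos-01 held 10.1.1.10:
# (action, source CIDR, destination CIDR); first match wins, unmatched is denied.
IP_ACL = [
    ("permit", "10.1.1.10/32", "10.2.2.20/32"),
    ("deny", "0.0.0.0/0", "10.2.2.20/32"),
]

# Group-based policy: (source group, destination group) -> action; default deny.
GROUP_POLICY = {("POS", "CDE"): "permit"}


def ip_acl_decision(acl, src_ip, dst_ip):
    """First-match evaluation of an IP ACL; unmatched traffic is denied."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"


def group_decision(policy, inventory, src_host, dst_host):
    """Policy keyed on the endpoints' groups; the IP address is irrelevant."""
    return policy.get((inventory[src_host][1], inventory[dst_host][1]), "deny")


def stale_host_entries(acl, inventory):
    """Return /32 ACL entries whose host address is no longer in the inventory."""
    live = {ip_address(ip) for ip, _ in inventory.values()}
    stale = []
    for entry in acl:
        nets = [ip_network(c) for c in entry[1:]]
        if any(n.prefixlen == 32 and n.network_address not in live for n in nets):
            stale.append(entry)
    return stale


def drift_after_reassignment():
    """pos-01 is retired and its address reused by a corporate laptop; compare verdicts."""
    inv = dict(INVENTORY)
    del inv["pos-01"]
    stale = stale_host_entries(IP_ACL, inv)          # the permit entry still names 10.1.1.10
    inv["laptop-07"] = ("10.1.1.10", "CORP")         # address reassigned to another group
    ip_verdict = ip_acl_decision(IP_ACL, "10.1.1.10", "10.2.2.20")          # "permit"
    grp_verdict = group_decision(GROUP_POLICY, inv, "laptop-07", "pay-gw")  # "deny"
    return {"stale_entries": stale, "ip_acl": ip_verdict, "group_policy": grp_verdict}
```

Running `stale_host_entries` against a current inventory is a cheap periodic check for ACL drift of the kind described above; the group-based policy needs no such check because the verdict follows the endpoint's group, not its address.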

The creation of many isolated network segments isn’t required by PCI DSS, but it goes a long way toward protecting the cardholder data environment. This is because any malicious intrusion that gains a foothold in the network will try to reach sensitive data. So, if the rest of the network can be compromised, the risk is greater that the intruder will ultimately get to the more isolated cardholder data.

This means you can no longer follow the traditional data center design philosophy that places firewalls on the outside and all the sensitive data inside. Instead, all applications need to be treated just like public cloud providers treat each of their tenants – isolated and untrusted in their own network segment. Imagine the implications of managing such an environment. SDN can make managing a policy-based environment on an application-by-application basis easy and practical.

Enhanced Cryptography and Security Protocols

When transmitting sensitive data outside of your network, businesses need to employ strong encryption protocols to keep that data safe. Increasingly, this also applies to internal networks, to reduce risk and further protect data from external or internal threats.

In 2017, we saw a rise in ransomware attacks, and this trend is expected to continue this year. As these threats evolve, the PCI Security Standards Council will respond by updating its data security standards.

Maintaining PCI DSS compliance with SDNs creates innovative opportunities to restrict untrusted networks, enable micro-segmentation, and maintain encryption on all related networks.

Our conversations with PCI assessors consistently reaffirm the potential of SDN to provide a robust network protection strategy. This strategy will not only help firms obtain compliance certification, but it will also lay down a strong foundation that ensures the protection of sensitive data going forward.

To learn more about security threats in 2018, reach out to Acadia Technology Group. We can be your partner in creating an agile, cost-effective, and secure network.