SOLUTION GUIDE ADDENDUM
Solution Guide for Payment Card Industry (PCI) Partner Addendum
Vormetric Addendum to VMware Solution Guide
for
Payment Card Industry Data Security Standard
The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®,
a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire’s results are based on detailed document inspections
and interviews with the vendor’s technical teams. Coalfire’s guidance and recommendations are consistent with PCI DSS control intent
generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and
high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at
www.coalfire.com.
Table of Contents
1. INTRODUCTION
2. CLOUD COMPUTING
3. OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS
4. VORMETRIC PCI COMPLIANCE SOLUTION
5. VORMETRIC PCI REQUIREMENTS MATRIX (OVERVIEW)
1. Introduction
Safeguarding Data with Privileged User Access Controls
The Flaw in the System
Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their
security architecture: the concept of a Root User, Domain Administrator, System Administrator or other high-level
computer operator, and their data access rights. These users have always had access to every aspect of a system –
software installation, system configuration, user creation, networking, resource allocation and more – as well as access to
all the data associated with the system.
These accounts exist because of the need for system maintenance and management. But, as systems have become
more closely interlinked and with increasing amounts of private and confidential data accessible to them, there is
increased risk from privileged user accounts.
Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent
of new technologies and threats:
Rights too broadly assigned – Superuser privileges are often assigned to DBAs, application developers, SysAdmins
and others who have no real need for this level of access to private and confidential data.
Sharing of privileged accounts – Traditionally, many IT departments allowed unrestricted sharing of privileged user
accounts (logins and passwords), leading to a loss of personal accountability.
Cloud, virtualization and big data expand the threat – Each new technology layer used for system deployment and
management creates new privileged user roles.
Advanced Persistent Threat (APT) attacks target privileged accounts – Attackers have learned that the way to get
access to everything is to compromise privileged user accounts and their system and data access rights. Though they
may initially enter through less sensitive accounts, privileged user credentials are a primary target.
Figure 1: Vormetric Data Firewall™ Solution Overview
The Solution – The Vormetric Data Firewall™
Allow Privileged Users to manage systems without risk to protected data
The tasks performed by privileged users to maintain, repair and initiate systems are not optional – these roles exist in
order to meet essential requirements for all enterprise environments. What’s needed is to enable these users to
perform their tasks, while removing their ability to access private and confidential data. And when a category of account
has a legitimate need for access to this sensitive data, to have the information available that allows identification of
anomalous usage patterns that may indicate that the account has been compromised.
Transparent – The Vormetric Data Firewall™ meets these needs with a transparent solution, enabling critical system processes to continue without exposing data.
Strong – The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, that grants granular access to protected structured or unstructured data by process, user, time and other parameters.
Efficient – Vormetric provides a high-performance, low-overhead solution, leveraging the AES-NI hardware acceleration built into Intel x86 processors.
Easy – Deployments take days to weeks, not weeks to months, across physical systems, cloud, big data, and virtualized environments, and are easy to manage and easy to understand.
Meet Critical Enterprise Requirements
Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical
requirements:
Meet Compliance Requirements
Prevent Data Breaches
Safeguard Intellectual Property
Figure 2: Vormetric Data Firewall™ for PCI Compliance
Access Policies and Privileged User Control – Vormetric provides fine-grained, policy-based access controls that restrict
access to data –ensuring that data is available only for authorized users and processes.
Encryption and Key Management – Vormetric provides the strong, centrally managed, encryption and key management
that enables compliance and is transparent to processes, applications and users.
Security Intelligence – Vormetric logs capture all access attempts to protected data, providing high value security
intelligence information that can be used with a Security Information and Event Management (SIEM) solution to identify
compromised accounts and malicious insiders.
Automation – For fast rollouts and integration with existing infrastructure, both web and command line level APIs
provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.
Multi-Tenancy – Secure data in commingled and multi-tenant environments enabling end users to control policies and keys specific to their own data.
VMware’s Approach to PCI Compliance
Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud
computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are
designed for specific use cases. These use cases address questions like “How to be PCI compliant in a VMware Private
Cloud” by providing helpful information for VMware architects, the compliance community, and third parties.
The PCI Private Cloud Use Case is comprised of four VMware Product Suites - vCloud, vCloud Networking and Security,
vCenter Operations (vCOPs) and View. These product suites are described in detail in this paper. The use case also
provides readers with a mapping of the specific PCI controls to VMware’s product suite, partner solutions, and
organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its Partners can provide a
solution that addresses over 70% of the PCI DSS requirements.
Figure 3: PCI Requirements
Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud
Figure 5: Help Meet Customers’ Compliance Requirements to Migrate Business Critical Apps to a VMware vCloud
2. Cloud Computing
Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications
and even whole datacenters to the “cloud”, although few people can succinctly define the term “cloud computing.”
There are a variety of different frameworks available to define the cloud, and their definitions are important as they
serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing
as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):
“Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual
infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized
computers which can provide users with the ability to start and stop servers or use compute cycles only when needed,
often paying only upon usage.”
There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:
Private Cloud – The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.
Public Cloud – The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.
Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.
Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.
To learn more about VMware’s approach to cloud computing, review the following:
http://www.vmware.com/solutions/cloud-computing/index.html#tab3 - VMware Cloud Computing Overview
http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html - VMware’s vCloud
Architecture Toolkit
When an organization is considering the potential impact of cloud computing to their highly regulated and critical
applications, they may want to start by asking:
Is the architecture a true cloud environment (does it meet the definition of cloud)?
What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
What deployment model will be adopted?
Is the cloud platform a trusted platform?
The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer’s choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware’s vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing including safely deploying business critical applications.
To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware’s vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule by rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers click on the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000MJsMAAW
Figure 6: Vormetric Data Firewall™ Blocks Privileged Users
For additional information on VMware compliance solutions for PCI, please refer to the VMware Solution Guide for PCI.
Figure 7: VMware Cloud Computing Partner integration
Figure 8: Vormetric Cloud Computing Integration
Achieving PCI compliance is not a simple task. It is difficult for many organizations to navigate the current landscape of
information systems and adequately fulfill all PCI DSS requirements. Vormetric, working with VMware, is continuing its
leadership role in the industry by providing data firewall and data security solutions from the data center to the cloud,
to help clients meet their compliance needs.
3. Overview of PCI as it applies to Cloud/Virtual Environments
The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express,
Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require
through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and
service providers are required to validate their compliance by assessing their environment against nearly 300 specific
test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines,
penalties, or inability to process credit cards in addition to potential reputational loss.
The PCI DSS has six categories with twelve total requirements as outlined below:
Table 1: PCI Data Security Standard
The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October, 2010. These
guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud.
Version 2.0 of the Data Security Standard (DSS) specifically mentions the term “virtualization” (previous versions did not
use the word “virtualization”). This was followed by an additional document explaining the intent behind the PCI DSS
v2.0, “Navigating PCI DSS”. These documents were intended to clarify that virtual components should be considered as
“components” for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they
address virtual and cloud specific guidance in an Information Supplement, “PCI DSS Virtualization Guidelines,” released
in June 2011 by the PCI SSC’s Virtualization Special Interest Group (SIG).
Figure 9: Navigating PCI DSS
The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers)
and remains product agnostic (no specific mentions of vendors and their solutions).
* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations
that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal,
business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine
what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to
provide legal advice and is provided “AS IS”. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.
Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.
Figure 10: VMware PCI Compliance Products
4. Vormetric PCI Compliance Solution
Vormetric Data Firewall™ is a comprehensive solution providing privileged user control, centralized key and policy
management, encryption of data at rest, and comprehensive security intelligence. Vormetric offers strong data security
controls that leverage policy-based access controls, separation of duties, and auditing capabilities, all of which can be
managed through a centralized management console. In addition, in highly virtualized environments Vormetric provides
automatic installation, configuration, and dynamic policy enhancements based on real-time threats. Vormetric has
mapped its products against the PCI standard. The table provides a product description of the Vormetric Solutions and
how they relate to the PCI standard.
Table 2: Vormetric Solutions
Solution Description
Vormetric Data Firewall™
Vormetric Data Security Manager – Vormetric Data Security Manager integrates key management, data security policy management, and event log collection into a centrally managed cluster that provides high availability and scalability to thousands of Vormetric Agents. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed environments. The Data Security Manager stores the data security policies, encryption keys, and audit logs in a hardened appliance that is physically separated from the Agents. Security teams can enforce strong separation of duties over management of the Vormetric system by requiring key and policy management to be assigned to more than one data security administrator, so that no one person has complete control over the security of data. Vormetric Data Security Manager is accessed from a secure Web management console and supports multiple Vormetric Agents. As a rack-mountable Federal Information Processing Standard (FIPS) 140-2 validated appliance, the Data Security Manager functions as the central point for creating, distributing, and managing data encryption keys, policies, and host data security configurations.
Vormetric Agents – Vormetric Agents are software agents that insert above the file system and logical volume layers. The agents evaluate every attempt to access the protected data and apply predetermined policies to either grant or deny such attempts. The agents maintain a strong separation of duties on the server by encrypting file contents while leaving file metadata in the clear, so IT administrators can perform their jobs without directly accessing the information. The agents perform the encryption, decryption, and access control work locally on the system that is accessing the data at rest in storage. This enables encryption to be distributed within the data center and out to remote sites while being centrally managed via the Data Security Manager cluster. Vormetric Agents are installed on each server where data requires protection. The agents are specific to the OS platform and transparent to applications, databases (including Oracle, IBM, Microsoft, Sybase, and MySQL), file systems, networks, and storage architecture. Current OS support includes Microsoft Windows, Linux, Sun Solaris, IBM AIX, and HP-UX.
5. Vormetric PCI Requirements Matrix (Overview)
Vormetric’s PCI DSS Compliance Solution includes extensive data security and firewalling technology. When properly deployed and configured the Vormetric solution either fully meets or augments the following PCI DSS requirements:
Table 3: Vormetric PCI DSS Requirements Matrix
PCI DSS Requirement | Number of PCI requirements | Number of controls met or augmented by Vormetric
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | 0
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 | 0
Requirement 3: Protect stored cardholder data | 33 | 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 | 0
Requirement 5: Use and regularly update anti-virus software or programs | 6 | 0
Requirement 6: Develop and maintain secure systems and applications | 32 | 0
Requirement 7: Restrict access to cardholder data by business need to know | 7 | 7
Requirement 8: Assign a unique ID to each person with computer access | 32 | 2
Requirement 9: Restrict physical access to cardholder data | 28 | 0
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 18
Requirement 11: Regularly test security systems and processes | 24 | 1
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 | 0
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 | 0
TOTAL | 297 | 41
Vormetric Data Firewall™
The following matrix maps the PCI DSS controls to the functionality of the Vormetric Data Firewall™. Vormetric provides an enterprise-class platform with privileged user control, strong encryption, centralized key management, and comprehensive auditing. In addition, automation and multi-tenant capabilities are designed into the platform. It is designed to address an ever-changing landscape of threats and challenges with a full suite of capabilities.
Vormetric provides solutions to support or meet PCI DSS controls. Additional policy, process or technologies may be needed to be used in conjunction with Vormetric’s solutions to fully comply with PCI DSS.
Table 4: Applicability of PCI Controls to Vormetric Data Firewall™
PCI DSS V2.0 APPLICABILITY MATRIX
Requirement | Controls addressed | Description
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 3: Protect stored cardholder data
3.4, 3.4.1, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
Vormetric meets or augments the following specific controls:
Vormetric directly supports testing procedure 3.4 by protecting stored data through encrypting and controlling access to the files or volumes where PANs reside. Vormetric’s ability to encrypt structured and unstructured data means that it can protect the data whether it is in audit files or in databases. Additionally, Vormetric offers Backup Encryption Expert to secure backup media. Vormetric encrypts data using strong encryption algorithms such as Triple DES and AES (128- and 256-bit key lengths). PANs are protected using policy-based encryption so that only authorized users and services can encrypt and decrypt the protected files.
Vormetric directly supports testing procedure 3.4.1 by using file-level and volume-level encryption, not disk encryption. Cryptographic keys are not tied to user accounts, but are contained within the Vormetric system. Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key.
Vormetric directly supports testing procedure 3.5.x by ensuring encryption keys are securely stored on a FIPS 140-2 Level 2 validated security server (hardware appliance); Level 3 is available with the HSM option. The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties. When encryption keys are cached locally on a host to avoid network latency, Vormetric securely wraps the keys to protect them against access by root administrators.
Vormetric directly supports testing procedure 3.5.1 by ensuring cryptographic keys are centrally generated and stored by the Data Security Manager cluster. Best practice also dictates that custodians store cryptographic keys off-site. When cryptographic keys are backed up for off-site storage, the Data Security Manager encrypts them with a split wrapping key.
Vormetric directly supports testing procedure 3.5.2 by ensuring that all data encryption keys are stored encrypted within the Data Security Manager.
Vormetric directly supports testing procedure 3.6 through an architecture where the Data Security Manager is the central repository for cryptographic keys and policies managed via a secure web management console, a command line interface over SSH, or a direct console connection. Keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have direct access to key material.
Vormetric directly supports testing of procedure 3.6.1 by ensuring cryptographic keys are centrally generated within the FIPS 140-2 validated Data Security Manager appliance.
Vormetric directly supports testing of procedure 3.6.2 by ensuring data encryption keys are wrapped and then securely distributed via HTTPS to Vormetric agents configured to protect the PANs residing on file, app, or database servers.
Vormetric directly supports testing of procedure 3.6.3 by ensuring cryptographic keys are centrally stored within the Data Security Manager. Customers have the option to store cryptographic keys on the host server; Vormetric’s agents protect these keys from unauthorized access, even by root administrators.
Vormetric directly supports testing of procedure 3.6.4 by providing facilities for changing both Data Security Manager master keys and data encryption keys as defined by the organization’s security policy.
Vormetric directly supports testing of procedure 3.6.5 with the Data Security Manager as the central repository for cryptographic keys. When a key is retired by a custodian it can either be permanently deleted or made available only for decryption operations.
Vormetric directly supports testing of procedure 3.6.6 by following a “no knowledge” approach in which the keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have access to the key material. The Data Security Manager supports an “n of m” sharing scheme: a specified number of shares (n) out of those issued (m) must be provided in order to restore the encrypted contents of a Data Security Manager archive into a new or replacement Data Security Manager, so no single custodian can perform the restore alone.
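The “n of m” restore described above is a threshold secret-sharing scheme. The following is an added example, not Vormetric’s code: it implements Shamir secret sharing over a prime field so that an archive wrapping key can be split among m custodians and recovered from any n of them, while n-1 shares reveal nothing. The Data Security Manager’s real share format is not documented on this page and is not reproduced here; the function names and the sample key are assumptions made for this illustration.

```python
"""Added example (not Vormetric's code): an "n of m" share scheme of the kind
the paragraph above describes, implemented with Shamir secret sharing over a
prime field. Helper names and the sample key are assumptions for illustration."""
import secrets

# Mersenne prime 2^521 - 1: every 256-bit key is an element of this field.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low-to-high) at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, share_count):
    """Split an integer secret into share_count shares; any threshold of them
    reconstruct it, and threshold - 1 shares give no information about it."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    # The constant term is the secret; the remaining coefficients are random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.
    Fewer than threshold shares yield a random-looking wrong value, not an
    error: the custodians must know the threshold out of band."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key_bytes, threshold, share_count):
    """Wrap split_secret for a raw key (e.g. the archive wrapping key)."""
    return split_secret(int.from_bytes(key_bytes, "big"), threshold, share_count)


def recover_key(shares, key_len):
    """Inverse of split_key; key_len is the original key length in bytes.
    Raises OverflowError when the shares do not reconstruct a key that
    fits, which is what happens with too few shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample: a 256-bit archive key split 3-of-5 among custodians.
    archive_key = secrets.token_bytes(32)
    shares = split_key(archive_key, 3, 5)
    assert recover_key([shares[0], shares[2], shares[4]], 32) == archive_key
    assert recover_secret(shares[:2]) != int.from_bytes(archive_key, "big")
    print("3-of-5 restore OK; 2-of-5 restore does not yield the key")
```

Each custodian keeps one (x, y) pair; the x index is public and the y value is the secret share. Because a fresh random polynomial is drawn for every split, re-splitting the same key after a custodian leaves invalidates the old shares.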
Vormetric directly supports testing of procedure 3.6.7 through cryptographic key policy and usage defined and managed by the custodian of the Data Security Manager, thereby prohibiting unauthorized substitution of cryptographic keys by developers, database administrators, or any other unauthorized users. Further, the Vormetric solution provides robust separation of duties, such that one administrator may create a key but a separate administrator must activate or apply that key to protect data.
Vormetric directly supports testing of procedure 3.6.8 with the Data Security Manager as the central repository for cryptographic keys; key-custodian acknowledgement forms can be distributed easily to the Data Security Manager custodians.
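Two of the controls in the rows above are easy to state and easy to get wrong in code: the two-person rule of 3.6.7 (the administrator who creates a key may not be the one who activates it) and the retire-to-decrypt-only state of 3.6.5. The following is an added example, not Vormetric’s code, showing a key-lifecycle model that enforces both and records every decision. The state names, the administrator names and the audit record layout are assumptions made for this illustration.

```python
"""Added example (not Vormetric's code): key lifecycle with a two-person rule
(3.6.7) and a decrypt-only retired state (3.6.5). State names, admin names and
the audit record layout are assumptions for illustration."""
from enum import Enum
from typing import Dict, List, Optional
import secrets


class KeyState(Enum):
    CREATED = "created"       # generated, not yet approved for use
    ACTIVE = "active"         # may encrypt and decrypt
    RETIRED = "retired"       # decrypt only, so old ciphertext stays readable
    DESTROYED = "destroyed"   # material zeroised, no operations allowed


class PolicyViolation(Exception):
    """Raised when an operation would break separation of duties or state rules."""


class ManagedKey:
    def __init__(self, key_id: str, created_by: str):
        self.key_id = key_id
        self.created_by = created_by
        self.activated_by: Optional[str] = None
        self.state = KeyState.CREATED
        # Key material never leaves the manager; administrators only see the id.
        self.material: Optional[bytes] = secrets.token_bytes(32)


class KeyManager:
    # Operations each state permits (3.6.5: a retired key decrypts only).
    _ALLOWED = {
        KeyState.CREATED: frozenset(),
        KeyState.ACTIVE: frozenset({"encrypt", "decrypt"}),
        KeyState.RETIRED: frozenset({"decrypt"}),
        KeyState.DESTROYED: frozenset(),
    }

    def __init__(self):
        self._keys: Dict[str, ManagedKey] = {}
        self.audit: List[dict] = []

    def _log(self, admin, action, key_id, outcome):
        self.audit.append({"admin": admin, "action": action, "key": key_id, "outcome": outcome})

    def _get(self, key_id) -> ManagedKey:
        if key_id not in self._keys:
            raise KeyError(key_id)
        return self._keys[key_id]

    def create_key(self, admin, key_id):
        if key_id in self._keys:
            raise PolicyViolation("key id already exists")
        self._keys[key_id] = ManagedKey(key_id, admin)
        self._log(admin, "create", key_id, "success")

    def activate_key(self, admin, key_id):
        key = self._get(key_id)
        if key.state is not KeyState.CREATED:
            self._log(admin, "activate", key_id, "failure")
            raise PolicyViolation("only a newly created key can be activated")
        if admin == key.created_by:
            # 3.6.7 two-person rule: the creator cannot also be the activator.
            self._log(admin, "activate", key_id, "failure")
            raise PolicyViolation("creator may not activate their own key")
        key.state = KeyState.ACTIVE
        key.activated_by = admin
        self._log(admin, "activate", key_id, "success")

    def retire_key(self, admin, key_id):
        key = self._get(key_id)
        if key.state is not KeyState.ACTIVE:
            self._log(admin, "retire", key_id, "failure")
            raise PolicyViolation("only an active key can be retired")
        key.state = KeyState.RETIRED
        self._log(admin, "retire", key_id, "success")

    def destroy_key(self, admin, key_id):
        key = self._get(key_id)
        if key.state is KeyState.DESTROYED:
            raise PolicyViolation("key already destroyed")
        key.material = None   # zeroise; only the audit trail remains
        key.state = KeyState.DESTROYED
        self._log(admin, "destroy", key_id, "success")

    def authorize_use(self, key_id, operation) -> bool:
        """True if the key's current state permits the operation."""
        return operation in self._ALLOWED[self._get(key_id).state]

    def state_of(self, key_id) -> KeyState:
        return self._get(key_id).state
```

The failure entries in the audit list are the point: an assessor checking 3.6.7 wants to see that a rejected self-activation was logged, not silently ignored.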
Requirement 4: Encrypt transmission of cardholder data across open, public networks
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 5: Use and regularly update anti-virus software or programs
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 6: Develop and maintain secure systems and applications
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 7: Restrict access to cardholder data by business need to know
7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
Vormetric meets or augments the following specific controls:
Vormetric directly supports testing procedure 7.1.X by adding a layer of access control on top of the native operating system access control. It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data.
Vormetric directly supports testing of procedure 7.1.1 by ensuring that data cannot be viewed by system administrators who do not have a “need to know,” while simultaneously ensuring that there is no interruption to data backup processes. By leaving metadata in the clear but encrypting the underlying data, administrators can identify the files that require backup without being given access to the file contents.
Vormetric directly supports testing of procedure 7.1.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on “need to know.”
Vormetric directly supports testing of procedure 7.1.3 by providing audit records to assist with the monitoring of privileges. Any change made to the access control policies is always audited. Any changes to authorizations can be reviewed.
Vormetric directly supports testing of procedure 7.1.4 by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. Available rights for Vormetric policies include release of encrypted contents for backup, decryption of contents based on need to know, and control of writes to the data file.
Vormetric directly supports testing of procedure 7.2.x by setting access control policies that define a list of authorized users and applications. Only users and applications on this list can access the data in clear text. (Administrators can still see and manage the files holding cardholder data, but the contents are not decrypted for them.)
Vormetric directly supports testing of procedure 7.2.1 by protecting the cardholder data at rest anywhere on the server.
Vormetric directly supports testing of procedure 7.2.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on “need to know.”
Vormetric directly supports testing of procedure 7.2.3 through default settings as “deny-all” for all access control policies.
Requirement 8: Assign a unique ID to each person with computer access
8.4, 8.5.16 Vormetric meets or augments the following specific controls:
Vormetric augments testing procedure 8.4 by providing the ability to encrypt all passwords while they are in storage.
Vormetric directly supports testing procedure 8.5.16 by preventing privileged users at the operating system level from accessing information stored in databases.
Requirement 9: Restrict access to cardholder data by business need to know
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement 10: Track and monitor all access to network resources and cardholder data
10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.1, 10.5.1, 10.5.2, 10.5.3, 10.5.5
Vormetric meets or augments the following specific controls:
Vormetric directly supports testing of procedure 10.1 by providing detailed auditing at the file system level. Any read/write request for sensitive data can be audited, and the audit trail contains the information needed to track access back to a specific user, application and time.
Vormetric directly supports testing of procedure 10.2.X by providing logging and flexible policy
options to audit access and changes to Vormetric infrastructure and protected resources.
Vormetric directly supports testing of procedure 10.2.1 by including flexible policy options to audit access and changes to protected resources. Policies can be constructed to monitor individual access to cardholder data.
Vormetric directly supports testing of procedure 10.2.2 by constructing policies to monitor individual access to cardholder data. Policies can also prevent privileged users from accessing
data in the clear without interfering with their ability to perform their day-to-day administrative
duties. Both failed and successful attempts to view card data are logged.
Vormetric directly supports testing of procedure 10.2.3 by enabling administrators of the Data
Security Manager that are assigned the role of “audit officer” to access audit trails, which are
centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited.
Vormetric directly supports testing of procedure 10.2.4 through configuration to audit all denied
access requests.
Vormetric directly supports testing of procedure 10.2.6 by logging the initialization of Vormetric
logs.
Vormetric directly supports testing of procedure 10.2.7 by logging all custodian activity.
Vormetric directly supports testing of procedure 10.3.1 by generating audit entries that include
the username and group membership.
Vormetric directly supports testing of procedure 10.3.2 by generating audit entries that include the type of event.
Vormetric directly supports testing of procedure 10.3.3 by generating audit entries that include
the date and time.
Vormetric directly supports testing of procedure 10.3.4 by generating audit entries that include a
success or failure indication. In the case of a permitted action, the event data also includes
whether the access was to clear text or to encrypted data.
Vormetric directly supports testing of procedure 10.3.5 by generating audit entries that note the
origination of the event.
Vormetric directly supports testing of procedure 10.3.6 by generating audit entries that include the host and the full path to the file that was the target of the access request.
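The access-control model the matrix describes for Requirement 7 (a list of authorized users and applications, rights for clear-text reads, encrypted-only reads and writes, restriction by location and time of day, deny-all by default) and the audit record contents it lists for 10.3.1 through 10.3.6 (including the clear-text vs. encrypted indication) can be made concrete in a small policy evaluator. The following is an added example, not Vormetric's code or policy syntax; the rule fields, user names, process paths, hostname, file path and timestamp are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Rule:  # one rule in a constructed policy model (not Vormetric's own syntax)
    users: tuple        # authorized users (7.2)
    processes: tuple    # authorized applications (7.2)
    path_prefix: str    # location of the data (7.1.4)
    hours: range        # permitted hours of day, UTC (7.1.4)
    rights: tuple       # any of "decrypt", "encrypted_read", "write" (7.1.4)

def evaluate(rules, user, group, process, host, path, op, when):
    """Deny-all default (7.2.3); first matching rule decides. Returns (decision, audit_record)."""
    decision, content = "deny", None
    for r in rules:
        if (user in r.users and process in r.processes
                and path.startswith(r.path_prefix) and when.hour in r.hours):
            if op == "read" and "decrypt" in r.rights:
                decision, content = "permit", "clear"        # need-to-know reader
            elif op == "read" and "encrypted_read" in r.rights:
                decision, content = "permit", "encrypted"    # backup/admin: ciphertext only
            elif op == "write" and "write" in r.rights:
                decision = "permit"
            break
    record = {
        "user": user, "group": group,          # 10.3.1 user identification
        "event": op,                           # 10.3.2 type of event
        "time": when.isoformat(),              # 10.3.3 date and time
        "outcome": decision,                   # 10.3.4 success or failure (denials logged too, 10.2.4)
        "origin": f"{host}:{process}",         # 10.3.5 origination of the event
        "target": f"{host}:{path}",            # 10.3.6 host and full path of the resource
    }
    if content:
        record["content"] = content            # 10.3.4 addition: clear text or encrypted
    return decision, record

# Constructed policy: the POS service decrypts; backup and root see ciphertext only, at night.
RULES = [
    Rule(("appsvc",), ("/opt/pos/bin/posd",), "/data/card/", range(0, 24), ("decrypt", "write")),
    Rule(("root", "backup"), ("/usr/bin/tar",), "/data/card/", range(1, 5), ("encrypted_read",)),
]

def demo():
    """Three constructed requests: application read, backup read, root read via an unlisted tool."""
    t = datetime(2013, 5, 1, 2, 30, tzinfo=timezone.utc)  # constructed timestamp
    return [evaluate(RULES, *req, t) for req in [
        ("appsvc", "pos", "/opt/pos/bin/posd", "pos01", "/data/card/batch.dat", "read"),
        ("backup", "ops", "/usr/bin/tar", "pos01", "/data/card/batch.dat", "read"),
        ("root", "wheel", "/bin/cat", "pos01", "/data/card/batch.dat", "read"),
    ]]
```

The third request shows the matrix's point about privileged users: root is an authorized user for the backup rule but not through an arbitrary tool, so the request is denied and the denial is still recorded with every 10.3.x field.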
Vormetric directly supports testing of procedure 10.4.1 through synchronization with an NTP
server.
Vormetric directly supports testing of procedure 10.5.1 by limiting the viewing of audit trails to
those individuals with job-related need.
Vormetric directly supports testing of procedure 10.5.2 by ensuring that audit trails cannot be modified while they reside on the Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric encryption and access control.
Vormetric directly supports testing of procedure 10.5.3 by providing an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a
customer’s centralized log server or event management solution via syslog. In addition, this
external log repository can be protected and safeguarded with the Vormetric solution.
Vormetric directly supports testing of procedure 10.5.5 by ensuring log files cannot be modified
while they reside on the Vormetric Data Security Manager. Further, customers may use the
Vormetric solution to block or monitor changes to log files and other audit trails.
Vormetric augments testing of procedure 10.6 by generating log reports for monitoring of daily
activity.
Requirement 11: Regularly test security systems and processes.
11.5 Vormetric meets or augments the following specific controls:
Vormetric augments testing of procedure 11.5 by generating audit information on unintended direct access to card data; it can also be configured to generate alerts.
Requirement 12: Maintain a policy that addresses the information security for all personnel.
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Requirement A.1: Shared hosting providers must protect the cardholder data environment
N/A No controls in this PCI requirement are addressed by the Vormetric solution.
Acknowledgements:
VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance,
and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance
Program. VMware would also like to recognize the Coalfire VMware Team www.coalfire.com/Partners/VMware for
their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI
DSS v. 2.0 and the Reference Architecture described herein.
The information provided by Coalfire and contained in this document is for educational and informational purposes only.
Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information
contained herein.
About Coalfire
Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides
IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver,
Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in
retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based
IT GRC tools under the Navis® brand that clients use to efficiently manage IT controls and keep pace with rapidly
changing regulations and best practices. Coalfire’s solutions are adapted to requirements under emerging data privacy
legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP.
For more information, visit www.coalfire.com.