
Vormetric Addendum to VMware Solution Guide for … (source: go.thalesesecurity.com/rs/vormetric/images/vormetric-coalfire-PCI...)

SOLUTION GUIDE ADDENDUM

Solution Guide for Payment Card Industry (PCI) Partner Addendum

Vormetric Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire®, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire’s results are based on detailed document inspections and interviews with the vendor’s technical teams. Coalfire’s guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.


Table of Contents

1. INTRODUCTION  3
2. CLOUD COMPUTING  8
3. OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS  12
4. VORMETRIC PCI COMPLIANCE SOLUTION  15
5. VORMETRIC PCI REQUIREMENTS MATRIX (OVERVIEW)  16


1. Introduction

Safeguarding Data with Privileged User Access Controls

The Flaw in the System

Since the introduction of multi-user computer systems over 40 years ago, there has been a fundamental flaw in their security architecture. The flaw? The concept of a Root User, Domain Administrator, System Administrator or other high-level computer operator, and their data access rights. These users have always had access to every aspect of a system: software installation, system configuration, user creation, networking, resource allocation and more, as well as access to all the data associated with the system.

These accounts exist because of the need for system maintenance and management. But as systems have become more closely interlinked, with increasing amounts of private and confidential data accessible to them, the risk from privileged user accounts has increased.

Compounding this are the ways that many enterprise IT departments have traditionally done business, and the advent of new technologies and threats:

- Rights too broadly assigned: Superuser privileges are often assigned to DBAs, application developers, SysAdmins and others who have no real need for this level of access to private and confidential data.
- Sharing of privileged accounts: Traditionally, many IT departments allowed unrestricted sharing of privileged user accounts (logins and passwords), leading to a loss of personal accountability.
- Cloud, virtualization and big data expand the threat: With each new technology layer used as part of system deployment and management, new privileged user roles are created.
- Advanced Persistent Threat (APT) attacks target privileged accounts: Attackers have found that if you want access to everything, you compromise privileged user accounts and their system and data access rights. Though they may initially enter through less sensitive accounts, privileged user credentials are a primary target.


Figure 1: Vormetric Data Firewall™ Solution Overview

The Solution – The Vormetric Data Firewall™

Allow Privileged Users to manage systems without risk to protected data

The tasks performed by privileged users to maintain, repair and initiate systems are not optional; these roles exist in order to meet essential requirements for all enterprise environments. What is needed is to enable these users to perform their tasks while removing their ability to access private and confidential data. And when a category of account has a legitimate need to access this sensitive data, the information must be available to identify anomalous usage patterns that may indicate the account has been compromised.

- Transparent: The Vormetric Data Firewall™ meets these needs with a transparent solution, enabling critical system processes to continue without exposing data.
- Strong: The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, that provides granular access to protected structured or unstructured data by process, user, time and other parameters.
- Efficient: Vormetric provides a high-performance, low-overhead solution, leveraging the AES-NI hardware encryption built into Intel x86 processors.
- Easy: Deployments take days to weeks, not weeks to months, across physical systems, cloud, big data and virtualized environments that are easy to manage and easy to understand.


Meet Critical Enterprise Requirements

Organizations that need to protect data from the inherent risks of privileged users must do so in order to meet critical requirements:

- Meet compliance requirements
- Prevent data breaches
- Safeguard intellectual property

Figure 2: Vormetric Data Firewall™ for PCI Compliance

- Access Policies and Privileged User Control: Vormetric provides fine-grained, policy-based access controls that restrict access to data, ensuring that data is available only to authorized users and processes.
- Encryption and Key Management: Vormetric provides the strong, centrally managed encryption and key management that enables compliance and is transparent to processes, applications and users.
- Security Intelligence: Vormetric logs capture all access attempts to protected data, providing high-value security intelligence that can be used with a Security Information and Event Management (SIEM) solution to identify compromised accounts and malicious insiders.
- Automation: For fast rollouts and integration with existing infrastructure, both web and command-line APIs provide access to the Vormetric Data Security environment for policy management, deployment and monitoring.
- Multi-Tenancy: Secure data in commingled and multi-tenant environments, enabling end users to control policies and keys specific to their own data.


VMware’s Approach to PCI Compliance

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like “How to be PCI compliant in a VMware Private Cloud” by providing helpful information for VMware architects, the compliance community, and third parties.

The PCI Private Cloud Use Case consists of four VMware Product Suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOPs) and View. These product suites are described in detail in this paper. The use case also provides readers with a mapping of the specific PCI controls to VMware’s product suite, partner solutions, and organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its Partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 3: PCI Requirements


Figure 4: VMware + Vormetric Product Capabilities for a Trusted Cloud


Figure 5: Help Meet Customers’ Compliance Requirements to Migrate Business Critical Apps to a VMware vCloud

2. Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the “cloud”, although few people can succinctly define the term “cloud computing.” There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

“Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage.”

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

Private Cloud – The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud – The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.


Hybrid Cloud – The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware’s approach to cloud computing, review the following:

http://www.vmware.com/solutions/cloud-computing/index.html#tab3 - VMware Cloud Computing Overview
http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html - VMware’s vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:

- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer’s choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware’s vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing including safely deploying business critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware’s vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule by rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers click on the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000MJsMAAW


Figure 6: Vormetric Data Firewall™ Blocks Privileged Users

For additional information on VMware compliance solutions for PCI, please refer to the VMware Solution Guide for PCI.


Figure 7: VMware Cloud Computing Partner integration


Figure 8: Vormetric Cloud Computing Integration

Achieving PCI compliance is not a simple task. It is difficult for many organizations to navigate the current landscape of information systems and adequately fulfill all PCI DSS requirements. Vormetric, working with VMware, is continuing its leadership role in the industry by providing data firewall and data security solutions from the data center to the cloud, to help clients meet their compliance needs.

3. Overview of PCI as it applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.


The PCI DSS has six categories with twelve total requirements as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term “virtualization” (previous versions did not use the word). This was followed by an additional document explaining the intent behind PCI DSS v2.0, “Navigating PCI DSS”. These documents were intended to clarify that virtual components should be considered “components” for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, virtual and cloud specific guidance is addressed in an Information Supplement, “PCI DSS Virtualization Guidelines,” released in June 2011 by the PCI SSC’s Virtualization Special Interest Group (SIG).

Figure 9: Navigating PCI DSS


The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided “AS IS”. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Figure 10: VMware PCI Compliance Products


4. Vormetric PCI Compliance Solution

Vormetric Data Firewall™ is a comprehensive solution providing privileged user control, centralized key and policy

management, encryption of data at rest, and comprehensive security intelligence. Vormetric offers strong data security

controls that leverage policy-based access controls, separation of duties, and auditing capabilities, all of which can be

managed through a centralized management console. In addition, in highly virtualized environments Vormetric provides

automatic installation, configuration, and dynamic policy enhancements based on real-time threats. Vormetric has

mapped its products against the PCI standard. The table provides a product description of the Vormetric Solutions and

how they relate to the PCI standard.

Table 2: Vormetric Solutions

Solution: Vormetric Data Firewall™

Vormetric Data Security Manager
Vormetric Data Security Manager integrates key management, data security policy management, and event log collection into a centrally managed cluster that provides high availability and scalability to thousands of Vormetric Agents. This enables data security administrators to easily manage standards-based encryption across Linux, UNIX, and Windows operating systems in both centralized and geographically distributed environments. The Data Security Manager stores the data security policies, encryption keys, and audit logs in a hardened appliance that is physically separated from the Agents. Security teams can enforce strong separation of duties over management of the Vormetric system by requiring the assignment of key and policy management to more than one data security administrator, so that no one person has complete control over the security of data. Vormetric Data Security Manager is accessed from a secure web management console and supports multiple Vormetric Agents. As a rack-mountable Federal Information Processing Standard (FIPS) 140-2 appliance, the Data Security Manager functions as the central point for creating, distributing, and managing data encryption keys, policies, and host data security configurations.

Vormetric Agents
Vormetric Agents are software agents that insert above the file system and logical volume layers. The agents evaluate any attempt to access the protected data and apply predetermined policies to either grant or deny such attempts. The agents maintain a strong separation of duties on the server by encrypting files and leaving their metadata in the clear, so IT administrators can perform their jobs without directly accessing the information. The agents perform the encryption, decryption, and access control work locally on the system that is accessing the data at rest in storage. This enables encryption to be distributed within the data center and out to remote sites, while being centrally managed via the Data Security Manager cluster. Vormetric Agents are installed on each server where data requires protection. The agents are specific to the OS platform and transparent to applications, databases (including Oracle, IBM, Microsoft, Sybase, and MySQL), file systems, networks, and storage architecture. Current OS support includes Microsoft Windows, Linux, Sun Solaris, IBM AIX, and HP-UX.
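The privileged-user model described in the Introduction and in the Agent description above (access to protected files decided by policy on user, process and time, metadata left available to administrators, every attempt logged for SIEM review) is illustrated by the following added example. It is not Vormetric code: the Effect, Rule and AccessRequest types, the PAN_POLICY rules, the paths, account names and log format are all constructed for illustration.

```python
"""Illustrative model of the policy-based data firewall this guide describes: each
access to a protected file is decided on (user, process, operation, time) and logged.
Constructed example, not Vormetric code; all paths, users and names are made up."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum

class Effect(Enum):
    PERMIT = "permit"                # operation allowed, plaintext returned
    PERMIT_CIPHERTEXT = "permit_ct"  # operation allowed, but no decryption: caller sees metadata/ciphertext only
    DENY = "deny"

@dataclass(frozen=True)
class Rule:
    effect: Effect
    ops: frozenset                      # e.g. {"read", "write", "stat"}
    users: frozenset | None = None      # None matches any user
    processes: frozenset | None = None  # None matches any process path
    window: tuple | None = None         # (start, end) local times; None = always

@dataclass(frozen=True)
class AccessRequest:
    user: str
    process: str
    op: str
    path: str
    at: datetime

def in_window(window, at: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    t = at.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window wraps past midnight

def matches(rule: Rule, req: AccessRequest) -> bool:
    return (req.op in rule.ops
            and (rule.users is None or req.user in rule.users)
            and (rule.processes is None or req.process in rule.processes)
            and in_window(rule.window, req.at))

def evaluate(policy, req: AccessRequest) -> Effect:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in policy:
        if matches(rule, req):
            return rule.effect
    return Effect.DENY

def audit_line(req: AccessRequest, effect: Effect) -> str:
    """Constructed key=value record: every attempt is logged, not only denials."""
    return (f"ts={req.at.isoformat()} user={req.user} proc={req.process} "
            f"op={req.op} path={req.path} effect={effect.value}")

def deny_counts(records) -> dict:
    """Per-user denial tally, the aggregate a SIEM rule would alert on to spot a
    compromised or misused privileged account."""
    counts: dict = {}
    for req, effect in records:
        if effect is Effect.DENY:
            counts[req.user] = counts.get(req.user, 0) + 1
    return counts

# Constructed policy for a guard point holding PAN data.
PAN_POLICY = [
    # The payment application, under its own service account, gets plaintext.
    Rule(Effect.PERMIT, frozenset({"read", "write"}),
         users=frozenset({"posapp"}), processes=frozenset({"/opt/pos/bin/payd"})),
    # The nightly backup job may copy the files, but only as ciphertext.
    Rule(Effect.PERMIT_CIPHERTEXT, frozenset({"read", "stat"}),
         users=frozenset({"root", "backup"}),
         processes=frozenset({"/usr/bin/tar", "/usr/bin/rsync"}),
         window=(time(1, 0), time(4, 0))),
    # root may manage the files (metadata operations) from any tool, but never read plaintext.
    Rule(Effect.PERMIT_CIPHERTEXT, frozenset({"stat", "chmod", "chown", "mv"}),
         users=frozenset({"root"})),
]

def demo():
    """Runs constructed requests through PAN_POLICY; returns (records, deny tally)."""
    day = datetime(2024, 5, 1)
    reqs = [
        AccessRequest("posapp", "/opt/pos/bin/payd", "read", "/pan/txn.db", day.replace(hour=10)),
        AccessRequest("root", "/usr/bin/tar", "read", "/pan/txn.db", day.replace(hour=2)),
        AccessRequest("root", "/bin/cat", "read", "/pan/txn.db", day.replace(hour=14, minute=1)),
        AccessRequest("root", "/bin/chmod", "chmod", "/pan/txn.db", day.replace(hour=14, minute=2)),
        AccessRequest("dba1", "/usr/bin/sqlplus", "read", "/pan/txn.db", day.replace(hour=15)),
    ]
    records = [(r, evaluate(PAN_POLICY, r)) for r in reqs]
    return records, deny_counts(records)

if __name__ == "__main__":
    recs, tally = demo()
    for req, effect in recs:
        print(audit_line(req, effect))
    print("denials per user:", tally)
```

The backup job copies ciphertext inside its window and is denied outside it, while root's direct read attempt is denied and shows up in the per-user tally.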


5. Vormetric PCI Requirements Matrix (Overview)

Vormetric’s PCI DSS Compliance Solution includes extensive data security and firewalling technology. When properly deployed and configured, the Vormetric solution either fully meets or augments the following PCI DSS requirements:

Table 3: Vormetric PCI DSS Requirements Matrix

PCI DSS Requirement | Number of PCI Requirements | Number of Controls Met or Augmented by Vormetric
Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 |
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 |
Requirement 3: Protect stored cardholder data | 33 | 13
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 |
Requirement 5: Use and regularly update anti-virus software or programs | 6 |
Requirement 6: Develop and maintain secure systems and applications | 32 |
Requirement 7: Restrict access to cardholder data by business need to know | 7 | 7
Requirement 8: Assign a unique ID to each person with computer access | 32 | 2
Requirement 9: Restrict access to cardholder data by business need to know | 28 |
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 18
Requirement 11: Regularly test security systems and processes | 24 | 1
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 |
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 |
TOTAL | 297 | 41


Vormetric Data Firewall™

The following matrix maps the PCI DSS controls to the functionality of the Vormetric Data Firewall™. Vormetric provides an enterprise-class platform that delivers privileged user control, strong encryption, centralized key management, and comprehensive auditing. In addition, automation and multi-tenant capabilities are designed into the platform. It is designed to address an ever-changing landscape of threats and challenges with a full suite of capabilities.

Vormetric provides solutions to support or meet PCI DSS controls. Additional policy, process or technologies may need to be used in conjunction with Vormetric’s solutions to fully comply with PCI DSS.

Table 4: Applicability of PCI Controls to Vormetric Data Firewall™ (PCI DSS v2.0 Applicability Matrix)

Each entry gives the requirement, the controls addressed, and a description.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: N/A. No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: N/A. No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 3: Protect stored cardholder data
Controls addressed: 3.4, 3.4.1, 3.5.1, 3.5.2, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8

Vormetric meets or augments the following specific controls:

Vormetric directly supports testing procedure 3.4 by protecting stored data through encrypting and controlling access to the files or volumes where PANs reside. Vormetric’s ability to encrypt structured and unstructured data means that it can protect the data whether it is in audit files or in databases. Additionally, Vormetric offers Backup Encryption Expert to secure backup media. Vormetric encrypts data using strong encryption algorithms such as Triple DES and AES (128- and 256-bit key lengths). PANs are protected using policy-based encryption so that only authorized users and services can encrypt and decrypt the protected files.

Vormetric directly supports testing procedure 3.4.1 by using file-level and volume-level encryption, not disk encryption. Cryptographic keys are not tied to user accounts but are contained within the Vormetric system. Vormetric performs the encryption/decryption functions, as opposed to granting authorized and authenticated users access to the key.


Vormetric directly supports testing procedure 3.5.X by ensuring encryption keys are securely stored on a FIPS 140-2 Level 2 validated security server (hardware appliance); Level 3 is available with the HSM. The security server has its own local users that are decoupled from Active Directory users to maintain separation of duties. When encryption keys are stored locally to eliminate network latency performance hits, Vormetric securely wraps the keys to protect against access by root administrators.

Vormetric directly supports testing procedure 3.5.1 by ensuring cryptographic keys are centrally generated and stored by the Data Security Manager cluster. Best practice also dictates that custodians store cryptographic keys off-site. When cryptographic keys are backed up for off-site storage, the Data Security Manager encrypts them with a split wrapping key.

Vormetric directly supports testing procedure 3.5.2 by ensuring that all data encryption keys are stored encrypted within the Data Security Manager.

Vormetric directly supports testing procedure 3.6 through an architecture where the Data Security Manager is the central repository for cryptographic keys and policies, managed via a secure web management console, a command line interface over SSH, or a direct console connection. Keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have direct access to key material.

Vormetric directly supports testing procedure 3.6.1 by ensuring cryptographic keys are centrally generated by the Data Security Manager appliance and are fully compliant with FIPS standards.

Vormetric directly supports testing procedure 3.6.2 by ensuring data encryption keys are wrapped and then securely distributed via HTTPS to Vormetric agents configured to protect the PANs residing on file, application, or database servers.

Vormetric directly supports testing procedure 3.6.3 by ensuring cryptographic keys are centrally stored within the Data Security Manager. Customers have the option to store cryptographic keys on the host server; Vormetric’s highly secure agents protect these keys from unauthorized access, even from root administrators.

Vormetric directly supports testing procedure 3.6.4 by providing facilities for changing both Data Security Manager master keys and data encryption keys as defined by the organization’s security policy.

Vormetric directly supports testing procedure 3.6.5 with the Data Security Manager as the central repository for cryptographic keys. When a key is retired by a custodian, it can either be permanently deleted or made available only for decryption operations.

Vormetric directly supports testing of procedure 3.6.6 by following a “no knowledge” approach in which the keys never leave the Data Security Manager in the clear. Custodians can create keys, but do not have access to the key material. The Data Security Manager supports an “n of m” sharing scheme. A specific number of shares must be provided in order to restore the encrypted contents of the Data Security Manager archive into a new or replacement Data Security Manager.
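An added example, not Vormetric code (the page does not say which sharing scheme the Data Security Manager uses), showing how an “n of m” restore works with Shamir secret sharing over a prime field: a constructed archive-wrapping key is split into m shares, any n of them recover it, and n-1 of them do not.

```python
import secrets

# Field prime for the share arithmetic: 2**521 - 1 is a Mersenne prime, so any
# secret of up to 64 bytes (e.g. a key that wraps a DSM backup archive) fits.
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, m):
    """Split `secret` into m shares of which any n reconstruct it (Shamir)."""
    if not 1 < n <= m:
        raise ValueError("need 1 < n <= m")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    # The secret is the constant term; the other n-1 coefficients are random,
    # so any n-1 shares reveal nothing about it.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]

def combine_shares(shares):
    """Recover the constant term by Lagrange interpolation at x = 0."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

# Constructed 32-byte archive-wrapping key; not a real Vormetric key.
ARCHIVE_KEY = int.from_bytes(b"constructed-archive-key-32bytes!", "big")

def restore_demo(n=3, m=5):
    """Return (value restored from n shares, value restored from n-1 shares)."""
    shares = split_secret(ARCHIVE_KEY, n, m)
    return combine_shares(shares[:n]), combine_shares(shares[: n - 1])
```

Fewer than n shares interpolate to a random field element, so a lost custodian share below the threshold makes the archive unrecoverable rather than partially readable.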

Vormetric directly supports testing of procedure 3.6.7 through cryptographic key policy and usage defined and managed by the custodian of the Data Security Manager, thereby prohibiting unauthorized substitution of cryptographic keys by developers, database administrators, or any other unauthorized users. Further, the Vormetric solution provides robust separation of duties, such that one administrator may create a key but a separate administrator must activate or apply that key to protect data.

Vormetric directly supports testing of procedure 3.6.8 with the Data Security Manager as the central repository for cryptographic keys; the required custodian forms can be distributed easily to the Data Security Manager custodians.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

N/A No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 5: Use and regularly update anti-virus software or programs

N/A No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 6: Develop and maintain secure systems and applications

N/A No controls in this PCI requirement are addressed by the Vormetric solution.


Requirement 7: Restrict access to cardholder data by business need to know

Controls addressed: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3

Vormetric meets or augments the following specific controls:

Vormetric directly supports testing procedure 7.1.X by adding a layer of access control on top of the native operating system access control. It also can harden the access control defined at the OS layer and prevent root administrators and privileged users from accessing or viewing cardholder data.

Vormetric directly supports testing of procedure 7.1.1 by ensuring that data cannot be viewed by system administrators who do not have a “need to know,” while simultaneously ensuring that there is no interruption to data backup processes. By leaving metadata in the clear, but encrypting the underlying data, administrators can identify the files that require backup without providing them access to the file itself.

Vormetric directly supports testing of procedure 7.1.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on “need to know.”

Vormetric directly supports testing of procedure 7.1.3 by providing audit records to assist with the monitoring of privileges. Any change made to the access control policies is always audited. Any changes to authorizations can be reviewed.

Vormetric directly supports testing of procedure 7.1.4 by providing a granular, policy-based system that restricts access based on individual, role, process, time of day, and location of data. Available rights for Vormetric policies include release of encrypted contents for backup, decryption of contents based on need to know, and control of writes to the data file.

Vormetric directly supports testing of procedure 7.2.X by setting access control policies that define a list of authorized users and applications. Only users and applications that are part of this list can access the data in clear text. (Administrators are given access to the cardholder data, but data is not decrypted for them.)

Vormetric directly supports testing of procedure 7.2.1 by protecting the cardholder data at rest anywhere on the server.

Vormetric directly supports testing of procedure 7.2.2 by enforcing policies that ensure individuals, applications and processes are provided access to the cardholder data based on their classification and functions, thereby restricting access based on “need to know.”

Vormetric directly supports testing of procedure 7.2.3 by defaulting all access control policies to “deny-all.”

Requirement 8: Assign a unique ID to each person with computer access

Controls addressed: 8.4, 8.5.16

Vormetric meets or augments the following specific controls:

Vormetric augments testing procedure 8.4 by enabling all passwords to be encrypted during storage.

Vormetric directly supports testing procedure 8.5.16 by preventing privileged users at the operating-system level from accessing information stored in databases.

Requirement 9: Restrict physical access to cardholder data

N/A No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement 10: Track and monitor all access to network resources and cardholder data

Controls addressed: 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.6, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.1, 10.5.1, 10.5.2, 10.5.3, 10.5.5

Vormetric meets or augments the following specific controls:

Vormetric directly supports testing of procedure 10.1 by providing detailed auditing at the file system level. Any read/write request for sensitive data can be audited, and the trails contain information to track access back to a specific user, application and time.

Vormetric directly supports testing of procedure 10.2.X by providing logging and flexible policy options to audit access and changes to Vormetric infrastructure and protected resources.

Vormetric directly supports testing of procedure 10.2.1 by including flexible policy options to audit access and changes to protected resources. Policies can be constructed to monitor individual access to cardholder data.

Vormetric directly supports testing of procedure 10.2.2 by constructing policies to monitor individual access to cardholder data. Policies can also prevent privileged users from accessing data in the clear without interfering with their ability to perform their day-to-day administrative duties. Both failed and successful attempts to view card data are logged.

Vormetric directly supports testing of procedure 10.2.3 by enabling administrators of the Data Security Manager who are assigned the role of “audit officer” to access audit trails, which are centrally stored. Vormetric recommends that audit/log data be sent to a centralized log server safeguarded by Vormetric. All access and access attempts to Vormetric logs are audited.


Vormetric directly supports testing of procedure 10.2.4 through configuration to audit all denied access requests.

Vormetric directly supports testing of procedure 10.2.6 by logging the initialization of Vormetric logs.

Vormetric directly supports testing of procedure 10.2.7 by logging all custodian activity.

Vormetric directly supports testing of procedure 10.3.1 by generating audit entries that include the username and group membership.

Vormetric directly supports testing of procedure 10.3.2 by generating audit entries that include the type of event.

Vormetric directly supports testing of procedure 10.3.3 by generating audit entries that include the date and time.

Vormetric directly supports testing of procedure 10.3.4 by generating audit entries that include a success or failure indication. In the case of a permitted action, the event data also includes whether the access was to clear text or to encrypted data.

Vormetric directly supports testing of procedure 10.3.5 by generating audit entries that note the origination of the event.

Vormetric directly supports testing of procedure 10.3.6 by generating audit entries that include the host and the full path to the file that was the target of the access request.
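As an added illustration of the policy model described under 7.1.4, 7.2.X and 7.2.3 together with the audit fields listed for 10.3.1 through 10.3.6 (example code, not Vormetric’s): a deny-all-default evaluator over user, process, path and hour that releases cleartext only to the authorized application, gives backup and root ciphertext-only access, and emits an audit record for every decision. The users, process names, paths, rule effects and record layout are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Rule effects mirroring the rights the page describes (constructed names):
# decrypt for need-to-know readers, release ciphertext only (backup, admins), or deny.
CLEAR, CIPHER, DENY = "decrypt", "ciphertext_only", "deny"

@dataclass(frozen=True)
class Rule:
    users: frozenset      # authorized users; "*" matches anyone
    processes: frozenset  # authorized processes; "*" matches anything
    path_prefix: str      # location of the protected data on the host
    hours: range          # permitted hours of day
    effect: str

def evaluate(rules, user, process, path, when):
    """First matching rule wins; no match means deny (the deny-all default)."""
    for r in rules:
        if (("*" in r.users or user in r.users)
                and ("*" in r.processes or process in r.processes)
                and path.startswith(r.path_prefix) and when.hour in r.hours):
            return r.effect
    return DENY

def audit_entry(host, user, process, path, when, effect):
    """One audit record carrying the fields 10.3.1 through 10.3.6 call for."""
    return {"user": user,                                            # 10.3.1
            "event": f"open:{process}",                              # 10.3.2
            "time": when.isoformat(timespec="seconds"),              # 10.3.3
            "result": "denied" if effect == DENY else "permitted",   # 10.3.4
            "form": {CLEAR: "cleartext", CIPHER: "encrypted"}.get(effect),
            "origin": f"{user}@{host}",                              # 10.3.5
            "target": f"{host}:{path}"}                              # 10.3.6

# Constructed policy for a PAN store under /var/lib/pan/ (not a real Vormetric policy).
RULES = [
    Rule(frozenset({"payapp"}), frozenset({"payd"}), "/var/lib/pan/", range(0, 24), CLEAR),
    Rule(frozenset({"backup"}), frozenset({"tar"}), "/var/lib/pan/", range(1, 5), CIPHER),
    Rule(frozenset({"root"}), frozenset({"*"}), "/var/lib/pan/", range(0, 24), CIPHER),
]

def at(hour):
    """Constructed timestamp on a fixed day, used for the sample requests."""
    return datetime(2013, 5, 1, hour, 0)

def decide(user, process, path, when, host="db01"):
    """Evaluate one request against RULES and return (effect, audit record)."""
    effect = evaluate(RULES, user, process, path, when)
    return effect, audit_entry(host, user, process, path, when, effect)
```

A request such as `decide("root", "cat", "/var/lib/pan/cards.db", at(14))` is permitted but logged as encrypted-form access, while a user with no rule, or the backup account outside its window, falls through to the deny-all default and is logged as denied.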

Vormetric directly supports testing of procedure 10.4.1 through synchronization with an NTP server.

Vormetric directly supports testing of procedure 10.5.1 by limiting the viewing of audit trails to those individuals with job-related need.

Vormetric directly supports testing of procedure 10.5.2 by ensuring that audit trails cannot be modified while they reside on the Vormetric Data Security Manager. If log and audit files are sent to a centralized log server, this external log repository can be protected and safeguarded with Vormetric encryption and access control.

Vormetric directly supports testing of procedure 10.5.3 by providing an extensive set of log and audit capabilities to track and monitor access to cardholder data. These files can be sent to a customer’s centralized log server or event management solution via syslog. In addition, this external log repository can be protected and safeguarded with the Vormetric solution.

Vormetric directly supports testing of procedure 10.5.5 by ensuring log files cannot be modified while they reside on the Vormetric Data Security Manager. Further, customers may use the Vormetric solution to block or monitor changes to log files and other audit trails.

Vormetric augments testing of procedure 10.6 by generating log reports for monitoring of daily activity.

Requirement 11: Regularly test security systems and processes.

Controls addressed: 11.5

Vormetric meets or augments the following specific controls:

Vormetric augments testing of procedure 11.5 by generating audit information on unintended direct access to card data; it can also be configured to generate alerts.

Requirement 12: Maintain a policy that addresses information security for all personnel.

N/A No controls in this PCI requirement are addressed by the Vormetric solution.

Requirement A.1: Shared hosting providers must protect the cardholder data environment

N/A No controls in this PCI requirement are addressed by the Vormetric solution.


Acknowledgements:

VMware would like to recognize the efforts of the VMware Center for Policy & Compliance, VMware Partner Alliance, and the numerous VMware teams that contributed to this paper and to the establishment of the VMware Compliance Program. VMware would also like to recognize the Coalfire VMware Team (www.coalfire.com/Partners/VMware) for their industry guidance. Coalfire, a leading PCI QSA firm, provided PCI guidance and control interpretation aligned to PCI DSS v. 2.0 and the Reference Architecture described herein.

The information provided by Coalfire and contained in this document is for educational and informational purposes only. Coalfire makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein.

About Coalfire

Coalfire is a leading, independent information technology Governance, Risk and Compliance (IT GRC) firm that provides IT audit, risk assessment and compliance management solutions. Founded in 2001, Coalfire has offices in Dallas, Denver, Los Angeles, New York, San Francisco, Seattle and Washington, D.C., and completes thousands of projects annually in retail, financial services, healthcare, government and utilities. Coalfire has developed a new generation of cloud-based IT GRC tools under the Navis® brand that clients use to efficiently manage IT controls and keep pace with rapidly changing regulations and best practices. Coalfire’s solutions are adapted to requirements under emerging data privacy legislation, the PCI DSS, GLBA, FFIEC, HIPAA/HITECH, NERC CIP, Sarbanes-Oxley and FISMA/FedRAMP.

For more information, visit www.coalfire.com.