Hytrust VM
Hytrust VM
Hytrust VM
Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security
TOC
Contents
Virtualization in PCI DSS 2.0 PCI Requirements and Controls that are reported upon Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Conclusion 3 6
8 9
10
11
12
13 14
15 16
Impact/Need
HyTrust Virtual Security Appliance Automated hypervisor hardening and monitoring Physical access restriction with root password vaulting Two-factor authentication Separation of duties, version monitoring and complete log of activities for all hypervisor management channels
Hypervisor & components Hardens VMs to reduce the must be hardened risk of attacks from VMs to Restrict physical access the hypervisor Security patches applied ASAP Multi-factor authentication for admin functions Enforce separation of duties Logging and monitoring of hypervisor environment system events No change from physical servers; no impact Requires role-based access control (RBAC) Roles based access control supported for all Deep Security Administrative functions IDS/IPS supports firewall and VLAN controls by providing visibility into inter-VM traffic
Provides Role Based, Object based and Category based access control for least privilege access Logical partitioning of shared infrastructure per port-group and per host provides the isolation required to support mixed-mode VM deployments VMs that do not meet policy cannot be powered on Restricts what snapshots can be taken
In order for in-scope and out-of-scope VMs to co-exist on the same hypervisor the VMs must be isolated from each other Access to dormant VMs or snapshots should be restricted Ensure that only authorized VMs are added and removed Recognize that VMs are dynamic and state cannot be assumed
Deep Securitys Agentless solution provides continuous and automated protection for existing and new VMs. Even VMs that have been paused or dormant are automatically protected using the latest protection eliminating the possibility of security gaps.
Traditional tools do not monitor inter-VM traffic Virtualization specific tools are still immature compared to their physical counterparts
VM specific IDS/IPS protection provides visibility into inter-VM traffic Integrity Monitoring provides visibility into unauthorized changes to guest-VMs Log Inspection provides visibility into security events occurring to guest-VMs
Monitors the operations with virtual machines and the stack Monitors hypervisor configuration
Information leakage
IDS/IPS provides visibility Provides separation into inter-VM traffic of duties and need to Integrity Monitoring know mechanism for provides visibility into the authorized users of unauthorized changes to virtualization guest-VMs Log Inspection provides visibility into security events occurring to guest-VMs Automated discovery of the infrastructure and proactive enforcement of policies
Defense in depth
Traditional security New VMs automatically appliances cannot protect protected with a default virtualized environments security profile Traditional software Four protection based security products technologies (AV, IDS/ can impact performance IPS, Integrity Monitoring, and functionality Log Inspection) in dynamic VM integrated into a single environments comprehensive solution designed specifically for virtualized environments No gap in the protection of dormant VMs brought back online Protection for physical, server VMs, VDI, hybrid cloud and public cloud
VM Hardening
Harden VMs (OS & Apps) by disabling unnecessary services, ports, interfaces, and devices Send logs off-board in near real-time Establish limits on VM resource usage
New VMs automatically protected with a default security profile No gap in the protection of dormant VMs brought back online IDS/IPS shields unpatched vulnerabilities from attack Integrity Monitoring provides visibility into unauthorized changes to guest-VMs in real-time Log Inspection provides visibility into security events occurring to guest-VMs & forwards in real-time Protects VMs regardless of their state or location Can protect VMs in enterprise, hybrid cloud and public cloud environments Makes per-tenant infrastructure logs available
Cloud Computing
Cloud service provider must provide sufficient assurance that the scope of PCI compliance is sufficient Cloud service provider must provide the means for the customer to audit the environment Customer is required to provide additional necessary controls
Virtualization Considerations
Examine multiple virtual layers. Use specialized solutions to monitor and restrict traffic. Ensure roles and responsibilities are assigned and enforced correctly. Be aware of dynamic network boundaries. Do not locate trusted and untrusted systems on the same hypervisor.
1. 2. 3. 4. 5. 6.
Firewall Active Firewall rules assigned Number of firewall events Intrusion Detection active Intrusion Detection rules assigned Intrusion Detection mode
Describe your virtual firewall capabilities. Describe the process for determining where your solution places virtual firewalls in the network system. How does your solution enforce infrastructure segmentation based on policies? Does your solution provide protection from VM escape or VM hopping? Does your solution provide cardholder data protection on the network packet level, for example, how does it discriminate against inappropriate and/or malicious traffic using networking communications effective for the environment (e.g., if bridging is used instead of routing). How does your solution prevent tampering with and/or disabling virtual firewalls? Describe how your solution prevents the accidental or non-authorized act of turning power off on servers running virtual firewalls? How does your solution integrate with legacy firewalls and firewall management systems? Provide details of your role-based management capability for virtual firewalls.
Requirement 2: Do not use vendor-supplied defaults for system pass words and other security parameters
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Trying default passwords is the easiest way for hackers to access your cardholder data environment. Some vulnerability management tools can spot the use of default passwords, but their capability may stop with virtual environments where entire networks of virtual machines are hidden from legacy solutions. The use of virtualization in the cardholder data environment also requires password controls for hypervisor and virtual infrastructure management utilities.
Virtualization Considerations
Use specialized hardening standards and methods across all virtualization layers. Be aware of security parameters specific to virtualization technology. Be aware of out of band non-console access to virtualized elements such as individual VMs, appliances and other hosted components and additional risk introduced by the new virtual components.
Best practice questions to ask for Requirement 2: What is reported on by the solution
1. Hosts with remote root login enabled 2. Number of controls for all host configurations 3. Number of configuration scans 4. Remediation mode 5. Number of rules configured for VMConsole access
Describe how your solution provides root password vaulting to eliminate the need for our administrators to know root passwords. How does your solution support the implementation and assurance of a secure configuration baseline for the hypervisor hosts? Describe how your solution uses industry best practices to govern how it hardens hosts and VM containers. How does your solution monitor configuration drift in the hardening posture of any virtual device? Explain the automation processes controlling remediation of non-compliant hosts. Requirement 2.2.1 notes: Where virtualization technologies are in use, implement only one primary function per virtual system component. Does your solution comply with this requirement? If not, explain how your solution will comply as a Compensating Control.
Virtualization Considerations
Be aware of the dormant and off-line VMs, VM snapshots, and cached memory images that may maintain critical data. Separate logical access to encrypted files and protect privileged accounts that may expose cryptographic keys. Do not store the keys on the same hypervisor as encrypted data. Do not virtualized key management functions. Be aware that encryption may be applied against multiple virtualization layers.
1. Integrity Monitoring active 2. Integrity Monitoring real time 3. Integrity Monitoring rules assigned
How does your solution address the problem of remnants of stored cardholder data on virtual resources? For example, memory that was previously stored only as volatile memory can, in virtual systems, be written to disk as stored by taking snapshots of systems. Describe how your solution knows that there are no remnants of stored data in virtual systems. How does your solution protect data exposed on internal networks, such as memory data transmitted during VMotion or on the connections to distributed storage such as NFS. How are cardholder data in virtual memory resources and other shared virtual resources protected from unauthorized access? Describe how your solution prevents unauthorized snapshotting of VMs in the cardholder data environment. Explain how your solution ensures deletion of cardholder data stored on virtual systems that are powered off.
Virtualization Considerations
Multiple anti-malware protection mechanisms may be required to protect guests and hypervisors. Ensure that the selected anti-virus mechanism does not interfere with virtualization function and provides adequate protection.
Best practice questions to ask for Requirement 5: What is reported on by the solution
How does your solution distinguish whether virtual system components in the cardholder data environment are commonly affected by viruses and other malware, or if they are not susceptible to those risks? How does your solution identify virtual systems that have changed configurations, and require an anti-virus software or signature update? Describe how your solution ensures that anti-virus software on virtual system components in the cardholder data environment is properly configured and running the most recent version of software and signatures? What process does your solution follow for distributing patches to virtual system components? How does your solution protect VM management servers in the cardholder data environment? How will implementing your solution for updating anti-virus software or programs affect performance of our virtual infrastructure?
10
Patching may require specialized tools to address multiple virtualization layers and stack elements. Development/test systems and data could be inadvertently moved to production.
1. Integrity Monitoring active 2. Integrity Monitoring real time 3. Integrity Monitoring rules assigned
How does your solution address the problem of VM Sprawl, which is creating more VMs than are necessary? Specify how your solution controls the building, copying, placement, and deletion of virtual images in the cardholder data environment? Explain how your solution controls who can power off VMs, move VMs to different hosts, and connect VMs to different networks. How does your solution support backup up of cardholder data in virtual systems? Describe how your solution supports the virtual systems component of disaster recovery and business continuity.
11
Virtualization Considerations
Access controls and least privilege principle need to be implemented across multiple layers. Use specialized tools for effective and granular assignment of privileges including access to individual hosted components.
1. Number of rules for access 2. Number of users with access 3. Number of attempted policy violations 4. Number of users with access not subject to zone restriction 5. Number of users with SuperAdmin access 6. RSA configuration report 7. Root password vaulting configuration
How does your solution limit access to virtual system components and cardholder data only to those individuals whose job requires such access? Describe access controls provided by your solution for each virtual system component. Are they set to deny all unless specifically allowed? Detail the multi-factor authentication capability provided by your solution. Explain how your solutions access controls operate for different security zones in the virtual cardholder data environment. Specify granular capabilities for role-based and workload-based access and management. How does your solution control access by authorized administrators such that none are able to log into virtual systems as administrator or root? How does your solution enforce separation of duties for access to virtual servers as opposed to virtual networks? Ditto for separating virtual backup administration from management of virtual servers and management of virtual networks. Explain how your solution controls access to hypervisor management, particularly for restricting local access for administrators to hypervisor management via centralized console access only. Describe logging capabilities for every administrative access attempt (whether allowed or denied).
12
Virtualization Considerations
Unique IDs and secure authentication is required across multiple layers. Additional access controls and specialized tools may be required due to high impact of unauthorized hypervisor access. Dormant VMs and snapshots also need to be under access control.
How does your solution assign all users a unique user name before allowing them access to virtual system components or cardholder data? Specify the directory service used by your solution for authenticating administrator and user access to virtual systems in the cardholder data environment. What directory service is used when a virtual cardholder data environment is hosted by a cloud provider as opposed to a private cloud hosted on our in-house resources? Describe how your solution stores privileged account (root) passwords for all protected virtual hosts. Are these passwords perpetual or granted on a temporary basis to one individual at a time? Describe the multi-factor authentication used by your solution, and its integration capabilities with AD, RSA SecurID, and Smart Card.
13
Virtualization Considerations
Physical access to a single hypervisor is equivalent to physical access to all the virtualized components running on it. Additionally, dormant components and backup need to be under physical access protection and monitoring.
Describe how controls in your solution prevent access from a hypervisor to root passwords stored in the virtual cardholder data environments Identity and Access Management system.
14
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data.
Legacy network security systems are unable to track asset and infrastructure access events between virtualized components residing within individual hypervisor nodes. This will result in a critical visibility gap across the virtual data center. Legacy audit systems do not provide fine grained auditing and controls for hypervisor management events, nor do they support virtual system forensics. Traditional application and system logs must be securely maintained for the virtual cardholder data environment.
Virtualization Considerations
Logging mechanisms specific to the virtualization technology may be required to reconstruct the events required by PCI DSS Requirement 10.2. Specific system functions, API, objects and logs may be different for different technologies. Specialized tools may be required to capture and correlate audit log data. It may be difficult to capture, correlate or review logs in cloud-based deployments.
1. 2. 3. 4. 5. 6.
Log configuration report Hypervisor level access Attempted policy violations VMConsole access Number of obfuscated operations Number of time affecting operations 7. Number of unique IP address used for access
Describe how your solution logs all access to virtual systems in the cardholder data environment especially administrative access. Detail the types of data captured in logs, such as user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, virtual system component or resource. What types of automated audit trails are created by your solution? Examples include all individual user accesses to cardholder data; all actions by any individual with root or administrative privileges to virtual systems; access to all audit trails; invalid logical access attempts; use of identification and authentication mechanisms; initialization of audit logs; creation and deletion of system-level objects. Where does your solution store log records? Describe the security controls protecting log records from alteration or deletion. Describe the time synchronization technology used by your solution. How does your solution comply with the requirement to retain audit trail history for at least one year, and to provide at least three months of history for immediate analysis?
15
Conclusion
CONCLUSION
The Right Data at Your Fingertips Clear, Simple, Measurable Compliance
By combining data from two cutting-edge products for VMware environments, Trend Micros Deep Security and HyTrusts Security Virtual Appliance, we give the end user a tool that provides clear, simple and measurable compliance for PCI. In addition to providing detailed reports on critical compliance data, we score each area of compliance, then tally these scores to provide a high-level view on overall PCI compliance. This provides both the granular visibility into areas of compliance that need addressing, as well as a view of ongoing compliance status that makes reporting to execs a snap.
2011 HyTrust, Inc. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of HYTRUST, Inc. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. HYTRUST, Inc. may make improvements in or changes to the software described in this document at any time. HyTrust, the HyTrust logo, and Virtualization Under Control are trademarks or registered trademarks of HYTRUST, Inc. or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. Part Number: WP-012-001
16