PCI COMPLIANCE
Streamline PCI Compliance With Next-generation Security
How Palo Alto Networks Enterprise Security Platform Enables Unparalleled Network Segmentation and Protection of Cardholder Data.
Palo Alto Networks | White Paper
Table of Contents
I. Executive Summary
II. Fundamental Challenges with PCI Compliance
III. Getting the Most Out of a Network Segmentation Solution
IV. The Palo Alto Networks Enterprise Security Platform
V. Delivering Robust Network Segmentation
VI. Meeting and Exceeding Multiple Requirements
VII. Providing Next-Generation Protection and Prevention
VIII. Conclusion
IX. Appendix 1: PCI Security Requirements Supported by the Palo Alto Networks Enterprise Security Platform
I. EXECUTIVE SUMMARY
Establishing, maintaining, and demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a necessity for “… all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).”[1] With approximately three hundred individual requirements to address, organizations subject to the standard have their work cut out for them.
The Palo Alto Networks® enterprise security platform—with our market-leading next generation firewall (NGFW) at
its core—supports PCI compliance in three ways:
• By providing an incomparably robust set of capabilities for segmenting off one’s cardholder data
environment (CDE) and effectively reducing the scope of all related compliance activities;
• By enabling security and compliance teams to simultaneously satisfy numerous individual requirements
with a single, tightly integrated solution; and,
• By going above and beyond the minimum requirements to not only provide more effective protection
against today’s threats, but also deliver a future-proof solution capable of meeting PCI DSS requirements
even as they continue to evolve.
Organizations that leverage the Palo Alto Networks enterprise security platform to reduce their total cost of
PCI compliance also benefit from being able to: maintain complete visibility and tight control over the use of
applications, especially those critical to running their business; confidently pursue new technology initiatives; and
thoroughly protect the organization from the most basic to sophisticated cyber attacks.
II. FUNDAMENTAL CHALLENGES WITH PCI COMPLIANCE
With global losses from payment card fraud exceeding $16.31 billion in 2014, the need for the PCI DSS has never been more apparent.[2] According to a poll in the Wall Street Journal, 45% of Americans say they or a household member have been notified by a card issuer, financial institution, or retailer that their credit card information had possibly been stolen as part of a data breach.[3]
Offsetting the value of the PCI security standards, however, are a handful of related challenges. These include the substantial amount of effort and investment required to achieve compliance in the first place, along with the unfortunate reality that being compliant does not necessarily translate into an organization being adequately defended from advanced cyber attacks.
PCI Compliance Is a Baseline
“Our viewpoint has always been that the PCI DSS is a
baseline, an industry-wide minimum acceptable standard,
not the pinnacle of payment card security. [...] A PCI DSS
assessment can uncover important security gaps that should
be fixed, but it is no guarantee that your customer’s data and
your reputation are safe. Of all the data breaches that our
forensics team has investigated over the last 10 years, not a
single company has been found to be compliant at the time
of the breach — this underscores the importance of PCI DSS
compliance.”
- Verizon 2015 PCI Compliance Report
Substantial Effort Required
For all system components included in or connected to the CDE, organizations must comply with more than
three hundred requirements. It is in every organization’s best interest, therefore, to take advantage of network
segmentation provisions stated in the PCI DSS to effectively isolate their CDE and thereby shrink the amount of
infrastructure that is considered in scope. Doing so not only decreases the cost and complexity of PCI compliance
in several predictable ways, but also has the potential to deliver additional operational and security benefits. For
example, when armed with an appropriate solution, organizations can use network segmentation to:
• Reduce both the number of system components that must be brought into compliance in the first place
and any derivative impact doing so might have (such as the need to re-architect portions of the network or
re-design certain applications and systems)
• Reduce the number of system components that must be maintained in compliance, both on a regular basis
and whenever the PCI requirements are updated
• Reduce the number of system components and processes that must be periodically audited to
demonstrate compliance
• Reduce and simplify management of the policies, access control, and threat prevention rules that apply to
the CDE
1. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
2. http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf
3. Source: Poll Shows Broad Impact of Cyberattacks, Wall Street Journal, December 2014, http://www.verizonenterprise.com/pcireport/2014
• Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations
• Greatly improve the organization’s ability to contain and limit the spread of threats
[Figure 1, left panel (diagram): Non-segmented network using ACLs. Development servers, infrastructure servers, finance users, end-user workstations, and cardholder servers all sit on one flat network connected to the WAN and Internet.]
• All servers and associated traffic may fall within the scope of PCI audit
[Figure 1, right panel (diagram): Segmented network with Palo Alto Networks isolates cardholder data. The cardholder servers sit in a dedicated PCI Zone behind the Palo Alto Networks firewall, separated from development servers, infrastructure servers, and end-user workstations.]
• Access to PCI Zone is limited to finance users based on User-ID (i.e. Active Directory security groups) and App-ID (i.e. limit internal and Internet applications).
• Scope of PCI audit is reduced to cardholder segment and finance users
Figure 1: Comparison of flat vs segmented network.
Segmentation-based Scope Reduction Only Goes So Far
Leveraging the best practice of network segmentation to reduce the amount of infrastructure subject to DSS requirements will only get an organization so far. For the CDE that remains, it is still necessary to address more than three hundred requirements. The challenge of successfully navigating this process is sharply revealed by the Verizon finding that only 11.1 percent of organizations were determined to be fully compliant at the time of their baseline assessments.[4]
Need Better Firewalls
“One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. […] Their ability to monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly sophisticated threats make next-generation firewalls a must-have.”
- Verizon 2015 PCI Compliance Report
Attempting to comply with all three hundred requirements by tackling them one at a time is impractical and will result in unnecessary costs and complexity. It is also unwise from a security perspective, as this might result in a highly fragmented security architecture where there is substantial potential for significant events to “slip through the cracks.”
Although no single vendor/solution can deliver complete compliance, organizations would be well served by solutions and processes that allow them to simultaneously address multiple requirements, ideally in a tightly integrated manner.
Compliance is Necessary, but Not Sufficient
By its own admission, the PCI DSS provides “a baseline of technical and operational requirements” for protecting cardholder data. Not only do the specified countermeasures represent a minimum standard of due care, but also—as a result of the now 3-year period between revisions—they often lag behind significant changes to the technology and threat landscapes.
One self-acknowledged example of this situation is provided by the requirement (5.1) to “deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).” In this case, the DSS explicitly mentions the consideration of “additional anti-malware solutions … as a supplement to the anti-virus software”—presumably in recognition of the poor track record such software has at stopping modern, polymorphic malware and zero-day exploits.
4. http://www.verizonenterprise.com/pcireport/2014
A second example comes from the requirement (1.3.6) to “implement stateful inspection” technology as part of the solution to “prohibit direct public access between the Internet and any system component in the cardholder data environment.” Verizon’s commentary on this requirement says it all: “The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering ‘next generation’ firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.”[5]
Specific examples aside, the key point to realize here is that it’s typically necessary—if not imperative—for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern/emerging threats and more closely aligns with their organization’s tolerance for risk.
III. GETTING THE MOST OUT OF A NETWORK SEGMENTATION SOLUTION
A derivative challenge is that of selecting an ideal solution for network segmentation. Although the PCI
DSS mentions the possibility of using “a number of physical or logical means, such as properly configured
internal network firewalls, routers with strong access control lists, or other technologies that restrict access
to a particular segment of the network,” not all options are created equal. In fact, many of these traditional
alternatives fail to meet the qualifying statement that a proper segmentation solution should be able to keep
compromised out-of-scope components from impacting the security of the CDE.
One major problem is the lack of granularity with which traditional solutions enforce access control. Because
many modern applications can share the same network level attributes, relying solely on ports, protocols, and
IP addresses for access control results in network segmentation that is too loose—that allows far too much
unwanted and unauthorized traffic to pass through. A second issue is that many of these solutions provide no
means to scan allowed traffic for embedded threats and, as a result, simply allow them to “come along for the
ride” with authorized applications.
In addition, attempts to fix these legacy products have largely failed. Bolting-on deep packet inspection
technology doesn’t work because the resulting solution still depends on port/protocol attributes for the
initial classification and disposition of all traffic. And deploying separate firewall “helper products,” many of
which exhibit the same shortcoming, often yields only incremental gains in exchange for considerably greater
infrastructure complexity, latency, cost of ownership, and effort required to establish proof of compliance and
generate related reports.
For maximum effectiveness with minimum impact and cost, what organizations require instead is a network
segmentation solution that simultaneously provides:
• true, least privileges access control;
• prevention for both known and unknown threats;
• full, in-depth traffic inspection without performance degradation;
• flexible deployment options that minimize the need for network architecture changes; and,
• simple, straightforward proof of policy controls.
[Figure 2 (diagram): application labels such as SQLIA and “EMR, Dev Tools, Trading Apps” shown alongside users and content under policy control.]
Figure 2: Applications, users and content—all under your control
5. http://www.verizonenterprise.com/pcireport/2014
IV. THE PALO ALTO NETWORKS ENTERPRISE SECURITY PLATFORM
Unlike traditional solutions, the Palo Alto Networks enterprise security platform natively classifies all traffic,
regardless of port, protocol, or encryption. This complete visibility into network activity allows customers to
substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and
quickly discover and protect against unknown threats using the WildFire™ cloud-based sandbox analysis service.
Next-generation endpoint security capable of stopping unknown threats and automated coordination among the
natively integrated solution components complete the picture. The net result is a truly innovative platform that
delivers maximum protection for an organization’s entire computing environment while greatly reducing the need for
costly human intervention and remediation.
[Figure 3 (diagram): the Next-Generation Threat Intelligence Cloud, Next-Generation Firewall, and Next-Generation Endpoint, labelled as natively integrated, automated, and extensible across network, endpoint, and cloud.]
Figure 3: Palo Alto Networks enterprise security platform.
More importantly, at least with regard to PCI compliance, the Palo Alto Networks platform simultaneously delivers
unparalleled network segmentation capabilities, coverage for multiple PCI requirements, and a level of protection
for cardholder data that goes well beyond the baseline capabilities specified in the PCI DSS.
V. DELIVERING ROBUST NETWORK SEGMENTATION
The Palo Alto Networks platform uniquely ensures maximum isolation of an organization’s cardholder data
environment with a robust set of natively integrated security capabilities, including:
• Control of all traffic at the application level: At the heart of our platform, innovative App-ID™ technology
accurately identifies and classifies all traffic by its corresponding application, regardless of ports and
protocols, evasive tactics such as port hopping, or encryption. In highly sensitive or specialized zones of the
network like the CDE, this provides the best possible control by allowing security administrators to deny all
traffic except the few applications that are explicitly legitimate.
• Definitive, least privileges access control. Along with App-ID, User-ID™ and Content-ID™ enable
organizations to tightly control access to the CDE based on an extensive range of business-relevant
attributes, including the specific application and individual functions being used, the actual identity of
individual users and groups, and the specific elements of data being accessed (e.g., credit card or social
security numbers). The result is a definitive implementation of least privileges access control where
administrators can create straightforward security rules to allow only the absolute minimum, legitimate
traffic in the zone while automatically denying everything else.
• Advanced threat protection. A combination of anti-virus/malware, intrusion prevention, and advanced
threat prevention technologies (Content-ID and WildFire) filter all allowed traffic for both known and
unknown threats.
• Flexible data filtering. Administrators can allow necessary applications yet still block unwanted file transfer functionality, block unwanted file types, and control the transfer of sensitive data, such as credit card numbers or custom data patterns in application content or attachments.
VI. MEETING AND EXCEEDING MULTIPLE REQUIREMENTS
Reducing the scope of compliance with effective network segmentation is only one way the Palo Alto Networks
enterprise security platform supports organizations in their efforts to achieve PCI compliance. As detailed below
and in Appendix 1, it also helps by addressing many of the individual requirements specified in the DSS.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
The Palo Alto Networks enterprise security platform directly satisfies several sub-requirements in this section,
while helping with many others. Select sub-requirements and how they are addressed include:
• 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment,
and specifically deny all other traffic. Definitive, least privileges access control.
• 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data
environment. Robust network segmentation deployed in a DMZ configuration. Notably, this requirement is
not specifying the need for proxy based gateways; only that connections to the Internet be intermediated by
a DMZ.
• 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Definitive, least privileges access control and flexible data filtering.
• 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. Our next generation firewall
not only meets the requirement for stateful inspection by only allowing “established” connections into the
network; it also exceeds the requirement by providing far more granular control than port-based inspection
firewalls over which connections get established in the first place.
Figure 4: Policy example that isolates and protects cardholder data.
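The following Python model is an added illustration, not code from the white paper or from Palo Alto Networks, of the point made in Figure 1 and sub-requirements 1.2.1, 1.3.5 and 10.1: a port/IP-based ACL in front of the cardholder segment passes anything on the permitted port, while a default-deny policy keyed on zone, user group and application admits only the minimum legitimate traffic and logs the user identity. All zones, users, groups, application names and addresses are constructed for the example.

```python
"""Port/IP ACL versus zone-, user- and application-aware segmentation policy.

Constructed example: the zone names, users, groups, application labels and
addresses are illustrative only, not vendor identifiers or real customer data.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str
    dst_zone: str
    dst_port: int
    app: str            # application as classified from content, not inferred from the port
    user: str
    groups: frozenset = frozenset()


# --- Legacy approach: router ACL keyed on source subnet and destination port -----
def acl_allows(flow: Flow) -> bool:
    """Constructed port/IP ACL: finance subnet 10.1.0.0/24 may reach TCP/443 in the
    PCI zone, and CDE hosts (10.9.0.0/24) may go anywhere outbound. The ACL cannot
    see which application rides on 443 or which user is behind the address."""
    inbound_443 = (flow.dst_zone == "pci" and flow.src_ip.startswith("10.1.0.")
                   and flow.dst_port == 443)
    cde_outbound = flow.src_ip.startswith("10.9.0.") and flow.dst_zone != "pci"
    return inbound_443 or cde_outbound


# --- Segmented approach: explicit allow rules, implicit deny for everything else ---
@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    groups: frozenset   # at least one of the user's groups must match
    apps: frozenset     # the classified application must match


SEGMENTATION_POLICY = [
    # Finance users may use the payment application in the PCI zone, nothing else (1.2.1).
    Rule("allow-finance-payment-app", "users", "pci",
         frozenset({"finance"}), frozenset({"payment-portal"})),
    # No rule permits pci -> internet, so the implicit deny below enforces 1.3.5.
]


def evaluate(flow: Flow) -> tuple[str, dict]:
    """First-match evaluation. Returns the verdict plus an audit record keyed on the
    user's identity rather than only the IP address (10.1)."""
    verdict, rule_name = "deny", "implicit-deny-all"
    for rule in SEGMENTATION_POLICY:
        if (flow.src_zone == rule.src_zone and flow.dst_zone == rule.dst_zone
                and flow.groups & rule.groups and flow.app in rule.apps):
            verdict, rule_name = "allow", rule.name
            break
    record = {"user": flow.user, "src": flow.src_ip, "to": flow.dst_zone,
              "app": flow.app, "rule": rule_name, "action": verdict}
    return verdict, record


# Constructed sample flows exercising the cases the text describes.
SAMPLE_FLOWS = {
    "finance_payment": Flow("10.1.0.20", "users", "pci", 443, "payment-portal",
                            "alice", frozenset({"finance"})),
    # Same subnet and port, but a file-sharing application tunnelled over 443.
    "finance_filesharing": Flow("10.1.0.20", "users", "pci", 443, "file-sharing",
                                "alice", frozenset({"finance"})),
    # Developer workstation on the finance subnet: right port, wrong group.
    "dev_on_finance_subnet": Flow("10.1.0.99", "users", "pci", 443, "payment-portal",
                                  "bob", frozenset({"developers"})),
    # CDE server initiating a connection to the Internet (1.3.5).
    "cde_outbound": Flow("10.9.0.5", "pci", "internet", 443, "web-browsing",
                         "svc-card", frozenset()),
}


def compare(flows: dict = SAMPLE_FLOWS) -> dict:
    """Return {flow name: (ACL verdict, segmentation-policy verdict)} for each flow."""
    results = {}
    for name, flow in flows.items():
        acl = "allow" if acl_allows(flow) else "deny"
        seg, _ = evaluate(flow)
        results[name] = (acl, seg)
    return results


if __name__ == "__main__":
    for name, (acl, seg) in compare().items():
        print(f"{name:24} ACL={acl:5}  segmentation={seg}")
```

Only the first flow is legitimate; the ACL passes three of the four, the segmentation policy passes exactly one and records who generated it.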
Requirement 3: Protect stored cardholder data
This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is
appropriately masked and encrypted. Despite rigorous encryption techniques, the cardholder data must often
exist in an unencrypted state in memory, which has become a frequent point of attack. Furthermore, encryption
keys must be properly protected, which poses challenges for many businesses. Not only do businesses need to
store, protect, back up and track keys, they must also deal with interoperability issues, a lack of management
standards, and multiple locations where encryption is employed, whether endpoint devices, databases, or
storage systems. Given these management challenges, encryption alone may be sufficient to meet compliance
requirements, but often does not provide adequate security for cardholder data.
Compromising the storage and distribution of encryption keys or making unauthorized key substitutions places the organization at risk. Furthermore, encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. By preventing exploits and malware, businesses are in a better position to protect stored cardholder data and the related encryption keys. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Palo Alto Networks® Traps Advanced Endpoint Protection is an innovative endpoint protection technology that
prevents exploits and malware, both known and unknown. Because PCI DSS was established before advanced
endpoint protection technology existed, the standard still calls for outdated antivirus scanning techniques without
any ability to prevent unknown exploits.
Despite this fact, companies focused on not only compliance, but also strong security posture are finding that
Traps can be employed as a highly effective compensating control that not only meets, but also exceeds, the
original PCI DSS requirement, resulting in a much stronger security and compliance posture. For example, prior to
Traps technology, patching was the only way to ensure protection from known vulnerabilities and there was no
reliable method to protect systems from unknown vulnerabilities or those with no available patch. The availability
of Traps allows PCI system operators to significantly enhance security and exceed PCI DSS requirements by not
only eliminating known vulnerabilities, but also protecting systems from exploitation of unknown vulnerabilities.
Some Palo Alto Networks customers reported that their PCI QSA approved the use of Traps as a compensating
control for unpatched / unpatchable systems.
Requirement 7: Restrict access to cardholder data by business need to know
Definitive, least privileges access control and support for an extensive collection of user authentication and
authorization mechanisms enables the Palo Alto Networks platform to address the heart of this requirement,
which is to “establish an access control system for systems components that restricts access based on a user’s
need to know, and is set to ‘deny all’ unless specifically allowed.”
Requirement 10: Track and monitor all access to network resources and cardholder data
Here is another example where the Palo Alto Networks enterprise security platform directly satisfies several sub-requirements, while helping with many others. Select sub-requirements and how they are addressed include:
• 10.1 Implement audit trails to link all access to system components to each individual user. User-ID ties all
network activities to specific user identities. Instead of meaningless IP addresses, actual identity information
also populates the reports regularly consumed by auditors for establishing PCI compliance.
• 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.
Native logging, reporting, and visualization capabilities support daily reviews, ad-hoc troubleshooting, and
detailed forensic analyses.
Requirement 11: Regularly test security systems and processes
Sub-requirement 11.4 is met by the native inclusion in the Palo Alto Networks security platform of an intrusion
prevention system (IPS) that organizations can employ to “detect and/or prevent intrusions into the network.”
Those security teams interested in going above and beyond the baseline specification also have the option of
taking advantage of WildFire to solidify their defenses against unknown malware, zero-day exploits, and Advanced
Persistent Threats (APTs).
VII. PROVIDING NEXT-GENERATION PROTECTION AND PREVENTION
Several examples have already been provided where the Palo Alto Networks platform goes above and beyond
PCI DSS requirements to deliver the greater levels of protection today’s organizations actually need, including:
• the core next generation firewall that enables definitive least privileges access control to actually block/deny
all users, applications, and content except that which is absolutely necessary within the CDE;
• advanced threat protection that extends coverage to account for elusive or unknown threats that attempt
lateral moves to propagate within the network; and,
• next generation endpoint security that compensates for the proven deficiencies of legacy anti-virus software.
Another way our solution delivers next-generation protection that exceeds the DSS’s baseline requirements
is by providing extensive information sharing and coordination among elements of the platform. For example,
new protections developed from WildFire’s real-time threat intelligence are automatically distributed to our
customer’s systems within as little as 30 minutes. The net result of natively integrated threat prevention
capabilities is a closed-loop architecture that delivers unparalleled threat response without the need for manual
and time-consuming interventions by an already overwhelmed security team.
Palo Alto Networks has also established strategic partnerships that augment its ability to address PCI DSS
requirements. For example, the Splunk App for Palo Alto Networks delivers customers cross-infrastructure
event correlation, threat analysis, and compliance reporting, while also providing a powerful set of supplemental
threat detection mechanisms. Relationships with AlgoSec, Tufin and other Network Configuration and Risk
Management vendors similarly yield a solution that goes above and beyond the basics by ensuring that security
teams are able to efficiently and effectively manage their firewall configurations and guarantee the integrity of
the corresponding rule sets.
Compliance Capabilities
[Figure 4 (table): for each PCI DSS requirement below, the figure marks which platform component (Next Gen FW, WildFire, Traps) provides supporting capabilities; the component marks are not reproduced here.]
PCI DSS REQUIREMENT
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel
Figure 4: Enterprise Security Platform PCI DSS Compliance Capabilities
VIII. CONCLUSION
No single vendor or solution can provide complete compliance with the Payment Card Industry Data Security
Standard. What organizations require instead is a thorough set of policies, processes, and practices—including
network segmentation—supported by an essential set of technological countermeasures to enforce them. In
this regard, the Palo Alto Networks enterprise security platform is an invaluable solution that delivers:
• definitive, least privileges access control and other essential security capabilities for effectively
segmenting off the cardholder data environment and thereby reducing the scope and cost of achieving PCI
DSS compliance;
• support for a considerable cross-section of the PCI DSS requirements; and,
• capabilities that go above and beyond the standard’s baseline specifications to more thoroughly protect
cardholder data—and the remainder of your organization’s computing environment—from the latest
generations of unknown malware and advanced threats.
For more information regarding the Palo Alto Networks enterprise security platform and its component technologies,
please visit: www.paloaltonetworks.com.
IX. APPENDIX 1: PCI SECURITY REQUIREMENTS SUPPORTED BY THE PALO ALTO NETWORKS
ENTERPRISE SECURITY PLATFORM
The Palo Alto Networks platform supports many of the three hundred individual requirements specified in the
PCI DSS, as itemized in the following table. All references made in this paper to specific requirements are based
on PCI DSS 3.1.
Columns: PCI DSS REQUIREMENT | SUPPORTED SUB-REQUIREMENTS | DESCRIPTION OF CAPABILITIES

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
Description of capabilities: The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least privileges access control (i.e., deny all applications, users, and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Supported sub-requirements: 2.3
Description of capabilities: The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the attack surface. These controls include changing vendor passwords; enabling only necessary services, protocols, daemons; and removing unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and web servers. For a relatively complex cardholder data environment, there are potentially thousands of instances in which unnecessary services, unnecessary functionality, and insecure services could operate. Traps provides an automated preventive control capability to reduce risks associated with threat vectors or attack points. The unique approach employed by Traps ensures that even if unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps will block the exploit technique and prevent any malicious activities from occurring. Insightful forensics evidence is collected to support incident response processes or further investigative activities. With Traps operating in the CDE, organizations can reduce their risk to a level more in line with the business’ risk tolerance position.

Requirement 3: Protect stored cardholder data
Supported sub-requirements: n/a
Description of capabilities: This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Description of capabilities: Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either a TLS or IPSec protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: n/a
Description of capabilities: The Palo Alto Networks enterprise security platform includes advanced endpoint protection that provides a much-needed complement to legacy anti-virus solutions that are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).

Requirement 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.6
Description of capabilities: As a fully application-aware solution, the Palo Alto Networks next-generation security platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.

Requirement 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Granular, policy-based control over applications, users, and content regardless of the user’s device or location enables organizations to implement definitive least privileges access control that truly limits access to cardholder data based on business need to know, with “deny all” for everything else. Tight integration with Active Directory and other identity stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job classification and function.

Requirement 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards.

Requirement 9: Restrict physical access to cardholder data
Supported sub-requirements: n/a
Description of capabilities: n/a

Requirement 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: The Palo Alto Networks enterprise security platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk).

Requirement 11: Regularly test security systems and processes
Supported sub-requirements: 11.4
Description of capabilities: The Palo Alto Networks enterprise security platform fully inspects all allowed communication sessions for threat identification and prevention. A single unified threat engine delivers intrusion prevention (IPS), stream-based antivirus prevention, and blocking of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying and working in conjunction with customer-premise components to prevent unknown and targeted malware and exploits. The net result is comprehensive protection from all types of threat in a single pass of traffic.

Requirement 12: Maintain a security policy that addresses information security for all personnel
Supported sub-requirements: n/a
Description of capabilities: n/a
4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
PCI-Compliance-Security-Platform-011916