Isolating the Cardholder Data Environment with Network Segmentation

In a recent post, we discussed many of the challenges with attesting to PCI DSS compliance, including a description of some of the factors that are often overlooked when defining the cardholder data environment (CDE). See “Common Misconceptions around the Payment Card Industry Data Security Standard (PCI DSS)” from our recent series of blogs on PCI DSS-related topics for more information.  This post will explain how network segmentation can help isolate the CDE and, as a result, reduce scope and the costs associated with managing the CDE.

The payment ecosystem comprises all systems and networks that store, process, and/or transmit cardholder data (CHD) as well as any system that can impact the security of the CDE. The easiest way to reduce the risk of a breach and to obtain and maintain compliance is to reduce the scope of compliance.

Regulatory and compliance requirements often drive which initiatives are prioritized and funded, but simply ‘checking the box’ to meet compliance shouldn’t be the objective. If an organization is handling sensitive cardholder data, then protecting the customers’ data, the organization’s reputation, and ultimately the bottom line should be the primary factors that drive priority and funding of projects. West Monroe believes that compliance should be the result of those efforts, not the objective.

Does the PCI DSS actually require network segmentation?

The short answer is no. Applying network segmentation or isolating the cardholder data environment from the remainder of an organization’s network is not an actual PCI DSS requirement.

However, limiting the scope of the CDE with isolation not only reduces an organization’s risk exposure, it also reduces the effort required to implement controls designed to meet other PCI DSS requirements. Understanding how to define the cardholder data environment and isolate it can have a significant impact on an organization’s ability to manage their CDE efficiently.

If it’s not a requirement, why bother?

The PCI DSS has over 230 requirements that all merchants must meet. Each of the systems that are in scope for compliance must address all 230+ requirements, which can be a daunting task. Understanding how to isolate the CDE from the rest of the network will help streamline the effort required and set you on a path towards successful compliance assessments.

While merchants and service providers may understand which systems store, process, or transmit cardholder data, many overlook the other systems that are connected and could impact the security of the CDE. Any system that has network connectivity to an in-scope PCI DSS system presents an attack vector and therefore a risk to that system.

Segmenting the CDE with VLANs or firewall rules may make it more difficult for an attacker to compromise the CDE, but if they are able to gain access to a server that monitors or provisions access to core systems in the CDE, the attacker can elevate their access and still gain access to cardholder data.  This is why it is important to understand the difference between segmentation and true isolation.

Truly isolating the CDE so that any supporting systems are not accessible by other networks accomplishes two primary objectives:

  1. Reduces the overall risk of cardholder data loss
  2. Reduces the cost associated with PCI DSS compliance

Maintaining a PCI DSS compliant environment comes with a price tag, so reducing the scope of the CDE avoids needing to apply security controls to systems that do not interact with CHD simply for the sake of compliance.  For example, things like multi-factor authentication (MFA), Identity and Access Management (IAM), File Integrity Monitoring (FIM), and software licensing costs for other security tools can require significant investment.

Sounds like a good idea; how do I get started?

There is more to isolation than merely adding a barrier between your internal organization and the outside world. A firewall may be part of the solution, but it alone is rarely the complete solution.  It also means segmentation within your internal operations and letting the Principle of Least Privilege be your guide.  In other words, it’s also about isolating the network and supporting processes from other areas within your organization.

To highlight the benefits that segmentation or isolation can have, let’s consider an example of a very basic CDE. We recognize that most networks have additional complexities to consider but the example below should help highlight the isolation principle as you begin defining your CDE. To begin, let’s look at a simple network diagram that demonstrates how segmentation with firewall rules alone does not necessarily reduce the scope of the CDE:


In this case, the CDE would be defined as the entire network.

  • Items in red above contain cardholder data.
  • Servers 1 & 2 are on the same VLAN as Servers 3 & 4; Systems 1 & 2 are on the same VLAN as Systems 3 & 4.
  • All systems are in scope because they are not isolated from systems that store, process, or transmit CHD.
    • Placing servers 3 & 4 behind a separate access switch alone does not remove them from scope. Without VLAN segmentation, they are still able to communicate with the systems containing CHD.

There are costs associated with applying the same PCI DSS controls to the systems and servers that do not contain CHD, so why not isolate them? It reduces risk exposure and is fiscally responsible.

Now let’s look at the same environment with isolation applied, reducing the scope of the CDE:


With strong access control lists (ACLs) in place, VLANs 10 & 20 are isolated and the CDE is reduced. Servers 3 & 4 and Systems 3 & 4 now reside in newly created VLANs 30 & 40 respectively.

  • Let’s assume that Server 2 is used for provisioning access to Systems 1 & 2 and Server 1 in this example. Therefore, Server 2 will remain in scope.
    • Although Server 2 does not contain CHD, it is still within the CDE and in scope for PCI DSS compliance.
    • There are ways to avoid having Server 2 included in the CDE. However, this level of isolation alone has cut the scope of the CDE in half.
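
As an added illustration (not part of the original post), the scoping rule used in the two scenarios above can be modeled in a few lines of Python. The VLAN numbers of the flat network, the choice of Server 1 and Systems 1 & 2 as the CHD hosts, and the permitted VLAN 10/20 flow are assumptions, since the diagrams are not reproduced here; the third case shows how a single extra permit rule pulls Servers 3 & 4 back into scope.

```python
# Added example: models the post's rule that a system is in scope when it holds
# CHD or is not isolated from a system that does. The layout, CHD hosts and ACL
# pairs below are assumptions reconstructed from the bullet points above.

def can_reach(vlan_a, vlan_b, permitted):
    """Hosts can communicate if they share a VLAN or an ACL permits the VLAN pair."""
    return vlan_a == vlan_b or frozenset((vlan_a, vlan_b)) in permitted

def pci_scope(host_vlan, chd_hosts, permitted):
    """Return the hosts that hold CHD or can reach a VLAN containing a CHD host."""
    chd_vlans = {host_vlan[h] for h in chd_hosts}
    return {
        host for host, vlan in host_vlan.items()
        if host in chd_hosts or any(can_reach(vlan, c, permitted) for c in chd_vlans)
    }

CHD = {"Server 1", "System 1", "System 2"}   # assumed: the items marked in red

# Before: all servers share one VLAN and all systems share another (numbers assumed).
FLAT = {**{f"Server {i}": 10 for i in range(1, 5)},
        **{f"System {i}": 20 for i in range(1, 5)}}

# After: Servers 3 & 4 moved to VLAN 30, Systems 3 & 4 moved to VLAN 40.
ISOLATED = {"Server 1": 10, "Server 2": 10, "System 1": 20, "System 2": 20,
            "Server 3": 30, "Server 4": 30, "System 3": 40, "System 4": 40}

ACL = {frozenset((10, 20))}                  # only the CDE VLANs may talk to each other
LEAKY_ACL = ACL | {frozenset((30, 10))}      # one convenience rule: VLAN 30 <-> VLAN 10

def scope_report():
    """Scope for each scenario, as sorted host lists."""
    return {
        "flat": sorted(pci_scope(FLAT, CHD, ACL)),
        "isolated": sorted(pci_scope(ISOLATED, CHD, ACL)),
        "isolated + leaky rule": sorted(pci_scope(ISOLATED, CHD, LEAKY_ACL)),
    }

if __name__ == "__main__":
    for scenario, hosts in scope_report().items():
        print(f"{scenario}: {len(hosts)} in scope -> {hosts}")
```

Running the same check against an exported rule set after every firewall change is a cheap way to catch a permit rule that silently widens the CDE.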

By reducing the number of systems that are considered to be in scope for PCI DSS compliance through network segmentation, organizations can simplify compliance efforts and reduce the risk of the CDE being compromised. For details on how we accomplished isolation of the CDE for a recent client migrating to Microsoft Azure, refer to “Securing Cloud Networks” from our Secure Cloud Migration blog series.
