5 Ways that PCI DSS Microsegmentation Can Help You Achieve Compliance

As regulations for compliance become increasingly stringent, the consequences for failing an audit go far beyond a bureaucratic headache. As well as damage to your public image, you could be subject to financial penalties and even a halt to your business operations altogether until safety measures have been put into place.

Relying on a security solution that employs microsegmentation can be a powerful tool that provides unparalleled control over the traffic cross your hybrid IT ecosystem. The right approach will be able to isolate and segment all applications, monitoring and routing all traffic, including east-west. By doing this, microsegmentation can effortlessly check boxes for your compliance regulations, whether that’s PCI-DSS, HIPAA, or others.

When it comes to PCI DSS, microsegmentation can support you in reducing scope. The compliance regulations are very clear. “To be considered out of scope for PCI DSS, a system component must be properly isolated from the cardholder data environment (CDE), such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.” A similar rule is found for HIPAA compliance, but this time regarding Protected Health Information (PHI).

It is likely that some systems can be physically separated from your CDE or PHI. In the past, firewalls could enforce network zones, as could virtual LANs with strong ACLs. However, more complex architecture such as cloud-based VMs or containers have this made this difficult. Even simple compliance regulations, such as placing a firewall, become a challenge. Additionally, dynamic workloads mean you need granular visibility of where changes are happening within the CDE in real-time. This has encouraged businesses to look for a solution that allows for continuous process or identity level detail and control.

Ensuring that you have rich visibility into the flow of traffic is number one on the list for any auditor. This has two benefits. Firstly, it shows the regulatory board that you have a strong understanding of the data and access in your network. Secondly, it proves that you can automatically detect a threat or breach if the worst happens.

Once you have established visibility, controlling traffic to isolate and resolve an attack should be next on the agenda. By starting with broad microsegmentation policies and then creating more specific layers you can achieve the right balance between under and over segmenting your network. This should be done gradually, allowing you to gain the perfect amount of control without losing functionality and flexibility. Because the policies you build for microsegmentation are application-aware, you can use them to enforce system access to specific regulated data, such as PHI for HIPAA compliance. Even if a breach happens to your perimeter, a hacker would not be able to move from an out of scope area to one that threatens compliance posture. Companies that only focus on protecting their perimeter between external and internal systems are behind the times. If attackers get through your perimeter, your entire data center or network is up for grabs. For PCI-DSS, microsegmentation can provide a deeper level of security on all the important systems on your network. It can also stop attackers from making lateral moves within your network, pivoting dangerously from an out of scope area to one which can reach your CDE or PHI.

Another benefit for HIPAA or PCI DSS, microsegmentation can meet the requirement of maintaining a vulnerability management program. For this to work best, your solution needs to work in tandem with a strong breach detection and mitigation solution, protecting your system against malware. Micro-segmentation works with the principle of least privilege, perfect for verticals like healthcare dealing with HIPAA compliance, where 70% of organizations cite employee negligence as the most worrying reason for breaches.

Another important element to keep in mind for compliance is having separate development and testing environments from production environments. Top tip: Make sure that scanning and auditing is done in a continuous cycle, not just periodically.

PCI DSS dictates that more in-depth security features should be implemented for what they call “insecure” services, daemons or protocols. An example of this could be using a VPN for file sharing. Using a flexible policy engine is an important element of a compliance-ready microsegmentation approach. This can enable you to validate administrative access to each system, and restrict specific protocols to using additional security measures.

Another element of compliance is ensuring that only one primary function can be implemented on each server. This means that functions with different security levels cannot be on the same server, preventing lateral moves from weaker entry points. By implementing PCI DSS microsegmentation, process level policies can be enforced so that only necessary services are making connections, and only one secure function is implemented per server.

As well as showing that you’ve created zones in your network, nearly all compliance regulations will expect you to have visibility into the traffic that moves among them and the ability to log this information for later. Traditionally, companies have had visibility into north-south traffic which moves between client and server. The best approaches can now analyze and monitor east-west traffic, also known as server to server traffic, from within the data center itself. The policies that you define for your microsegmentation approach can be used as documentation of your compliance, and the granular detail of east-west traffic serves as proof that you have a strong security posture that meets regulations.

Many businesses struggle to prove the systems that they have deemed out of scope actually are separate from their CDE or PHI, especially when dynamic boundaries are part of their IT infrastructure. If you choose a PCI microsegmentation approach with labeling functionality, you can examine the PCI or PHI environments and inspect the flows and communications in granular detail. Filtering where necessary can allow you to drill down to specific protocols at process level, granting you unparalleled levels of control in comparison to traditional network segmentation.

There are many requirements for ongoing compliance, and companies will need to have various security controls in place to establish they are meeting the regulations of complex standards like PCI DSS or HIPAA. For example, when you’re employing PCI DSS microsegmentation to meet regulations, you will need a distributed firewall to separate the CDE from other applications, as well as file integrity monitoring on your CDE itself. For mapping and documentation you’ll benefit from powerful process level visibility on traffic and data flows.

Lastly, especially important in compliance-heavy industries like healthcare where attacks are so common, your microsegmentation approach should integrate with tools that allow you to secure the environment and maintain overall vulnerability control. These could include powerful breach detection tools like honeypots and malware detection. Choose a solution that covers many requirements in one, and you’ll take on less risk and management overall, simplifying the road to ongoing compliance.

For more information on microsegmentation, visit our Microsegmentation Hub.