How are you dealing with the new PCI standards covering virtualization and cloud security?

by HPNetworking on 11-18-2011 01:46 AM - last edited on 11-18-2011 01:52 AM

By Sanjay Raja, Product Marketing, Virtualization Security, Security Products Group, HP Networking


First a little background: A new version of the Payment Card Industry Data Security Standard (PCI DSS), established by the Payment Card Industry Security Standards Council (PCI-SSC), provides new requirements against which businesses establish payment card security policies and protection of customer data related to payment cards.

 

So a lot of the folks in IT management I speak with are realizing that there are new PCI requirements that were published as part of PCI-DSS 2.0. The key point: For the first time, this new document highlights that security requirements apply to both physical and virtual environments and also discusses some of the inherent security risks with virtualization and cloud infrastructures.

 

The new standard references multiple risks that include:

 

  • Hypervisor is now at risk: The hypervisor can have vulnerabilities that can be exploited and needs to be protected and patched similar to operating systems and applications.
  • VM sprawl: Virtualization features and benefits like high availability (HA), disaster recovery services (DRS) and resource optimization mean that virtual machines (VMs) can be moved and spread across different hosts, clusters or data centers. This means that a highly critical application might share the same host as a less critical application.
  • Separation of duties: Multiple administrators could potentially need access to a particular host. This includes application, server, network and security administrators.
  • Potential lack of visibility: How data is accessed (which includes the network configuration and security policy management and enforcement) needs to be documented.
  • Public cloud = lack of control: I no longer have as much visibility into the network topology and security since my infrastructure is hosted elsewhere.

To go even further, the requirements specifically call out the need for virtual firewalls to provide segmentation across different workloads and applications. In addition, the requirements discuss the need for visibility into the network environment and providing Intrusion Prevention System (IPS) capabilities for inspection. The standard alludes to the concept that security for virtual machines ideally should be identical to security in physical environments.

 

It even goes so far as to indicate that security and server/virtualization administrators should have different access controls, where security administrators have separation of duties in controlling the security for virtual machines. Migration to the public cloud increases the complexity in ensuring that PCI requirements, especially around protecting data, are being met appropriately. Thus far, due to the complexity involved, I haven’t seen a solution that is wholly suitable for public cloud environments from a customer perspective that provides all the visibility you need.

 

So the question that comes up is... what is out there that helps me with this new PCI standard?

 

Extending HP TippingPoint’s industry-leading, IPS-powered DVLabs security research capabilities into the virtual world

 

The HP TippingPoint Secure Virtualization Framework (SVF) is a purpose-built software solution designed to enable the physical TippingPoint IPS platform to enforce full data center firewall segmentation and provide IPS inspection between trust zones for physical hosts, virtual machines (VMs), and even mobile VMs. The vController component intercepts all packets within the hypervisor and, based upon user-defined policies, permits traffic, blocks traffic, or tunnels packets to a TippingPoint IPS N-Series for inspection. SVF has been designed to work with VMware deployments. This fulfills the requirements around protecting the hypervisor, firewall segmentation and inspection and monitoring of sensitive data traffic that may include customer information.

 


 

In addition, the HP TippingPoint vController security solution is completely managed by our Virtual Management Center (vMC), which plugs into VMware’s vCenter Management. vMC gives IT security personnel complete visibility of the virtualized data center, helping them control and secure the sprawl of VMs. Virtualization makes it easy to create, copy, and roll back VMs, creating an environment where VMs can propagate without proper oversight and security controls. vMC working with vController gives IT security personnel the tools to properly control and secure these previously uncontrolled environments. So increased visibility and control are also addressed by SVF. This is a vital part of the PCI requirements in securing virtual and cloud environments.

 

As for VM sprawl, as touched upon in the new PCI standards, virtualization of data center infrastructure creates new challenges for security personnel due to the ease with which VMs can move from host to host and even data center to data center, regardless of the criticality or sensitivity of the data being accessed. However, SVF not only gives IT administrators the tools to easily maintain visibility into the location and state of every VM, but also can automatically apply the appropriate security policies regardless of the VM state (on, off, or in motion).
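To make the segmentation idea in the two passages above concrete (a hypervisor-level filter that permits, blocks, or hands traffic to an IPS based on trust zones, with the policy following the VM when it migrates), here is a small added model. It is illustrative code written for this post, not HP's vController or any of its APIs; the VM names, hosts and zone names are constructed for the demo.

```python
# Added illustration (not HP's code): a minimal model of hypervisor-level
# trust-zone policy. The verdict is keyed on the VM's zone, never on the host
# it happens to run on, so a migration does not change what is enforced.
from dataclasses import dataclass

PERMIT, BLOCK, INSPECT = "permit", "block", "inspect"

@dataclass
class VM:
    name: str
    zone: str   # trust zone assigned by the security administrator
    host: str   # current hypervisor host; changes on migration

# Policy is a (source zone, destination zone) table. Unlisted pairs fall
# through to BLOCK, i.e. default-deny between zones.
ZONE_POLICY = {
    ("web", "web"): PERMIT,
    ("web", "cardholder"): INSPECT,     # tunnel to the IPS before forwarding
    ("mgmt", "cardholder"): INSPECT,
    ("cardholder", "cardholder"): PERMIT,
}

def verdict(src: VM, dst: VM) -> str:
    """Decision for a packet from src to dst, as the hypervisor filter sees it."""
    return ZONE_POLICY.get((src.zone, dst.zone), BLOCK)

def migrate(vm: VM, new_host: str) -> VM:
    """Move a VM to another host; its zone, and therefore its policy, is unchanged."""
    vm.host = new_host
    return vm

def demo() -> dict:
    """Show that co-locating a cardholder-data VM with less trusted VMs
    (the 'VM sprawl' risk) does not weaken the verdicts."""
    web = VM("web01", "web", "esx-a")           # constructed sample VMs
    db = VM("pan-db01", "cardholder", "esx-b")
    dev = VM("dev01", "dev", "esx-a")
    before = {"web->db": verdict(web, db), "dev->db": verdict(dev, db)}
    migrate(db, "esx-a")   # the database VM now shares a host with web and dev
    after = {"web->db": verdict(web, db), "dev->db": verdict(dev, db)}
    return {"before": before, "after": after, "same_host": db.host == dev.host}
```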

 

Lastly, vMC works with the HP TippingPoint Security Management System (SMS), making it easy to keep all security management functions contained and available only to IT security personnel and no one else. This means that security and network administrators have visibility into the network topology and control over security policies that can be applied to virtual network components independent of server and virtualization administrators so that separation of duties can be maintained.

 

So you can see that the HP TippingPoint Secure Virtualization Framework is already ahead of the curve in helping you achieve or continue to maintain PCI compliance requirements and audits.


>> HP TippingPoint Virtual Controller and Virtual Management Center Solution Brief
