Anatomy of a Data Breach: Part II
Don’t be the Next Victim
Even as the latest breach headline fades away, we all know there is another waiting in the wings (read Part I of my blog). How can organizations protect themselves? There is no panacea for securing a payment environment, and implementing advanced technology alone will not make an organization compliant with the Payment Card Industry (PCI) Data Security Standard (DSS). The PCI DSS provides a solid foundation for a security strategy that covers payment and other types of data, but overall security does not begin and end with PCI compliance. Therefore, an organization’s security strategy should employ best practices and an architecture that will not only facilitate PCI compliance, but also help secure the cardholder environment, prevent identity theft, reliably protect brand image and assets, mitigate financial risk, and provide a secure foundation for new business services.
Segmentation and Scoping: Start with Best Practices
As we’ve seen from recent breaches, the stakes associated with noncompliance are high. At the same time, each organization’s network, storage, and security infrastructure, as well as processes and business requirements, are unique and complex.
Segmenting is a best practice in any environment that can improve network performance, increase security, simplify compliance, and limit the extent of a potential compromise. In network segmentation, each network exists within a “boundary of trust.” Anything that crosses the boundary must be checked to make sure it can be trusted, whether the traffic consists of devices, packets, protocols, applications, or users. Checks must be applied to both incoming and outbound traffic.
Segmentation can be difficult to achieve in large complex networks. Many large organizations’ networks have grown over time and include proprietary systems, disjointed architectures, legacy applications, and IP protocols that make it difficult, or impossible, to segment for meeting PCI DSS requirements and still function as required for the rest of the business.
Scoping is another best practice. In the context of PCI, scoping is the process of identifying all system components, people, and processes to be included in a PCI DSS assessment. The first step of a PCI DSS assessment is to accurately determine the scope of the review; segmentation done well is what keeps that scope small, because systems that cannot reach the cardholder data environment at all do not need to be assessed.
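The two ideas above, a boundary of trust that is checked in both directions and a scope that follows from what can cross that boundary, can be modelled in a few dozen lines. The following Python is an added example written for this post; it is not Cisco's code or part of the PCI Solution. The hostnames, segment names, ports and rules are constructed, and the scoping rule is simplified to the "connected-to" test (any allowed flow to or from a segment holding cardholder data pulls the whole segment in), without the deeper impact analysis a real assessment would also apply.

```python
"""Boundary-of-trust checks and PCI scope determination over a segmented network.

Added example, not from the original post. Components sit in segments; every
segment edge is a boundary of trust with a default-deny rule set that is
consulted for both directions of a flow. Scope is then derived from which
segments hold cardholder data (CHD) and which segments have any allowed path
to or from them. All names, segments and ports below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    segment: str
    handles_chd: bool = False  # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Rule:
    """Explicit permit: src_segment may open TCP `port` on dst_segment."""
    src_segment: str
    dst_segment: str
    port: int


def flow_allowed(rules, src, dst, port):
    """Default-deny boundary check.

    Traffic inside one segment is unrestricted (no boundary to cross). Traffic
    between segments is allowed only if a rule names that exact direction, so
    an inbound permit does not silently become an outbound one.
    """
    if src.segment == dst.segment:
        return True
    return any(
        r.src_segment == src.segment and r.dst_segment == dst.segment and r.port == port
        for r in rules
    )


def classify(components, rules):
    """Return {component name: reason} for every component in PCI scope.

    Order follows the scoping process: first find what handles CHD, then walk
    each boundary in both directions and pull in any segment with an allowed
    path to or from a CDE segment. Segments with no such path stay out.
    """
    cde_segments = {c.segment for c in components if c.handles_chd}
    scope = {}
    for c in components:
        if c.handles_chd:
            scope[c.name] = "stores/processes/transmits CHD"
        elif c.segment in cde_segments:
            # Same segment as a CHD system: no boundary separates them.
            scope[c.name] = f"shares segment {c.segment} with CHD systems"
    for r in rules:
        if r.src_segment in cde_segments and r.dst_segment not in cde_segments:
            seg, direction = r.dst_segment, "from"
        elif r.dst_segment in cde_segments and r.src_segment not in cde_segments:
            seg, direction = r.src_segment, "into"
        else:
            continue
        for c in components:
            if c.segment == seg and c.name not in scope:
                scope[c.name] = f"allowed flow {direction} CDE on port {r.port} (connected-to)"
    return scope


# Constructed sample environment used by the demo below.
COMPONENTS = [
    Component("pos-01", "store-cde", handles_chd=True),
    Component("payment-gw", "dc-cde", handles_chd=True),
    Component("store-wifi-ap", "store-cde"),   # in scope: no boundary from POS
    Component("siem-01", "mgmt"),              # in scope: may SSH into the CDE
    Component("hr-app", "corp"),               # out of scope: no path to CDE
    Component("guest-wifi", "guest"),          # out of scope: only reaches corp
]
RULES = [
    Rule("store-cde", "dc-cde", 443),  # POS posts transactions to the gateway
    Rule("mgmt", "dc-cde", 22),        # management segment administers the CDE
    Rule("guest", "corp", 443),        # guest network never touches the CDE
]


if __name__ == "__main__":
    for name, reason in classify(COMPONENTS, RULES).items():
        print(f"{name:14} IN SCOPE  {reason}")
```

Running it lists the two CHD systems, the access point that shares a segment with the POS, and the SIEM host that is permitted into the data-centre CDE; the HR application and guest Wi-Fi do not appear. Note that `flow_allowed` treats the permit from `store-cde` to `dc-cde` as one-directional: a flow from the payment gateway back to the POS on the same port is denied unless a second rule exists, which is the "checks on both incoming and outbound traffic" point in practice.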
The Cisco® PCI Solution 2.0 helps organizations secure cardholder data, customer privacy, and business assets at every point: from the data center, to branches, and across e-commerce sites and payment processors. The Cisco PCI Solution 2.0 is built on network security best practices, proven Cisco products, Cisco Services, and partner solutions that are validated for compatibility with Cisco PCI Solution architectures. See www.cisco.com/go/pci to learn more about the Cisco PCI Solution 2.0 and to download the latest Design and Implementation Guide.
A critical element of the Cisco approach to PCI compliance is network architecture and validated network designs. More than just printed diagrams, these designs are deployed and tested in Cisco labs and evaluated by PCI auditors, such as Verizon Business. With this input, Cisco provides architectural designs that incorporate end-to-end PCI security recommendations. Organizations can use these design guidelines for their own networks as they address PCI compliance.
There are many benefits of an architectural approach to PCI compliance. Consistent, validated architectures deliver:
- Simplification of all aspects of the network, from foundation addressing and routing to troubleshooting
- Standardization to help ensure repeatability of critical processes
- Operational efficiency to minimize downtime and simplify manageability
- Scalability to grow and adapt as business needs change
- A secure foundation that builds in strong security to create a robust platform that can adapt as threats, standards, and business needs evolve
In a recent interview, Bob Carr, CEO of Heartland Payment Systems, which suffered a breach in 2009, provides a perspective on data breaches. “To be PCI compliant does not mean you can’t be breached,” Carr says. “Any of us that process PII (personally identifiable information) should be humble… Anyone that thinks they’re not going to be breached is being naive.”
Given this reality, Cisco solutions and Cisco Services can help organizations simplify PCI compliance and build robust, secure architectures and solutions for everything from the data center to branch locations of all sizes and out to the network edge.