At the 2012 PCI Community Meetings, the PCI SSC made a presentation titled ‘PCI Standards Updates and Future Insights’. Embedded in that presentation were a series of slides titled ‘Scoping & Segmentation Clarified’. A number of writers have given reference to this clarification, but I have yet to see a discussion regarding the content of these slides. So I felt someone should share with the world the content of these slides so that we are all on the same page.
“PCI DSS requirements apply to all system components, defined as any network component, server, or application that is included in or connected to the CDE [cardholder data environment]”
The first thing discussed are the misconceptions about PCI DSS scoping and what “connected to” really means. Those examples of misconceptions pointed out as FALSE included:
- Encrypted cardholder data (CHD) is always out of scope
- “Connected to connected to” systems are not in-scope
- Only systems that connect directly to the cardholder data environment are in-scope
- Only inbound connections are in-scope
- Directly connected to systems are not in-scope if they pass through an in-scope firewall
Encrypted CHD Is Out Of Scope
The only way encrypted cardholder data is ever considered out of scope is if, and only if, the organization being assessed does not have the ability to decrypt the data. That said, it is up to the organization or their QSA to prove that the organization does not have access to the keys by documenting the assessment procedures that were performed to determine that the encryption keys could not be accessed and the cardholder data could not be decrypted. So even though it may eventually be judged out of scope, there must be some form of investigation that proves that fact.
“Connected to connected to” Systems Are Not In-Scope, et.al.
The remaining four examples given as false are all related. The guidance being provided by the PCI SSC should have been common sense to any security professional and QSA, but apparently was not as clear as we all thought. As a result, the PCI SSC documented their thought process and provided this “guidance.”
“If a system can impact the security of the CDE (whether it is directly or indirectly connected), it is in-scope.
To be considered entirely out of scope, a network or system must be isolated from, with no connectivity into, the CDE (such that even if the system is compromised, it cannot impact the security of the CDE).
Restricting access by IP or port may limit the exposure of the CDE but does not automatically remove systems/networks from scope since there is still connectivity.
If connections are limited to specific ports or services, those systems are included in the PCI DSS scope to verify applicable controls are in place.”
Talk about opening a can of worms. To a lot of people, this definition sounded a lot like Stalin’s “Doctor’s Plot.” Exactly where do you draw the line on a network and what is connected to what? To a lot of hard-line QSAs and some participating organizations (POs), this clarification essentially put everything back in-scope for PCI compliance because, in theory, any device on the internal network can be used to ultimately compromise the CDE. To all of you out there that think this, take a pill and chill. That is not what the clarification is saying unless there are no systems on your network that are truly isolated from the CDE.
The PCI SSC has left this decision to your QSA/ISA to determine where the boundaries of your CDE get drawn. And that is based on the risk presented and how you have controlled access for the outliers on your network. So, while in theory any device sitting on a network could be used as a staging point or beachhead to ultimately compromise the CDE, it all depends on the controls in place to minimize that potential risk.
As an easy example of what the PCI SSC is getting at with this clarification, any systems with access to the CDE are in-scope for PCI compliance. According to the PCI SSC, a lot of QSAs were ruling systems out of scope such as backup systems, domain controllers, DHCP and DNS servers, management consoles and anything else used to manage, monitor or control devices inside the CDE. The bottom line is that should any of these systems be compromised, the CDE is also likely compromised. Limited access or not, these systems have access to the CDE and are therefore in-scope for the assessment.
The other part of the clarification is about just because a system has access to the CDE does not imply that all PCI requirements apply. There are big differences between the access a backup system may have from a call center operators’ or an accountants’ PCs may have to the CDE. As a result, it is up to the QSA/ISA to determine what PCI requirements are relevant based on the risk presented by the system and how it accesses the CDE. At a bare minimum, any PC that has access to the CDE needs to be properly configured and security hardened, patched current, have anti-virus and anti-malware software and a firewall implemented. If the PC has direct access to the CDE through something other than HTTPS as with a backup server or domain controller, then you should be treating these devices no different than a device inside the CDE. Whether or not additional requirements may be required will depend on the assessment of the PC and how it accesses the CDE.
Given this clarification, what should you be doing to determine the boundaries of the CDE? Here are some of my ideas.
- Scan you network for cardholder data (CHD) using OpenDLP, custom queries of databases and similar tools. Document all systems that are found with actual CHD. Make sure to check that the data found is actually CHD and not just 15 – 16 digit numbers that happen to pass a Luhn check. We have encountered a lot of random log data from firewalls and intrusion detection/prevention solutions over the years that upon further inspection turned out to not be CHD. The purpose of doing this scanning is so that you are reasonably certain that CHD does not exist on systems you did not know about.
- Review your virtual LANs (VLAN) and related access control lists (ACL) and document what controls are in place to isolate systems from the CDE. If ports are open between the CDE and a network segment, document why they are open. A lot of times this sort of review results in discovery of systems that do not need CDE access but were granted access just in case. The purpose of this review is to make sure that the CDE is truly isolated from the rest of the networks. If not isolated, it may be possible to move systems into a few VLAN segments and isolate those segments to minimize your total CDE.
- If possible, locate critical servers such as domain controllers, backup servers, etc. inside the CDE. A lot of organizations have located one or two domain controllers inside their CDE and then limited communications to/from those domain controllers and domain controllers outside the CDE. While the domain controllers outside the CDE are still in-scope if they communicate with the CDE domain controllers, such a move puts the majority of the risk on the CDE domain controllers. In today’s SAN world, putting a backup server with a fiber channel connection back to the SAN used for virtual tape allows you to isolate your CDE backup process.
- For those organizations that have virtual desktop technology implemented, consider creating virtual systems for providing access to the CDE. A lot of organizations with virtual desktop technology have segregated this technology onto servers that only provide access to the CDE therefore limiting what virtual servers are in-scope. Depending on the controls of the virtual environment will determine how much of that environment is necessary to be included in the assessment. These virtual desktops should be built from a standard image and be strictly locked down so that new software cannot be installed by the user as well as they should be configured to log all user actions. When using this approach, the user must have authentication credentials (i.e., user identifier and password) different from their other credentials. You are also going to want some form of firewall between these virtual systems and the rest of the network and granting access to those systems that require access.
- Another opportunity to minimize the CDE is the use of “jump boxes” on the network. Jump boxes are accessed via remote desktop technologies to then gain access to the CDE and are typically used for network and server administration and management. The jump box is configured so that any user’s activities are recorded and logged for later review. Jump boxes are no different than the virtual desktop solution other than jump boxes are typically physical devices versus virtual devices. The reason for using a physical device versus a virtual device is the jump box can be physically accessed if necessary in emergencies. As with the virtual desktop solution, users of jump boxes must have user identifiers and passwords different from their other credentials and you will also need a firewall protecting the jump box.
- For systems that have access to virtual desktops or jump boxes, these should still be security hardened, have anti-virus and anti-malware with current signatures and should also be timely patched.
A lot of people would think a virtual private network (VPN) over SSL, TLS, SSH or IPsec solution would also meet the requirement of isolation. The problem with the VPN solution is that there is no isolation or gap between the system used to access the general network and the CDE. The VPN does provide isolation of data transmissions but, if the system is compromised, the CDE is also likely compromised. With the other solutions there are multiple ways that the CDE systems are isolated from the rest of the network.
Now we should all be on the same page.