All of us on the PCI Dream Team get the following question a lot as we consult with organizations on PCI scoping and network segmentation.
“With the guidance from the SSC at the Community Meeting regarding network isolation (they provided a slide that highlighted key concepts) we are expecting QSAs to dig deep into category 2 systems. PCI controls are not applied to servers that support infrastructure outside of the CDE on these category 2 systems. Is the council really suggesting we setup completely dedicated category 2 infrastructure for the CDE?”
For those readers that have forgotten what the PCI scoping categories are here is a quick refresher.
Category 1 systems are those that either: (a) directly process, store or transmit sensitive authentication data (SAD) or cardholder data (CHD), or (b) are on a network segment the same as or directly assessible to those systems that directly process, store or transmit SAD/CHD. Category 1 systems are those that exist in or create the cardholder data environment (CDE) and are always in scope for PCI compliance.
Category 2 systems are those that do NOT directly process, store or transmit SAD/CHD but provide services to Category 1 systems such as directory services, DNS, DHCP, SIEM, NTP, etc. and are segmented from and have controlled access from/to those Category 1 systems through a firewall and/or jump box. Category 2 is typically referred to as “Shared Services”, that is, services that are shared between Category 1, Category2 and Category 3 systems.
Category 2 systems include system administrator workstations that access Category 1 systems through a jump box. Another example of Category 2 systems are workstations that work with Category 1 systems over virtual desktop (VDI) technology. The reason is that the VDI is a Category 1 system therefore the workstations using the VDI are Category 2.
The bottom line though is that Category 2 systems are always in scope for PCI compliance because they can affect the security and controls of the CDE.
Category 3 systems are those that do not and never can access Category 1 systems in any way including via a jump box. Only Category 3 systems are out of scope for PCI compliance. . That said, Category 3 systems can be provided services by Category 2 systems and still be considered out of scope for PCI compliance.
The first part of the question I would like to address is:
“PCI controls are not applied to servers that support infrastructure outside of the CDE on these category 2 systems.”
Category 1 and Category 2 systems are deemed in scope for PCI compliance, so ALL relevant PCI controls are required to be applied to those devices. With Category 2 systems, there may be a very, very few controls that do not apply, but they will be very, very few if there are any at all. So, if you are not applying all PCI controls to Category 2 systems you are likely not in PCI compliance.
The next part of the question I would like to address is:
“… we are expecting QSAs to dig deep into category 2 systems.”
QSAs better be assessing Category 2 systems just as rigorously as Category 1 because they are, by definition, in scope for PCI compliance and no different from Category 1 systems.
Finally, there is this question.
“Is the council really suggesting we setup completely dedicated category 2 infrastructure for the CDE?”
If that is how you wish to approach the problem, that is your prerogative.
However, the QSAs I know would tell you to avoid that approach. That approach only adds complexity, introduces even more chances for human error and usually creates ever more bizarre controls and nonsense that does nothing to improve security.
That is not to say that I have not encountered instances where directory services, DNS, DHCP and other services servers are located inside an organization’s CDE. But they are connected to other services servers within the organization in Shared Services no different than any others to simplify management of those services. They are only inside the CDE because of performance or availability issues, not for security reasons.
This is the whole point of Category 2 is to provide an area where such services can be located to serve all categories of systems. Hence the name “Shared Services” because the services are shared between all of the categories.
That said, it is not unusual to have multiple shared services areas. I have clients that isolate their directory, DNS and DHCP servers in their own shared services environment. The SIEM is also isolated in its own area. The reason is to allow for further granularity of monitoring and control as well as limiting the number of administrative personnel that have access. They also have shared service areas for internal FTP and mainframe LPARs. How many shared services network segments your organization will need is all up to your organization and what makes sense. The bottom line though is to make sure you can monitor and control the shared devices and ensure that you are not putting CDE systems at risk.
PCI Guru 