Best Practices to Minimise PCI DSS Exposure
“How can we reduce our PCI DSS scope?” is a question I get in most of my consulting / auditing engagements. Some clients are looking for network segmentation and others for segmentation of the software components.
Here are some thoughts on segmentation as a method to reduce PCI DSS scope.
Network Segmentation
Network segmentation reduces PCI scope only if the PCI assets, i.e. the Cardholder Data Environment (CDE), are physically or logically segregated from the non-PCI assets. Anything that is still connected to the CDE, or that could affect its security, remains in scope.
To segregate physically, one can build a separate, isolated network so that there is no connection at all between the CDE and non-CDE environments. This is rarely practical for large organisations, which leads to logical network segmentation as the way to reduce PCI scope.
The existing network can be segregated using firewalls and virtual LANs (VLANs). Merely creating a VLAN is not enough segmentation for scope reduction: a VLAN boundary with no filtering still routes every packet between the two sides. Instead, you have to use access control lists (ACLs) or firewall rules to enforce the access restrictions between the CDE and non-CDE systems.
For example, if you have two VLANs, one for CDE and another for non-CDE systems, then the following are expected:
- An access list with limited access between these two VLANs
- No access to the cardholder data from the non-CDE to the CDE
- No “allow all” or “permit any any” between the VLANs. (Yes, you cannot have all 65535 ports open from non-CDE to CDE systems. If so, we see the ACL as nothing more than a cable and treat both VLANs as one flat network.)
- Allow only the required network ports between the networks. Document the business justification for keeping these ports open. Monitor the access to these ports.
I have read somewhere that an acceptable segmentation should have three types of controls: preventive, detective and corrective.
- Preventive controls are the VLAN segmentation, firewall rules, ACLs etc., together with the periodic review of the ACLs / firewall rule base so that the rules stay as tight as they were when approved.
- Detective controls are the monitoring part of the implementation. Monitor the traffic between the CDE and non-CDE. Review the firewall logs, VLAN access logs etc.
- Corrective controls are the actions taken on the findings of the preventive and detective controls: in most cases tightening a rule, removing a rule that is no longer justified, or blocking a source seen probing the CDE.
Let us take an example.
VLAN1 (192.168.0.0/24) is the CDE with 5 applications and their DBs. VLAN2 (192.168.1.0/24) is the non-CDE network.
Sample Preventive controls
Allow 192.168.1.2 > 192.168.0.2 port 443
Deny any any (rules are matched top down, so the explicit deny is the last entry)
Quarterly / half-yearly firewall rule base review is another preventive control you need to practise to keep the ACL / rule base effective.
Sample Detective Controls
Review the firewall logs and ACL logs daily, either in real time or after the fact (PCI DSS itself requires log review at least daily)
Integrate the logs with a SIEM solution for central retention, correlation and alerting
Sample Corrective Controls
Based on the periodic firewall rule base review and the daily log reviews, change the preventive and detective controls: remove or tighten rules that are no longer justified, and add alerts for the traffic patterns the reviews uncovered
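As an added example (not code from the original post), here is a small Python script that implements both controls from the worked example above on the page's sample VLANs, and also checks the VLAN expectations listed earlier: a rule-base review that flags any allow rule from non-CDE into the CDE that is permit-any-any, open on all ports, or missing a documented justification / approval, and a daily log review that flags sources repeatedly denied at the boundary and allowed flows that the documented rule base does not permit (a sign of rule drift outside change control). The log format, the Rule fields justification and approved_by, and the sample log lines are constructed for illustration and are not any vendor's syntax.

```python
"""Rule-base and log review for CDE segmentation (illustrative example)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Zones from the worked example above: VLAN1 is the CDE, VLAN2 is non-CDE.
CDE = ip_network("192.168.0.0/24")
NON_CDE = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    """One firewall / ACL entry. 'justification' and 'approved_by' are
    hypothetical documentation fields, not part of any vendor syntax."""
    action: str                 # "allow" or "deny"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    port: Optional[int]         # None means every port
    justification: str = ""
    approved_by: str = ""


# The page's sample rule base: one documented hole, then deny everything.
RULES = [
    Rule("allow", "192.168.1.2/32", "192.168.0.2/32", 443,
         "web front end to payment API over TLS", "CISO, Q1 review"),
    Rule("deny", "any", "any", None),
]


def _covers(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def _overlaps(cidr: str, zone) -> bool:
    return cidr == "any" or ip_network(cidr).overlaps(zone)


def review_rule_base(rules: List[Rule]) -> List[str]:
    """Preventive control: the periodic rule-base review. Every allow rule
    that lets non-CDE reach the CDE must be port-specific and documented."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if r.src == "any" and r.dst == "any":
            findings.append(f"rule {n}: permit any any removes the segmentation entirely")
            continue
        if _overlaps(r.src, NON_CDE) and _overlaps(r.dst, CDE):
            if r.port is None:
                findings.append(f"rule {n}: all ports open from non-CDE into the CDE")
            if not (r.justification and r.approved_by):
                findings.append(f"rule {n}: non-CDE to CDE rule has no documented justification/approval")
    return findings


# Constructed log lines in a simplified syslog-like format (not a real vendor format).
LOG_RE = re.compile(r"(?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
SAMPLE_LOGS = [
    "fw1: ALLOW src=192.168.1.2 dst=192.168.0.2 dport=443",
    "fw1: ALLOW src=192.168.1.2 dst=192.168.0.2 dport=443",
    "fw1: DENY src=192.168.1.50 dst=192.168.0.2 dport=22",
    "fw1: DENY src=192.168.1.50 dst=192.168.0.2 dport=3389",
    "fw1: DENY src=192.168.1.50 dst=192.168.0.3 dport=1433",
    "fw1: DENY src=192.168.1.50 dst=192.168.0.4 dport=445",
    "fw1: ALLOW src=192.168.1.7 dst=192.168.0.3 dport=3306",   # no documented rule permits this
    "fw1: DENY src=192.168.0.5 dst=192.168.1.9 dport=80",      # CDE outbound, outside this check
]


def _permitted_by_rule_base(rules: List[Rule], src: str, dst: str, dport: int) -> bool:
    for r in rules:
        if _covers(r.src, src) and _covers(r.dst, dst) and r.port in (None, dport):
            return r.action == "allow"   # first match wins, like a real ACL
    return False


def review_logs(lines: List[str], rules: List[Rule], probe_threshold: int = 3) -> Dict[str, object]:
    """Detective control: the daily log review, restricted to the non-CDE -> CDE
    direction. Flags sources repeatedly denied (possible scanning) and allowed
    flows the documented rule base does not permit (undocumented rule drift)."""
    denied: Dict[str, int] = {}
    undocumented: List[str] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if not (ip_address(src) in NON_CDE and ip_address(dst) in CDE):
            continue
        if m["action"] == "DENY":
            denied[src] = denied.get(src, 0) + 1
        elif not _permitted_by_rule_base(rules, src, dst, dport):
            undocumented.append(line)
    return {
        "probing_sources": {s: c for s, c in denied.items() if c >= probe_threshold},
        "undocumented_allows": undocumented,
    }


if __name__ == "__main__":
    print("rule base findings:", review_rule_base(RULES))
    print("log review:", review_logs(SAMPLE_LOGS, RULES))
```

Run against the sample data, the rule base passes the review, the log review reports 192.168.1.50 as a probing source (four denied ports in the CDE) and the 3306 flow as traffic allowed by something that is not in the documented rule base; both findings are the input to the corrective step, i.e. investigate the scanner and find out who added the MySQL rule.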
Once you decide on the controls to be implemented, the next important step is to document the controls and how they are implemented to segment the CDE from the rest of the network. Two key components of the documentation are (1) management approval for each open port and (2) a risk assessment of each open port. Remember too that PCI DSS requires the segmentation itself to be verified by penetration testing at least annually (every six months for service providers), so keep the documentation in a form the tester can check the rule base against.
Hope this gives you a fair understanding of network segmentation as a method to reduce PCI scope.