Many of my recent conversations with Security and Network Architects have centred on PCI-DSS, and how segmentation plays an essential part in the initial and on-going security of Cardholder Data Environments.

A few things struck me about these exchanges, but one common difficulty was brought up by all of the people I spoke to. This was the act of scoping the CDE – and the implications this has both on the ability to be certified; but also the length of time it takes for any assessment to occur.

For us at Illumio, this would be something we’d refer to as visibility – the ability to map and navigate IT environments. Showing in plain, easily-understood language (to both the administrators of the network, but also external PCI QSAs who may not be as familiar with the details of a given environment), how the PCI CDE is configured, it’s dependencies, routes into the CDE from non-PCI parts of the infrastructure – and critically of course; tightly define the in-scope systems for assessment.

This critical step reduces the following efforts when securing the CDE – reliable and ongoing awareness of the precise scope of the environment, the ability to easily output evidence for a QSA to show the segmentation in place and prevention of traffic flows, and alerting of any new or attempted access into the CDE from the rest of the network.

From here with Illumio it is then trivial to put in place application-centric polices that allow only the required communication with the CDE, from simple environmental separation, to more stringent Zero-Trust models.

At Illumio we’ve put significant effort into going beyond the dry technical implications of the standard, and uncovering the real implications of the various controls and methods for certification. This can really help organisations cut down the time it takes to scope environments accurately, and segment them from the rest of the infrastructure.

To this end, we put together a three-part series – easily digestible, which covers the mapping of PCI DSS controls, scoping and segmentation solutions, and design considerations for implementation of Illumio ASP with regards to PCI DSS:-

Mapping to PCI DSS Controls: An Illumio and Protiviti research project

Challenges and Solutions for PCI scoping and segmentation

Best Practices and Design Considerations form Implementing Illumio ASP for PCI