PCI DSS AND THE A10 SOLUTION How Cloud Service Providers Can Achieve PCI Compliance with A10 Thunder ADC and vThunder

WHITE PAPER

PCI DSS and the A10 Solution

The Challenge of PCI Compliance

While the Payment Card Industry Data Security Standards (PCI DSS) pertain to secure processing and storage of cardholder data, these standards can apply to any cloud service provider (CSP) as a framework for constructing a safe cloud environment. Achieving the stamp of PCI compliance is an important advertisement to customers, as one of the biggest marketing challenges for CSPs is promising data security in the cloud. It also allows CSPs to set concrete security measures internally, giving them a way to specify procedures for quality assurance engineers and IT staff. However, in such dynamic environments, where CSP-client boundaries can be fluid, CSPs can only achieve PCI compliance starting at the application infrastructure level. Given these goals, the question for most CSPs is this: how do they uphold security while maintaining rapid delivery of services to their clients? With the A10 Networks® solution, you won’t have to compromise one for the other.


Table of Contents

Overview of PCI DSS ........ 4
Virtualization and the PCI Dilemma ........ 5
The A10 Solution ........ 5
Thunder ADC ........ 6
vThunder Virtual ADC ........ 7
Conclusion ........ 7
About A10 Networks ........ 7

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.


Overview of PCI DSS

The Payment Card Industry (PCI) Council was formed in 2006 by leading credit card companies (American Express, Discover, JCB International, MasterCard, and Visa), who established PCI DSS as a set of rules for payment industries to prevent credit card fraud, hacking, and other security threats.[1] These standards apply to any company that stores, processes, or transmits Primary Account Numbers (PANs), cardholder data, expiration codes, or service codes. They apply to all system components, such as servers, network components, applications, and all virtualized parts (virtual machines [VMs], hypervisors, and so on).[2] Over time, these standards have also become a reference guide for IT professionals who devise procedures for building safe application infrastructures and ensuring sound data security practices.

PCI DSS consists of 12 high-level requirements that merchants and processors should implement to protect cardholder data. In PCI DSS version 3.0, released in 2013, the PCI Security Standards Council included considerations and tools for cloud services, offering ways to measure PCI compliance for specific cloud layers and components. These standards (displayed in the table below) are intended to provide a general framework for discussion. Supplemental information on how CSPs can comply with these standards is provided in the PCI DSS Cloud Computing Guidelines, which CSPs can consult for further tools to assess their PCI compliance. These tools include questions for defining requirements, which differ by role (CSP vs. client) at every cloud layer and are outlined for the various service models (SaaS, PaaS, or IaaS).

Table 1: PCI DSS Requirements and Standards[3]

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

[1] Source: “Information Supplement: PCI DSS Cloud Computing Guidelines,” PCI Council, February 2013. Pg. 50
[2] Source: “PCI DSS Requirements and Security Assessment Procedures, Version 2.0,” PCI Council, October 2010. Pg. 7-10
[3] Source: “PCI DSS Requirements and Security Assessment Procedures, Version 3.0,” PCI Council, November 2013


Virtualization and the PCI Dilemma

Importantly, PCI DSS v3.0 suggests that different virtualization structures will demand different security solutions.[4] There is no ‘one-size-fits-all’ solution to PCI compliance for CSPs, because the differing needs of private, public, and hybrid clouds demand customized approaches to security.

Furthermore, full compliance is not possible without the full cooperation of both the CSP and the client. This makes it necessary for CSPs to define which security controls are in scope for the CSP and which for the client. Scope can vary, but as PCI DSS explains, there are some common considerations that hold for most CSPs. PCI DSS illustrates the division of security controls between clients and CSPs at every cloud layer for each service model. As the diagram below shows, certain trends emerge for CSPs to consider. One trend is that, for all service models, CSPs are held accountable for full control of security from the physical data center level up to the hypervisor level. For IT, this is a relatively straightforward component: it primarily involves selecting hardware with appropriate capacity, scalability, and data-loss prevention.

The other trend is that SaaS and PaaS models will have to assume almost 100 percent control over security at the application-related cloud layers, as little is left up to client control. The application component is where we see the more fluid parts of the CSP model, which have made it difficult for IT to judge compliance in the past. Either CSPs or clients will have to select the right security measures for safe application delivery. This makes it all the more necessary for these services, or their clients, to choose the best application delivery hardware, as elements of the virtual network infrastructure, solution stack, applications, and interfaces are the parts of a CSP model most vulnerable to security breaches. While PCI gives a general idea of what CSPs need to look for in selecting hardware/software solutions for virtualization, specific features are not described.[5] PCI standards suggest implementing firewalls, tenant isolation, and encryption, but for network architects this can mean a variety of options. An easy solution is to select the right application delivery controller (ADC), which covers a sizeable component of PCI compliance.

The A10 Solution

What do you specifically need to create a PCI-compliant application infrastructure for cloud services with ADCs? You need a solution that can offer:
• Multi-tenancy
• Web Application Firewall (WAF)
• SSL/TLS and STARTTLS encryption
• DDoS protection
• Flexible scripting technology
• API management capability
• Admin and network separation
• Ability to work with third-party hypervisors

[4] Source: “Information Supplement: PCI DSS Cloud Computing Guidelines,” PCI Council, February 2013. Pg. 6
[5] Source: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf


A10 Networks carries several hardware and software solutions that can help ensure PCI compliance for your network infrastructure. The A10 Thunder® ADC appliances as well as the vThunder® ADC line of virtual appliances are equipped with features that can help with tenant isolation and thwart network attacks, delivering advanced solutions beyond basic load balancing.

[Figure 1: Breakdown of security responsibilities by service model. Columns: service models (IaaS, PaaS, SaaS). Rows: cloud layers, from top to bottom: Data Interface (APIs, GUIs); Applications; Solution Stack (programming languages); Operating Systems (OS); Virtual Machines; Virtual Network Infrastructure; Hypervisors; Processing and Memory; Data Storage (hard drives, removable disks, backups, etc.); Network (interfaces and devices, communications infrastructure); Physical Facilities / Data Centers. Each cell is assigned to either the Client or the CSP.]

Thunder ADC

A10 Networks’ award-winning Advanced Core Operating System (ACOS®), featured in the Thunder ADC appliances, essentially functions as an ‘ADC virtual system’, allowing easy deployment of Application Delivery Partitions (ADPs) that act as “virtual components” with ADC capability. ADPs meet PCI compliance by:
• Enforcing strict network and administration separation through Layer 3 virtualization (L3V) support (via ‘private partitions’) (PCI DSS requirements 7 and 8)
• Providing role-based access (RBA) control (PCI DSS requirements 7, 8, and 9)

Additionally, all these solutions are equipped with:
• DDoS protection (PCI DSS requirements 1, 5, and 6)
• SSL and TLS encryption features, and STARTTLS for email encryption (PCI DSS requirements 3 and 4)
• WAF, for protection against SQL injection, CSRF and XSS attacks, and other threats (PCI DSS requirement 6.6)
• Application Access Management (AAM) for robust, flexible authentication and authorization of end-user traffic (PCI DSS requirements 7, 8, and 9)

A10 Thunder ADC is equipped with the aXAPI® REST-based API, which allows custom management of traffic reporting and integration with third-party applications; aXAPI uses a REST-style XML API for custom management and integration of third-party hypervisors. Thunder ADC also provides aFleX®, a feature for deep packet inspection and Layer 4-7 scripting, which allows easy integration of applications with the A10 load-balancing solution.


vThunder Virtual ADC

You can use our vThunder virtual ADC to deploy multiple virtual machines that run on a single hardware platform, offering complete device and service isolation with a third-party hypervisor. vThunder ADC is compatible with a variety of third-party hypervisors, including VMware ESXi, Microsoft Hyper-V, KVM, and Citrix XenServer. vThunder instances are strongly isolated and operate independently of one another; this isolation ensures maximum safety for client data (PCI DSS requirements 1 and 2). Support for WAF, encryption, and DDoS protection on vThunder is similar to support for these features on Thunder ADC hardware-based appliances, so you can take advantage of our multiple security features at the software level alone.

Conclusion

A10 Thunder ADC hardware appliances and vThunder virtual appliances help CSPs and their clients address the most challenging aspects of PCI DSS through their out-of-the-box security and Layer 3 virtualization capabilities. Hence, integrating A10 appliances within your network infrastructure can help with many of your security needs. For PCI DSS requirements 10 to 12, it is incumbent on the CSP to provide operational oversight and establish procedures for safe cloud building. A10 does, however, provide 24/7 technical assistance by phone for your A10 devices as part of our Gold Level Support. In short, building a PCI-compliant cloud has never been simpler than with A10. We deliver security without compromising performance.

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com

Corporate Headquarters

A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA 95134 USA Tel: +1 408 325-8668 Fax: +1 408 325-8666 www.a10networks.com

Part Number: A10-WP-21121-EN-02 Apr 2016

©2016 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.

To learn more about A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.