When Hudson Group found that their virtualization platform could not fulfill key PCI requirements, it chose HyTrust to provide the controls and audit trail needed to demonstrate compliance. The global retailer later expanded its HyTrust deployment to protect critical financial systems not subject to PCI compliance, establishing privileged user accountability and separation of duties for those workloads while maintaining user productivity. Hudson ultimately decided to use HyTrust to secure access to all of its other mission critical and production workloads.

“HyTrust gave us the controls and compliance data we were looking for without getting in the way of the virtualization team’s day-to-day responsibilities.” Edmond Olukere, CISO, Hudson Group.

A Leading Retailer Addresses Virtualization Compliance and Governance

With more than 600 stores in airports and other transportation terminals, Hudson Group is the largest “duty–paid” travel retailers in North America. Its award-winning retail concepts have some of the highest customer recognition in its industry. Hudson News, the world’s largest airport newsstand retailer, is Hudson Group’s most visible business.

As a major retailer, Hudson Group is obligated to protect the integrity of its cardholder data environment (CDE) and ensure compliance with PCI DSS v2.0 regulations. Administrative security requirements are prominent in PCI DSS v2.0; one major section of the standards requires organizations to “Implement Strong Access Control Measures”. Consequently, Hudson Group must strictly control access to the virtualization platform that hosts its in-scope financial applications and data. It must also compile the entire virtual infrastructure log data needed to prove PCI compliance and pass its compliance audits quickly and efficiently.

Beyond compliance, Hudson Group needs to ensure sound governance of the virtual environment and all the sensitive information it contains that is outside the scope of PCI. Sound governance includes establishing separation of duties, least privilege access, and privileged user accountability.

Challenge: Gaps in Virtualization Platform Visibility and Security                       

Edmond Olukere, Chief Information Security Officer of Hudson Group, is responsible for keeping the company’s virtualized in-scope financial systems PCI compliant. Hudson Group’s virtualization infrastructure is based on the VMware vSphere platform. While the company’s traditional IT infrastructure had been PCI compliant for years, Olukere knew in 2010 that virtualization had created new security and compliance challenges.

“The biggest issue was the extent of the privileges vSphere users receive by default,” said Olukere. “They can clone, power off, or delete a VM (virtual machine) running a production application in seconds, with just a few clicks. It doesn’t have to be malicious – you can bring down a system or lose data with either a mistake or a deliberate attack. And since vSphere users have the power to conduct almost any admin operation, separation of duties is practically unenforceable.”

Olukere was also concerned about the virtualization platform’s limited visibility into privileged user activity and its large logging gaps. Hudson Group’s PCI Qualified Security Assessor (QSA) and its financial controls auditor had told the company it needed to provide specific usage logs and other data to prove PCI compliance in the virtual environment. After assessing the requirements, Hudson Group determined that the vSphere platform did not provide all the necessary information to meet audit requirements. Moreover, the company discovered that privileged users could bypass vSphere logging mechanisms completely by using certain infrastructure access methods.

A prime example of missing PCI compliance data was the lack of a unique user ID for every operation recorded in the logs. Another hole was the platform’s inability to ensure an audit trail of activity by every individual with root access, because vSphere allows root account sharing. Other data that Hudson Group needed for compliance or forensic analysis that wasn’t available from vSphere logs included source IP address of the user, basic details about resource reconfigurations, and records of failed or denied administrative operations.

In light of these security and compliance gaps, Olukere concluded that the virtualization platform could not provide all the controls and audit-quality logs Hudson Group needs for PCI compliance.

PCI Solution: Fill Gaps and Secure Virtualized PCI Workloads with HyTrust           

Olukere determined that a solution to the company’s PCI compliance problem in the virtual environment had to meet key technical requirements:

• Fill the virtualization platform’s logging gaps and provide the complete audit trail needed for PCI compliance
• Log all user activity regardless of the management interface used to access the virtual infrastructure
• Associate a unique user ID with every attempted operation, log all denied requests, and record virtual resource reconfiguration details.

Hudson Group chose HyTrust to enable compliance for its virtualized PCI workloads. HyTrust had become the de facto standard for access policy enforcement, compliance, and logging in the virtual environment, and HyTrust Appliance met all of Hudson Group’s key purchase criteria.

“HyTrust’s functionality and user experience had the best fit with our needs. The product gave us the controls and log data we were looking for without getting in the way of the virtualization team’s day-to-day responsibilities,” said Olukere.

Extended Solution: Secure Financial Systems Not Subject to PCI

At the time Hudson Group was addressing compliance in the virtualized environment, it was not being pressed to ensure the integrity of the finance workloads that are outside the scope of PCI. As time went on, however, the requirements for ensuring appropriate access to those critical resources increased.

In 2012, Olukere realized that the solution to Hudson Group’s evolving needs was the same one that had solved his PCI compliance challenges.  He had seen that HyTrust Appliance could automatically enforce role-based access control (RBAC) policies granular enough to provide true separation of duties and least privilege access while maintaining his vSphere users’ productivity. He also knew the solution could ensure strict accountability by preventing root account sharing.

Comprehensive Solution: Secure All Other Mission Critical and Production Workloads

As virtualization of higher tier, non-financial systems increased in Hudson Group’s data center, Olukere became concerned that vSphere’s access control and audit trail limitations presented risks to all virtualized workloads. He concluded that the risk of costly downtime of any virtualized mission critical application due to administrative error or abuse needed to be mitigated.

Later in 2012, Hudson Group decided to add HyTrust protection to every Tier 1 virtualized workload. In addition to the visibility and policy enforcement benefits he was already familiar with, Olukere recognized the value of the Secondary Approval functionality recently added to HyTrust Appliance. Secondary Approval would give Hudson Group a simple process for one-time management approval or denial of specific high impact operations attempted by selected vSphere administrative roles, such as external business partners.

“Having an efficient way to manage potentially destructive events like deleting a virtual machine is a useful option and something we didn’t find anywhere else,” said Olukere.

Implementation: Rapid Deployment and Transparent Operation

HyTrust and Reliant Security, Hudson Group’s security strategy and operations service partner, helped Hudson Group achieve a smooth and rapid roll out of HyTrust Appliance in each phase of adoption. Product technical support was handled remotely by HyTrust, highlighting the solution’s ease of deployment. HyTrust and Reliant collaborated with Hudson Group staff to configure the HyTrust virtual appliance for the company’s virtual network. They also worked with Hudson Group to define tiers of roles based on least privilege permissions and to map vSphere privileged users to those roles.

Mark Weiner, Managing Partner of Reliant Security, was impressed with the HyTrust solution. “We kept Hudson Group employees and contractors fully productive during the implementation phases, and since then the solution has been pretty painless and transparent to the users. It’s required little if any change in behavior. In other words, HyTrust has mitigated virtualization risks and enabled PCI compliance without burdening the organization. There are no time-consuming processes and it doesn’t require users to jump through hoops.”

Results: Gaps Filled, Compliance Achieved, Access Risks Mitigated

Hudson Group passed both its PCI assessment and audit quickly and without any significant access control or audit trail issues. The virtualization team now operates with clear separation of duties and works as efficiently as it did prior to the implementation of HyTrust controls. Most importantly, Hudson Group is confident it has effectively mitigated the clearest risks to its virtualized infrastructure.

“HyTrust has been a cost-effective investment for Hudson Group in terms of risk mitigation, compliance, and I.T. governance,” said Olukere. “On top of providing a complete audit trail, it’s an effective solution for preventing expensive breaches and downtime. Our vSphere users don’t have unnecessarily extensive privileges anymore, just the capabilities they need to do their jobs.”

SUMMARY

INDUSTRY:     Retail

OBJECTIVE:    Fill gaps in virtualization platform’s ability to

• Ensure PCI compliance
• Provide user accountability and audit trail
• Maintain separation of duties across the data center
• Establish sound governance for sensitive data and critical financial applications

APPROACH:     Deploy HyTrust Appliance to:

• Log all user operations and deliver all the audit-quality data needed to show PCI compliance
• Provide least privilege access to the virtual infrastructure
• Prevent anonymous user activity based on root account sharing
• Implement controls that are transparent to users

TECHNOLOGY IMPROVEMENTS:

• Automate and centralize VMware vCenter and host audit log reporting
• Enforce granular role- and resource-based access control policies
• Gain Secondary Approval ability to provide oversight of highest impact infrastructure operations

PROJECT OUTCOMES:

• Passed PCI assessment and audit quickly and easily
• Maintained vSphere user productivity while securing infrastructure
• Established separation of duties, user accountability, and sound governance of the virtual environment