Here’s a simple, single-question poll. Choose only the best answer.
Your household contains many small, high-value items — rare postage stamps, gaudy diamonds, an original copy of Action Comics #1, Hank Aaron’s 755th home run ball, etc. How would you secure them?
- Display items prominently throughout your abode; lock your house doors and windows each night.
- Display items prominently in multiple rooms throughout the house; install high-security locks and surveillance for individual rooms.
- Lock items in a secure safe located in a discreet location of your house, bringing them out only for the occasional show-and-tell session.
- Outsource the security — lock that stuff up at the bank!
The risk of losing any of these items would undoubtedly put a dent in your net wealth, so it’s an important choice. “A” is the riskiest solution. It places too much of the security burden on the perimeter of your home. “B” adds valuable additional layers of security, but also requires you to install the requisite tech and monitor multiple locations within the household. “C” and “D” are far better options simply because they reduce the scope of your operation by isolating the prized assets.
OK, here’s the part where I spell out the analogy, assuming the title of the post hasn’t already spoiled it: The above scenario broadly mirrors the right (C & D) and wrong (A & B) strategies for protecting sensitive data stored or processed on a network.
But there’s a problem. Too many organizations are choosing data security strategies that look a lot like A & B, making compliance and robust information security way more difficult (and expensive) than it needs to be.
Consider PCI DSS, the compliance standard for safeguarding credit cardholder data. Any organization that stores, processes or transmits this data must adhere to 12 core requirements (each broken into many sub-requirements) covering items like network security controls such as firewalls, access controls, clearly defined policies and vulnerability management. Those that fail to comply risk fines passed down from the card brands through their acquiring bank, or worse, a data breach that tanks their brand and puts consumers at risk.
The easiest way to knock off most items on the PCI DSS list follows our examples in C and D — it’s all about efficient isolation.
PCI and Network Isolation — Why it Works
Without proper isolation, every system on the network is a potential entry point, and identifying and monitoring all of those entry points for unauthorized access becomes a huge operational headache.
Remember, PCI applies to the entire cardholder data environment (CDE): the people, processes and technologies (servers, network devices, apps, etc.) that store, process or transmit cardholder data or sensitive authentication data. Systems that can connect to the CDE are in scope as well, which is why segmentation only reduces scope when it is enforced by controls that actually block that connectivity.
So we have a choice: Make sure the whole house (which includes everyone in it or with access to it) can pass a PCI DSS audit or segment the data to a highly restricted, isolated room of the house where snooping children and guests can’t enter.
The first option is simply not practical: it is too expensive, too risky and too unwieldy to monitor and manage. An isolated compute and storage environment, separated by firewalls from the rest of the network and from the internet, is the simplest option for applications and databases that touch cardholder data. Assessors do not take the segmentation on faith, either; PCI DSS requires penetration testing to confirm that the segmentation controls actually isolate the CDE from out-of-scope systems.
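To make the scope argument concrete, here is an added example (illustrative code, not INAP's tooling or anything from the PCI SSC) that models the "whole house vs. one locked room" choice as two zone-level firewall policies over a constructed inventory and reports which systems end up in PCI scope. The hostnames, zones and rules are assumptions invented for the example. The scoping rule it applies is a simplification of the PCI SSC scoping guidance: a system is in scope if it is a CDE component, or if the policy permits a connection between it and a CDE component in either direction.

```python
"""Added example: estimating PCI DSS scope from a zone-level firewall policy.

Illustrative code, not INAP's or the PCI SSC's tooling. Hosts, zones and
rules below are constructed for the example. Scoping rule (a simplified
reading of the PCI SSC scoping guidance): a host is in scope if it is a
CDE component or the policy allows a flow between it and a CDE zone.
"""
from typing import Dict, Set, Tuple

Rule = Tuple[str, str]  # (source_zone, destination_zone); "any" is a wildcard
Policy = Set[Rule]

# Constructed sample inventory: hostname -> network zone (assumed, not real data)
HOSTS: Dict[str, str] = {
    "pay-app-01": "cde", "pay-db-01": "cde",
    "web-01": "dmz", "web-02": "dmz",
    "jump-01": "admin",
    "pos-01": "store", "pos-02": "store",
    "hr-01": "corp", "laptop-17": "corp", "printer-03": "corp",
}
# Components that store, process or transmit cardholder data
CDE_HOSTS: Set[str] = {"pay-app-01", "pay-db-01"}

# Options A/B from the poll: one flat LAN, only the perimeter is locked.
FLAT_POLICY: Policy = {("any", "any")}

# Option C: the CDE is its own zone, default-deny, with a few explicit flows.
SEGMENTED_POLICY: Policy = {
    ("dmz", "cde"),     # web tier calls the payment application
    ("admin", "cde"),   # administrators come in through a jump host only
    ("cde", "cde"),     # CDE components talk to each other
    ("store", "dmz"),   # point-of-sale terminals reach the web tier, not the CDE
    ("corp", "dmz"),    # corporate users reach the web tier, not the CDE
    ("corp", "corp"),
}


def allows(policy: Policy, src_zone: str, dst_zone: str) -> bool:
    """True if any rule (honouring 'any' wildcards) permits src_zone -> dst_zone."""
    return any(
        src in (src_zone, "any") and dst in (dst_zone, "any")
        for src, dst in policy
    )


def pci_scope(hosts: Dict[str, str], cde_hosts: Set[str], policy: Policy) -> Set[str]:
    """Return the set of hosts in PCI scope under the given policy."""
    scope = set(cde_hosts)
    cde_zones = {hosts[h] for h in cde_hosts}
    for host, zone in hosts.items():
        if host in scope:
            continue
        # "Connected-to" systems: any permitted flow to or from a CDE zone
        if any(allows(policy, zone, cz) or allows(policy, cz, zone) for cz in cde_zones):
            scope.add(host)
    return scope


def cde_exposure(hosts: Dict[str, str], cde_hosts: Set[str], policy: Policy) -> Set[str]:
    """Non-CDE zones that may initiate connections into a CDE zone.

    Every zone listed here lands in the audit, so the result should be short
    and each entry should have a documented business justification.
    """
    cde_zones = {hosts[h] for h in cde_hosts}
    return {
        zone for zone in set(hosts.values()) - cde_zones
        if any(allows(policy, zone, cz) for cz in cde_zones)
    }


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        scope = pci_scope(HOSTS, CDE_HOSTS, policy)
        exposed = sorted(cde_exposure(HOSTS, CDE_HOSTS, policy))
        print(f"{name:9s}: {len(scope)}/{len(HOSTS)} hosts in scope; "
              f"zones that can reach the CDE: {exposed}")
```

Under the flat policy every host is in scope, including the HR workstation and the printer; under the segmented policy only the two CDE hosts, the two web servers and the jump host are. The `cde_exposure` list is the part an assessor will ask about: each zone in it needs a justification, and the segmentation penetration test is what confirms the real firewall behaves like the model.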
PCI, Hosted Private Clouds and Managed Security
So what about building your own fully isolated environment on-premise — like in option C?
It is a viable solution, but the downsides are significant. Maintaining these standards in a rapidly evolving threat landscape requires carefully designed infrastructure and best-practice management. Even if your organization is willing to take on the capital expenditure required to run this part of your data center, managing an isolated PCI DSS environment requires headcount, additional security technologies and a lot of time.
Rather than attempt to meet each of the 200-plus sub-requirements by yourself, partnering with a hosted private cloud and managed security provider covers substantial portions of PCI DSS. Responsibility for the controls is shared, so confirm in writing which requirements the provider attests to and which remain yours. INAP customers save dozens of hours preparing for an audit, all the while benefiting from an enterprise compute environment tailored to their workload performance demands.
Updated: January 2019