Wednesday, December 2, 2015

Segmentation Checking for PCI Requirement 11.3.4

PCI 3.0 introduced Requirement 11.3.4: “If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.” The PCI DSS v3.0 Requirements and Security Assessment Procedures Testing Procedures specified for Requirement 11.3.4.a also states “Examine segmentation controls and review penetration-testing methodology to verify that penetration-testing procedures are defined to test all segmentation methods to confirm they are operational and effective, and isolate all out-of-scope systems from in-scope systems.” 

This requirement is intended to verify that network segments documented as out-of-scope are truly out-of-scope and that this has been verified by someone with a degree of technical expertise. The scary parts of this standard are the “All segmentation methods” and "all out-of-scope systems from in-scope systems.” That could be quite a task depending on the number of methods used to provide segmentation and the number of out-of-scope systems.

Fortunately, the Special Interest Group on Penetration Testing, of which I was honored to be the co-proposer and a lead contributor,  was in the midst of finalizing its guidance. Recognizing that, as written, this requirement could place an unrealistic burden on Merchants and Service Providers, we were able to work with the Council to provide the option for sampling. This excerpt from the guidance addresses 11.3.4:

Segmentation Checks
"PCI DSS Requirement 11.3.4 requires penetration testing to validate that segmentation controls and methods are operational, effective, and isolate all out-of-scope systems from systems in the CDE. Therefore, a robust approach to penetration testing is recommended to satisfy this requirement by actively attempting to identify routes and paths from networks outside the CDE into the CDE. All segmentation methods need to be specifically tested. In very large networks, with numerous internal LAN segments, it may be infeasible for the penetration tester to conduct specific tests from every individual LAN segment. In this case, the testing needs to be planned to examine each type of segmentation methodology in use (i.e., firewall, VLAN ACL, etc.) in order to validate the effectiveness of the segmentation controls. The level of testing for each segmentation methodology should provide assurance that the methodology is effective in all instances of use. In order to effectively validate the segmentation methodologies, it is expected that the penetration tester has worked with the organization (or the organization’s QSA) to clearly understand all methodologies in use in order to provide complete coverage when testing."

As long as the testing provides assurances that the segmentation methodology is effective, testing from every individual LAN segment is not necessary. My recommended approach is to perform testing from network segments where privileged users securely access the CDE and sample a reasonable number of all other segments for each type of segmentation methodology in use. This will meet the requirement without putting undue burden on the client while providing the assessor  or auditor with sufficient information on which to base a determination of segmentation effectiveness.