
How to Cover 6 Core Areas of PCI Compliance with Armis and Akamai


Written by

Marco Raffaelli

May 12, 2022

Cybercriminals are financially motivated

It’s well-known that sophisticated cybercriminals are financially motivated. Given the eye-popping amounts organizations pay to restore systems and data, ransomware continues to dominate headlines. But organizations that process consumer and payment card industry (PCI) data need to worry about a lot more than ransomware; they need to be ready for any form of attack that could enable malicious actors to access sensitive information.

To meet a standard of security in the PCI space, enterprises have traditionally deployed IT controls that comply with the payment card industry data security standard (PCI-DSS) to ensure they have strong access controls, vulnerability assessment, file integrity monitoring, log monitoring, antivirus features, and other controls. These controls work well for more conventional conditions. But in the midst of digital and wireless transformation, migration to the cloud, and the proliferation of Internet of Things (IoT)–enabled devices, attackers are focused on a new front of vulnerability. This includes a new breed of unmanaged devices that is always on, always connected, and contains many options for transferring data.

Armis and Akamai Segmentation help you meet PCI-DSS compliance requirements

Armis, a unified asset intelligence platform, and Akamai Segmentation, a Zero Trust host-based network segmentation platform, can help you meet PCI-DSS compliance requirements. Our joint solution can document, monitor, and enforce policy on all devices in the cardholder data environment, including those that are beyond the reach of traditional controls, such as endpoint security or network firewalls.

Here are six ways our combined solution supports PCI-DSS compliance requirements:

1. Building and maintaining a secure network

Using the combined Armis and Akamai solution, organizations can identify all connections among the cardholder data environment and other networks. This includes the systems that process and store the data, whether in the cloud or on-premises, as well as network connectivity paths, such as wired, Wi-Fi, Bluetooth, and common IoT protocols. This helps organizations identify all unintended connections, including connections to rogue access points, network bridging, and direct device-to-device connections or pairing.

To help maintain your firewall configuration, Akamai’s intuitive policy management features let you manage the security policy for every asset, connection, and workload in your environment (including the IoT assets seen by Armis) from one UI. Akamai’s host-based firewall extends its security capabilities to the data center and cloud servers, ensuring that sensitive cardholder data remains protected as it moves through your environment. By segmenting your network down to the process level and leveraging sophisticated breach detection features, you keep the data centers holding cardholder data closely monitored for malicious behavior, while the attack surface reduction measures significantly limit the possibility of cardholder data being exposed.

Leveraging these network visibility and policy enforcement features makes it easy to maintain a secure network and firewall configuration while taking comprehensive actions to significantly reduce your attack surface. 

2. Protecting cardholder data

The joint offering provides a complete solution for protecting cardholder data both when stored and when in transit. You can deploy Akamai’s agent in a wide variety of environments and on nearly any operating system. Whether you’re storing cardholder data in a bare-metal server or in a public cloud environment, such as AWS, GCP, or Azure, Akamai provides visibility into and security of the data.

When sensitive data is transmitted across your environment, the DSS requirement mandates that wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. Armis can detect and alert you to unencrypted Wi-Fi traffic within the cardholder data environment, while Akamai’s process-level visibility at layer 7 provides additional detail into encryption status. Combined, the joint solution provides full coverage of this DSS requirement. 

3. Maintaining a vulnerability management program

The Armis platform includes a risk analysis engine that highlights which assets in your environment, both on and off your network, are vulnerable. The numerical risk score ranges from 1 to 10 and is based on asset type, behavior, operating system, connections, reputation, version, and other factors. The scope includes all assets in your environment, including noncomputing assets, such as point-of-sale assets, building automation assets, routers, switches, and more.

Akamai Segmentation ingests these risk scores from the Armis risk analysis engine and enables you to isolate assets or kill connections if a device is seen as high risk. You can granularly segment all systems and assets, even if they are not high risk, to help maintain a minimized attack surface and mitigate malicious lateral movement. This allows you to execute software-defined segmentation policies that keep these systems safe without negatively affecting business productivity. Additionally, the flexibility of the Akamai agent, which you can deploy on any type of environment, whether it's on-premises, hybrid cloud, or multicloud, gives you the option to migrate systems to the cloud and scale your PCI infrastructure with ease.
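As an added illustration, not Armis or Akamai product code, the block below sketches how the 1-to-10 risk scores from section 3 could gate segmentation decisions, and how the unintended and unencrypted connections into the cardholder data environment described in sections 1 and 2 would be surfaced. The asset names, the `HIGH_RISK` threshold, the `evaluate` function and the sample traffic are all assumptions constructed for the example.

```python
# Added illustration, not Armis or Akamai code: a hypothetical policy evaluator
# that maps per-asset risk scores (1-10) and observed connections to actions.
from dataclasses import dataclass

HIGH_RISK = 8  # assumed cut-off; the page names no specific threshold

@dataclass(frozen=True)
class Asset:
    name: str
    risk: int        # 1 (low) .. 10 (high), as an Armis-style engine would rate it
    in_cde: bool     # inside the cardholder data environment

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    medium: str      # "wired", "wifi", "bluetooth"
    encrypted: bool = True

def evaluate(assets, connections, allowed_pairs):
    # Returns one (connection, action, reason) tuple per observed connection.
    by_name = {a.name: a for a in assets}
    out = []
    for c in connections:
        s, d = by_name[c.src], by_name[c.dst]
        if not (s.in_cde or d.in_cde):
            out.append((c, "allow", "outside CDE scope"))
        elif max(s.risk, d.risk) >= HIGH_RISK:
            out.append((c, "isolate", "high-risk asset on a CDE path"))
        elif c.medium != "wired" and not c.encrypted:
            out.append((c, "block", "unencrypted wireless path into CDE"))
        elif (c.src, c.dst) not in allowed_pairs:
            out.append((c, "alert", "unintended connection into CDE"))
        else:
            out.append((c, "allow", "matches segmentation policy"))
    return out

# Constructed sample inventory and traffic (not real data).
SAMPLE_ASSETS = [Asset("pos-01", 3, True), Asset("payment-db", 2, True),
                 Asset("hvac-ctl", 9, False), Asset("guest-laptop", 4, False),
                 Asset("hr-app", 2, False), Asset("mail", 2, False)]
SAMPLE_CONNECTIONS = [Connection("pos-01", "payment-db", "wired"),
                      Connection("hvac-ctl", "payment-db", "wired"),
                      Connection("guest-laptop", "pos-01", "wifi", encrypted=False),
                      Connection("guest-laptop", "payment-db", "wired"),
                      Connection("hr-app", "mail", "wired")]
ALLOWED_PAIRS = {("pos-01", "payment-db")}

def sample_decisions():
    return evaluate(SAMPLE_ASSETS, SAMPLE_CONNECTIONS, ALLOWED_PAIRS)
```

Run `sample_decisions()` to see the five verdicts: the high-risk building automation controller is isolated, the unencrypted Wi-Fi path to the point-of-sale asset is blocked, and the unlisted wired connection to the payment database is raised as an unintended connection.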

4. Using intrusion detection and prevention techniques to stop malicious access

Unlike many segmentation offerings available today, Akamai provides numerous intrusion prevention and threat mitigation capabilities. The host-based solution continually monitors environments for the latest malware and vulnerabilities served up from Akamai Threat Labs. This includes:

  • Dynamic deception capabilities that identify attacker methods without disrupting the performance of your cloud or data center

  • Reputation analysis capabilities that recognize suspicious domain names and IP addresses within data flows

  • Instant recognition of unauthorized communications and traffic based on policy violations

Additionally, you can automate responsive measures based on this information by:

  • Exporting incidents of compromise to block and contain attacks

  • Easily updating segmentation policies to remediate policy violations

  • Suspending or disconnecting virtual machines to prevent lateral movement of malware

Armis complements these capabilities by monitoring network traffic to detect anomalies in asset behavior based on intelligence from the world’s largest device knowledge base, which monitors the behavior of more than 2 billion devices on an ongoing basis. Deviations may be related to device misconfigurations; a policy violation; abnormal behavior, such as an inappropriate connection request; unusual software running on a device; or threat intelligence that indicates that the device has been compromised.

5. Regularly monitoring and testing networks

Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

The full picture of your environment provided by the Armis and Akamai integration helps to check this compliance box as well. Get a clear picture of all the connections to servers, devices, and more, and make adjustments to your security policy as needed to maintain the integrity of the environment. 

Researchers are always discovering vulnerabilities that are being introduced by new software. That’s why it’s so important to frequently test system components, processes, and custom software to be sure security controls continually reflect an evolving environment. 

Armis continuously monitors the local airspace and automatically detects and alerts you to the presence of any unauthorized access points on or near to the enterprise network. Rogue access points near the enterprise network represent a very high risk as they could provide a path for data exfiltration that bypasses traditional network firewalls and PCI controls. Armis also monitors for a wide variety of intrusion techniques, bridges, or unsafe connections that could expose cardholder data. 

The Armis platform can automatically implement incident response procedures in the event that unauthorized wireless access points are detected — including alerting administrators and/or blocking unauthorized communication. It can also automatically isolate unauthorized wireless access points that are either connected to the enterprise network or near the enterprise network. The latter condition represents a much higher risk as it could be a direct path for data exfiltration that bypasses traditional network firewalls.

6. Maintaining an information security policy

Although the design and enforcement of an infosec policy is best left in the hands of the team running the environment, Akamai and Armis can be an essential part of the security stack that helps maintain this policy. Maintaining the integrity of customer data is paramount to keeping the trust of your customers, as even a small breach or exposure of this data can negatively impact your organization’s reputation and relationship with customers.

Limiting the possibility of malicious lateral movement across the organization is a core capability of Akamai Segmentation, and greatly reduces the possibility of a widespread breach or a ransomware attack that unravels throughout the majority of your environment. Combined with the visibility the Armis platform provides into all IoT assets, servers, and connections — along with the ability of the administrator to kill connections that are unwarranted and restrict user access as needed — the joint Armis and Akamai capabilities provide robust protections. Guided by a Zero Trust approach, and the default assumption that any connection or user might have bad intentions, segmenting the environment down to the process level keeps harmful events isolated. Much like the compartments of a ship protect an entire ship from flooding and subsequently sinking, Akamai’s granular network segmentation keeps breaches contained. 

To learn more about how Akamai and Armis work in tandem to protect your PCI systems and environments, check out the detailed solution brief.
