Software-defined wide area networking (SD-WAN) technologies are transforming the way enterprises approach connectivity and the implementation of security functions for branch and retail locations. These technologies give organizations greater flexibility, visibility and control of both satellite location networks and their connections to enterprise resources. At the same time, they can minimize wide area network (WAN) costs by reducing the reliance on expensive multiprotocol label switching (MPLS) circuits.
Simply, SD-WAN provides an opportunity to improve security and performance while reducing cost. As entities with Payment Card Industry Data Security Standard (PCI DSS) compliance obligations re-engineer their networks to obtain compliance or update technologies within an existing payment card industry validated environment, they should seriously consider the potential benefits and impacts of SD-WAN.
Consider SD-WAN for Every Branch or Store Refresh
Rather than using traditional methods for branch network design, security and network teams should consider a strategic approach focused on SD-WAN technologies. Satellite locations are no longer limited to MPLS circuits for connectivity or the internet service provider’s (ISP) router implementation for security, which has historically been a source of complexity in PCI compliance programs. Now, SD-WAN edge devices can be deployed to stores or branches to create a transport-independent secure network overlay that is managed and orchestrated through a centralized console.
The edges can utilize multiple public circuits, such as cable, digital subscriber line (DSL) or cellular connections, to establish the overlay network. Alternatively, a combination of public and private circuits can be used to establish a hybrid network. This means that bandwidth requirements for pricey MPLS circuits can be reduced, or MPLS can be completely removed while the SD-WAN technology actively leverages all available transport.
Many SD-WAN solutions offer security services at the edge and in the cloud that can be easily provisioned and integrated into the overlay network. For example, next-generation firewall capabilities can be enabled on the edge device to support PCI network segmentation, and non-PCI internet browsing traffic can be steered to cloud-based web security providers for inspection.
Some SD-WAN solutions allow traffic shaping and steering with very granular application-based policies. Such functions can support an organization’s PCI compliance posture and improve performance by eliminating the need to backhaul internet or cloud-bound traffic to the data center.
SD-WAN Technologies Are Just Additional System Components
The most important aspect of a PCI compliance program is to accurately define and maintain the scope of the compliance obligation. According to the PCI DSS 3.2, “The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.”
In this respect, the use of SD-WAN technologies within a PCI-relevant environment merely introduces additional system components that must be considered as part of the compliance approach. Entities must understand the role each component plays, as well as how the edges, cloud gateways and orchestrator could impact PCI compliance scope or status.
Leverage the SD-WAN Edge to Reduce Scope and Enforce PCI Requirements
The SD-WAN edge device can form the boundary of the cardholder data environment (CDE) through its native next-generation firewall capabilities or by running a virtualized firewall on the device from within its partner ecosystem. Segmentation of PCI-relevant network segments, such as those with point-of-sale (POS) terminals or ATMs, from the rest of the network can help reduce PCI compliance scope. Additionally, the ability to make application-based traffic-steering decisions provides direct control of data flows and, therefore, an opportunity to shape the intended PCI scope.
The core function of an SD-WAN is to establish a secure overlay between edge devices at branches, data centers and any cloud gateways. Ensure that the underlying encryption algorithm aligns with an industry standard such as the Advanced Encryption Standard (AES). In this way, PCI requirements for protecting cardholder data in transit can easily be addressed, since all traffic from the branch edge can be secured using strong cryptography that is decoupled from the underlying ISP’s implementation. This facilitates the consistent application of security controls, simplifying the PCI validation process. Depending on the business model in place, such an enforcement of security controls independent of WAN transport could provide some autonomy to the satellite locations in the form of an optional bring-your-own-broadband program.
Like all system components, edge devices must be protected from physical tampering and support relevant PCI DSS requirements, including those for secure configuration, access control and logging. If relying on the edge device to define the boundary of the CDE, evaluate the native firewall capabilities and determine whether additional third-party services are required for functions such as intrusion prevention.
SD-WAN edges typically perform some type of WAN performance remediation. It is important to validate whether such functions might result in cardholder data being written to flash memory or disk. If so, ensure compliance with requirements for the secure storage of cardholder data. Smaller edge form factors might include onboard wireless radios, which must be disabled if not in use or included within the overall compliance architecture.
Finally, depending on the SD-WAN vendor, the edge may be deployed as a hardware appliance, or in a virtual form factor on an existing hypervisor or network device. If deploying a virtual edge, evaluate the PCI implications for the underlying host and other hosted virtual machines.
Understand the Impact of Cloud Gateways
Proper PCI scope definition requires a detailed understanding of the step-by-step flow of cardholder data, including where encryption and decryption occurs. This does not change in an SD-WAN architecture. As part of their service offering, SD-WAN vendors may use multitenant cloud gateways to steer traffic to the internet or optional cloud-based security services, provide direct access to cloud infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) resources, or connect edges to sites without another edge device.
In each of these cases, the cloud gateway terminates the secure tunnel from the branch and, depending on the destination, may establish a standard internet protocol security (IPsec) tunnel to connect to a site without an SD-WAN edge device. If used for PCI-relevant data flows, this type of transition may have scoping consequences, since the cloud gateway device is temporarily processing cleartext cardholder data in memory.
The gateway would be considered a PCI system component within a CDE. Because it is managed by the SD-WAN vendor, this may establish a PCI service provider relationship, drastically increasing the complexity of the compliance obligation and validation process. This issue can be avoided by ensuring that cardholder data is directly passed between SD-WAN edges or by encrypting cardholder data end-to-end at the application layer for traffic routed through the cloud gateways. In any case, it is critical to understand the technical details of each data flow to appropriately determine PCI impacts.
Decide on the Orchestration Layer Format
The brains behind the SD-WAN overlay is the orchestration layer, typically comprised of a web-based console and associated network controllers. Because these components can impact the configuration and security of the SD-WAN environment, they would also be considered in PCI scope. The centralized nature of the orchestrator can make PCI-mandated governance processes such as firewall rule-set reviews and the consistent application of configuration standards more efficient.
Depending on the provider, these components might be deployed on-premises or in a vendor-managed single or multitenant format, each of which has its own PCI implications. In vendor-managed scenarios, the controllers may be the same devices as the cloud gateways mentioned previously. This means that the cloud gateways are potentially used for control-plane and data-plane communications, both of which must be considered when determining PCI scope. Depending on the format and configuration options chosen, the SD-WAN vendor may be considered a PCI service provider. As such, responsibilities for compliance with PCI requirements must be clearly defined between the service provider and the SD-WAN customer.
Don’t Forget About P2PE
Regardless of the WAN architecture, merchants should always consider using PCI-validated point-to-point encryption (P2PE) solutions to protect payment transactions and drive scope reduction. In an environment that only supports data flows originating from a point-of-interaction device at the point of sale, the use of an approved P2PE solution may remove the SD-WAN technology from the scope. In this case, the financial, performance and security benefits of the SD-WAN technology can be leveraged outside of the compliance mandate.
In practice, even the use of P2PE technologies may not descope other branch infrastructure, particularly in complex environments with various data flows. In such cases, the SD-WAN solution might become part of the CDE, or support the security of the CDE and cardholder data. It would then be subject to PCI requirements.
Start an SD-WAN Pilot Today
SD-WAN is an exciting technology that can reduce costs while improving security and supporting PCI compliance. The first step in an SD-WAN transformation is to create a financial business case, then start a pilot on a sample of representative satellite locations. A consulting and integration partner that has experience with this emerging technology, and is also a PCI Qualified Security Assessor Company, can help you throughout this process.
Senior Managing Consultant, IBM