In his Dark Reading post, John Sawyer points out that PCI is not an end goal, but a process. I could not have said it any better. As part of the Palo Alto Networks marketing team, I get countless requests from our sales team to describe our PCI solution story. “We need a PCI datasheet!” or “I need a PCI presentation!” And no matter how many times we tell them that PCI compliance is a combination of technology and best practices, the demands continue. Until recently, that is.
The October 2008 update to the PCI DSS documentation states that companies can reduce the cost and complexity of PCI compliance by using network segmentation to isolate the cardholder data in a secure segment. So what, you ask?
Well sure, many technologies can segment the network, and the way we do it is through the use of security zones as a logical container for physical interfaces, IP address ranges, VLANs and so on. And this is where we are very different from any other security technology out there. We are the only firewall that can control which specific applications (not ports) have access to the zone that contains the cardholder data. And we can do this based on the user info in Active Directory. Here too, no other firewall can do this—they all still use IP addresses or rely on a secondary piece to perform the user control.
What does this mean to me and my marketing colleagues? It simplifies our lives and it presents us with a huge opportunity. It means that our sales team can talk to a customer in a very specific and intelligent manner about their PCI compliance and how we can help. The customer can use our firewall to isolate the cardholder data using security zones. Policies are then applied to control access based on the application (such as Oracle, Sybase, SQL Server) and the user. Optionally, high-speed, inline threat prevention and data filtering can be applied to the zone with the cardholder data as an added layer of security. We are not a PCI compliance solution – no one is – but we can help in a more specific and granular manner than any other firewall on the market. Learn more about it here.
Thanks for reading.