By: Brien M. Posey
Companies that accept credit card payments are required to comply with a set of regulations collectively known as the Payment Card Industry Security Standard, or PCI. The PCI regulations establish requirements for how organizations must protect cardholder data, and what those organizations must do to keep their networks secure.
From an IT perspective, maintaining PCI compliance can be quite challenging, given the scope of the regulatory requirements. This is especially true in larger companies because of the sheer volume of IT resources they must protect. VMware’s vRealize Network Insight, which provides visibility into networks, can help with this challenge.
The Enterprise Edition of vRealize Network Insight features a PCI Compliance dashboard that compares an organization’s NSX environment against the PCI requirements. This can help an organization detect network-level compliance deficiencies.
The PCI Compliance Dashboard
You can access the PCI Compliance dashboard by going to the Plan & Assess menu, and then on to PCI Compliance. From there, you simply choose the required scope, the entry you want to examine, and the appropriate duration; then click the Assess button, and you’ll be taken to the PCI Compliance dashboard (see Figure 1).
The PCI Compliance dashboard provides access to information related to your compliance initiatives. The information accessible from this screen includes:
- A network flow diagram that provides a graphical view of the relevant data flows, connections, firewalls, and other details
- A list of the flows that appear in the Network Flow diagram
- Network flows with clear-text protocols
- Virtual machine security groups
- The number of virtual machines included in each security group
- The number of virtual machines to which a specific security tag has been applied
- The firewall rules that have been applied to internal traffic flowing between virtual machines (within the selected scope)
- The firewall rules that have been applied to traffic flowing between the virtual machines within the selected scope and virtual machines that fall outside of the selected scope
- Any changes that have been made to security tags
- Any changes that have been made to security groups
- Any changes that have been made to firewall rules
Creating a PDF Report
As helpful as the information from the Compliance dashboard may be, there’s more to maintaining PCI compliance than just searching for deficiencies. Larger organizations are usually required to prove that their IT resources are configured in a compliant manner.
With vRealize Network Insight, administrators can put all the information presented in the Compliance dashboard into a PDF file, which can be used as a historical record of an organization’s compliance initiatives. It can also be given to auditors as evidence of an organization’s compliance.
Creating this PDF file is a relatively simple process. From the PCI Compliance dashboard, click the Export to PDF link. This will open a display window that lists all of the various properties you can include in the report. Make your selections, add a title to the report, click the Preview button, and then the Export PDF button.
The process for creating a PCI compliance-related PDF file is simple and relatively intuitive, but there are a few limitations. For example, the title you assign the report can’t exceed 200 characters (this probably won’t be an issue for most people).
More importantly, when you’re creating a PCI compliance report, you’ll generally need to be selective about the information you include. You can select a maximum of 20 properties for inclusion, and the report can’t exceed 50 pages. This means that if you have a large network, you may need to select fewer than the maximum allowable number of properties, just to keep the report from exceeding its maximum page count.
One last thing you need to know about the report creation process is that there are some widgets for which there are no properties to select. If you want to include data from one of these widgets in your report, you’ll simply need to specify the number of entries you want to export. You can export up to 100 entries.
Keep the Auditors Happy
As you can see, vRealize Network Insight can be a useful tool for maintaining PCI compliance. It can help you spot potential compliance issues, while also giving you the ability to generate PDF reports you can share with auditors.