Security and Compliance for Financial Services
Automating regulatory compliance assurance, audit control, and asset protection in private clouds
Financial services institutions are among the most heavily regulated in the world. Laws and regulations covering this sector govern many aspects of business operations. The Sarbanes-Oxley Act (SOX) requires strict controls for IT systems used to process financial information for auditors and public reports. The Gramm-Leach-Bliley Act (GLBA) requires protection of sensitive consumer financial and account data. The PCI Data Security Standard requires protection of consumer cardholder data. The Health Insurance Portability and Accountability Act (HIPAA) requires protection of personally identifiable health data. And there are many others. Financial institutions have implemented many IT security controls to address these requirements, but there’s a new requirement that traditional IT controls are unable to address with certainty: protecting sensitive data in the cloud.
Challenges of Compliance for Virtual Environments
Most financial institutions are rapidly adopting virtualization technology for hardware consolidation, reducing costs and speeding deployment of applications. The use of virtualization to create private clouds, however, also poses challenges for security and compliance. Traditional physical security components that are usually deployed at the network edge are difficult if not impossible to effectively monitor and control virtual components. This complicates virtual data protection, makes continuous monitoring difficult, and prevents the ability to deterministically enforce policies in the cloud for compliance. For these reasons, it is vital for financial institutions using virtual technology to adopt a tool like Catbird vSecurity to protect cardholder data within that environment.
Benefits of Catbird for Compliance
Catbird vSecurity is a unique solution engineered to automate seamless, comprehensive security and compliance for organizations with sensitive data in virtual environments. Catbird provides three major benefits:
- Segments Environments with Sensitive Data Catbird vSecurity enables easy segmentation of sensitive data in a virtual environment with its logical zoning container called a TrustZone. By dragging and dropping virtual assets on the data plane into TrustZones, the assets automatically inherit security policies set for the containers (similar to how Microsoft Active Directory assigns policies to its objects).
- Automatically Maps & Manages All Virtual Assets With TrustZones, Catbird provides precise visibility and management of all virtual networks, network devices and system components. This includes a perfect inventory of all assets as they are turned on or off in the dynamic virtual environment – including mapping capability that diagrams all sensitive data flows across systems and networks.
- Automatically Enforces & Documents Compliance Policies Security policies are automatically assigned by Catbird vSecurity to all virtual assets placed in TrustZones, which enables the solution to automatically and deterministically enforce those policies to protect cardholder data wherever it may be processed, stored or transmitted in the virtual environment. For example, Catbird automatically executes virtual firewall policies such as blocking, alerting and quarantining according to respective regulatory framework. Catbird vSecurity uses the same control frameworks as auditors, so its virtual network diagrams, Net Flow maps and operational reports instantly provide “audit-ready” documentation whenever you need it.
How Catbird Helps Businesses Meet Audit Requirements
Catbird vSecurity maps the compliance posture of a virtual data center to PCI security controls and produces real-time audit diagrams.
Catbird vSecurity automatically maps its security and enforcement policies to frameworks relevant to financial institutions, including:
- Control Objectives for Information Related Technology (COBIT) used for Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley Act (GLBA) compliance.
- Payment Card Industry (PCI) Data Security Standard (DSS) v.3.0 used for PCI compliance.
- The U.S. Dept. of Health and Human Services Privacy and Security Framework used for Health Insurance Portability and Accountability Act (HIPAA) compliance.
These policies are automatically assigned by Catbird vSecurity to all virtual assets placed in TrustZones, which enables the solution to automatically and deterministically enforce those policies and protect sensitive data wherever it may be processed, stored or transmitted in the virtual environment.
Catbird vSecurity uses the same control frameworks as auditors, so its virtual network diagrams, Net Flow maps and operational reports instantly provide “audit ready” documentation whenever you need it.
Learn More About Catbird and Compliance Requirements
From ISACA (formerly Information Systems Audit and Control Association)
From the PCI Security Standards Council
From the U.S. Dept. of Health and Human Services
Privacy and Security Framework - Overview
Contact us for more information.
Take a test drive of Catbird vSecurity.