Reduce Time, Effort, and Cost Associated with Compliance Audits

Compliance Audits Can be Painful

The software-defined data center is gaining ground as virtualization of data centers becomes mainstream. Organizations benefiting from the flexibility and economic advantages of virtualization also have to consider the impact of virtualization on compliance. Most organizations still handle compliance requirements as a standalone project with dedicated resources. Each compliance standard and mandate is analyzed and broken down into individual control objectives. For each of those, the organization manually validates whether controls are in place and gathers proof that the control indeed functioned as intended. While this approach may get you through an audit, it is a very time-consuming and costly way of addressing compliance requirements and associated audits. Catbird® provides continuous cloud compliance: automated, monitored, enforced, and proven. Government agencies, financial institutions, healthcare and other regulated organizations are increasingly being tasked with addressing regulatory compliance requirements upfront when mapping out their deployment strategies. By identifying and addressing compliance challenges early on, plans can continue on schedule and new data centers can be even more secure than traditional ones.

Catbird – automated control monitoring and enforcement

Virtualized security can bring significant assistance to achieving compliance. The benefits of encapsulation and isolation have enabled Catbird to provide the monitoring and control that make compliance more attainable, and the auditing to help provide proof of compliance. Catbird’s compliance-aware approach automatically validates the compliance requirements, providing demonstrable evidence of compliance. Catbird offers the broadest set of automated compliance measurements in the industry as well as auditor-ready reports and visualization. Catbird Secure includes default policies for the following compliance frameworks:

PCI DSS 3.0 

All merchants and financial institutions that store, process or transmit payment cardholder data must comply with the Payment Card Industry Data Security Standard (PCI DSS) 3.0. This includes virtualization technology and the use of private clouds. Traditional physical security components that are usually deployed at the network edge make it difficult if not impossible to effectively monitor and control virtual components. It is vital for organizations using virtual technology in the Cardholder Data Environment (CDE) to adopt a software-defined security technology like Catbird Insight and Catbird Secure to protect cardholder data within that environment.

"If I had Catbird last year, it would have saved us $2M in audit costs." CISO at Top 10 Financial Institution

How Catbird Helps PCI Compliance

Catbird Insight and Catbird Secure form a unique solution engineered to automate seamless, comprehensive security and PCI DSS compliance for organizations with a virtual CDE. Catbird provides three major benefits:

1. Segments the Cardholder Data Environment

Catbird Insight enables easy segmentation of the CDE in a virtual environment with its logical zoning containers, called Catbird TrustZones. By dragging and dropping the virtual assets on the data plane that relate to the CDE, you create one or more PCI-specific Catbird TrustZones.

2. Automatically maps & manages all virtual assets in the CDE

With Catbird TrustZones, Catbird provides precise visibility and management of all virtual networks, network devices and system components. This includes a perfect inventory of all assets as they are turned on or off in the dynamic virtual environment – including mapping capability that diagrams all cardholder data flows across systems and networks. This is a new requirement in PCI DSS 3.0 (1.1.3) and is fulfilled only by Catbird for organizations with a virtual CDE. 

3. Automatically enforces & Documents PCI DSS Policies

With Catbird Secure, security policies are automatically assigned to all virtual assets placed in Catbird TrustZones. By selecting the pre-defined PCI policy for the Catbird TrustZones that make up your virtual CDE, Catbird automatically and deterministically enforces those policies to protect cardholder data wherever it may be processed, stored or transmitted in the virtual CDE. For example, Catbird Secure automatically executes virtual firewall policies such as blocking, alerting and quarantining according to PCI DSS requirements. Catbird Secure policies use the same control framework as PCI Qualified Security Assessors, so its virtual network diagrams, NetFlow maps and operational reports instantly provide “audit-ready” documentation whenever you need it.


Catbird logically organizes all CDE assets into Catbird TrustZones, assigns and enforces security policies, and automatically maps NetFlow for PCI DSS compliance.


HIPAA 

Health Insurance Portability and Accountability Act (HIPAA) compliance requires a combination of trained staff and management, together with strong policies and industry leading technology. The Department of Health and Human Services (HHS) has provided a framework of control objectives for measuring HIPAA compliance. Virtualization brings positive advantages to supporting HIPAA controls and for measuring HIPAA compliance. 

"HIPAA compliance is a requirement. By choosing Catbird, we’re keeping money in the company – avoiding fines and bad press." Matthew Barrett, Jefferson Radiology

How Catbird Helps HIPAA Compliance

Catbird complements virtualization technologies by providing comprehensive support for the key controls required by the HIPAA framework and hence brings major benefits to achieving HIPAA compliance.

1. Access Controls and Virtual Administration

Virtualization collapses traditional data center roles and potentially increases the risks associated with inadequate segregation of duties. Catbird provides dual controls to support strong segregation of duties within the virtual infrastructure environment, supporting the creation of specific roles for Operations, Security, and Audit personnel. These roles are then enforceable by zone and policy.

2. Monitoring and Reporting

Catbird Insight and Catbird Secure include detailed and multi-layered device, system, service, and Internet web-application monitoring capabilities and provide standard and customizable thresholds for applicable service levels. Reports can be published for individual services, groups of services, or for all services. Real-time monitoring for service and virtual machine availability together with network flow reports may be used to inspect virtual network topologies.

3. Integrity Management

Catbird Secure provides policy-driven security with configuration baselines. This includes security services, alerts, and reporting to monitor events, detect attacks, validate configurations, and protect against unauthorized changes and unauthorized use.

4. Risk Assessment

Support for continuous and periodic assessment of quantitative technical risks to the IT infrastructure assists in the provision of risk reporting. These assessments are available by asset, asset type, zone, site, or any other custom portfolio.

5. Test Environments

Catbird supports manual and automated controls with monitoring and reporting of the integrity of test environments. Catbird TrustZones may be configured to simplify comparison of production and development environments to ensure configuration consistency and integrity.

Catbird is the only product that addresses the key HIPAA controls needed for HIPAA compliance. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting appropriate personnel, and enabling optional quarantine of offending virtual machines. No other vendor can deliver the breadth and depth necessary for HIPAA compliance from within the virtual infrastructure.

Catbird includes the following features supporting HIPAA compliance in the virtual data center:

  • Default HIPAA specific policies and reports built upon Catbird Secure technical controls that are automatically mapped to the appropriate HIPAA controls. Catbird monitors, audits and enforces more HIPAA controls than any other vendor.
  • Enforcement of network access and traffic flow controls even in a flat network—significantly reducing the scope and cost of audit and compliance requirements.
  • Automatic quarantine of out-of-policy or compromised Virtual Machines to prevent breach of data center security.
  • Network segmentation.
  • Continuous vulnerability management.
  • Continuous monitoring and configuration validation of Catbird TrustZones.
  • Change audit and compliance enforcement.
  • Specific HIPAA security policies designed for optimal protection of the management network and other hypervisor management components.


FISMA

U.S. Federal agencies are embracing virtualization as a way to cut costs and comply with the government mandate toward greener computing. But U.S. Federal agencies are also subject to regulations and controls that are impacted by virtualization. The Federal Information Security Management Act (FISMA) reinforces the security of federal information systems, networks, and information. FISMA lays out a specific set of security best practices and guidelines from authoritative security sources like the National Institute of Standards and Technology (NIST). NIST SP 800-53 rev3 requires each federal agency to develop, document, and implement an agency-wide program for information security. For virtualization projects within Federal agencies, compliance with established SP 800-53 risk management processes and controls is required by FISMA.

The latest NIST update (SP 800-53 rev4) is focused on a continuous monitoring approach, which is perfectly matched with Catbird real-time and continuous compliance monitoring. For more information, watch our webinar New NIST Guidelines for Virtualization Security.

Virtualization’s Impact on FISMA

A number of security and compliance gaps specific to FISMA compliance are introduced in the move from physical to virtual infrastructure. Those gaps include:

  • Loss of visibility on the virtualized network
  • Loss of separation of duties and secondary controls on the virtual network
  • The introduction of virtual machine mobility
  • Lack of network segmentation

The table below, put together by Catbird, specifically identifies and analyzes the new risks introduced in the data centers of federal agencies as a consequence of virtualization. Virtualization affects many of FISMA's information security controls.

How Catbird Helps FISMA Compliance

Catbird Insight and Catbird Secure mitigate or remedy the FISMA compliance controls negatively impacted by virtualization. Catbird’s compliance monitoring and enforcement provide a real-time, ongoing, automated analysis of an agency’s FISMA compliance status, with a risk impact score based on the effect of virtualization. Agencies may use this information, in conjunction with their own risk management framework, to determine the impact of virtualization on their own baseline security controls.

Catbird Insight and Catbird Secure ease compliance with FISMA by:

  • Analyzing virtual (and physical) infrastructure against FISMA requirements, identifying any out-of-compliance settings.
  • Instantly taking “offline” any virtual machine deemed out of compliance with FISMA policy via Catbird’s automated quarantine mechanism.
  • Alerting IT to unauthorized or improper changes to virtual infrastructure that will negatively impact FISMA compliance.
  • Providing detailed, real-time reporting on FISMA compliance posture for agency directors, government regulators and IT staff.
  • Delivering third-party, documented proof of FISMA compliance for auditing purposes.


SOX

The Sarbanes–Oxley Act (SOX) is a US federal law that set new or enhanced standards for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, for example the wilful destruction of evidence to impede a Federal investigation. The sections of the bill cover the responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and required the Securities and Exchange Commission to create regulations defining how public corporations are to comply with the law.

SOX compliance requires a combination of trained staff and management, together with strong policies and industry leading technology. Most auditors have adopted the Control Objectives for Information and Related Technologies (COBIT) framework of control objectives as the de facto framework for measuring SOX compliance.

How Catbird Helps SOX Compliance

Virtualization brings positive advantages to supporting compliance frameworks. Catbird provides comprehensive support for the key controls required by the COBIT framework and hence brings major benefits to achieving SOX compliance.

1. Access Controls and Virtual Administration

Virtualization collapses traditional data center roles and potentially increases the risks associated with inadequate segregation of duties. Catbird provides dual controls to support strong segregation of duties within the virtual infrastructure environment, supporting the creation of specific roles for Operations, Security, and Audit personnel. These roles are then enforceable by zone and policy.

2. Monitoring and Reporting

Catbird includes detailed and multi-layered device, system, service, and Internet web-application monitoring capabilities and provides standard and customizable thresholds for applicable service levels. Reports may be published for individual services, groups of services, or for all services. Real-time monitoring for service and virtual machine availability together with network flow reports may be used to inspect virtual network topologies.

3. Integrity Management

Catbird provides policy-driven security with configuration baselines. This includes security services, alerts, and reporting to monitor events, detect attacks, validate configurations, and protect against unauthorized changes and unauthorized use.

4. Risk Assessment

Support for continuous and periodic assessment of quantitative technical risks to the IT infrastructure assists in the provision of risk reporting. These assessments are available by asset, asset type, zone, site, or any other custom portfolio.

5. Test Environments

Catbird supports manual and automated controls with monitoring and reporting of the integrity of test environments. Catbird TrustZones may be configured to simplify comparison of production and development environments to ensure configuration consistency and integrity.

Catbird Insight and Catbird Secure address the key COBIT controls needed for SOX compliance. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting appropriate personnel, and instituting an optional quarantine of offending virtual machines. No other vendor can deliver the breadth and depth necessary for SOX compliance from within the virtual infrastructure.

Catbird includes the following features for achieving SOX compliance in the virtual data center:

  • Default COBIT specific policies and reports built upon Catbird controls that are automatically mapped to the appropriate COBIT controls. Catbird monitors, audits, and enforces more COBIT controls than any other vendor.
  • Enforcement of network access and traffic flow controls even in a flat network—significantly reducing the scope and cost of audit and compliance requirements.
  • Automatic quarantine of out-of-policy or compromised Virtual Machines to prevent breach of data center security.
  • Network segmentation.
  • Continuous vulnerability management.
  • Continuous monitoring and configuration validation of Catbird TrustZones.
  • Change audit and compliance enforcement.
  • Specific COBIT security policies designed for optimal protection of the management network and other hypervisor management components.

DIACAP

The Department of Defense (DoD) is embracing virtualization as a way to cut costs and comply with the government mandate toward greener computing. But the DoD is also subject to regulation and control that is affected by virtualization’s transformation of the traditional data center. The DoD Information Assurance Certification and Accreditation Process (DIACAP) ensures that risk management is applied to information systems in the DoD and National Security Agency (NSA) agencies. While these agencies are also subject to FISMA compliance rules, the DoD has taken it one step further with DIACAP, prescribing defense-in-depth tactics that combine technology with processes, people and operations.

One specific concern of DIACAP is network protection, as enemy attacks are increasingly cyber-based. For virtualization projects within the Department of Defense, ensuring compliance with DIACAP is mandatory. But the complexities of DIACAP compliance are compounded by some of the very benefits of virtualization. With the right processes and tools, however, building a DIACAP-ready virtualized data center can be easier than building a traditional one. Catbird is specifically designed to pave the way.

Virtualization’s Impact on DIACAP

A number of security and compliance gaps specific to DIACAP are introduced in the move from physical to virtual infrastructure. Such gaps include:

  • A change in Access Control with the introduction of the virtual administrator: virtualization and virtualization management layers collapse traditional access controls and separation of duties, creating significant control failures.
  • An additional monitor test and audit of the new hypervisor layer: virtualization creates additional layers to the IT infrastructure, particularly the hypervisor and the virtualized network. This impacts DIACAP best practices and auditing/reporting. 
  • Change in DIACAP scope: network virtualization significantly broadens the assessment scope because virtualization deployments may flatten networks and increase the scope to include all virtualization hosts.
  • New tests for security systems and processes as physical devices become software: our research has identified and analyzed new risks which are introduced in the data center of federal agencies as a consequence of virtualization. Virtualization impacts over 25 DIACAP Controls, nearly half of which are considered critical.

To stay compliant, the virtualized data center in the DoD must adapt to address these major changes that have transformed IT.

How Catbird Helps DIACAP Compliance

Catbird Insight and Catbird Secure address all DIACAP controls that are negatively affected by virtualization. Catbird goes beyond monitoring and audit by instantly identifying compromised assets, alerting appropriate personnel, and optionally quarantining offending virtual machines. No other vendor can deliver the breadth and depth necessary for DIACAP compliance from within the virtual infrastructure.

  • Catbird Secure includes default DIACAP-specific policies and reports built upon Catbird security controls that are automatically mapped to the appropriate severity. Catbird monitors, audits, and enforces more affected controls than any other vendor.
  • Catbird includes default Compliance, Security, and Operations dashboards that summarize control status. Catbird significantly reduces the effort required to achieve and maintain operational DIACAP compliance on virtual systems.

DIACAP compliance takes a combination of trained staff, strong policies, and industry leading technology. Catbird is an essential component in realizing this, delivering the DIACAP security controls and reporting required by Information Assurance and IT Operations Professionals to adapt to the challenges of virtualization.

Catbird features ease compliance with DIACAP by:

  • Analyzing virtual (and physical) infrastructure against DIACAP requirements, identifying any out-of-compliance settings.
  • Instantly taking “offline” any virtual machine deemed out of compliance with DIACAP policy via Catbird’s automated quarantine mechanism.
  • Alerting IT to unauthorized or improper changes to virtual infrastructure that will negatively impact DIACAP compliance.
  • Providing detailed, real-time reporting on DIACAP compliance posture for agency directors, government regulators and IT staff.
  • Delivering third-party, documented proof of DIACAP compliance for auditing purposes.