PCI Risk Assessment

6.4.0

PCI Risk Assessment

In the retail environment, PCI compliance and risk assessment are integral to the operations of the organization. PCI auditors look for evidence of:

  • Repeatable & consistent processes

  • Proactive Monitoring

  • Risk Awareness & Reporting

Unfortunately, many organizations are not able to meet PCI compliance due to the reasons above. Other compliance issues are:

  • Failed security processes (change management, logging & monitoring)

  • System not secured out of the box

  • Weak user access management

These gaps may lead to identity theft, data theft and other forms of data loss. The top three reasons are symptoms of a larger problem. As digital adoption expands at a rapid pace, driving strategic growth in sales and managing regulatory risk become competing priorities. Siloed teams begin to form as security decisions are decentralized and applied separately on different equipment and devices.

A CISO must maintain a balance between the customer experience and accountability for customers' data, ensuring that fast access to data is accompanied by a priority on securing data in motion and at rest. Customer data needs to be secured and integrated with identity and access control, whether customers are using the cloud, local wireless hotspots, or wired networks.

Furthermore, a CISO must reduce inconsistent and decentralized management, and design a process for standardized baseline images and configurations for devices. Finally, the CISO must produce adequate stakeholder reporting and awareness to continually identify gaps and remediation plans for the system.

The steps outlined below provide the initial start to building a sustainable solution that meets the compliance requirements and strategic needs of the organization. It is not intended to be an end-to-end compliance solution. However, by leveraging the Fortinet Security Fabric and processes outlined in previous chapters, the goal is to drive more consistency and improvements through automation, centralized management, and monitoring.

Step 1. Planning: Understand what needs to be protected

Step 2. Baseline: Enable automation and continuous audits of configuration templates

Step 3. Deploy: Centralize configurations and deployment

Step 4. Monitor: Report on risk and compliance issues

Step 1. Planning

Using a gas station as an example, what do we need to protect?

By identifying the various devices and groups, we also identify how they need to be protected and their risk profiles. We can further segment these groups into zones, such as the Customer zone, Application zone, and Security zone. Security controls can then be applied, limiting access between zones.

Zone / What do we need to protect?

Customer zone:
  • WiFi
  • Rewards App
  • Bank ATM
  • Fuel, Groceries, and Supplies

Application zone:
  • POS
  • Network store Ops (Inventory, staffing, etc.)

Security zone:
  • Video Monitoring
  • Access control
  • Logging Database/PVR

A basic way to accomplish this would be using Address Objects and Firewall Policies. Group together branch assets into address groups, then apply firewall policies between zones to enforce access control.
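The following FortiOS CLI fragment is an added example, not configuration from this guide, showing the address-object, address-group, zone and policy layering described above for the gas-station zones. The subnets, interface names (wifi-guest, vlan-pos, vlan-ops, wan1) and object names are assumptions for illustration.

```fortios
# Address objects: one per asset group identified in Step 1 (subnets are assumed)
config firewall address
    edit "Guest-WiFi-Clients"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "POS-Terminals"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "Store-Ops-Servers"
        set subnet 10.10.30.0 255.255.255.0
    next
end

# Address groups: the per-zone "what do we need to protect" lists
config firewall addrgrp
    edit "Customer-Assets"
        set member "Guest-WiFi-Clients"
    next
    edit "Application-Assets"
        set member "POS-Terminals" "Store-Ops-Servers"
    next
end

# Zones: group the physical/VLAN interfaces so policies are written zone-to-zone
config system zone
    edit "Customer"
        set interface "wifi-guest"
    next
    edit "Application"
        set interface "vlan-pos" "vlan-ops"
        set intrazone deny
    next
end

# Policies: allow only what the Customer zone needs, and log the rest explicitly.
# FortiOS already ends with an implicit deny; the explicit deny exists so that
# blocked cross-zone attempts are logged as evidence for proactive monitoring.
config firewall policy
    edit 1
        set name "Customer-to-Internet"
        set srcintf "Customer"
        set dstintf "wan1"
        set srcaddr "Customer-Assets"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "Deny-Customer-to-Application"
        set srcintf "Customer"
        set dstintf "Application"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The same pattern extends to the Security zone (cameras, access control, logging) with its own address group and deny policies from both the Customer and Application zones.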

Having an integrated WiFi and switch controller on the FortiGate also increases the granularity with which access control and segmentation can be accomplished. As introduced in the previous Integrated Wireless and Integrated Segmentation chapters, wireless authentication and Guest management help identify users connecting to your network. Furthermore, device detection provides insights into the types of devices used, and NAC policies can help automate which devices are placed on which VLAN on the switch for access control.

In a broader scope, each branch may access external resources in the Data center, Cloud and Internet. In the Secure SD-Branch chapter, we reviewed how SD-WAN provides the infrastructure to dynamically and securely balance your traffic amongst multiple WAN connections.

Lastly, Identity and Access Management can be centralized with FortiAuthenticator, providing the means to control access to sensitive data. To learn more, see the following links.

Step 2. Baseline

Building a baseline configuration helps enable automation and continuous audits of your branches. In Step 1. Planning, we considered the business needs of an individual branch. This step addresses the need to meet compliance requirements.

Using the Security Rating feature on the FortiGate, we can discover any residual security and compliance gaps after the initial configuration. As part of the Security Fabric, Security Rating can analyze the security posture of your Fabric devices, review your Fabric coverage, and suggest optimizations to improve your deployment. The report provides recommendations based on Fortinet Security Best Practices (FSBP) or in PCI terms, allowing customers to take action based on these requirements.

By taking the recommendations to harden your device, you can produce a baseline branch template that meets your compliance requirements. This baseline configuration template can be replicated on other branches to produce a consistent and repeatable process for branch configurations. The Security report also helps track the trend on the device, producing a score that enables you to evaluate the Security Posture, Fabric Coverage, and Optimization between different branches.

To learn more about Security Rating, and about other Best practices for hardening your FortiGate, visit the links below:

Step 3. Deploy

To provision the baseline configuration template, it must first be configured on the FortiManager. There may be many components to a branch configuration, including:

  • System configurations
  • Policy and objects
  • Tunnel configurations
  • SD-WAN configurations
  • FortiSwitch
  • FortiAP and more

Where applicable, you must decide on the proper orchestration method to provision the configurations as outlined in the SD-WAN Orchestration chapter.

FortiManager provides the framework for change management and for provisioning configurations using a repeatable and consistent process. By adding third-party automation as explained in the Zero Touch Provisioning chapter, the process can be streamlined to provide cost savings and reduce mistakes caused by human error.

To learn more about how configurations can be provisioned with various templates, visit the following links.

Topic: Provisioning Templates
Description: This section includes System, Threat Weight, Certificate, and IPsec tunnel templates.

Topic: Adding a model device by using device template
Description: This section describes how to add a FortiGate model device to FortiManager by using a device template.

Topic: Firewall Policy and Objects
Description: The Policy & Objects pane enables you to centrally manage and configure the devices that are managed by the FortiManager unit.

Topic: Central VPN Management
Description: When central VPN management is enabled, you can use the VPN Manager pane to configure IPsec VPN settings that you can install to one or more devices.

Topic: Using FortiSwitch Manager for central management
Description: This chapter describes how to connect to the GUI for FortiManager and configure FortiManager, provides an overview of adding devices to FortiManager, as well as configuring and monitoring managed devices.

Topic: WiFi profiles for central management
Description: The WiFi Profiles pane allows you to create and manage SSIDs, and AP, Wireless Intrusion Detection System (WIDS), Bluetooth, Quality of Service (QoS), and Bonjour profiles that can be assigned to managed FortiAP devices.

Step 4. Monitor

PCI requires a centralized facility to manage all devices across the network to identify any type of fault arising in any branch location and in any particular segment.

FortiManager provides these centralized monitoring capabilities and offers change management for all the security settings. Furthermore, FortiAnalyzer provides the central analysis necessary to analyze and build reports of threats, risks and indications of compromise related to devices on your network.

FortiGate's built-in Security Rating offers visibility into the state of the security posture on each branch, as described in Step 2. Baseline.

Resources

For more on FortiManager and FortiAnalyzer's monitoring and reporting capabilities, visit the following links.

Topic: Monitoring managed devices
Description: Review the different options for monitoring managed devices, including the quick status bar, device dashboard, device configurations, and more.

Topic: AP Manager Health Monitor
Description: The Health Monitor displays information about AP Status, Client Count Over Time, Top Client Count, and Top Wireless Interference.

Topic: Monitoring Devices and Network Traffic on Wireless Manager (FortiWLM)
Description: Monitor the network as well as individual devices in the network.

Topic: FortiSwitch Manager Monitor
Description: The FortiSwitch Manager Monitor pane shows a graphical representation of the connected FortiSwitch devices.

Topic: Monitoring SD-WAN on SD-WAN Manager
Description: The SD-WAN Monitor evaluates whether the interface is meeting performance SLA criteria.

Topic: Monitoring SD-WAN on SD-WAN Orchestrator
Description: The SD-WAN Orchestrator monitors the global network as well as individual devices in the network by using the Monitor tree menu.

Topic: Monitoring IPsec VPN tunnels
Description: View the list of IPsec VPN tunnels. You can also bring the tunnels up or down.

Topic: FortiAnalyzer Situation Awareness Report
Description: This Situation Awareness Report identifies issues against the NIST Cybersecurity Framework and provides recommended actions.

Topic: FortiAnalyzer SOC View - FSBP Summary Dashboard
Description: The Best Practices Overview monitor shows aggregated security rating results based on different geographical regions (EMEA, APAC, North America, and South/Latin America).
