Questions to Ask to Ensure Compliance With Zerto

Incorporating Zerto as the BC/DR solution in a virtualized environment adds to the complexity of PCI compliance, simply because another set of components has been added to the environment. Answering the following questions helps clarify the level of compliance.

What Does Zerto Access?

Zerto replicates the CDE systems. Access to Zerto itself and to the replicated copies of those systems must be clearly defined.

How Does Zerto Manage Changes?

Zerto includes comprehensive auditing, both for the whole system and for specific groups of protected VMs. Further, Zerto provides a set of permissions at the administrator level that control what can and cannot be done within Zerto.

What Does Zerto Log?

Section 10 of the PCI DSS has specific logging and monitoring requirements for all systems in the CDE. Zerto provides full audit trails of all operations performed within Zerto, as well as of the operations Zerto performs in the protected and recovery sites.

How is Encrypted Data at Rest and in Transit Managed?

PCI DSS requires data at rest as well as in transit to be encrypted. Zerto uses encryption on its management communication paths, as follows:

Access to the Zerto User Interface can be through the vSphere Client console, in which case it relies on the access controls of that console.
Communication between the ZVM and the hypervisor management tool, such as VMware vCenter Server or Microsoft SCVMM, is encrypted (HTTPS).
Communication between the ZVM and the hosts is encrypted (HTTPS).

Communication across networks can be encrypted using network encryption software such as a VPN or IPsec. Zerto does not natively encrypt the replicated data across the WAN, so encryption of the replication traffic between sites must be provided by such network-level encryption.