WHITE PAPER, DECEMBER 2015
Addressing PCI Compliance Through Privileged Access Management
WHITE PAPER: ADDRESSING PCI COMPLIANCE

Executive Summary

Challenge
Organizations handling transactions involving credit or debit cards are facing increasing pressure to meet regulatory compliance mandates. In particular, they must comply with the Payment Card Industry Data Security Standard (PCI DSS) version 3, which went into effect in January. PCI DSS v3 established various requirements for safeguarding an organization's relevant systems and networks, which together comprise the Cardholder Data Environment (CDE). With requirements for strong authentication and access control to the CDE, organizations face the difficult tasks of implementing multi-factor authentication, access control and activity reporting tools or practices, particularly for privileged or administrative access to these systems.

Opportunity
The PCI DSS requirements pertaining to privileged access management reflect the risks associated with misuse of privileged accounts and the access they provide to critical business assets. Virtually all recent security incidents point to privileged users or credentials as a major attack vector in the successful execution of a breach. An effective privileged access management approach allows an organization to restrict, log and monitor all activity performed by privileged accounts, such as those of network, system and database administrators. As a result, organizations gain better control and visibility over privileged users and their super-user access to the crown jewels of the business. Without it, many organizations not only struggle to meet the PCI DSS v3 identification, authentication and access control requirements, they also fall short in minimizing their risk exposure to breaches and attacks.

Benefits
A defense-in-depth approach to privileged access management delivered in an easy-to-deploy solution, such as CA Privileged Access Manager, can help organizations address PCI DSS v3 requirements and better protect not only their CDEs but also their entire hybrid IT enterprise, spanning their network, server, virtual and cloud environments. As a result, organizations gain better security against breaches and reduced risk of PCI DSS compliance failures or violations.
Section 1: The Need for Privileged Access Management

The need for privileged access management has never been greater. Study after study shows the systematic failure of traditional security defenses. Some even suggest that virtually every organization has at least one active compromise at any given time.[2] The media regularly reports on major data breaches, such as the Target breach in late 2013, the Home Depot breach in 2014 and the Office of Personnel Management breach in 2015, that involved stolen credentials used by third parties. In fact, the Verizon 2014 Data Breach Investigations Report cited use of stolen credentials as the leading threat against organizations.[3]

Organizations are often unaware of the dangers posed by their privileged accounts and of the sheer number of privileged accounts they may have. Privileged accounts are used not just by an organization's employees but also by third parties such as vendors, contractors and others who perform technical support for systems, network devices and applications. A single enterprise could have thousands or even tens of thousands of privileged accounts, each imposing its own security risk on the organization.

The idea behind privileged access management is to provide greater accountability and visibility for administrator actions. The traditional model has been to completely trust all administrators, but this naïve point of view overlooks two major problems: the possibility of a disgruntled administrator becoming an insider threat, and the aftermath of an administrative account being compromised by an external attacker, especially when the administrator in question is a vendor or other third party. One way to overcome this is to adopt a zero trust model, in which administrators are not assumed to be fully trusted; this is the approach taken by CA Privileged Access Manager (formerly Xceedium Xsuite), a key component of the privileged access management solutions from CA Technologies. Under this model, the number of breaches will be reduced, as will the severity of the breaches that still occur.

The PCI DSS requirements reflect this zero trust model to some extent, such as with requirement 7.1.2, "Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities." However, while PCI compliance provides a solid foundation for securing CDEs, simply checking the box and meeting just the minimum requirements is not a sufficient defense against today's threats. Privileged access management goes above and beyond the PCI requirements to better safeguard an organization's CDE. In addition to achieving PCI compliance, other major reasons why privileged access management is needed include: interrupting the kill chain, mitigating insider threats, logging and monitoring commands and eliminating hard-coded passwords.
Figure A: The scope of PCI DSS requirements. PCI DSS v3 requires measures to safeguard the Cardholder Data Environment (CDE). [Network diagram: a merchant site (retail storefront/POS VLAN, website/order entry system, POS workstations), a corporate data center (POS server VLAN, services/management VLAN, box office VLAN, telephone/order entry VLAN, card data system, directory, database, application servers, desktops) and a processing center, connected through edge routers, firewalls/IPS and VPNs over the Internet; CDE components are highlighted and some segments are marked segmented/out-of-scope.]

Interrupting the Kill Chain
The basic concept of a kill chain is that an attacker follows a repetitive pattern: gaining access to a system (or expanding that access), then elevating privileges. Those privileges are then used to gain access to another system or expand existing access, then elevate privileges again, and so on, continuing this chain of exploitation until the final target is reached. If this chain can be broken at any point in the cycle, the attack can be stopped before it reaches its ultimate target.

CA Privileged Access Manager provides capabilities that help interrupt the kill chain. For example, CA Privileged Access Manager supports multi-factor authentication for privileged accounts, making them much harder to compromise, because an attacker needs to compromise multiple credentials for a single account. Also, applying least privilege to which commands each privileged account can issue on each CDE component reduces access to sensitive information, making it more difficult for an attacker to gain unauthorized access to data of interest. Another way CA Privileged Access Manager helps interrupt the kill chain is its support for network segmentation. This restricts which subnets a particular privileged account can access and which systems on each subnet can be administered. Network segmentation helps to limit the lateral spread of attacks from one system to another and also restricts attacker visibility into an organization's network. Similarly, CA Privileged Access Manager offers a socket filter agent (SFA), which prevents an administrator from opening an unauthorized network connection to another system, such as attempting to SSH or telnet to a host not authorized by CA Privileged Access Manager policy. All of these CA Privileged Access Manager capabilities are specifically recommended by sources such as Mandiant for reducing credit card fraud.[4]
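The least-privilege command restrictions and the segmentation/SFA-style connection checks described in this section, as an added Python illustration (example code, not CA Privileged Access Manager's implementation or configuration; the users, groups, hosts and subnets are constructed sample data):

```python
"""Deny-by-default privileged access policy in the spirit of the zero trust
model described above (example code, not CA Privileged Access Manager).
Users resolve to directory groups, groups are granted specific commands on
specific CDE components, and a socket-filter style check limits which subnets
a session may connect into. All users, groups, hosts and subnets are
constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed directory group membership (from AD/LDAP in a real deployment).
DIRECTORY_GROUPS = {
    "alice": {"dba"},
    "bob": {"netops"},
    "vendor-joe": {"pos-support"},
}

# Policy: group -> {component host -> set of commands allowed on it}.
# A component missing from a group's entry is not reachable by that group.
POLICY = {
    "dba": {"carddb01": {"psql", "pg_dump"}},
    "netops": {"edge-rtr1": {"show", "configure"}},
    "pos-support": {"pos-srv1": {"systemctl", "journalctl"}},
}

# Subnets each group's sessions may open connections into (segmentation/SFA).
SEGMENTS = {
    "dba": [ipaddress.ip_network("10.20.0.0/24")],
    "netops": [ipaddress.ip_network("10.0.0.0/24")],
    "pos-support": [ipaddress.ip_network("10.30.0.0/24")],
}

# Denied attempts are kept as input to risk assessment and review.
VIOLATIONS = []


@dataclass
class Decision:
    allowed: bool
    reason: str


def _deny(reason):
    VIOLATIONS.append(reason)
    return Decision(False, reason)


def groups_for(user):
    """Directory lookup; an unknown user belongs to no group and gets nothing."""
    return DIRECTORY_GROUPS.get(user, set())


def authorize_command(user, component, command):
    """Least privilege: allow only if some group of the user is granted this
    exact command on this exact component."""
    for group in groups_for(user):
        allowed = POLICY.get(group, {}).get(component, set())
        if command in allowed:
            return Decision(True, f"{group} grants {command} on {component}")
    return _deny(f"{user}: {command} on {component} not permitted")


def authorize_connection(user, dst_ip):
    """Socket-filter style check: a session may only reach subnets assigned
    to one of the user's groups, limiting lateral movement between segments."""
    addr = ipaddress.ip_address(dst_ip)
    for group in groups_for(user):
        if any(addr in net for net in SEGMENTS.get(group, [])):
            return Decision(True, f"{dst_ip} lies in a {group} segment")
    return _deny(f"{user}: connection to {dst_ip} not permitted")


if __name__ == "__main__":
    print(authorize_command("alice", "carddb01", "psql"))
    print(authorize_command("vendor-joe", "carddb01", "psql"))
    print(authorize_connection("bob", "10.20.0.9"))
    print("violations:", VIOLATIONS)
```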
Mitigating Insider Threat
Although the PCI requirements focus on external attackers, they also recognize the importance of insider threats, which are a pressing concern for organizations today. One study indicated that over 10 percent of employees had either stolen their employer's information for profit or knew someone else who had.[5] CA Privileged Access Manager helps mitigate insider threat in multiple ways. First, its implementation of least privilege principles severely restricts which commands an insider can issue and against which CDE components such commands can be issued. This, in effect, minimizes the damage an insider can cause. Second, the logging and monitoring of all privileged account activities ensures that a detailed record is kept of all commands issued, with traceability back to a particular person, not a generic (shared) ID.

Logging and Monitoring Commands
No matter how strong security controls are, weaknesses will remain, so breaches are inevitable in every environment. Because CA Privileged Access Manager logs and monitors all activities involving privileged accounts, it greatly simplifies the forensic process of determining what a successful attacker did using unauthorized administrative credentials.

Eliminating Hard-Coded Passwords
Many software developers, administrators and others have long followed the practice of hard-coding passwords in scripts, source code and elsewhere. This is an important vulnerability: software developers, testers and others can read these passwords, and attackers also know to look for them when they infiltrate a system, so that they can use them to gain access to other systems, such as cardholder databases. CA Privileged Access Manager provides application-to-application authentication capabilities that eliminate the need to hard-code passwords.

Section 2: How Privileged Access Management Can Help With PCI Compliance

As discussed above, privileged access management is a critical part of addressing PCI compliance. A multitude of PCI requirements simply cannot be met in typical enterprise environments without employing a privileged access management solution. For example, one large retailer was facing $100,000 a month in fines because of its failure to meet PCI requirements for identification, authentication and access control. By adding CA Privileged Access Manager to its portfolio of security solutions, the retailer was able to meet the missing requirements and avoid further fines. CA Privileged Access Manager addresses each of the following PCI requirements.[6]

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
CA Privileged Access Manager addresses this requirement in two ways. First, when used during system deployment, it can take control of default privileged accounts and ensure that all default passwords for these accounts are reset. Second, it restricts which protocols may be used for remote administrative access, such as SSH or SSL/TLS. This prevents system administration from being performed over networks using non-secure protocols.
Requirement 6: Develop and maintain secure systems and applications.
An important part of this requirement is proper handling of credentials and separation of duties in development, test and production environments. CA Privileged Access Manager enforces role-based access control for privileged accounts in all these environments, supporting separation of duties while also facilitating easy removal of development, test and other accounts that are no longer needed once a system or application is deployed.

Requirement 7: Restrict access to cardholder data by business need to know.
CA Privileged Access Manager enables organizations to implement the least privilege principle for privileged access, an often-overlooked area. Specifically, CA Privileged Access Manager's zero trust model enforces fine-grained access control for individual privileged users or groups of such users (e.g. database administrators). This restricts which system components each privileged user or group may access (such as servers, network devices and applications) and which commands may be run by each privileged user or group on each of those components. CA Privileged Access Manager can integrate with Active Directory, LDAP and other enterprise directories to reuse their role and group definitions.

Requirement 8: Identify and authenticate access to system components.
Nearly all the parts of Requirement 8 are explicitly supported by CA Privileged Access Manager. CA Privileged Access Manager requires a unique ID for each privileged user, provides all standard password management features and supports a wide variety of single-factor and multi-factor authentication technologies. Specifically, CA Privileged Access Manager supports Requirement 8 as follows:

8.1: CA Privileged Access Manager provides for unique identification of each privileged user, even when organizations are using shared accounts for certain infrastructure components, such as routers. It enforces separation of duties among privileged users. It provides standard features for immediately terminating revoked access privileges, disabling inactive privileged accounts and enforcing lockout policies for failed authentication attempts and re-authentication policies for idle sessions.

8.2: It integrates with many authentication methods, requiring authentication of all privileged users. It stores passwords and other credentials (e.g., private cryptographic keys) in a strongly encrypted vault and transmits them only over encrypted channels. It enforces standard password length, strength, aging and reuse policies.

8.3: It supports numerous multi-factor authentication methods, including RADIUS, X.509 certificates and smart cards.

8.5, 8.6: It allows organizations to use shared accounts behind the scenes while requiring each privileged user, including third parties, to be uniquely identified and authenticated. This unique identification includes the use of smart cards, digital certificates, cryptographic tokens and other non-password forms of credentials.

8.7: It restricts direct cardholder database access to authorized database administrators only. It offers application-to-application support to ensure individuals cannot access or reuse application credentials.

Requirement 10: Track and monitor all access to network resources and cardholder data.
Like Requirement 8, CA Privileged Access Manager supports nearly all the parts of Requirement 10. CA Privileged Access Manager logs and records all activities performed using each privileged account.
This includes both syslog-format audit records and DVR-like recordings of administrator sessions, with tags in the recordings indicating potential policy violations to expedite review. CA Privileged Access Manager supports Requirement 10 as follows:

10.1: CA Privileged Access Manager links each instance of privileged access to a specific person. It provides audit trails, per person, for privileged access to all system components.

10.2: It uses both native logging and syslog to generate automated audit trails that record every action every privileged user takes on servers, network devices, databases and other applications, including all identification and authentication activities for privileged accounts. It restricts access to audit trails so that only authorized users can review them, and it logs all such reviews.

10.3: It records all the PCI-mandated fields for each logged event, including user identification, type of event, date and time, success or failure, event origin and identity of the affected resource (hostname, etc.).

10.4: It uses time synchronization technology (i.e., Network Time Protocol [NTP]) to perform clock synchronization.

10.5: It uses hashing techniques to identify any tampering with audit logs and recordings. It provides syslog forwarding to back up audit records to centralized log storage.

10.7: It uses syslog and supports syslog forwarding, so audit records can be retained for as long as desired.

Requirement 10: Maintain a policy that addresses information security for all personnel.
CA Privileged Access Manager enables the capture and enforcement of privileged user policies. Also, CA Privileged Access Manager logs all attempted policy violations, which are natural inputs to a risk assessment process.
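An added example (not CA Privileged Access Manager's code) of the Requirement 10 controls above: each privileged-session event becomes a record carrying the 10.3 fields, is serialized as a syslog line for forwarding, and is chained with SHA-256 so that editing or deleting an earlier record is detectable on review. The hash-chain scheme, the host names and the sample events are this example's own construction.

```python
"""Tamper-evident audit trail for privileged-session events (example code,
not CA Privileged Access Manager's logging). Each record carries the PCI DSS
10.3 fields named above, is serialized in syslog form for forwarding, and is
chained to the previous record with SHA-256 so that editing or deleting an
earlier record breaks the chain. The chaining scheme and sample events are
this example's own construction."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first record of a trail


def _digest(fields):
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def make_record(user, event_type, success, origin, resource, when, prev_hash):
    """Build one record with the 10.3 fields and bind it to prev_hash."""
    rec = {
        "user": user,                 # user identification
        "event": event_type,          # type of event
        "time": when.isoformat(),     # date and time (clock synced via NTP)
        "success": success,           # success or failure indication
        "origin": origin,             # origination of the event
        "resource": resource,         # identity of the affected resource
        "prev": prev_hash,            # link to the previous record
    }
    rec["hash"] = _digest(rec)
    return rec


def to_syslog(rec, host="pam-gateway"):
    """RFC 5424-style line for forwarding to central log storage (10.5, 10.7).
    PRI 86 = facility authpriv (10) * 8 + severity informational (6)."""
    payload = json.dumps(rec, sort_keys=True)
    return f"<86>1 {rec['time']} {host} pam-audit - PRIVACCESS - {payload}"


def verify_chain(records):
    """Recompute every hash and check every prev link; return the index of the
    first record that fails, or -1 if the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        fields = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(fields) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def sample_trail():
    """Constructed sample: a DBA's MFA login, an allowed psql command and a
    denied attempt to open a shell on the cardholder database."""
    t0 = datetime(2015, 12, 1, 9, 0, tzinfo=timezone.utc)
    r1 = make_record("alice", "login.mfa", True, "10.1.1.5", "pam-gateway", t0, GENESIS)
    r2 = make_record("alice", "cmd.psql", True, "10.1.1.5", "carddb01",
                     t0.replace(minute=1), r1["hash"])
    r3 = make_record("alice", "cmd.bash", False, "10.1.1.5", "carddb01",
                     t0.replace(minute=2), r2["hash"])
    return [r1, r2, r3]
```

Forwarding the syslog lines to separate storage is what makes the chain useful: a reviewer can compare the central copy against the source and `verify_chain` reports the first record that was altered or removed.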
Protecting the CDE: From a Server Control Perspective
CA Technologies Privileged Access Management also addresses additional requirements for localized, very fine-grained access control at the host to further protect high-value resources, including the CDE. CA Privileged Access Manager Server Control provides a critical additional layer of security across server platforms, enabling fine-grained access control, policy-based management and the secure auditing essential for safeguarding electronic assets. Access policies can be designed to regulate access to server resources, programs, files and processes using a variety of criteria.

Section 3: Changes from PCI DSS v2 to v3

When PCI DSS was updated from v2 to v3, significant protections were added for the CDE, including the following:[7]
- Implement network segmentation for the CDE to better isolate portions of the CDE from each other. This includes ensuring all data flows among system components are documented and auditing all activities performed by privileged users.
- Perform CDE perimeter penetration testing.
- Manage credentials and implement least privilege access control and auditing for all CDE access.
- Tighten security controls for service providers.

These protections underscore the need to have a privileged access management solution such as CA Privileged Access Manager in place to protect the CDE and address PCI requirements. For most environments, privileged access management is the only way to effectively implement both the principle of least privilege for administrator-level access control and the granular logging of administrator activities. In addition, privileged access management can be invaluable in implementing network segmentation and monitoring all activities involving data flows between network segments.

The update of the PCI DSS contained other changes related to privileged access management. Primarily, Requirement 8 on identification and authentication was heavily restructured, so that at first glance it appears the requirement has been massively changed. However, the changes mainly involved a restructuring of the requirement. The most significant change is the addition of requirement 8.6: when using authentication mechanisms other than passwords, such as cryptographic tokens or smart cards, the authentication mechanism must only be available to one user; shared authentication mechanisms are not permitted. CA Privileged Access Manager addresses this new requirement as discussed in the previous section.

Section 4: Benefits

Organizations implementing privileged access management solutions gain an increased level of security, reduced risk from both external and insider threats and improved compliance with regulations including PCI DSS. More specifically, CA Privileged Access Manager can help organizations in the following ways, not only to address compliance with PCI DSS but also to improve their overall security posture in the most cost-effective manner:

Cost Reduction. CA Privileged Access Manager can help significantly reduce the cost of PCI DSS audits, especially by providing a simple and very cost-efficient way to logically segment an organization's network. It is a proxy-like device that works at the application layer of the network and controls which privileged users are able to access which systems. Logical segmentation of the management plane enables organizations to maintain existing physical network topologies while segregating systems with cardholder data into islands that are tightly access controlled. With this approach, CA Privileged Access Manager enables organizations to logically isolate systems with cardholder data, thereby limiting the scope of PCI audits without incurring the large cost required to physically segment networks.

Improved Security. CA Privileged Access Manager's defense-in-depth approach to security helps enterprises implement a comprehensive set of controls to reduce privileged user risks and provide greater protection against external threats, preventing breaches from happening or minimizing their impact.

Faster Time to Protection and Management. Ease of deployment and management from within a single platform allows accelerated and improved control of privileged access and protection of credentials to systems across the entire hybrid enterprise (traditional datacenters, virtualized environments, public clouds or any combination thereof) without the unnecessary overhead typically associated with alternative approaches.
Section 5: Conclusions

Privileged access management is imperative to addressing PCI compliance. Yet its importance extends beyond just meeting PCI compliance requirements, as it allows an organization to improve its overall security posture against today's external and internal threats. CA Privileged Access Manager provides an effective way to implement privileged access management in support of PCI compliance and other security needs. By utilizing CA Privileged Access Manager, organizations can better:
- Reduce their PCI compliance costs by addressing many PCI requirements with a single off-the-shelf solution that seamlessly integrates with the organization's existing solutions.
- Save breach-related expenses and preserve the organization's reputation by preventing many data breaches and by minimizing the impact of any breaches that still occur.

Connect with CA Technologies at

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at.

[1] PCI DSS v3.0,
[2] Cisco 2014 Annual Security Report, gist_ty2_asset/cisco_2014_asr.pdf
[3] Verizon 2014 Data Breach Investigations Report, zonenterprise.com/dbir/2014/reports/rp_verizon-dbir-2014_en_xg.pdf
[4] M-Trends 2014: Beyond the Breach, library/wp_m-trends2014_ pdf
[5] Data Leakage Worldwide: The High Cost of Insider Threats, loss-prevention/white_paper_c pdf
[6] PCI DSS v3.0, dards/documents.php?agreements=pcidss&association=pcidss
[7] PCI DSS Summary of Changes v2.0 to v3.0, ystandards.org/documents/pci_dss_v3_summary_of_changes.pdf

Copyright 2015 CA. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. CS _1215