Using NetIQ to Address PCI Compliance on the iSeries Platform
White Paper
March, 2008


Contents

Overview
About the PCI Data Security Standard
How NetIQ Can Help Assure PCI Compliance on iSeries
Other NetIQ Solutions for PCI Compliance
Summary
About NetIQ Corporation

The iSeries platform often hosts some of the most important data for an organization, including credit card information that is subject to certain Payment Card Industry (PCI) Data Security Standards. These requirements apply to all members, merchants and service providers that store, process or transmit cardholder data for Visa or MasterCard. Additionally, these security requirements apply to all system components, which are defined as any network component, server or application included in, or connected to, the cardholder data environment.

Many controls, such as detailed audit logging at the file and field level, are simply not possible with native iSeries operating system tools and configurations. Though iSeries is considered a relatively secure platform, these additional controls must be implemented to achieve PCI compliance. This white paper provides an overview of how certain applicable PCI requirements translate to iSeries controls, and how NetIQ's Security Solutions for iSeries provide the tools you need to implement those controls. Also included is information on how NetIQ can help assure compliance across the other platforms that iSeries/i5 can support, including AIX 5L UNIX, Windows and Linux for iSeries.

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

NetIQ Corporation, all rights reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Check Point, FireWall-1, VPN-1, Provider-1, and SiteManager-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd.

ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, Aegis, AppAnalyzer, AppManager, the cube logo design, Change Administrator, Change Guardian, Compliance Suite, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, the NetIQ Partner Network design, Patch Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Risk and Compliance Center, Secure Configuration Manager, Security Administration Suite, Security Analyzer, Security Manager, Server Consolidator, VigilEnt, Vivinet, Vulnerability Manager, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

Overview

The IBM eServer iSeries platform is one of the most robust and adaptable hardware platforms available today, and as such houses many mission-critical applications, including those used to manage credit card and cardholder information. The performance, availability and security of those applications and of the servers they run on must be assured.

The Payment Card Industry Data Security Standards (PCI DSS) affect organizations that utilize or process credit information and cardholder data, specifically that which is facilitated through Visa and MasterCard. Consisting of twelve key requirements with which member organizations of Visa and MasterCard must comply, PCI requires tighter security controls, infrastructure and practices to ensure the confidentiality, security and availability of cardholder information.

By the nature of their design, the native operating systems of the iSeries platform, namely OS/400 and its latest variant i5/OS, can be configured to be very secure. However, their default installation implements few, if any, of the security controls that are required for compliance with the PCI Data Standard.

This white paper provides a brief overview of PCI and its standards and introduces how NetIQ can help organizations assure the security of their iSeries servers and meet the requirements set forth within the PCI Data Security Standards.

About the PCI Data Security Standard

The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

PCI Data Security Requirements

These security requirements apply to all system components, which are defined as any network component, server or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

The rules for protecting credit card data are broken up into six categories and twelve requirements. These categories and requirements are:

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

How NetIQ Can Help Assure PCI Compliance on iSeries

NetIQ Security Solutions for iSeries focus on helping a security administrator provide security assurance and timely detection of unauthorized acquisition, use or disposition of cardholder information or related information hosted on an iSeries machine. NetIQ Security Solutions for iSeries can ensure that users have access to only the information they need to perform their job duties, that all access to cardholder-related data is monitored and logged, and that those logs are available for review.

NetIQ Security Solutions for iSeries provide numerous reports and controls that are not available from the native OS. These reports and controls include:

- Exit point programs
- Extensive reporting at the system, application and user levels
- Privilege management
- File- and field-level auditing
- Automated and assisted user-profile management
- Inactive session monitoring
- Object authority management
- Secure file editing

Exit Point Programs

External requests are sent to the iSeries by other iSeries machines as well as PCs, and are serviced by various servers residing on the iSeries. These servers include, but are not limited to, FTP, Remote SQL, DDM and TELNET. In the absence of an exit program, these servers execute the external requests according to the values specified in the network attribute parameters DDMACC and PCSACC. In the presence of an exit program, however, these servers must obtain permission from their respective exit programs before executing a request. This lets the administrator control access to the iSeries and allow or reject each request for access, which prevents unauthorized access, a control clearly required by the PCI Data Security Standards.

The exit point programs offered by NetIQ allow the administrator to control remote access to iSeries data by OS/400 (or i5/OS) user and group profile, by library and object, by network address and by calendar.
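The allow/reject decision described above can be modelled as a first-match rule list with a default reject, keyed on the same attributes (server, user or group profile, library and object, network address, calendar). This is an added example, not NetIQ or IBM code and not the real exit-program call interface; the rule format, server labels, profile names, library names and addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """One external request as a server would present it for a decision."""
    server: str        # "FTP", "DDM", "TELNET", "RMTSQL": labels chosen for this example
    user: str          # user profile the request runs under
    groups: tuple      # group profiles of that user
    library: str
    obj: str
    source_ip: str
    when: datetime


@dataclass(frozen=True)
class Rule:
    """One policy line (hypothetical format); '*' patterns match generically."""
    action: str                                 # "ALLOW" or "REJECT"
    server: str = "*"
    profile: str = "*"                          # user or group profile
    library: str = "*"
    obj: str = "*"
    network: str = "0.0.0.0/0"
    weekdays: frozenset = frozenset(range(7))   # Monday = 0
    start: time = time.min
    end: time = time.max


def matches(rule, req):
    """True when every attribute of the request falls inside the rule."""
    profiles = (req.user,) + tuple(req.groups)
    return (
        fnmatchcase(req.server, rule.server)
        and any(fnmatchcase(p, rule.profile) for p in profiles)
        and fnmatchcase(req.library, rule.library)
        and fnmatchcase(req.obj, rule.obj)
        and ip_address(req.source_ip) in ip_network(rule.network)
        and req.when.weekday() in rule.weekdays
        and rule.start <= req.when.time() <= rule.end
    )


def decide(rules, req):
    """Return (action, rule_index). First match wins; no match is a reject."""
    for index, rule in enumerate(rules):
        if matches(rule, req):
            return rule.action, index
    return "REJECT", None


def audit_line(rules, req):
    """Every decision, allowed or not, produces a reviewable log record."""
    action, index = decide(rules, req)
    return (f"{req.when.isoformat()} {action} server={req.server} user={req.user} "
            f"object={req.library}/{req.obj} src={req.source_ip} rule={index}")


# Constructed policy: names and networks are illustrative only.
POLICY = (
    # The security officer profile is never served over a remote server.
    Rule("REJECT", profile="QSECOFR"),
    # Payment operations may FTP settlement files from their subnet in office hours.
    Rule("ALLOW", server="FTP", profile="PAYOPS", library="CARDLIB", obj="SETTLE*",
         network="10.20.0.0/24", weekdays=frozenset(range(5)),
         start=time(8, 0), end=time(18, 0)),
    # One batch service account may use DDM from a single host.
    Rule("ALLOW", server="DDM", profile="BATCHSVC", library="CARDLIB",
         network="10.20.1.5/32"),
)

if __name__ == "__main__":
    sample = Request("FTP", "ALICE", ("PAYOPS",), "CARDLIB", "SETTLE01",
                     "10.20.0.15", datetime(2008, 3, 4, 10, 30))
    print(audit_line(POLICY, sample))
```

Because an unmatched request is rejected, a new server, profile or source network gets no access until a rule is written for it.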
Having remote exit programs installed and configured will help with compliance on the category of building and maintaining a secure network. An exit program solution, like NetIQ Security Solutions for iSeries, maps to the following PCI requirements:

1.2 Build a firewall configuration that denies all traffic from untrusted networks/hosts, except for:
  o Web protocols - HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443)
  o System administration protocols (e.g., Secure Shell (SSH) or Virtual Private Network (VPN))
  o Other protocols required by the business (e.g., for ISO 8583)

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include:
  o Restricting outbound traffic to that which is necessary for the payment card environment

1.4 Prohibit direct public access between external networks and any system component that stores cardholder information (e.g., databases)
  o Implement a DMZ to filter and screen all traffic, to prohibit direct routes for inbound and outbound Internet traffic
  o Restrict outbound traffic from payment card applications to IP addresses within the DMZ

2.2 Develop configuration standards for all system components. Make sure these standards address all known security vulnerabilities and industry best practices
  o Disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the devices' specified function)
  o Configure system security parameters to prevent misuse

Extensive Reporting for Compliance

System-Level Reports

Many of the system-level settings required by PCI DSS can be audited through NetIQ Security Solutions for iSeries and NetIQ Secure Configuration Manager, along with the ability to provide audit results through standard reports. The reports available through these NetIQ products, and the PCI Standards to which they map, are shown below.

Available NetIQ Reports:
- Minimum Password Length
- Password Requires Numeric Character
- Password Character Restriction
- Passwords That Are Reused
- Sign-On Maximum Attempts
- Maximum Sign-On Attempts Action
- Password Validation Program

PCI Data Security Requirements:
- Require a minimum password length of at least seven characters
- Use passwords containing both numeric and alphabetic characters
- Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
- Limit repeated access attempts by locking out the user ID after not more than six attempts
- Set the lockout duration to thirty minutes or until administrator enables the user ID
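The five password and sign-on thresholds listed above can be checked directly against a system's sign-on system values. The following is an added example, not NetIQ code: it assumes the reports correspond to the IBM i system values QPWDMINLEN, QPWDRQDDGT, QPWDRQDDIF, QMAXSIGN and QMAXSGNACN (names that do not appear in the white paper), and both sample configurations are constructed.

```python
# QPWDRQDDIF encodes password history as a code, not a count:
# code -> number of previous passwords a new password must differ from.
PWD_HISTORY = {"0": 0, "1": 32, "2": 24, "3": 18, "4": 12,
               "5": 10, "6": 8, "7": 6, "8": 4}


def _as_int(raw):
    """Parse a numeric system value; special values such as *NOMAX give None."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def check_system_values(values):
    """Return a list of (system_value, finding) for each threshold not met.

    `values` maps system value names to their current settings as strings.
    A missing value is reported as a finding rather than assumed compliant.
    """
    findings = []

    # Minimum password length of at least seven characters.
    minlen = _as_int(values.get("QPWDMINLEN"))
    if minlen is None or minlen < 7:
        findings.append(("QPWDMINLEN", "minimum password length is below 7"))

    # Numeric character required. This value only forces a digit; it does
    # not by itself prove that an alphabetic character is also present.
    if str(values.get("QPWDRQDDGT")) != "1":
        findings.append(("QPWDRQDDGT", "passwords are not required to contain a digit"))

    # New password must differ from at least the last four.
    if PWD_HISTORY.get(str(values.get("QPWDRQDDIF")), 0) < 4:
        findings.append(("QPWDRQDDIF", "fewer than 4 previous passwords are blocked"))

    # Lock out after not more than six failed attempts.
    maxsign = _as_int(values.get("QMAXSIGN"))
    if maxsign is None or maxsign > 6:
        findings.append(("QMAXSIGN", "more than 6 sign-on attempts are allowed"))

    # Action at the limit: 1 = disable device, 2 = disable profile, 3 = both.
    # Only 2 and 3 lock the user ID until an administrator re-enables it.
    if str(values.get("QMAXSGNACN")) not in ("2", "3"):
        findings.append(("QMAXSGNACN", "user profile is not disabled at the limit"))

    return findings


# Constructed samples: a permissive configuration and a corrected one.
WEAK = {"QPWDMINLEN": "6", "QPWDRQDDGT": "0", "QPWDRQDDIF": "0",
        "QMAXSIGN": "*NOMAX", "QMAXSGNACN": "1"}
HARDENED = {"QPWDMINLEN": "8", "QPWDRQDDGT": "1", "QPWDRQDDIF": "8",
            "QMAXSIGN": "5", "QMAXSGNACN": "3"}

if __name__ == "__main__":
    for label, config in (("weak", WEAK), ("hardened", HARDENED)):
        results = check_system_values(config)
        print(label, "PASS" if not results else results)
```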

User-Level Reports

User-level reporting and monitoring is an integral part of the PCI Data Security Requirements and is provided through the NetIQ Security Solutions for iSeries and NetIQ Secure Configuration Manager solutions. The reports available through these NetIQ products, and the PCI Data Security Requirements to which they map, are shown below.

Available NetIQ Reports:
- Weak or Easily Guessed Password
- Password Equals Profile
- Users Not Signed On in X Days
- User Profile Creation Date
- Profile and Password Manager (Auto disablement and deletion of old accounts)
- Group Profiles with Passwords
- Group Profiles Last Sign-On Date

PCI Data Security Requirements:

2.1 Always change the vendor-supplied defaults before you install a system on the network (e.g., passwords, SNMP community strings and elimination of unnecessary accounts)

6.3 Develop software applications based on industry best practices and include information security throughout the software development life cycle. Include the following:
  o Removal of test data and accounts before production systems become active
  o Removal of custom application accounts, usernames and passwords before applications become active or are released to customers

8.1 Identify all users with a unique username before allowing them to access system components or cardholder data

8.5 Ensure proper user authentication and password management for non-consumer users and administrators, on all system components:
  o Control the addition, deletion and modification of user IDs, credentials and other identifier objects
  o Verify user identity before performing password resets
  o Set first-time passwords to a unique value per user and change immediately after first use
  o Immediately revoke accesses of terminated users
  o Remove inactive user accounts at least every 90 days
  o Enable accounts used by vendors for remote maintenance only during the time needed
  o Do not use group, shared or generic accounts/passwords

Privilege Management

Privilege Manager is a change control solution that lets you control access to a managed server by escalating privileges. Offering built-in auditing and reporting as well as a rich escalation model, Privilege Manager enables you to meet your compliance objectives and allows you to:

- Implement effective change control on servers
- Run object access failure reports to assure policy and regulatory compliance
- Increase operational security of your servers using just-in-time authorities and granular access control
- Ensure required changes are implemented and validated

Privilege Manager provides the escalated privilege solution you need to limit widespread authorities, show continuous regulatory compliance and increase operational integrity. Using Privilege Manager, you can limit regular access to your sensitive servers to a one-time event or regularly scheduled maintenance window and assign the task to a specific user or user group.

File- and Field-Level Auditing

File- and field-level tracking is a capability within the Data Auditing and Reporting feature of NetIQ Security Solutions for iSeries. This feature is designed to track changes and access to any iSeries file at the field level, and report on only those files and fields that you specify. Without this information, auditors would be unable to determine if a transaction had been altered directly at the field level, after it had been properly entered into the system through an application.

Automated/Assisted User Profile Management

User Profile Management allows you to automatically disable and delete unused user profiles after predefined time periods and reallocate any owned objects to other profiles. This eliminates potential security vulnerabilities on the machine. User accounts should be disabled as soon as they are no longer needed; however, IT is not always provided this information in a timely manner. Disabling a user account after 60 or 90 days of inactivity is a mitigating control that reduces the risk of someone using that account to gain unauthorized access. These stale accounts represent a higher degree of risk because they usually belong to a terminated employee and because use of the account at a later date would likely go unnoticed for an extended period of time. In addition, they cause unnecessary clutter on the system, reducing your ability to effectively manage user access.

Check Old Passwords for User

This function enables a security administrator or help desk employee to verify that a given password for a user actually was an earlier password for that user. This old password can then be used to reset the current password (perhaps one the user forgot) to the previous password (or the one the user remembers).

Maintain User Profile Based on Template

This program allows authorized users to change User Profiles. The Change User Profile functions are restricted through the User Profile Template Authority definitions. A *SECOFR-type user can grant or revoke the Change User Profile authorities for any user, thereby controlling the capability of that user to edit a user profile.

Inactive Session Monitor

The Inactive Session Monitor is a feature within NetIQ Security Solutions for iSeries that periodically checks the status of all of the interactive jobs in your system. In particular, it looks for jobs that are waiting for user input. When it detects one of these jobs, the Inactive Session Monitor determines how long the job has been waiting. If the wait period exceeds the time limit set by you, the offending job is signed off, disconnected or held.

Object Authority Management

NetIQ Security Solutions for iSeries provide an Object Authority Manager, which helps organizations enforce and audit security at the object level. Objects within a library are compared to the template for the specified type, and an exception report is produced showing objects out of compliance with the template standard. An option is available to force all objects to comply with the template, or to bring objects into compliance on an individual basis. Objects out of compliance represent items that have a high probability of unauthorized changes or non-standard parameters that could be insecure.

NetIQ Secure File Editor

The Secure File Editor in NetIQ Security Solutions for iSeries automatically creates a detailed log whenever a file alteration is made. This provides complete audit capabilities, both online and in report form, for any change made to a secured file. Secure File Editor eliminates the drudgery of manipulating files to test new programs, correct data entry errors or search for values.

Other NetIQ Solutions for PCI Compliance

NetIQ provides additional solutions that help organizations comply with PCI Data Security Requirements. The following section provides a high-level overview of key NetIQ products that can assist in assuring compliance with the PCI Data Security Requirements (as well as other regulations). Further information, as well as fully-functional product trials, can be obtained via the NetIQ web site.

VigilEnt Policy Center

NetIQ's VigilEnt Policy Center is a web-based application that provides the ability to electronically create, distribute, track and manage policy documents throughout an organization. The product contains a library of over 1,000 customizable policy document templates that can be used to create electronic versions of corporate policies, distribute them to end users and validate and test the users' policy comprehension.

In regard to PCI compliance, VigilEnt Policy Center can document how the controls have been assessed and what, if any, policies and procedures will be used to remedy any control deficiencies. For organizations implementing PCI or moving from the Visa CISP standard to PCI, VigilEnt Policy Center can be used to issue an assessment questionnaire to verify compliance with the new or updated policies and procedures across all twelve requirements of the PCI Data Standard.

For more information on NetIQ's VigilEnt Policy Center, as well as the ability to download a fully-functional trial, visit the NetIQ web site.

NetIQ Secure Configuration Manager

NetIQ Secure Configuration Manager proactively ensures that you are identifying the latest system vulnerabilities, complying with corporate and regulatory policies and managing security risks across a heterogeneous environment. You can baseline your current security posture, download the latest vulnerability knowledge and correct exposures before they result in security breaches, failed audits or costly downtime. NetIQ Secure Configuration Manager enables companies to implement a policy-based set of internal controls across a wide variety of technologies, in accordance with Section 404.

NetIQ Secure Configuration Manager allows you to manage your iSeries, Windows and UNIX environments from a centralized management console. Customized policy templates are run against multiple servers simultaneously in order to discover possible vulnerabilities. Once vulnerabilities are discovered, you are able to take action from the console and have it propagate across multiple platforms. Some of the common reports include: system reports, user/group reports, file/directory reports and internet/network reports.

For more information on NetIQ Secure Configuration Manager, as well as the ability to download a fully-functional trial, go to the NetIQ web site.

NetIQ Security Manager

NetIQ Security Manager provides the tools you need to identify and manage security incidents as they happen. Incident detection, response and log management are required activities within the PCI Data Security Requirements. While measures should be taken to prevent issues with cardholder information, it is understood that not everything can be avoided. Therefore, controls must be in place to detect incidents that slip past the preventative controls. Once an incident has been detected, it must be properly managed and documented.

NetIQ Security Manager, which includes the core capabilities of Incident Management, Event Management, Correlation and Log Management, provides a comprehensive solution for:

- Detecting a security breach
- Consolidating security events across all devices and platforms in your enterprise
- Correlating events across multiple platforms and across time
- Providing comprehensive audit trails and forensics analysis

For more information on NetIQ Security Manager, as well as the ability to download a fully-functional trial, go to the NetIQ web site.

Summary

With many iSeries platforms being utilized to manage and process cardholder data, appropriate security controls to meet the PCI Data Security Requirements are required. While security is inherent within OS/400 and its latest variant i5/OS, much of this security is not configured or operational by default, and ensuring that appropriate security controls for compliance and risk management are in place requires expert knowledge.

With a long history of providing security solutions for iSeries, NetIQ is well-placed to help organizations with their security and compliance needs across their iSeries platforms, and is the only vendor able to provide compliance support across all the operating systems supported by the new iSeries/i5 platform.

NetIQ Security Solutions for iSeries provide simplified compliance auditing, security monitoring and real-time protection for iSeries systems, especially the latest iSeries/i5 platform. When NetIQ Security Solutions for iSeries are deployed alongside NetIQ's security management and configuration & vulnerability management solutions (NetIQ Security Manager and NetIQ Secure Configuration Manager), organizations are able to assure security coverage and regulatory compliance across their iSeries servers, as well as other heterogeneous platforms and devices.

NetIQ products incorporate detailed knowledge on security management and configuration & vulnerability management across heterogeneous environments. By providing the ability to know what is required as well as the technology to deliver that information to administrators and operations personnel, NetIQ products have proven their ability to dramatically decrease the time that administrators traditionally spend in developing, configuring and maintaining appropriate security controls to assure compliance with the PCI Data Security Standard.

About NetIQ Corporation

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximise IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organisations demand. NetIQ's best-of-breed solutions help IT organisations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control and Enterprise Administration. For more information, please visit the NetIQ web site.


More information

NetIQ AppManager for Self Monitoring UNIX and Linux Servers (AMHealthUNIX) Management Guide

NetIQ AppManager for Self Monitoring UNIX and Linux Servers (AMHealthUNIX) Management Guide NetIQ AppManager for Self Monitoring UNIX and Linux Servers (AMHealthUNIX) Management Guide September 2014 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND

More information

Identity as a Service Powered by NetIQ Solution Overview Guide

Identity as a Service Powered by NetIQ Solution Overview Guide Identity as a Powered by NetIQ Solution Overview Guide July 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO

More information

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. PCI Compliance Can Make Your Organization Stronger and Fitter Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc. Today s Agenda PCI DSS What Is It? The Regulation 6 Controls 12 Requirements

More information

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

User Guide. NetIQ Change Guardian for Group Policy. March 2010

User Guide. NetIQ Change Guardian for Group Policy. March 2010 User Guide NetIQ Change Guardian for Group Policy March 2010 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT

More information

Integration With Third Party SIEM Solutions

Integration With Third Party SIEM Solutions Integration With Third Party SIEM Solutions Secure Configuration Manager February 2015 www.netiq.com Legal Notice NetIQ Secure Configuration Manager is protected by United States Patent No(s): 5829001,

More information

Addressing the Risks of Outsourcing

Addressing the Risks of Outsourcing Addressing the Risks of Outsourcing White Paper June 2006 Contents You Are Entrusting Another Entity to Protect Your Data.. 1 Ensure Your Business Partners Have Strong Security Programs... 2 Common Business

More information

Identity as a Service Powered by NetIQ Privileged Account Manager Service Installation and Configuration Guide

Identity as a Service Powered by NetIQ Privileged Account Manager Service Installation and Configuration Guide Identity as a Service Powered by NetIQ Privileged Account Manager Service Installation and Configuration Guide July 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED

More information

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and

More information

Using the Message Releasing Features of MailMarshal SMTP Technical White Paper October 15, 2003

Using the Message Releasing Features of MailMarshal SMTP Technical White Paper October 15, 2003 Contents Introduction... 1 Automatic Message Releasing Concepts...2 Server Configuration...3 Policy components...5 Array Support...7 Summary...8. Using the Message Releasing Features of MailMarshal SMTP

More information

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite. www.lepide.com/2020-suite/ Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite 7. Restrict access to cardholder data by business need to know PCI Article (PCI DSS 3) Report Mapping How we help 7.1 Limit access to system

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

User Guide. Directory and Resource Administrator Exchange Administrator. Directory and Resource Administrator Exchange Administrator User Guide

User Guide. Directory and Resource Administrator Exchange Administrator. Directory and Resource Administrator Exchange Administrator User Guide Directory and Resource Administrator Exchange Administrator User Guide User Guide Directory and Resource Administrator Exchange Administrator September 2010 Legal Notice NetIQ Directory Resource Administrator

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Using NetIQ Security and Administration Products to Ensure HIPAA Compliance March 25, 2002. Contents

Using NetIQ Security and Administration Products to Ensure HIPAA Compliance March 25, 2002. Contents Using NetIQ Security and Administration Products to Ensure HIPAA Compliance March 25, 2002 Contents HIPAA Overview...1 NetIQ Products Offer a HIPAA Solution...2 HIPAA Requirements...3 How NetIQ Security

More information

University of Sunderland Business Assurance PCI Security Policy

University of Sunderland Business Assurance PCI Security Policy University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

The Challenges of Administering Active Directory

The Challenges of Administering Active Directory The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

NetIQ Identity Manager

NetIQ Identity Manager NetIQ Identity Manager Security Guide December 2014 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON

More information

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for AIX The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and storing

More information

Installation Guide NetIQ AppManager

Installation Guide NetIQ AppManager Installation Guide NetIQ AppManager April 2016 www.netiq.com/documentation Legal Notice NetIQ AppManager is covered by United States Patent No(s): 05829001, 05986653, 05999178, 06078324, 06397359, 06408335.

More information

Best Practices for Managing & Monitoring Active Directory and Group Policy

Best Practices for Managing & Monitoring Active Directory and Group Policy Best Practices for Managing & Monitoring Active Directory and Group Policy Contents March 15, 2007 Introduction...1 Challenges of Administering Windows Environments...2 Successfully Managing Change across

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

User Guide Secure Configuration Manager

User Guide Secure Configuration Manager User Guide Secure Configuration Manager January 2015 www.netiq.com/documentation Legal Notice NetIQ Secure Configuration Manager is protected by United States Patent No(s): 5829001, 7707183. THIS DOCUMENT

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

The Challenges of Administering Active Directory

The Challenges of Administering Active Directory The Challenges of Administering Active Directory As Active Directory s role in the enterprise has drastically increased, so has the need to secure the data it stores and to which it enables access. The

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

Improving PCI Compliance with Network Configuration Automation

Improving PCI Compliance with Network Configuration Automation Improving PCI Compliance with Network Configuration Automation technical WHITE PAPER Table of Contents Executive Summary...1 PCI Data Security Standard Requirements...2 BMC Improves PCI Compliance...2

More information

TIBCO LogLogic. PCI Compliance Suite Guidebook. Software Release: 3.5.0. December 2012. Two-Second Advantage

TIBCO LogLogic. PCI Compliance Suite Guidebook. Software Release: 3.5.0. December 2012. Two-Second Advantage TIBCO LogLogic PCI Compliance Suite Guidebook Software Release: 3.5.0 December 2012 Two-Second Advantage Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

MailMarshal 6.0 SMTP Sizing Guide White Paper June 2004

MailMarshal 6.0 SMTP Sizing Guide White Paper June 2004 MailMarshal 6.0 SMTP Sizing Guide White Paper June 2004 Contents MailMarshal Sizing Guidelines... 1 Minimum Hardware and Software Requirements... 2 Performance Matrix... 4 Performance Tuning Recommendations...

More information

Using NetIQ's Implementation of NetFlow to Solve Customer's Problems Lecture Manual

Using NetIQ's Implementation of NetFlow to Solve Customer's Problems Lecture Manual ATT9290 Lecture Using NetIQ's Implementation of NetFlow to Solve Customer's Problems Using NetIQ's Implementation of NetFlow to Solve Customer's Problems Lecture Manual ATT9290 NetIQ Training Services

More information

NetIQ AppManager ResponseTime for Microsoft Active Directory Management Guide

NetIQ AppManager ResponseTime for Microsoft Active Directory Management Guide NetIQ AppManager ResponseTime for Microsoft Active Directory Management Guide August 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED

More information

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond

Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond RSA Solution Brief Compliance and Security Information Management for PCI DSS Requirement 10 and Beyond Through Requirement 10, PCI DSS specifically requires that merchants, banks and payment processors

More information

Net Report s PCI DSS Version 1.1 Compliance Suite

Net Report s PCI DSS Version 1.1 Compliance Suite Net Report s PCI DSS Version 1.1 Compliance Suite Real Security Log Management! July 2007 1 Executive Summary The strict requirements of the Payment Card Industry (PCI) Data Security Standard (DSS) are

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

PCI 3.0 Compliance for Power Systems Running IBM i

PCI 3.0 Compliance for Power Systems Running IBM i WHITE PAPER PCI 3.0 Compliance for Power Systems Running IBM i By Robin Tatam Introduction The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: +41-526320-411 Fax: +41-52672-2010 Copyright 1999-2011

More information

NetIQ AppManager for Cisco Intelligent Contact Management. Management Guide

NetIQ AppManager for Cisco Intelligent Contact Management. Management Guide NetIQ AppManager for Cisco Intelligent Contact Management Management Guide February 2012 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE

More information

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

Programming Guide. NetIQ Security Manager. October 2011

Programming Guide. NetIQ Security Manager. October 2011 Programming Guide NetIQ Security Manager October 2011 NetIQ Security Manager is protected by United States Patent No: 05829001. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER

More information

Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security

Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security Reduce Your Breach Risk: File Integrity Monitoring for PCI Compliance and Data Security A key capability of any information security program is the ability to rapidly detect and help correct data breaches.

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

User Guide. NetIQ Security Manager. October 2011

User Guide. NetIQ Security Manager. October 2011 User Guide NetIQ Security Manager October 2011 NetIQ Security Manager is protected by United States Patent No: 05829001. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND

More information

Corporate and Payment Card Industry (PCI) compliance

Corporate and Payment Card Industry (PCI) compliance Citrix GoToMyPC Corporate and Payment Card Industry (PCI) compliance GoToMyPC Corporate provides industryleading configurable security controls and centralized endpoint management that can be implemented

More information

PowerBroker for Windows Desktop and Server Use Cases February 2014

PowerBroker for Windows Desktop and Server Use Cases February 2014 Whitepaper PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 4 Sample Regulatory

More information

PowerBroker for Windows

PowerBroker for Windows PowerBroker for Windows Desktop and Server Use Cases February 2014 1 Table of Contents Introduction... 4 Least-Privilege Objectives... 4 Least-Privilege Implementations... 5 Sample Regulatory Requirements...

More information

Payment Card Industry Self-Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire How to Complete the Questionnaire The questionnaire is divided into six sections. Each section focuses on a specific area of security, based on the requirements included in the PCI Data Security Standard.

More information

How To Comply With The Pci Ds.S.A.S

How To Comply With The Pci Ds.S.A.S PCI Compliance and the Data Security Standards Introduction The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide Samsung KNOX EMM Authentication Services SDK Quick Start Guide June 2014 Legal notice This document and the software described in this document are furnished under and are subject to the terms of a license

More information

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection

Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection Real-Time Security Intelligence for Greater Visibility and Information-Asset Protection Take the Effort Out of Log Management and Gain the Actionable Information You Need to Improve Your Organisation s

More information

How Reflection Software Facilitates PCI DSS Compliance

How Reflection Software Facilitates PCI DSS Compliance Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit

More information

Trial Guide. NetIQ Security Manager. October 2011

Trial Guide. NetIQ Security Manager. October 2011 Trial Guide NetIQ Security Manager October 2011 NetIQ Security Manager is protected by United States Patent No: 05829001. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND

More information

You Can Survive a PCI-DSS Assessment

You Can Survive a PCI-DSS Assessment WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the

More information

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program).

Please note that in VISA s vernacular this security program for merchants is sometimes called CISP (cardholder information security program). Introduction This document serves as a guide for TCS Retail users who are credit card merchants. It is written to help them become compliant with the PCI (payment card industry) security requirements.

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

Installation Guide. NetIQ Security Solutions for iseries. September 10, 2008

Installation Guide. NetIQ Security Solutions for iseries. September 10, 2008 Installation Guide NetIQ Security Solutions for iseries September 10, 2008 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

NetIQ AppManager ResponseTime for Microsoft SQL Server

NetIQ AppManager ResponseTime for Microsoft SQL Server NetIQ AppManager ResponseTime for Microsoft SQL Server Management Guide April 2009 Legal Notice NetIQ AppManager is covered by United States Patent No(s): 05829001, 05986653, 05999178, 06078324, 06397359,

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults

More information