Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

Transcription

1 edmz Introduces Achieving PCI Compliance for: & Remote Vendor Access [ W H I T E P A P E R ] Written by e-dmz Security, LLC February 2010 C o p y r ig h t e - D M Z S e c u r i t y, LL C. A l l R ig h t s R e s e r v e d. w w w. e D M Z. c o m

2 Achieving PCI Compliance A White Paper by e-dmz Security, LLC OVERVIEW: Though PCI compliance is not a government driven requirement such as Sarbanes Oxley and HIPAA, noncompliance under PCI can have a devastating impact on any enterprise that relies on credit card transactions. Your contract with credit card companies requires that as an organization you comply with PCI. Non-compliance with PCI can result in specific contractual penalties and/or revocation of your rights as an enterprise to process credit card transactions. Like all compliance and regulatory requirements, there is no single product or policy/procedure that will assure your compliance. THERE IS NO SILVER BULLET for PCI COMPLIANCE. PCI compliance requires that your enterprise deploy many security technologies, and have specific policies and procedures in place. This white paper focuses on the unique issues and solutions associated with both privileged password management and remote vendor access in meeting PCI compliance requirements. Many of the requirements highlighted cannot be resolved or adequately addressed by existing enterprise security technologies such as firewalls, VPN and IDS solutions. Existing legacy policies and procedures are also unable to meet many of the requirements standards presented under PCI., control and audit of both shared/privileged account passwords and critical remote third party and administrative level connections is mandatory in meeting PCI requirements and other growing regulatory, compliance and best practice security needs. The chart below (see Appendix A, pg.5) is based on a review of the Payment Card Industry Data Security Standard Security Audit Procedures Version 1.1 September The chart illustrates the particular PCI issues that are addressed through the deployment of our eguardpost or Auto Repository (PAR) solutions. COMPLIANCE-DRIVEN PASSWORD MANAGEMENT The Auto Repository (PAR) was uniquely designed to solve enterprise security and compliance issues associated with the management and control of shared privileged passwords such as root and administrator. The issue of privileged password management and the unique features of PAR contribute directly and/or indirectly to many specific PCI requirements as outlined in Appendix A. Fundamentally, the compliance audit concerns in the area of shared privileged password management center on ACCOUNTABILITY and AUDIT. Given the level of access and shared nature of accounts like root and administrator, internal and external PCI audits are taking a close look at existing enterprise controls. In most cases, the existing manual based policy/procedure solutions (e.g. Safe envelope) or internally developed technical solutions are not standing up to PCI compliance audits. Under audit scrutiny existing in-house solutions are failing to deliver assured accountability and adequate audit. PAR, winner of SC Magazine s 2006 Readers Trust Award for, provides a purpose-built appliance with no client or host based software requirements to resolve your security and compliance concerns for shared/privileged account, service account and hard-coded password management

3 The unique capabilities of PAR can help your organization obtain and maintain PCI compliance for many PCI security requirements as reflected in Appendix A. At a high level, the core features, functions and capabilities provided under PAR that help drive PCI compliance include: User Accountability Account Access Control Dual Release Controls (Requestor/Approver(s)) Automated Change (time based and last use based) Strong Generation Secure Storage As is shown in the PAR Access Diagram below, administrators connect to PAR via a standard web browser via https. PAR supports role-based access and connections for requestors, approvers and various admin and auditor functions. From a requestor/approver standpoint, PAR securely stores, releases and changes privileged account passwords for a heterogeneous enterprise system environment including Unix, Windows, Databases and other network devices (firewalls, CISCO), AS400 and mainframes. Provided proper authorization (i.e. approval if under dual control) PAR will deliver the current privileged account password to the administrator. Once authorized release window expires or client expires release window, PAR will automatically change the privileged account password. Connections to back-end systems are also clientless using native system protocols. More information on PAR and a live demonstration can be found on our website at: REQUESTOR APPROVERS ADMINISTRATOR AUDITOR ISA MOZILLA FIREFOX IE NETSCAPE PAR Access Diagram RELEASE PASSWORD DEFINE SYSTEMS/USERS AUDIT CHANGE & VERIFY PASSWORDS SYSTEM ADMINISTRATOR HTTPS PAR RPC WINDOWS UNIX LINUX FIREWALLS ROUTERS SSH BACKUP PATCHES/MAINT. NETWORK CONFIG. DB CLIENT ORACLE SYBASE MSSQL COMPLIANCE-DRIVEN THIRD PARTY ACCESS eguardpost was designed to specifically address the enterprise security and compliance concerns associated with allowing remote third party (vendors, suppliers, consultants, etc.) and administrative access into enterprise networks and resources. Unlike remote employee connections, the enterprise does not have the same level of physical or technical controls - 2 -

4 over remote third party connections yet under PCI the enterprise has the same liability exposure should such access (authorized or not) result in the release or exposure of consumer credit card information. For these reasons, both internal and external PCI audits are focusing on how the enterprise secures, controls and audits third party, administrative and other sensitive remote connections. eguardpost working independently or in conjunction with PAR (eguardpost includes PAR functionality or can integrate with independent PAR appliance) can help the enterprise meet the intention of many PCI Security Standards as is shown in Appendix A. At a high level, the areas of audit under PCI directly addressed with eguardpost include: Vendor accounts monitored Logging all action to root and administrator Monitor, control and limit access HTTPS Full VCR Like Session Recording & Playback: SSH UNIX/ LINUX eguardpost TERMINAL SERVICES/VNC WINDOWS Technically many of these issues are easily addressed for employees through the deployment of an enterprise VPN, firewall, virus software and IDS. These issues become more challenging when working with remote third party vendors given the lack of ownership and control of the end client system, network and environment. eguardpost delivers a compliance-driven solution to the critical audit issues associated with remote third party connections including: Remote Session RECORDING: Including keystrokes, mouse movements and all screen changes Session Proxy: No direct connection to back-end servers, accounts or applications Clientless secure encrypted communication via https The unique session recording capabilities and VCR-like playback of eguardpost allow you to easily answer the question what did the remote vendor do when connected? Like having a camera recording a parking garage, it is not something you would review every day, but when needed it is a great security and compliance value to be able to go to the tape. eguardpost was selected for Information Security Magazine s Tomorrow s Technology Today award in the area of forensic and security audit

5 e-dmz Security s Total Access (TPAM) suite is a robust collection of integrated and modular technologies designed specifically to meet the complex and growing security and compliance requirements associated with privileged identity management and privileged access controls within the enterprise. The focus of TPAM is to provide the enterprise a cost-effective modular platform from which they can enable various privilege control functions as required based on current and/or future privileged access control requirements. The key privileged control functions offered under TPAM include: TPAM Suite Auto Repository Base Appliance Application Session Command Included Module Application eguardpost Base Appliance Optional Module Session Command Application Session Command The TPAM Suite is built on edmz Security s award winning Auto Repository (PAR) and/or eguardpost appliances from either platform the enterprise can enable the specific modules required to meet their current privileged control needs and in the future enable other modules as required to meet new and/or developing privileged control requirements. Where one enterprise may deploy all TPAM module s on a single base appliance as a central privileged access control point, others may deploy in a more distributed fashion. For example, deploy a PAR base appliance as a single control point for all privileged account passwords and deploy a separate eguardpost appliance with privileged session management to control internal developer access to production resources and deploy another eguardpost appliance in the company DMZ with privileged command management enabled to control remote vendor access to specific enterprise resources. Though loosely coupled, the eguardpost appliances are able to tightly integrate with the privileged password modules running on the PAR appliance. A brief description of the TPAM modules is provided below: (): Secure storage, release control and change control of privileged passwords across a heterogeneous deployment of systems and applications is a requirement for all enterprises. Past internally developed solutions and procedures do not meet the needs driven by increased internal threats and compliance. The award winning capabilities of our Auto Repository (PAR) provides the enterprise class features, functions and scalability demanded by today s environment. Application (APM): Embedded, Hard-coded accounts and passwords in scripts and/or applications is an often overlooked back-door security vulnerability to the enterprise. Through the robust CLI/API supported by PAR, these hard-coded passwords can be replaced with a simple call into PAR. APM is provided at no additional cost with the module. In addition, with our optional Accelerator, we can support over 1,000 password requests per second to meet the needs of the most demanding high-frequency A2A or A2DB environments. Session (): From remote vendors to developer access to production or other privileged access requirements, the ability to control access, audit access, monitor access and recording access become more and more critical as companies converge internal resources and/or outsource. Our award winning eguardpost provides full session management and controls including fine-grain resource access control, active session monitoring and full session recoding in an unmatched size efficient format for future replay. Command (PCM): Most enterprises today are forced to do more with less and less resources. As a result, the need to provide restricted delegated privileged access to key resources is growing. The unique configurable privileged command capabilities found in eguardpost v2.2 supports privileged access controls down to the command level. Not only are you able to control, recording and monitor sessions you can limit connections to a specific command for both Unix/Linux and Windows systems

6 APPENDIX A PCI DSS Requirement TPAM Module(s) How TPAM meets PCI 1.4 Prohibit direct public access between external networks and any system component that stores cardholder data 2.1 Always change vendor-supplied defaults TPAM module provides full session proxy between user and resource access. By requiring that all default accounts are managed by TPAM, you can ensure that the passwords are changed based on time and usage. 3.5 Protect encryption keys TPAM/ module supports secure file storage with granular access control Secure key distribution The TPAM/ file storage/release control can be used to support secure key storage and distribution with full audit Secure key storage TPAM/ file storage can be used to securely store keys and other information. All files are AES 256 encrypted Dual control for keys The TPAM/ file storage capability allows for dual (or more) control on the file release process Separation of duties between development, test and production environments. /PCM Several TPAM modules can be used to provide separation of duties between users and/or networks. supports a trusted gateway for developer access to production requirements Broken access control (for example malicious use of IDs) TPAM/ last use password change controls assures that any passwords managed by TPAM are changed after every/any use and thus not susceptible to malicious use. TPAM/ supports auto-login of authorized session. No credential exposure or knowledge eliminates any potential for malicious use as the credential is never known. 7.1 Limit access to computing resources/ automated access control system /PCM TPAM/ provides granular control to dictate which systems can be accessed, proxies the access and full records activity. Added PCM can limit access control to a specific command or executable environment. 7.2 Establish a mechanism for systems with multiple users that restricts access based on a user s need to know and is set to deny all unless specifically allowed 8.4 Encrypt all passwords during transmission and storage on all system components. /PCM The TPAM session management/control and command level control of the /PCM module can assure access only by authorized users and can further limit session to a specific command. This can help augment host level controls. TPAM/ encrypts all stored passwords using RSA BSafe AES 256 prior to storage in the internal database. In addition, the entire hard drive is encrypted via Guardian Edge hard disk encryption (also AES 256) Immediately revoke access for any terminated users. TPAM helps support this requirement through several features: assures no user employed or terminated has any account password knowledge unless in an active release window. TPAM can fully integrate with directories such as AD to synchronize changes with TPAM policy

7 APPENDIX A Enable accounts used by vendors for remote maintenance only during the time period needed TPAM/ supports dual (or more) connection authorization. Vendors can request access, but it is only allowed if specifically approved by authorized approvers. In the event access is granted, if requested time is exceeded, TPAM will automatically notify administrators of session overrun for appropriate action. Vendor accounts can be time limited Shared admin account TPAM/ was specifically designed to address this issue. In fact it is not always possible to disable all generic privileged accounts. For example, to login at console in single user mode. TPAM/ provides compliant management of shared privileged accounts. TPAM/ provides individual accountability to determine who accessed a shared account Require a minimum password length of at least seven characters TPAM/ supports the setting of many password rules, providing full control over password length. s are generated based on configured rule for account passwords managed by TPAM Use passwords containing both numeric and alphabetic characters TPAM/ supports the setting of many password rules, providing full control over use of numeric and alphabetic charcters. s are generated based on configured rule for account passwords managed by TPAM Limit repeated access attempts by locking out the user ID after not more than six attempts Both and support configuration options for TPAM ID lock-out after a configured number of attempts. If deploying as will be the connection access point to resources, the TPAM lock-out capability can be used in place of or to augment what is available at the resource/host Set the lock-out duration to thirty minutes or until administrator enables the user ID Both and support configuration options for TPAM ID lock-out duration. If deploying as will be the connection access point to resources, the TPAM lock-out duration capability can be used in place of or to augment what is available at the resource/host Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. TPAM/ provides individual accountability of who used a particular account. TPAM/ provides full session recording a replay for activity accountability Logging all action taken by any individual with root or administrative privileges. TPAM/ controls administrative session access to resources, records all activities and provides DVR-like session playback. There is NOTHING done through that is not fully recorded for forensic playback Monitor and control all access to data TPAM/ provides full session recording, archive and replay for all user or administrative sessions controlled by TPAM. Upcoming version will include real-time session monitoring (vs. post forensic playback only)