Delivering Security & Compliance On Demand


TECHNICAL BRIEF

QualysGuard Policy Compliance
Delivering Security & Compliance On Demand

Table of Contents

I. Executive Summary
II. Introduction
III. QualysGuard Policy Compliance: Architecture & Features
IV. QualysGuard Policy Compliance: Workflow
V. QualysGuard Policy Compliance: Features
   1. CONTROLS LIBRARY
   2. POLICY EDITOR
   3. POLICY MANAGER
   4. COMPLIANCE SCANS
   5. COMPLIANCE REPORTS
   6. EXCEPTIONS MANAGEMENT
   7. APIs
VI. Summary

Executive Summary

Today's IT security organizations are under continuous pressure to ensure their business complies with multiple regulations and requirements pertaining to the integrity and security of the IT environment while meeting the demands of internal and external auditors. While auditors are tasked with measuring and enforcing policy adherence, IT security departments need to reduce risk and enable business continuity. A comprehensive vulnerability and compliance management program can make an organization more effective and efficient in reducing the risk of internal and external threats, while at the same time providing proof of compliance necessary to satisfy auditors across multiple compliance initiatives.

Auditors are looking for:

- Policies that describe how an organization will provide security and integrity
- Proof that the policies have been operationalized
- Documented evidence that the organization has discovered and fixed any policy compliance lapses

"It's not about being secure the day the auditors show up. It's about being secure and compliant every month, week, day, and hour. And QualysGuard helps us to achieve and demonstrate that continuous level of security and compliance."
Manager of Information Security Vulnerability Management Team, Fifth Third Bancorp

To satisfy the needs of the IT security and audit organizations, a converged solution that supports the entire compliance process with a combination of policy management and configuration scanning is desirable. Such a solution enables IT staff to collect compliance data from systems on the network and allows auditors to leverage this data across multiple compliance initiatives with overlapping requirements.

QualysGuard Policy Compliance, delivered as a Software-as-a-Service (SaaS) solution, meets these needs by helping the IT security organization to pass audits and document compliance tied to corporate security policies, laws and regulations, and provides the ability to satisfy the requirements of internal and external auditors. QualysGuard Policy Compliance extends the global scanning capabilities of QualysGuard Vulnerability Management to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise, and maps this information to user-defined policies in order to accurately document compliance with security regulations and business mandates.

Figure 1: Policy Compliance Lifecycle. Steps shown: 1 Create Policies Based on Compliance Needs; 2 Assign Policy To Relevant Assets; 3 Compliance Scan; 4 Create Compliance Policy Reports (per host, asset group); 5 Create and Manage Exceptions. Other diagram labels: Risk and Regulatory-Based Policies; OS and Application Security Standards; Map to QualysGuard Policy Compliance Controls Library.

QualysGuard Policy Compliance features:

- Simplified Compliance Management: Customers can set automated compliance scans with controls based on CIS and NIST standards, while mapping to major industry regulations, including CobIT, ISO, NIST, Sarbanes-Oxley, HIPAA, GLBA, Basel II and others.
- Automated Compliance Reporting: Security and business managers can map compliance to policy by asset group or by host, allowing them to meet the reporting requirements of an individual internal policy or regulation. They also can create and manage exceptions based on a new workflow and enterprise role, Auditor.
- Seamless Integration: Policy Compliance integrates seamlessly with QualysGuard Vulnerability Management, leveraging the same safe, reliable and secure SaaS infrastructure relied upon by thousands of organizations worldwide.

QualysGuard Policy Compliance customer benefits:

- A Trusted Third Party that yields reliable data. Because all host compliance data and policies are securely stored by QualysGuard and not subject to manipulation, auditors trust the integrity and accuracy of the information and resulting QualysGuard reports.
- Deployment and Scalability is extremely important when diverse compliance teams are scattered across the globe. SaaS is best suited to support geographically dispersed teams that may be responsible for compliance for the entire enterprise or only one small part. Scheduled compliance scans can be run against specific parts of the enterprise at specific times, allowing for continuous scanning for compliance issues. SaaS removes scalability as a total cost of ownership (TCO) concern, and compliance becomes as ubiquitous as the web browser.
- Agent-less solutions speed deployment and cost less to manage over time. Remediating configuration compliance issues is not complicated by having to remediate problems with the software agents that collect compliance data. Hosts that have malfunctioning software agents cannot be considered in compliance reports.
- Subscription-based SaaS model allows the customer to control the compliance solution without the sunk costs associated with purchasing, licensing and supporting software-based products. The entire service is priced per host and there are no hidden costs. This is in stark contrast to solutions that comprise a management console, data collection agents, databases, add-on modules for compliance reporting and, in some cases, a separate product that manages selective compliance policies. Simplified deployment, a reliable gold standard of reporting, and overall lower TCO are primary benefits of the subscription-based SaaS approach.
- Role-based Access to data is critical to an organization made up of IT teams that all have some role to play in the compliance process. The roles played by all compliance teams (IT operations, security and vulnerability management, internal audit and policy management) need to be supported. Even an external audit firm could be granted a view of compliance reports to gauge compliance status over time and streamline the consulting engagement.

"Gathering IT security and configuration data for compliance purposes is a daunting task and quite expensive for a distributed organization like ours. QualysGuard enables us to collect security and compliance information from all of our global IT assets without having to deploy agents and to leverage this data across multiple compliance and regulatory initiatives. This enables us to drastically reduce the cost of compliance reporting while gaining an accurate view of our security and compliance posture."
Director of Security Architecture, TransUnion

Introduction

Qualys has introduced a Policy Compliance solution which allows customers to audit host configurations and measure their level of compliance with internal and external policies. By building such a solution on top of the QualysGuard SaaS platform, it operationalizes Vulnerability Management and Policy Compliance, delivering both in a single solution as the QualysGuard Security and Compliance Suite. Delivered in the browser, this approach provides a consolidated view of the security and compliance posture of an organization while making it easy and cost effective to implement on a global scale.

QualysGuard Policy Compliance is a comprehensive yet easy-to-use and easy-to-deploy application that streamlines compliance efforts by leveraging a single library of compliance standards and controls that can be reused across multiple compliance activities. This paper describes the architecture behind the QualysGuard Policy Compliance application and outlines its current features.

QualysGuard Policy Compliance: Architecture & Features

The QualysGuard Policy Compliance application extends QualysGuard global scanning capabilities to collect OS Configuration and Application Access controls from hosts and other assets within the enterprise, and maps this information to policies to fix and document compliance with regulations and mandates.

"A basic responsibility of the IT security organization is to protect the business from internal and external threats. Moreover, the IT security organization is also under pressure to help the business satisfy the business requirements and comply with the demands of internal and external auditors for multiple regulations."
Mark Nicolett, Vice President, Gartner, Inc.

QualysGuard Policy Compliance addresses the key issue that most internal and external compliance requirements overlap. For example, password policies for operating systems and database applications have relevance across Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley Act (GLBA), Basel II and other external mandates, as well as to internal security processes. Similarly, user access, permissions, patching and password policies, corporate malware strategies, and many other compliance areas and initiatives share similar or identical policy structures and data across multiple compliance requirements. The solution streamlines the collaborative process to meet all policy compliance objectives (internal and external) while keeping it simple to deploy and manage.

Qualys' Policy Compliance solution is based on a single electronic library for all compliance standards and compliance controls, classified into a common compliance framework such as CIS, CobIT, ISO and NIST, which can be accessed by each compliance team for mitigation and audit requirements.

QualysGuard Policy Compliance scans are agent-less, and based on data gathered through authenticated scanning of hosts. Successful authentication is essential for obtaining in-depth compliance data. QualysGuard allows users to submit authentication credentials in the web application, where they are securely stored to perform compliance scanning. Authenticated scanning on Windows, SNMP, Oracle, and Unix (SSH/TELNET) augments the information gathered from operating systems and applications, which is necessary for measuring compliance against internal and external policies. More than a vulnerability scan, the compliance scan allows customers to interrogate hosts, collecting all available data about operating system configuration, host application inventories, current patch levels and other system information. Additionally, QualysGuard Policy Compliance allows customers to schedule compliance scans to support a continuous auditing approach.

All policy creation and editing, as well as scan scheduling, compliance monitoring, reporting and exceptions management, is done securely using a browser-based application, with the controls library itself hosted and maintained by Qualys. Users are able to create and edit policies and add them to their policy library. Reports are available in the QualysGuard Report Share where they can be run after compliance scans are completed, and users are automatically notified when reports are ready for download.

"Auditors want to see: policies that describe how an organization will provide security and integrity; proof that the policies have been operationalized; and evidence that the organization can discover and fix policy compliance lapses. An effective vulnerability management and compliance program can make an organization more efficient in reducing the risk of internal and external threats, while, at the same time, provide proof of compliance demanded by auditors."
Mark Nicolett, Vice President, Gartner, Inc.

In summary, QualysGuard Policy Compliance combines the regulatory-specific and task-specific features of point solutions with the convenience, consistency and efficiency of a centralized solution with no software to install or maintain. It lets customers:

- Create, edit and manage policies, drawing upon a large store of pre-built controls. QualysGuard Controls Library is based on CIS Benchmarks.
- Organize controls together into complete compliance policies for Sarbanes-Oxley 404, HIPAA, GLBA, Basel II, local regulations, internal policies and other areas of compliance.
- Get support for compliance frameworks such as CIS, CobIT, ISO and NIST.
- Reuse controls across different compliance policies, as appropriate, to save effort, ensure consistency and simplify compliance management.
- Query host configuration data against the policy controls and expected results to determine and document compliance levels.
- Monitor compliance levels across the enterprise by business unit, asset group, asset owner and individual host.
- Create, track and report on exceptions to policies by control and/or host with a closed-loop approval process.

QualysGuard Policy Compliance: Workflow

QualysGuard Policy Compliance provides automated compliance scanning and policy reporting for frameworks and regulations through the following workflow:

Figure 2: Policy Compliance Workflow

- Author Policies from QualysGuard Controls Library. Default policies are available for users to import and customize to their auditing needs.
- Assign policies to assets and save to the QualysGuard Policy Manager.
- Run compliance scans on hosts via authenticated credentials to collect data points from hosts. Compliance scan results are stored encrypted within the QualysGuard account.
- Generate Compliance reports to review results, fix configuration issues and document compliance.
- Create and manage exceptions. Auditors can approve exceptions and review compliance reports.

This workflow allows compliance professionals to define policies that describe how an organization will provide security and integrity; provide proof that the policies have been operationalized; and give evidence that the organization can discover and fix policy compliance lapses.

QualysGuard Policy Compliance: Features

QualysGuard Policy Compliance delivers the core capabilities for security managers and auditors to integrate compliance into existing IT and vulnerability management processes, and contains the following capabilities:

1. CONTROLS LIBRARY

- The Controls Library is a centralized location with technical controls pertaining to operating systems and applications, and enables an efficient "write once and reuse" approach to policy management and reporting on a wide variety of compliances. All QualysGuard controls are derived from the CIS benchmarks.

Figure 3: Controls Library

- All controls are classified by Operating System or Application, as well as category (i.e. password, permissions, configurations, anti-virus, Malware, etc.). Controls, as appropriate, are classified by compliance framework (CIS, COBIT 4.0, ISO and NIST SP800-53) and/or regulatory compliance (SOX 404, GLBA, HIPAA and Basel II). These classifications include references to specific sections of the framework or regulation. The current technologies supported are Windows XP, Windows 2000, Windows 2003, Windows 2003 Active Directory, Windows 2008, Windows 2008 Active Directory, Windows Vista, Windows 7, AIX 5.x, HPUX 11i.v1 and v2, Solaris 8, 9, and 10, Red Hat Enterprise Linux 3, 4, and 5, SUSE Enterprise Linux 9 and 10, Oracle 9i, 10g, and 11g, and SQL Server 2000, 2005, and

Figure 4: Controls Classification. Callouts: Control Statement and Category; Rationale for each supported technology; Mapping to compliance frameworks & standards is automatically provided for each control.

- Add User Defined Controls to create custom configurations to expand your scanning capabilities with Policy Compliance. The following User Defined Controls are supported for Windows XP, Windows 2000, Windows 2003, Windows 2008, Windows Vista and Windows 7 operating systems: Registry Key Existence, Registry Value Existence, Registry Value Content Check, Registry Permission, File/Directory Existence, File/Directory Permission, File Integrity Check. In addition, the following User Defined Controls are supported for AIX 5.x and 6.x, CentOS 4.x and 5.x, Debian GNU/Linux 5.x, HPUX 11i.v1, v2, and v3, Red Hat Enterprise Linux 3, 4, and 5, Mac OS X 10.x, openSUSE 10.x and 11.x, Oracle Enterprise Linux 4 and 5, Solaris 8, 9, and 10, SUSE Enterprise Linux 9, 10, and 11, Ubuntu 8.x and 9.x, and VMware ESX 3.x and 4.x operating systems: File/Directory Existence, File/Directory Permission, File Content Check, and File Integrity Check.

Figure 5: User Defined Controls

- Add custom references to map controls to custom internal documents.

Figure 6: Controls Editor

2. POLICY EDITOR

QualysGuard Policy Editor is a WYSIWYG user interface to create and edit policies, and assign them to assets. A policy can be divided into sections and can include a cover page to document specific details about the usage and purpose of the policy within the organization. In addition, users can define the pass/fail status of a control per policy by changing the expected value of the control in that policy.

Each control within a policy represents a data query comparison to user-supplied baseline information. Best practice baseline values for each control are already included and these default values are available out-of-the-box. These values can be edited by the user. The resulting controls and their comparison values supplied by the user (or the defaults from Qualys) represent a host data query that compares the data retrieved from the host system to the expected result to report a pass/fail compliance status for the host.

Figure 7: Policy Editor

QualysGuard asset groups are assigned to the relevant policy via the Assign Assets workflow. New asset groups can be created in support of compliance efforts or existing QualysGuard asset groups can be used for that purpose. This allows policies to be applied to a location, an operating system, or any other logical grouping of assets.

3. POLICY MANAGER

Collections of controls can be combined into complete, compiled policies tailored to each compliance area relevant to your operations and saved in the Policy Manager. Over time, policies change to reflect new business practices, security policies and regulations. These life-cycle steps are supported through tracking of the user that created or updated the policy, and the date the policy was created or updated.

Figure 8: Policy Manager

4. COMPLIANCE SCANS

- Compliance scans, like vulnerability scans, can be scheduled to run in an automated manner or on demand. QualysGuard's highly accurate and non-intrusive scanning engine, with trusted scanning capabilities for new compliance checks, returns the results for the hosts within groups of assets assigned to compliance policies. All compliance scans are performed via authenticated credentials. Therefore, it is imperative that the authentication records for compliance assets be set accordingly. Privileged access (root or administrator-like privileges) is required for compliance scanning in order to scan hosts for the data points used by controls.

Figure 9: Compliance Scan Scheduler

- The Authentication Report compliance summary, shown in Figure 10, identifies the percentage of hosts in each asset group that were successfully authenticated to during the most recent compliance scan.

Figure 10: Authentication Success/Fail Report

- Authentication Report results give users diagnostic information on why the authentication failed on certain hosts. Users can drill down by authentication type to discover the cause of authentication failure and use this information to fix the authentication error before the next compliance scan. Figure 11 illustrates how this diagnostic information is presented to the user.

Figure 11: Authentication Report with Diagnostic Information

5. COMPLIANCE REPORTS

Compliance reports with multiple views to review compliance status with a particular policy by business unit, by asset group, or by host are critical for monitoring the enterprise compliance status. Compliance reports include:

- The Per Host real-time report includes the pass/fail status of a policy control for the host, the expected result or best practice (as supplied by Qualys) and the result found by QualysGuard. Expanding control details allows the user to see the information returned that caused the failed compliance state for the host. This is an operational report that allows the user to take action on a given host and issue an exception per control if necessary, as shown in Figure 12.

Figure 12: Per Host Policy Compliance Report

- A Per Control report can also be generated in real time that shows the compliance status of multiple hosts within a business unit or asset group, on a control-by-control basis, as shown in Figure 13.

Figure 13: Per Control Compliance Report

- The Policy report summary indicates compliance percentage per control (list with percentages). Results of compliance are listed by control for the corresponding assets that are assigned to the policy, as shown in Figure 14. This report provides the organization with the auditor global view on the state of compliance.

Figure 14: Policy Compliance Report

6. EXCEPTIONS MANAGEMENT

While policies are meant to be adhered to in order to reduce risk in the organization or comply with a specific regulatory standard, at certain times specific hosts may need an exception from a particular policy control for legitimate business reasons.

- Exceptions can be set on a temporary or permanent basis. A specific host may be exempted from a specific control in a specific policy for an explicit period of time by entering an expiration date, or permanently by leaving the expiration date blank. Workflows allow users to create and assign exceptions by host or groups of hosts (see Figures 15 and 16).

Figure 15: Workflows to Create Exceptions. Panels: workflow to create exceptions in bulk; workflow to create individual exceptions by control and by IP.

Figure 16: Exception Creation and Assignment

- Requested Exceptions must be assigned to and accepted by an approver. QualysGuard users with Manager and Auditor privileges (Figure 16) are designated as exception approvers. The approver may set a variety of status levels for the exception.

Figure 17: Auditor User Role for Managing Exceptions

- The Centralized Exceptions List shows exceptions, their owners, issues and statuses in a concise manner that allows an internal or external auditor a view of accepted business risk and demonstrates a mature approach to the risk management process. This list can be viewed by policy, assignee and requester. Search options allow you to sort the list by exception attributes such as policy, control, host, requestor and status.

Figure 18: Managing Exceptions

- Exceptions Audit Trail includes all exception requestor/approver information captured in an audit trail (Figure 19). At each stage of the exceptions life-cycle, exception notifications are supported, including notifications for time-bound exceptions that enter an expired state.

Figure 19: Audit Trail per Exception
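
The control comparison, exception handling and per-control percentage described in the Policy Editor, Compliance Reports and Exceptions Management sections can be modelled as below. This is an added illustration, not Qualys code or the QualysGuard API: the control IDs, host addresses, operators, status names, the handling of missing data as a failure and the percentage formula are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Control:
    cid: str          # constructed control identifier
    statement: str
    operator: str     # "ge", "le" or "eq" (assumed comparison kinds)
    expected: object  # baseline value; a policy may override the default


@dataclass(frozen=True)
class ExceptionRecord:
    host: str
    cid: str
    approved: bool            # accepted by an approver
    expires: Optional[date]   # None models "expiration date left blank"


OPS = {
    "ge": lambda actual, expected: actual >= expected,
    "le": lambda actual, expected: actual <= expected,
    "eq": lambda actual, expected: actual == expected,
}


def evaluate(control, actual):
    """Compare the value collected from a host with the expected value."""
    if actual is None:
        # Assumption: a data point that was not collected (for instance
        # after a failed authentication) fails closed instead of passing.
        return "FAIL"
    return "PASS" if OPS[control.operator](actual, control.expected) else "FAIL"


def exception_active(exc, today):
    """Only approved exceptions count; a dated one lapses after its expiry."""
    return exc.approved and (exc.expires is None or today <= exc.expires)


def posture(policy, host_data, exceptions, today):
    """Return {(host, control id): "PASS" | "FAIL" | "EXCEPTED"}."""
    active = {(e.host, e.cid) for e in exceptions if exception_active(e, today)}
    result = {}
    for host, data in host_data.items():
        for control in policy:
            status = evaluate(control, data.get(control.cid))
            if status == "FAIL" and (host, control.cid) in active:
                status = "EXCEPTED"
            result[(host, control.cid)] = status
    return result


def percent_passing(result, cid):
    """Per-control percentage of hosts that pass (EXCEPTED is not a pass)."""
    statuses = [s for (_, c), s in result.items() if c == cid]
    return round(100 * statuses.count("PASS") / len(statuses))


# Constructed sample policy, scan data and exception list.
POLICY = [
    Control("PW-MINLEN", "Minimum password length", "ge", 8),
    Control("PW-MAXAGE", "Maximum password age (days)", "le", 90),
    Control("TELNET-OFF", "Telnet service enabled", "eq", False),
]
HOST_DATA = {
    "192.0.2.5": {"PW-MINLEN": 8, "PW-MAXAGE": 90, "TELNET-OFF": False},
    "192.0.2.6": {"PW-MINLEN": 6, "PW-MAXAGE": 60, "TELNET-OFF": True},
    "192.0.2.7": {"PW-MINLEN": 12, "PW-MAXAGE": 365},  # telnet value missing
}
EXCEPTIONS = [
    ExceptionRecord("192.0.2.6", "PW-MINLEN", True, date(2010, 6, 30)),
    ExceptionRecord("192.0.2.6", "TELNET-OFF", False, None),  # not approved
    ExceptionRecord("192.0.2.7", "PW-MAXAGE", True, date(2010, 1, 31)),  # expired
]
TODAY = date(2010, 5, 15)

if __name__ == "__main__":
    report = posture(POLICY, HOST_DATA, EXCEPTIONS, TODAY)
    for (host, cid), status in sorted(report.items()):
        print(f"{host:<12} {cid:<11} {status}")
    for control in POLICY:
        print(f"{control.cid}: {percent_passing(report, control.cid)}% passing")
```

Re-running `posture` with a later `today` shows the time-bound exception on 192.0.2.6 lapsing, so the host reverts to a plain failure without anyone editing the exception list.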

7. APPLICATION PROGRAMMING INTERFACES

QualysGuard Policy Compliance APIs allow API users to report on policy compliance data in their user account. Three Compliance APIs are available:

1. The Control API allows API users to download all Controls, including User Defined Controls, from their subscription
2. The Policy API allows API users to download all Policies from their subscription
3. The Posture API allows API users to download the Control status (Pass/Fail) by host for a Policy

For additional information on the Compliance APIs, see the QualysGuard API v2 User Guide at

Summary

The ability to control all policies and their associated policy controls centrally, and to link them directly to queries of host compliance data, eliminates the need for separate policy management applications. Instead, you have a single, consistent, easy-to-use solution for your policy, compliance and audit management needs that supports the policy's life-cycle and any policy exceptions.

QualysGuard Policy Compliance does not enforce a one-size-fits-all approach to compliance management within your organization. Each IT team that deals with compliance issues has a specific role to play. QualysGuard Policy Compliance supports this separation of IT team roles with role-based access to different portions of the application, while facilitating workflow between all the different teams involved with compliance efforts. This approach provides a continuous vulnerability and compliance management cycle for regulatory mandates, internal policies and compliance teams across your entire enterprise.

USA: Qualys, Inc Bridge Parkway, Redwood Shores, CA T: 1 (650) sales@qualys.com
UK: Qualys, Ltd. Beechwood House, 10 Windsor Road, Slough, Berkshire, SL1 2EJ T: +44 (0)
Germany: Qualys GmbH München Airport, Terminalstrasse Mitte 18, München T: +49 (0)
France: Qualys Technologies Maison de la Défense, 7 Place de la Défense, Courbevoie T: +33 (0)
Japan: Qualys Japan K.K. Pacific Century Place 8F, Marunouchi, Chiyoda-ku, Tokyo T:
United Arab Emirates: Qualys FZE P.O Box 10559, Ras Al Khaimah, United Arab Emirates T:
China: Qualys Hong Kong Ltd. Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing T:

Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 05/10


Data Sheet: Archiving Altiris Server Management Suite 7.0 from Symantec Essential server management: Discover, provision, manage, and monitor Essential server management: Discover, provision, manage, and monitor Overview Complexity with physical and virtual machine proliferation increases the challenges involved in managing servers. Server administrators

More information

WINNING THE PCI COMPLIANCE BATTLE

WINNING THE PCI COMPLIANCE BATTLE WHITE PAPER WINNING THE PCI COMPLIANCE BATTLE A Guide for Merchants and Member Service Providers Table of Contents I. The Payment Card Industry Locks Down Customer Data II. Compliance Requirements of the

More information

IBM Tivoli Endpoint Manager for Lifecycle Management

IBM Tivoli Endpoint Manager for Lifecycle Management IBM Endpoint Manager for Lifecycle Management A single-agent, single-console approach for endpoint management across the enterprise Highlights Manage hundreds of thousands of endpoints regardless of location,

More information

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach

The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach The Convergence of IT Security and Compliance with a Software as a Service (SaaS) approach by Philippe Courtot, Chairman and CEO, Qualys Inc. Information Age Security Conference - London - September 25

More information

IBM Tivoli Endpoint Manager for Security and Compliance

IBM Tivoli Endpoint Manager for Security and Compliance IBM Endpoint Manager for Security and Compliance A single solution for managing endpoint security across the organization Highlights Provide up-to-date visibility and control from a single management console

More information

Symantec Control Compliance Suite Standards Manager

Symantec Control Compliance Suite Standards Manager Symantec Control Compliance Suite Standards Manager Automate Security Configuration Assessments. Discover Rogue Networks & Assets. Harden the Data Center. Data Sheet: Security Management Control Compliance

More information

Intro. The Prevalence of Network Vulnerabilities. Recent Changes in Vulnerability Attacks. VM Controls the Removal of Vulnerabilities

Intro. The Prevalence of Network Vulnerabilities. Recent Changes in Vulnerability Attacks. VM Controls the Removal of Vulnerabilities WHITE PAPER The Need for Vulnerability Management Table of Contents Intro The Prevalence of Network Vulnerabilities Recent Changes in Vulnerability Attacks VM Controls the Removal of Vulnerabilities VM

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

Data Sheet: Server Management Altiris Server Management Suite 7.0 Essential server management: Discover, provision, manage, and monitor

Data Sheet: Server Management Altiris Server Management Suite 7.0 Essential server management: Discover, provision, manage, and monitor Essential server management: Discover, provision, manage, and monitor Overview Complexity with physical and virtual machine proliferation increases the challenges involved in managing servers. Server administrators

More information

Lumension Endpoint Management and Security Suite

Lumension Endpoint Management and Security Suite Lumension Endpoint Management and Security Suite Patch and Remediation Module Evaluation Guide July 2012 Version 1.1 Copyright 2009, Lumension L.E.M.S.S:LPR - Table of Contents Introduction... 3 Module

More information

Tivoli Endpoint Manager. Increasing the Business Value of IT, One Endpoint at a Time

Tivoli Endpoint Manager. Increasing the Business Value of IT, One Endpoint at a Time 1 Tivoli Endpoint Manager Increasing the Business Value of IT, One Endpoint at a Time Endpoint Management Cost Today s Endpoint Management Challenges Drive IT Costs Up More than 50% of end users change

More information

CA Vulnerability Manager r8.3

CA Vulnerability Manager r8.3 PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL

More information

IBM Tivoli Compliance Insight Manager

IBM Tivoli Compliance Insight Manager Facilitate security audits and monitor privileged users through a robust security compliance dashboard IBM Highlights Efficiently collect, store, investigate and retrieve logs through automated log management

More information

Understanding Vulnerability Management Life Cycle Functions

Understanding Vulnerability Management Life Cycle Functions Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability

More information

Guardium Change Auditing System (CAS)

Guardium Change Auditing System (CAS) Guardium Change Auditing System (CAS) Highlights. Tracks all changes that can affect the security of database environments outside the scope of the database engine Complements Guardium's Database Activity

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Symantec Server Management Suite 7.6 powered by Altiris technology

Symantec Server Management Suite 7.6 powered by Altiris technology Symantec Server Management Suite 7.6 powered by Altiris technology Standardized control for distributed, heterogeneous server environments Data Sheet: Endpoint Management Overviewview Symantec Server Management

More information

Qualys PC/SCAP Auditor

Qualys PC/SCAP Auditor Qualys PC/SCAP Auditor Getting Started Guide August 3, 2015 COPYRIGHT 2011-2015 BY QUALYS, INC. ALL RIGHTS RESERVED. QUALYS AND THE QUALYS LOGO ARE REGISTERED TRADEMARKS OF QUALYS, INC. ALL OTHER TRADEMARKS

More information

FISMA Compliance: Making the Grade

FISMA Compliance: Making the Grade FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of

More information

Nessus Agents. October 2015

Nessus Agents. October 2015 Nessus Agents October 2015 Table of Contents Introduction... 3 What Are Nessus Agents?... 3 Scanning... 4 Results... 6 Conclusion... 6 About Tenable Network Security... 6 2 Introduction Today s changing

More information

SapphireIMS 4.0 Asset Management Feature Specification

SapphireIMS 4.0 Asset Management Feature Specification SapphireIMS 4.0 Asset Management Feature Specification v1.4 All rights reserved. COPYRIGHT NOTICE AND DISCLAIMER No parts of this document may be reproduced in any form without the express written permission

More information

ALERT LOGIC LOG MANAGER & LOGREVIEW

ALERT LOGIC LOG MANAGER & LOGREVIEW SOLUTION OVERVIEW: ALERT LOGIC LOG MANAGER & LOGREVIEW CLOUD-POWERED LOG MANAGEMENT AS A SERVICE Simplify Security and Compliance Across All Your IT Assets. Log management is an infrastructure management

More information

CloudPassage Halo Technical Overview

CloudPassage Halo Technical Overview TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure

More information

data express DATA SHEET OVERVIEW

data express DATA SHEET OVERVIEW data express DATA SHEET OVERVIEW The reliability of IT systems is a key requirement of almost any organization. Unexpected failure of enterprise systems can be expensive and damaging to an organization.

More information

How To Use Ibm Tivoli Monitoring Software

How To Use Ibm Tivoli Monitoring Software Monitor and manage critical resources and metrics across disparate platforms from a single console IBM Tivoli Monitoring Highlights Help improve uptime and shorten Help optimize IT service delivery by

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

QRadar SIEM 6.3 Datasheet

QRadar SIEM 6.3 Datasheet QRadar SIEM 6.3 Datasheet Overview Q1 Labs flagship solution QRadar SIEM is unrivaled in its ability to provide an organization centralized IT security command and control. The unique capabilities of QRadar

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

Configuration Audit & Control

Configuration Audit & Control The Leader in Configuration Audit & Control Configuration Audit & Control Brett Bartow - Account Manager Kelly Feagans, Sr. Systems Engineer ITIL, CISA March 4, 2009 Recognized leader in Configuration

More information

Offline Scanner Appliance

Offline Scanner Appliance Offline Scanner Appliance User Guide March 27, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other

More information

Bringing Continuous Security to the Global Enterprise

Bringing Continuous Security to the Global Enterprise Bringing Continuous to the Global Enterprise Asset Discovery Network Web App Compliance Monitoring Threat Protection The Most Advanced Platform 3+ Billion IP Scans/Audits a Year 1+ Trillion Events The

More information

CA Automation Suite for Data Centers

CA Automation Suite for Data Centers PRODUCT SHEET CA Automation Suite for Data Centers agility made possible Technology has outpaced the ability to manage it manually in every large enterprise and many smaller ones. Failure to build and

More information

White Paper. Managing Risk to Sensitive Data with SecureSphere

White Paper. Managing Risk to Sensitive Data with SecureSphere Managing Risk to Sensitive Data with SecureSphere White Paper Sensitive information is typically scattered across heterogeneous systems throughout various physical locations around the globe. The rate

More information

Altiris IT Management Suite 7.1 from Symantec

Altiris IT Management Suite 7.1 from Symantec Altiris IT Management Suite 7.1 from Achieve a new level of predictability Data Sheet: Endpoint Management Overviewview Change is inevitable for IT and it comes from several sources: changing needs from

More information

How SUSE Manager Can Help You Achieve Regulatory Compliance

How SUSE Manager Can Help You Achieve Regulatory Compliance White Paper Server How SUSE Manager Can Help You Achieve Regulatory Compliance Table of Contents page Why You Need a Compliance Program... 2 Compliance Standards: SOX, HIPAA and PCI... 2 What IT Is Concerned

More information

Altiris IT Management Suite 7.1 from Symantec

Altiris IT Management Suite 7.1 from Symantec Altiris IT 7.1 Achieve a new level of predictability Overviewview Change is inevitable for IT and it comes from several sources: changing needs from lines of business, managing and supporting too many

More information

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments. Security management solutions White paper IBM Tivoli and Consul: Facilitating security audit and March 2007 2 Contents 2 Overview 3 Identify today s challenges in security audit and compliance 3 Discover

More information

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015

QualysGuard WAS. Getting Started Guide Version 4.1. April 24, 2015 QualysGuard WAS Getting Started Guide Version 4.1 April 24, 2015 Copyright 2011-2015 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows

Quest InTrust. Version 8.0. What's New. Active Directory Exchange Windows Quest InTrust Version 8.0 What's New Active Directory Exchange Windows Abstract This document describes the new features and capabilities of Quest InTrust 8.0. Copyright 2004 Quest Software, Inc. and Quest

More information

Symantec IT Management Suite 7.5 powered by Altiris

Symantec IT Management Suite 7.5 powered by Altiris Symantec IT Management Suite 7.5 powered by Altiris IT flexibility. User freedom. Data Sheet: Endpoint Management Overview technology enables IT to make better decisions, be more flexible, improve productivity,

More information

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011 Brian McLean, CISSP Sr Technology Consultant, RSA Changing Threats and More Demanding Regulations External

More information

NetIQ FISMA Compliance & Risk Management Solutions

NetIQ FISMA Compliance & Risk Management Solutions N E T I Q C O M P L I A N C E S E R I E S NetIQ FISMA Compliance & Risk Management Solutions The Federal Information Security Management Act (FISMA) requires federal agencies to create and implement a

More information

Information Security Recommendation Report

Information Security Recommendation Report Information Security Recommendation Report Prepared for Baker and Company Prepared by Alma Ruiz May 3, 2013 Table of Contents ii Table of Contents Introduction... 1 Methods for Evaluation... 3 Results

More information

How to manage IT Risks and IT Compliance as a Service

How to manage IT Risks and IT Compliance as a Service How to manage IT Risks and IT Compliance as a Service in complex IS environment The Road Ahead in the Cloud Marek Skalický, CISM, CRISC Regional Account Manager for CAEE For SECURE 2012 Warsaw Agenda IT/Security

More information

Rozwiązanie SaaS w zakresie bezpieczeństwa teleinformatycznego i ochrony danych dla przedsiębiorstw

Rozwiązanie SaaS w zakresie bezpieczeństwa teleinformatycznego i ochrony danych dla przedsiębiorstw Rozwiązanie SaaS w zakresie bezpieczeństwa teleinformatycznego i ochrony danych dla przedsiębiorstw Andrzej Kleśnicki, CISM Technical Account Manager for Central Eastern Europe!! Qualys at a Glance Software-as-a-Service

More information

How To Buy Nitro Security

How To Buy Nitro Security McAfee Acquires NitroSecurity McAfee announced that it has closed the acquisition of privately owned NitroSecurity. 1. Who is NitroSecurity? What do they do? NitroSecurity develops high-performance security

More information

VULNERABILITY & COMPLIANCE MANAGEMENT SYSTEM

VULNERABILITY & COMPLIANCE MANAGEMENT SYSTEM VULNERABILITY & COMPLIANCE MANAGEMENT SYSTEM 2 REDUCE COSTS. IMPROVE EFFICIENCY. MANAGE RISK. MaxPatrol from Positive Technologies provides visibility and control of security compliance across your entire

More information

APPLICATION MANAGEMENT SUITE FOR SIEBEL APPLICATIONS

APPLICATION MANAGEMENT SUITE FOR SIEBEL APPLICATIONS APPLICATION MANAGEMENT SUITE FOR SIEBEL APPLICATIONS USER EXPERIENCE MANAGEMENT SERVICE LEVEL OBJECTIVE REAL USER MONITORING SYNTHETIC USER MONITORING SERVICE TEST KEY PERFORMANCE INDICATOR PERFORMANCE

More information

IBM Tivoli Netcool Configuration Manager

IBM Tivoli Netcool Configuration Manager IBM Netcool Configuration Manager Improve organizational management and control of multivendor networks Highlights Automate time-consuming device configuration and change management tasks Effectively manage

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Track-It! 8.5. The World s Most Widely Installed Help Desk and Asset Management Solution

Track-It! 8.5. The World s Most Widely Installed Help Desk and Asset Management Solution The World s Most Widely Installed Help Desk and Asset Management Solution Key Benefits Easy to use! Gain full control of your IT assets, hardware and software Simplify software license management Save

More information

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation Version 7.0 SP1 Evaluation Guide September 2010 Version 2.4 Copyright 2010, Lumension, Inc. Table of Contents Lumension Endpoint

More information

DMZ Gateways: Secret Weapons for Data Security

DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security A L I N O M A S O F T W A R E W H I T E P A P E R DMZ Gateways: Secret Weapons for Data Security EXECUTIVE

More information

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS

APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS APPLICATION MANAGEMENT SUITE FOR ORACLE E-BUSINESS SUITE APPLICATIONS Oracle Application Management Suite for Oracle E-Business Suite is a robust application management solution that helps you achieve

More information

<Insert Picture Here> Oracle Database Vault

<Insert Picture Here> Oracle Database Vault Oracle Database Vault Kamal Tbeileh Senior Principal Product Manager, Database Security The following is intended to outline our general product direction. It is intended for information

More information

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC Welcome to Modulo Risk Manager Next Generation Solutions for GRC THE COMPLETE SOLUTION FOR GRC MANAGEMENT GRC MANAGEMENT AUTOMATION EASILY IDENTIFY AND ADDRESS RISK AND COMPLIANCE GAPS INTEGRATED GRC SOLUTIONS

More information

Table of Contents. 10.0 Release Notes 2013/04/08. Introduction ... 3. in OS Deployment Manager. in Security Manager ... 7. Known issues ... 9 ...

Table of Contents. 10.0 Release Notes 2013/04/08. Introduction ... 3. in OS Deployment Manager. in Security Manager ... 7. Known issues ... 9 ... Release Notes Release Notes 2013/04/08 Table of Contents Introduction... 3 Deployment Manager... 3 New Features in Deployment Manager... 3 Security Manager... 7 New Features in Security Manager... 7 Known

More information

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu.

Enterprise Security. Moving from Chaos to Control with Integrated Security Management. Yanet Manzano. Florida State University. manzano@cs.fsu. Enterprise Security Moving from Chaos to Control with Integrated Security Management Yanet Manzano Florida State University manzano@cs.fsu.edu manzano@cs.fsu.edu 1 Enterprise Security Challenges Implementing

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

CloudPassage Halo Technical Overview

CloudPassage Halo Technical Overview TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure

More information

Secret Server Qualys Integration Guide

Secret Server Qualys Integration Guide Secret Server Qualys Integration Guide Table of Contents Secret Server and Qualys Cloud Platform... 2 Authenticated vs. Unauthenticated Scanning... 2 What are the Advantages?... 2 Integrating Secret Server

More information

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015 NEXPOSE ENTERPRISE METASPLOIT PRO Effective Vulnerability Management and validation March 2015 KEY SECURITY CHALLENGES Common Challenges Organizations Experience Key Security Challenges Visibility gaps

More information

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities

Identity and Access Management Integration with PowerBroker. Providing Complete Visibility and Auditing of Identities Identity and Access Management Integration with PowerBroker Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 4 BeyondTrust

More information

Symantec NetBackup 7.1 What s New and Version Comparison Matrix

Symantec NetBackup 7.1 What s New and Version Comparison Matrix Symantec 7.1 What s New and Version Comparison Matrix Symantec 7 allows customers to standardize backup and recovery operations across physical and virtual environments with fewer resources and less risk

More information

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: enhancing Web application security and regulatory compliance. Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your

More information

Centrify Server Suite Management Tools

Centrify Server Suite Management Tools SERVER SUITE TECHNICAL BRIEF Centrify Server Suite Management Tools Centrify Server Suite includes - at no extra charge - a powerful set of management tools in all editions: Centrify Identity Risk Assessor

More information

Symantec Client Management Suite 8.0

Symantec Client Management Suite 8.0 IT Flexibility. User Freedom. Data Sheet: Endpoint Management Overview of Symantec Client Management Suite Symantec Client Management Suite automates time-consuming and redundant tasks for deploying, managing,

More information

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services February 30, 2012 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation

More information

Network Security and Vulnerability Assessment Solutions

Network Security and Vulnerability Assessment Solutions Network Security and Vulnerability Assessment Solutions Unified Vulnerability Management It s a known fact that the exponential growth and successful exploitation of vulnerabilities create increasingly

More information

Windows Least Privilege Management and Beyond

Windows Least Privilege Management and Beyond CENTRIFY WHITE PAPER Windows Least Privilege Management and Beyond Abstract Devising an enterprise-wide privilege access scheme for Windows systems is complex (for example, each Window system object has

More information

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time Technology Blueprint Assess Your Vulnerabilities Maintain a continuous understanding of assets and manage vulnerabilities in real time LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1

More information

Patch Management SoftwareTechnical Specs

Patch Management SoftwareTechnical Specs Patch Management SoftwareTechnical Specs 1. Scalable: a. The PMS (Patch Management Software)must be scalable(can grow as network grows). b. The PMSmust be able to support more than 10k nodes from a single

More information

How To Monitor Your Entire It Environment

How To Monitor Your Entire It Environment Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Integrated Threat & Security Management.

Integrated Threat & Security Management. Integrated Threat & Security Management. SOLUTION OVERVIEW Vulnerability Assessment for Web Applications Fully Automated Web Crawling and Reporting Minimal Website Training or Learning Required Most Accurate

More information

An Oracle White Paper June 2009. Oracle Database 11g: Cost-Effective Solutions for Security and Compliance

An Oracle White Paper June 2009. Oracle Database 11g: Cost-Effective Solutions for Security and Compliance An Oracle White Paper June 2009 Oracle Database 11g: Cost-Effective Solutions for Security and Compliance Protecting Sensitive Information Information ranging from trade secrets to financial data to privacy

More information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information