RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

Transcription

1 Partner Addendum RSA Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire s results are based on detailed document inspections and interviews with the vendor s technical teams. Coalfire s guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at If you require more information specific to this solution guide, you may contact us here: S O L U T I O N G U I D E A D D E N D U M 1

2 Table of Contents 1. INTRODUCTION CLOUD COMPUTING OVERVIEW OF PCI AS IT APPLIES TO CLOUD/VIRTUAL ENVIRONMENTS RSA PCI COMPLIANCE SOLUTION RSA PCI REQUIREMENTS MATRIX (OVERVIEW)...16 S O L U T I O N G U I D E A D D E N D U M 2

3 1. Introduction RSA, the security division of EMC, is an expert in information-centric security offering industry-leading solutions in identity assurance and access control; encryption and key management; governance and risk management; compliance and security information management; and fraud protection. Solutions from RSA include: RSA Archer egrc - Build an efficient, collaborative enterprise governance, risk, and compliance (egrc) program across IT, finance, operations, and legal domains. With RSA Archer, you can manage risks, demonstrate compliance, and automate business processes for PCI Compliance. RSA NetWitness Actively monitor the network to solve a wide range of challenging information security problems including insider threats, zero-day exploits and targeted malware, advanced persistent threats, fraud, espionage, data leakage and continuous monitoring of security controls. RSA Data Loss Prevention (DLP) - Discover and monitor the location and flow of sensitive data such as customer credit card data, employee PII, or corporate intellectual property. Educate end users and enforce controls to prevent loss of sensitive data through , web, PCs, smartphones in PCI environments. RSA envision - Centralize log-management service and enable organizations to simplify compliance programs and optimize security-incident management. RSA SecurID Establish an enterprise-wide authentication policy that protects the most valuable applications, resources and information in PCI environments. Using the VMware platform, RSA allows organizations to not only extend virtualization into environments containing sensitive data, but also leverage virtualization technologies to increase security and further reduce risk. RSA technologies can accelerate an organization s journey towards a 100% virtual environment with confidence. Through the integration with VMware, RSA solutions enable organizations to secure and protect enterprise information, and reduce the cost of compliance in a virtual environment while deploying the latest technologies. With the help of RSA, organizations can accelerate complete adoption of VMware technologies with integrated security controls, adapt security policies to both physical and virtual IT environments, and advance endpoint security through centrally managed virtual capabilities. Performance and Reporting of Controls This document provides the first phase of a VMware led project that will culminate in the creation of a fully lab tested and Coalfire verified reference architecture. Customers will be provided with an actionable prescriptive list of products, product features and the specific PCI requirements (controls) that those features map to, as well as configuration guidance for PCI compliance. S O L U T I O N G U I D E A D D E N D U M 3

4 With the assurance that these feature/control mappings have been independently verified, customers will have detailed guidance for the reliable re-creation of an infrastructure where applicable controls are covered. It should be noted that the main focus of this document is the performance of controls, meaning how those controls are provisioned, enforced and detected. It can be seen that several controls cannot be performed programmatically either due to their broad scope, inherent manual nature, or they fall outside of the scope of features offered by any particular product or vendor. This white space of non-performed controls can be reduced with the addition of other products in the overall reference architecture ecosystem, but it may not be possible to eliminate completely. However, in an environment where the Archer GRC platform is deployed, it will be possible to orchestrate and report upon all of the PCI DSS controls, whether or not there is any automated performance deployed. With the Archer GRC platform, controls can be managed and reported upon regardless of what mechanism is employed to perform them. This provides complete visibility into the status of controls because this holistic visualization and integration into a broader GRC program cannot be provided any other way. S O L U T I O N G U I D E A D D E N D U M 4

5 VMware Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like How to be PCI compliant in a VMware Private Cloud by providing helpful information for VMware architects, the compliance community, and third parties. The PCI Private Cloud Use Case is comprised of four VMware Product Suites - vcloud, vcloud Networking and Security, vcenter Operations (vcops) and View. These product suites are described in detail in the VMware Solution Guide for PCI. The use case also provides readers with a mapping of the specific PCI controls to VMware s product suite, partner solutions, and organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its partners can provide a solution that addresses over 70% of the PCI DSS requirements. Figure 1: PCI Requirements S O L U T I O N G U I D E A D D E N D U M 5

6 Figure 2: VMware + RSA Product Capabilities for a Trusted Cloud S O L U T I O N G U I D E A D D E N D U M 6

7 Figure 3: Help Meet Customers Compliance Requirements to Migrate Business Critical Apps to a VMware vcloud S O L U T I O N G U I D E A D D E N D U M 7

8 2. Cloud Computing Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term cloud computing. There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following ( Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage. There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below: Private Cloud The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise. Public Cloud The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services. Hybrid Cloud The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise. Community Cloud The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise. To learn more about VMware s approach to cloud computing, review the following: - VMware Cloud Computing Overview - VMware s vcloud Architecture Toolkit S O L U T I O N G U I D E A D D E N D U M 8

9 When an organization is considering the potential impact of cloud computing to their highly regulated and critical applications, they may want to start by asking: Is the architecture a true cloud environment (does it meet the definition of cloud)? What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)? What deployment model will be adopted? Is the cloud platform a trusted platform? The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer s choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware s vcloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing including safely deploying business critical applications. To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware s vcenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule by rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers click on the following link: Find more information on VMware compliance solutions for PCI, please visit S O L U T I O N G U I D E A D D E N D U M 9

10 Figure 4: VMware Cloud Computing Partner Integration S O L U T I O N G U I D E A D D E N D U M 10

11 Figure 5: RSA Solution for Securing Virtual Environments S O L U T I O N G U I D E A D D E N D U M 11

12 3. Overview of PCI as it applies to Cloud/Virtual Environments The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standards (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards in addition to potential reputational loss. The PCI DSS has six categories with twelve total requirements as outlined below: Table 1: PCI Data Security Standard The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October, These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term virtualization (previous versions did not use the word virtualization ). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, Navigating PCI DSS. These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, PCI DSS Virtualization Guidelines, released in June 2011 by the PCI SSC s Virtualization Special Interest Group (SIG). S O L U T I O N G U I D E A D D E N D U M 12

13 Figure 6: Navigating PCI DSS The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions). * VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided AS IS. VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel. S O L U T I O N G U I D E A D D E N D U M 13

14 Figure 7: VMware PCI Compliance Products S O L U T I O N G U I D E A D D E N D U M 14

15 4. RSA PCI Compliance Solutions The table below is divided by solution that may contain several components as explained in the description. Table 2: RSA Solutions Solution RSA Archer egrc RSA Identity and Access Management RSA Adaptive Authentication RSA Data Loss Prevention RSA Data Protection Manager RSA Security Information and Event Management Description RSA Archer egrc is an enterprise governance, risk, and compliance (egrc) suite of products that allows organizations to build a collaborative egrc program to manage enterprise risks, demonstrate compliance, automate business processes, and gain visibility into risk and controls. RSA Archer egrc Platform RSA Archer Enterprise Management RSA Archer Incident Management RSA Archer Policy Management RSA Archer Threat management RSA Identity and Access Management is web access management software to allow trusted identities to freely and securely interact with systems and to access information. RSA Access Manager RSA Adaptive Authentication is a comprehensive, risk-based authentication and fraud detection platform. RSA Adaptive Authentication monitors and authenticates online activities in real time by correlating behavioral analysis, device profiling, and data feeds from RSA efraudnetwork. RSA Device Identification RSA Risk Engine RSA efraudnetwork RSA Policy Manager RSA Data Loss Prevention (DLP) modules leverage classification technologies to provide visibility into the location and usage of sensitive data such as credit card data, Personally Identifiable Information (PII), intellectual property, and other corporate confidential data. All three DLP modules are managed through a centralized management console with more than 170 policies and built-in incident management workflow. RSA Data Loss Prevention (DLP) Datacenter RSA Data Loss Prevention (DLP) Network RSA Data Loss Prevention (DLP) Endpoint RSA Data Protection Manager operates by securing sensitive data at the point of capture with data encryption and/or tokenization. Data Protection Manager enables you to manage policies and lifecycle of keys and tokens across the infrastructure. RSA Application Encryption and Tokenization with RSA Data Protection Manager RSA Enterprise Key Management with RSA Data Protection Manager RSA Security Information and Event Management (SIEM) is a security system that provides pervasive infrastructure visibility, enables actionable intelligence and immediate threat investigations, and initiates automated security-incident remediation. RSA envision RSA NetWitness S O L U T I O N G U I D E A D D E N D U M 15

16 RSA SecurID RSA SecurID is an enterprise-wide authentication policy that protects valuable applications, resources, and information. RSA Authentication Manager 5. RSA PCI Requirements Matrix (Overview) Table 3: PCI DSS Requirement P CI D S S R E Q U I R E M E N T N U M B E R OF P CI R E Q U I R E M E N TS R S A A R CH E R E G R C R S A I D E N TI T Y A N D A C CE S S R S A A D A P TI V E A U TH E N TI C A TI ON R S A D A TA L OS S P R E V E N TI ON R S A D A TA P R OT E C TI ON M A N A G E R R S A I N F OR M A TI ON A N D E V E N T R S A S E CU R I D C OLLE C TI V E TO TA L C ON TR OLS A D D R E S S E D B Y R S A P R O D U C TS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendorsupplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Requirement 5: Use and regularly update anti-virus software or programs Requirement 6: Develop and maintain secure systems and applications Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes. Requirement 12: Maintain a policy that addresses the information security for all personnel. Requirement A.1: Shared hosting providers must protect the cardholder data environment S O L U T I O N G U I D E A D D E N D U M 16

17 TOTAL S O L U T I O N G U I D E A D D E N D U M 17

18 RSA Archer egrc RSA Archer egrc is an enterprise governance, risk, and compliance (egrc) suite of products that allows organizations to build a collaborative egrc program to manage enterprise risks, demonstrate compliance, automate business processes, and gain visibility into risk and controls. RSA Archer egrc Platform RSA Archer egrc Platform supports business-level management of enterprise governance, risk and compliance. As the foundation for all RSA Archer egrc Solutions, the Platform allows solutions to be adapted to requirements, build new applications and integrate with external systems. RSA Archer Enterprise Management RSA Archer Enterprise Management provides a central repository of information on the business hierarchy and operational infrastructure, enabling the formation of an aggregate view of organizational divisions, determine the value of supporting technologies, and use that information in the context of enterprise governance, risk management, and compliance (GRC) initiatives across the enterprise. RSA Archer Incident Management RSA Archer Incident Management centralizes and streamlines the case management lifecycle for cyber and physical incidents and ethics violations. This web-based incident-management software allows the capture of events that may escalate into governance, risk management, and compliance (GRC) incidents, evaluate incident criticality, and assign responders based on impact and regulations. RSA Archer Incident Management also supports the consolidation of response procedures, manage investigations end to end, and report on trends, losses, recovery efforts, and related incidents. RSA Archer Policy Management RSA Archer Policy Management provides a foundation for governance, risk management, and compliance (GRC) programs, with a comprehensive, consistent process for managing the lifecycle of policies and their exceptions. The policy management software provides a single point for creating policies, standards, and controls and mapping them to objectives, regulations, industry guidelines, and best practices. It also provides a mechanism for the communication of policies, track acceptance, assess comprehension, and manage exceptions. RSA Archer Threat Management RSA Archer Threat Management consolidates threat data and reports on threat remediation activities, enabling a consistent, repeatable threat management process. RSA Archer Threat Management documents geopolitical threats, consolidates vulnerability, malicious code, and patch information from security intelligence providers, and captures vulnerability results from scan technologies into one threat-management system. S O L U T I O N G U I D E A D D E N D U M 18

19 Table 4: Applicability of PCI Controls to RSA Archer egrc PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 1: Install and maintain a firewall configuration to protect cardholder data CONTROLS ADDRESS ED 1.1.1, b, a, 1.1.4, a, b, a, a, 1.3.1, a, b, 1.4.a, 1.4.b DESCRIPTI ON RSA Archer Policy Management provides capabilities for managing network, firewall and router configuration standards, network diagrams, workflow for process, procedure and testing approvals, as well as network management roles and responsibilities and requirements for periodic review of standards and configurations. RSA Archer Policy Management provides capabilities for defining standards related to confidential or sensitive information of what can or cannot be disclosed to authorized or unauthorized third parties, such as private IP address or routing information. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Requirement 3: Protect stored cardholder data a, b, c, d, e, 2.2.a, 2.2.b, 2.2.c, 2.2.d, a, b, b, b a, b, c, d, 3.2.a, 3.2.b, 3.3, 3.4.a, 3.6.a, 3.6.b, 3.6.1, 3.6.2, 3.6.3, 3.6.4, a, b, c, , 3.6.7, RSA Archer Policy Management provides capabilities for defining personal firewall standards for mobile and/or employee-owned devices and communicating standards via workflow processes. RSA Archer Policy Management provides capabilities for defining configuration standards for wireless environments that include changing vendor default values. RSA Archer Policy Management provides capabilities for developing configuration standards for all system components, including the development, approval and dissemination of standards to effected parties for the execution and deployment of the standards. RSA Archer Policy Management provides capabilities for developing policies, procedures, standards, and guidelines around protecting stored cardholder data, data retention and disposal, business and legal requirements for retention timelines, secure disposal of data, and requirements for periodic review of system components that store cardholder data to verify retention and disposal controls are operating effectively. RSA Archer Policy Management provides capabilities for documenting the business need for securely storing sensitive authentication data for issuers and/or companies that support issuing services as well as the process and procedures for securely deleting sensitive authentication data for those entities that are not issuers or support issuing services. RSA Archer Policy Management provides capabilities for documenting PAN masking requirements based on legitimate business need to see the full PAN and supports identifying those persons authorized to S O L U T I O N G U I D E A D D E N D U M 19

20 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT CONTROLS ADDRESS ED DESCRIPTI ON view the full PAN. RSA Archer Policy Management provides capabilities for storing vendor solution documentation used to protect the PAN, or in cases where PAN protection is developed in-house, the supporting documentation that defines and describes the process, procedures and methods used to protect the PAN, including but not limited to encryption algorithms used. Requirement 4: Encrypt transmission of cardholder data across open, public networks RSA Archer Policy Management provides capabilities for fully documenting key management processes and procedures for cryptographic keys used for encrypting cardholder data. Policy Manager supports security standards publications, such as NIST, for inclusion and incorporation as part of the key management and standards processes , 4.2.b RSA Archer Policy Management provides capabilities for storing industry best practices documentation for implementing strong encryption for authentication and transmission with wireless networks transmitting cardholder data or connected to the cardholder data environment. Policy Management through the workflow engine is capable of informing stakeholders of changes to the standards as revisions are updated within Policy Management. Requirement 5: Use and regularly update antivirus software or programs Requirement 6: Develop and maintain secure systems and applications 5.2.a 6.1.b, 6.2.b, 6.3.a, 6.3.b., 6.3.c, 6.3.1, a, 6.4.1, 6.4.2, 6.4.3, 6.4.4, a, 6.5.a, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, RSA Archer Policy Management provides capabilities for documenting policy requirements for the secure transmission or rendering unreadable of PAN if end-user technologies are used for cardholder data-related communication. RSA Archer Policy Management provides capabilities for fully documenting policy and procedure requirements for maintaining anti-virus software and definitions on systems commonly affected by malware. RSA Archer Policy Management provides capabilities for fully documenting security patch policy and procedures on systems within the cardholder data environment, including but not limited to the frequency of security patch updates, systems within scope of patching, exceptions for security patching, vulnerability identification, and risk ranking of vulnerabilities. RSA Archer Policy Management provides capabilities for storing and communicating to affected users such as developers, testers and implementers, software development lifecycle (SDLC) process and procedures, including best practices documentation based on industry-accepted standards. S O L U T I O N G U I D E A D D E N D U M 20

21 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT CONTROLS ADDRESS ED DESCRIPTI ON RSA Archer Policy Management provides capabilities for fully documenting change control policy and procedures from request through to implementation, with notifications throughout the process based on Policy Management s workflow engine. Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security 7.1.1, 7.1.2, 7.1.3, 7.1.4, , 8.2, 8.3, 8.5.2, 8.5.3, 8.5.4, 8.5.5, a, b, b, b, b, b, b, b 9.2.a, 9.2.b, 9.5.b, 9.6, 9.7, 9.7.1, 9.9, 9.9.1, 9.10, a, , 10.4.a, a, b, a, b, , 10.6.a, 10.7.a, 10.7.b 11.1.a, 11.1.b, 11.1.e, b, a Secure coding techniques, training and documentation is supported by RSA Archer Policy Management by including training material, industry-accepted coding standards, OWASP standards for preventing common or most frequent web vulnerabilities. RSA Archer Policy Management provides capabilities for fully documenting access control policies and procedures to limit access to cardholder data based on users roles, privileges are granted with minimum necessary to fulfill job duties, access is granted in writing or electronically, privileges are specified so the access implementers know what rights to assign, and that access controls are implemented via an automated system. Job roles and functions and the privileges associated with them can be stored within RSA Archer Policy Management and undergo documentation lifecycle functions to remain updated and relevant over time to ensure account provisioners have management-approved documentation readily available. RSA Archer Policy Management provides access control, remote access control and password policies aligned with PCI DSS requirements and supports user-defined policies and procedures. Policy Management also provides capabilities for fully documenting user authentication mechanisms, on- and off-boarding procedures, workflow routing for request, authorization and implementation of access requests. RSA Archer Policy Management provides capabilities for fully documenting physical security policy and procedures, employee and non-employee badge access, media backup locations, media distribution, and media destruction. RSA Archer Policy Management provides capabilities for defining, developing, approving and implementing an audit and logging policy, which includes access rights and controls for access to audit and log files for systems within the cardholder data environment. RSA Archer Policy Management provides capabilities for defining and documenting the process for acquiring, distributing and storing the correct time within the organization. RSA Archer Policy Management provides capabilities for defining, developing, approving and implementing a security vulnerability testing policy and procedures that includes provisions for rogue S O L U T I O N G U I D E A D D E N D U M 21

22 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT systems and processes. CONTROLS ADDRESS ED DESCRIPTI ON wireless access point detection, periodic vulnerability scanning (internal and external), and scanning after significant changes. Requirement 12: Maintain a policy that addresses information security for all personnel. Requirement A.1: Shared hosting providers must protect the cardholder data environment. 12.1, a, b, , 12.2, , , , , , , , , , a, b, 12.4, 12.5, , , , , , 12.6.a, a, b, , 12.7, , , , , a, b, , , , , A.1.1, A.1.2.a, A.1.2.b, A.1.2.c, A.1.2.d, A.1.2.e, A.1.3, A.1.4 RSA Archer Threat Management provides capabilities for incorporating scan results into the threat management system. RSA Archer Policy Management provides capabilities for defining, developing, approving, and implementing an Information Security Policy, Risk Management Policy, Acceptable Use Policy, Background Check Policy, Network Connectivity Policy, Incident Response Policy, and associated procedures for alignment with PCI DSS Requirement 12. Policy Management comes with policies aligned with PCI DSS v2.0. RSA Archer Incident Management provides capabilities for managing security incidents throughout an incident lifecycle. RSA Archer Policy Management provides capabilities for defining, developing, approving, and implementing policies and processes for segregating client data from each other and limiting client access to their own environment. S O L U T I O N G U I D E A D D E N D U M 22

23 RSA Identity and Access Management RSA Identity and Access Management is web access management software to allow trusted identities to freely and securely interact with systems and to access information. RSA Access Manager RSA Access Manager controls access to system resources based on user or user group identity, or on the values of properties assigned to selected users. Table 5: Applicability of PCI Controls to RSA Identity and Access Management PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 7: Restrict access to cardholder data by business need to know CONTROLS DESCRIPTI ON ADDRESS ED 7.2.1, 7.2.2, RSA Access Manager is designed for controlling access to data within web-based applications that uses an external data store such as LDAP or SQL to store user information. Because Access Manager relies upon an external data store for identities, Access Manager is capable of supporting deny-all access to cardholder data by default. Access Manager can provide role-based access through the use of user groups and entitlements assigned to the user group. Requirement 8: Assign a unique ID to each person with computer access 8.1, 8.2, 8.4.a, 8.4.b, 8.5.1, 8.5.4, a, a, b, a, b, a, b, a, b, a, b, For web applications and systems protected with RSA Access Manager before a user is granted access to resources, the user must be added to a user group that is enabled with entitlements. RSA Access Manager provides capabilities for unique identification (user ID plus password) for each person accessing computing resources. RSA Access Manager is capable of secure communications using the SSL protocol for LDAP server connections to protect authentication data. RSA Access Manager supports user ID lifecycle processes by storing properties associated with an access request for a given user ID, credential or other identifier object and providing the capabilities of reporting on the deployed identifier objects. RSA Access Manager provides capabilities for creating multiple password policies (requirements) that support PCI DSS password policy requirements. Access Manager comes with a default password policy that can be used un-edited or modified to suit an organization s security requirements. S O L U T I O N G U I D E A D D E N D U M 23

24 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 10: Track and monitor all access to network resources and cardholder data CONTROLS ADDRESS ED 10.1, , , , , , , , , , , 10.7.a, 10.7.b DESCRIPTI ON RSA Access Manager maintains logs of the Authorization Server, Entitlements Server, Dispatcher/Key Server, and Log Server. These logs can be used to monitor the system and maintain an audit trail of all user authentication requests and operations performed by the components of the Access Manager system. The level of detail written to the log files is configurable based on the specific log. Audit log retention periods are configurable with the capability of archiving log files for historical reference, analysis or forensics. RSA Adaptive Authentication RSA Adaptive Authentication is a comprehensive, risk-based authentication and fraud detection platform. RSA Adaptive Authentication monitors and authenticates online activities in real time by correlating behavioral analysis, device profiling, and data feeds from RSA efraudnetwork. RSA Device Identification RSA Device Identification helps enable transparent authentication for the vast majority of users by analyzing the device profile (the device from which the user accesses the server or network) and the behavioral profile (what activities the user typically performs), and matching the current activity against these profiles. RSA Risk Engine RSA Risk Engine is a self-learning technology that evaluates each online activity in real-time, tracking over one hundred indicators in order to detect fraudulent activity. A unique risk score, between 0 and 1000, is generated for each activity. The higher the risk score, the greater the likelihood is that an activity is fraudulent. RSA efraudnetwork RSA efraudnetwork is a cross-organization database of fraud patterns gleaned from RSA s network of customers, ISPs and third party contributors across the globe. When a fraud pattern is identified, the fraud data, transaction profile and device fingerprints are moved to a shared data repository. The efraudnetwork provides direct feeds to the Risk Engine so that when a transaction or activity is attempted from a device or IP that appears in the efraudnetwork data repository, it will be deemed high-risk and prompt a request for additional authentication. RSA Policy Manager RSA Policy Manager enables organizations to react to emerging localized fraud patterns and investigate activities flagged as high-risk. The Policy Manager is used to translate organizational risk policy into decisions and actions through the use of a comprehensive rules framework that can be configured in real-time. S O L U T I O N G U I D E A D D E N D U M 2 4

25 Table 6: Applicability of PCI Controls to RSA Adaptive Authentication PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 7: Restrict access to cardholder data by business need to know CONTROLS DESCRIPTI ON ADDRESS ED 7.2.1, RSA Adaptive Authentication can provide extra authentication methods that can be used in addition to standard logon credentials. The Adaptive Authentication system uses the RSA Risk Engine to detect fraud and other forms of suspect in logon and transaction events. The online application sends a request to the Adaptive Authentication system and it returns the results of the risk assessment with a recommended action. There are additional authentication methods that could be employed such as challenge questions, outof-band phone, and out-of-band . Additionally, the RSA Multi-Credential Framework (MCF) allows organizations to integrate authentication methods that are developed in-house or by a third-party. RSA Policy Manager determines what to do about potentially risk events based on risk analysis. The Policy Manager component is configured by adapting the RSA default polices to the existing business policies. S O L U T I O N G U I D E A D D E N D U M 25

26 RSA Data Loss Prevention RSA Data Loss Prevention (DLP) modules leverage classification technologies to provide visibility into the location and usage of sensitive data such as credit card data, Personally Identifiable Information (PII), intellectual property, and other corporate confidential data. All three DLP modules are managed through a centralized management console with more than 170 policies and built-in incident management workflow. RSA Data Loss Prevention (DLP) Datacenter DLP Datacenter scans storage infrastructure, discovers the risk from data-at-rest, automatically communicates with end business users, and systematically remediates the risk. DLP Datacenter supports automated data discovery on storage platforms including Microsoft Windows file servers, UNIX file servers, NAS/SAN, Microsoft SharePoint, Lotus Notes, databases, and Windows PC local drives. RSA Data Loss Prevention (DLP) Network DLP Network monitors network communications for sensitive data, actively educates end users, and enforces controls in real time to prevent unauthorized transmissions. DLP Network covers various channels of network communications including corporate , web and social media, IM, encrypted traffic, from smartphones and tablets, FTP, and generic TCP. RSA Data Loss Prevention (DLP) Endpoint DLP Endpoint protects sensitive data on PCs by actively monitoring and enforcing controls on end user actions such as print, write to CD/DVD, copy to USB, save to network file share, and transfer via webmail and social media. DLP Endpoint can scan all local drives for sensitive data at risk, whether on physical laptops or virtual desktops. Table 7: Applicability of PCI Controls to RSA Data Loss Prevention PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 3: Protect stored cardholder data CONTROLS ADDRESS ED 3.2.a, 3.2.1, 3.2.2, 3.2.3, 3.4.b, 3.4.d, c DESCRIPTI ON DLP Datacenter can provide data-at-rest scanning mechanisms to detect PCI-related data based on outof-the-box or customizable policies. DLP Datacenter is capable of scanning file shares, databases, storage systems, log files, history files, and other data repositories to identify and report on sensitive account data or primary account data stored not in accordance with PCI DSS requirements. Requirement 4: Encrypt transmission of cardholder data across open, public networks 4.1.a, 4.2.a DLP Endpoint is capable of monitoring and enforcing controls on end user actions to detect, report upon or provide preventive controls to prohibit copying or moving PCI-related data onto removable media. DLP Network is capable of monitoring network traffic to detect if secure communications are not deployed where cardholder data is transmitted into or outside of the cardholder data environment (CDE), including but not limited to, open public networks. S O L U T I O N G U I D E A D D E N D U M 26

27 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 12: Maintain a policy that addresses information security for all personnel. CONTROLS DESCRIPTI ON ADDRESS ED DLP Network is capable of identifying and enforcing policies for sensitive data transmitted via end-user messaging technologies, such as , instant messaging, chat, webmail, and generic TCP/IP protocols DLP Datacenter, DLP Endpoint and DLP Network all provide incident reporting capabilities through the DLP Enterprise Manager, a single browser-based management console that offers five key functions: dashboard, incident workflow, reporting, policy administration, and system administration. RSA Data Protection Manager RSA Data Protection Manager operates by securing sensitive data at the point of capture with data encryption and/or tokenization. Data Protection Manager enables you to manage policies and lifecycle of keys and tokens across the infrastructure. RSA Application Encryption and Tokenization with RSA Data Protection Manager Application Encryption and Tokenization with RSA Data Protection Manager secures data at the point of capture and provides a granular level of control over sensitive information. RSA Enterprise Key Management with RSA Data Protection Manager Enterprise Key Management with RSA Data Protection Manager provides comprehensive, enterprise key management, integrating with major vendors across the infrastructure. Data Protection Manager leverages RSA's common enterprise key management infrastructure to simplify the provisioning, distribution, and management of encryption keys and can be easily integrated with a number of host, database, storage area network (SAN) switch, and native-tape encryption solutions. Table 8: Applicability of PCI Controls to RSA Data Protection Manager PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 3: Protect stored cardholder data CONTROLS ADDRESS ED 3.2.a, 3.4.a, 3.5.1, a, b, 3.6.1, 3.6.2, 3.6.3, b, c, DESCRIPTI ON RSA Data Protection Manager secures data at the point of capture and provides granular level of control over sensitive information. Keys are stored in encrypted format using a key encryption key within the Data Protection Manager Server database along with storage for all security objects, administrative and operational information about security objects, security classes, crypto policies, identity groups, identities, tokens, token classes, token formats, and other Data Protection Manager internal operations. After key generation, the Data Protection Manager Server adds a SHA-256 digest of the data, encrypts it, and then stores the key in the database. While encrypting the data, Data Protection Manager uses the Key Encryption Key (KEK), which is securely stored in memory or on an HSM. S O L U T I O N G U I D E A D D E N D U M 27

28 PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT CONTROLS ADDRESS ED DESCRIPTI ON Data Protection Manager provides a combination of encryption and tokenization capabilities. Data Protection Manager provides encryption and enterprise key management to secure sensitive data within databases and tape drives and requires SSLv3/TLSv1 for secure communication between the Data Protection Manager Server and the Key Client. Requirement 7: Restrict access to cardholder data by business need to know Requirement 8: Assign a unique ID to each person with computer access Requirement 10: Track and monitor all access to network resources and cardholder data Data Protection Manager provides the capabilities to integrate with third-party Hardware Security Modules (HSM) , 7.2.2, Data Protection Manager provides restricted access to encryption and tokenization components within the cardholder environment by configuring users or integrating with RSA Access Manager for access control. Role-based access is supported by Data Protection Manager along with default deny-all access requests. 8.1, 8.2, 8.4.a, 8.4.b, The Data Protection Manager Server supports multiple user types called identities. Each user type has a 8.5.1, 8.5.3, 8.5.4, different set of capabilities, which provides separation of duties and restricts access. There are varying 8.5.5, a, b, levels of identities, ranging from operational users to super administrators a, a, b, a, Administrators or identities of the Data Protection Manager Server can be authenticated in multiple b, a, ways using certificates, passwords or the RSA Access Manager b, a, b, a, b, , , a, b, c, d 10.1, , , , , , , , , , , , , , , RSA Data Protection Manager server supports multiple message types, severity, where the message are report to, and how the messages are formatted. RSA Data Protection Manager server supports multiple run-time operations for logging of events: creating identities, identity groups, security classes, key classes, token classes, token formats, crypto policies, clients, originators; changes to security object or key states; changes to token formats; assigning identities to identity groups; starting up self-test operations; and various other events. S O L U T I O N G U I D E A D D E N D U M 28

29 RSA Security Information and Event Management RSA Security Information and Event Management (SIEM) is a security system that provides pervasive infrastructure visibility, enables actionable intelligence and immediate threat investigations, and initiates automated security-incident remediation. RSA envision RSA envision provides a centralized log-management service that enables organizations to simplify their compliance programs and optimize their security-incident management. The RSA envision solution facilitates the automated collection, analysis, alerting, auditing, reporting, and secure storage of all logs. RSA envision comes with regulation-specific, out-of-the-box reports, alerts, and correlation rules. Reports can be scheduled to be delivered at a specific time or run on an ad-hoc basis. RSA NetWitness Informer RSA NetWitness Informer Informer is designed to integrate into existing security-operations processes and deliver a level of realtime situational awareness. Informer provides real-time enterprise-wide visualization, alerting, reporting, and trending analysis by having every session, communication, service, application, and user activity recorded, reconstructed, and exposed for analysis. Table 9: Applicability of PCI Controls to RSA Security Information and Event Management PCI DSS V2.0 APPL ICABILITY MATRIX REQUIREMENT Requirement 1: Install and maintain a firewall configuration to protect cardholder data CONTROLS ADDRESS ED 1.1.1, a, b, 1.3.1, 1.3.2, 1.3.3, DESCRIPTI ON RSA envision can provide reporting on router and firewall configuration changes made within the PCI device group to support the formal process for testing and approving of all network connections and changes to firewall and router configurations. RSA envision can report details on all firewall traffic by port to the IP address specified as a run-time parameter where the port used is not directly justified by PCI in support of documenting business justification for use of all services as well as identifying insecure services, protocols and ports allowed that are necessary. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters a, b, c, d RSA envision can report a list of all inbound Internet traffic on non-standard ports within the PCI device group in detail and summary format. RSA envision can provide a report that summarizes all outbound traffic by destination. PCI requires that all outbound traffic be restricted to what is necessary for the payment-card environment. RSA envision can provide a wireless environment configuration changes report that details all configuration changes made to wireless routers. PCI requires that all vendor defaults, including WEP keys, default SSID, password, SNMP community strings and disabling of SSID broadcasts, be changed before a wireless router be introduced to the payment-card environment. S O L U T I O N G U I D E A D D E N D U M 29