SOLUTION BRIEF THE CA TECHNOLOGIES SOLUTION FOR PCI COMPLIANCE. How Can the CA Security Solution Help Me With PCI Compliance?


CA Technologies Security solutions provide a proven solution for simplifying PCI compliance, as well as protecting your IT assets across the platforms and environments within your enterprise.

Section 1: Challenge
Protection of Confidential Cardholder Information

Introduction to PCI compliance

The Payment Card Industry (PCI) Data Security Standard (referred to hereafter as "PCI") represents a collaboration between the leading credit card institutions, including, among others, Visa, MasterCard, American Express, and Discover. This standard was jointly created to help ensure consistency of security standards for these card issuers, and to assure cardholders that their account information was secure, regardless of where the card was used for payment.

The PCI standard has been revised over the past few years to increase clarity and to add new requirements (see table).

Version Date Released 1.0 December September October August October November 2013

Summary of the PCI requirements

The PCI standard does not mandate specific technology or products. Rather, it defines industry best practices for how credit card information should be handled, communicated, and stored in order to reduce the probability of unauthorized access to that information. There are six major categories of requirements in the standard, each of which has a small number of subcategories of requirements. The following table lists these categories and major requirements:

Category: Build and maintain a secure network
Requirements:
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Category: Protect cardholder data
Requirements:
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Category: Maintain a vulnerability management program
Requirements:
5. Use and regularly update antivirus software
6. Develop and maintain secure systems and applications

Category: Implement strong access control measures
Requirements:
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Category: Regularly monitor and test networks
Requirements:
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Category: Maintain an information security policy
Requirements:
12. Maintain a policy that addresses information security

It is important to note that despite the fact that these requirements are an excellent and comprehensive set of guidelines for data protection, they cannot guarantee that your credit card data will remain private. More specifically, compliance does not equal security. As a proof point of this, the data breach suffered by Target in late 2013 came just a few months after they were certified as PCI-compliant. The lesson here is that protection of confidential information is a continuous effort that must not stop at the conclusion of each PCI audit. More importantly, people and processes are just as important as technology in helping to protect this data. So, constant vigilance and continuous security process improvement are essential to ensuring privacy of your data.

The PCI DSS virtualization supplement

In 2011, the PCI Council issued an important update to the PCI DSS V2.0 Standard, entitled the PCI DSS Virtualization Guidelines Supplement. This Supplement was the result of the rapid adoption of virtualized environments, and the need to more clearly specify the requirements for protecting cardholder information across virtual machines and environments. The Supplement is comprehensive and lays out the issues and requirements for information protection in a virtualized environment. The following quote from it is helpful in understanding the impact of these guidelines:

"An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE (Cardholder Data Environment). If a VM is in scope, both the underlying host system and the hypervisor would also be considered in scope, as they are directly connected to and have a fundamental impact on the functionality and security of the VM."
This is a significant expansion of the requirements for PCI compliance, and has had the effect of including systems and components (i.e., the hypervisor) as in scope where previously their status was much less clear. One section, "Harden the Hypervisor", is of particular importance to virtual environments and includes technology requirements such as these:

- Restrict the use of administrative functions to defined endpoint networks and devices, such as specific laptops or desktops that have been approved for such access.
- Require multi-factor authentication for all administrative functions.
- Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs.
- Separate duties for administrative functions, such that authentication credentials for the hypervisor do not have access to applications, data, or individual virtual components.
- Before implementing a virtualization solution, verify what security controls the solution supports and how they reduce risk of compromise to the hypervisor.

We will see in the next section how these can be accomplished using CA Technologies solutions.

Section 2: Solution
Achieving PCI Compliance

The PCI requirements that can most effectively be addressed by CA Technologies security solutions include the following. (Note that there are separate sections later that cover Virtualization, Mainframe, and API Security, since these areas span multiple sections in the PCI standard.)

Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters

Summary of requirement: Always change vendor-supplied defaults before installing a system on the network. Develop configuration standards for all system components. Encrypt all non-console administrative access using strong cryptography.

CA Technologies solution: CA Privileged Identity Manager (CA PIM)

The requirements of this section are broad, and it is highly unlikely that any single solution could ensure compliance with all of its mandates. However, CA Privileged Identity Manager provides capabilities to greatly simplify and automate compliance with this requirement. For example, it can be used to immediately change privileged passwords to prevent the use of default passwords on administrator system accounts. It can also automatically change passwords on a predefined schedule to help ensure that administrator passwords are always fresh (section 2.1). It can also be configured so that administrator logins are encrypted (section 2.3) using industry-standard strong algorithms.

Requirement #6: Develop and maintain secure systems and applications

Summary of requirement: All system components must have the latest vendor-supplied security patches, and there need to be processes in place that help ensure that applications are free from vulnerabilities.
CA Technologies solution: CA SSO

One key element of Section 6.5 of the PCI standard deals with the need to help ensure that all custom applications are based on secure coding guidelines so that vulnerabilities do not exist, and if they do, they cannot be exploited. This section deals with the need to code applications in a manner that helps eliminate vulnerabilities such as unvalidated input, bad session management, cross-site scripting attacks, buffer overflows, and improper error handling, among others.

CA SSO can provide important capabilities to help meet some of these requirements and mitigate others. In particular, CA SSO provides secure access to custom applications so that only authorized users can access these applications. Specifically, it can help protect custom application code in the following ways:

1. It filters URLs to block access attempts containing characters and character strings that may prove harmful to the application or its users. This reduces the risk of cross-site scripting attacks because ill-formed URLs cannot get through the CA SSO agent protection. No application modification is required to gain these benefits when CA SSO is used.
2. It provides a robust session management capability to help prevent user sessions from being hijacked by unauthorized users who are attempting to access the resources of another user.
3. It provides centralized configuration management, so that distributed (and therefore, less secure) configuration is eliminated. This capability not only enables improved application security, but helps reduce overall administrative effort, thereby increasing the administrative scalability for any application environment.

In summary, CA SSO can help to prevent replay attacks, session hijacking, impersonation attempts, and protect Web applications. In this way, it provides robust capabilities to enable secure applications to be developed and deployed more easily, so as to achieve compliance with this section of the PCI standard.

Requirement #7: Restrict access to data by business need-to-know

Summary of requirement: Access to systems, applications, and data (especially cardholder information) must be tightly restricted to only those individuals who have a clearly defined need to obtain this information.
CA Technologies solutions: CA Identity Manager, CA Identity Governance, CA SSO, CA Privileged Identity Manager

Despite the fact that this section is one of the shortest of the entire PCI standard, it is very broad in its scope, and compliance may require the most effort of any requirement in the entire standard.

Section 7.1 calls for enforcement of role-based access control, management of privileged users, and some form of documented access certification process. CA Identity Manager provides automated provisioning of accounts and privileges based on the user's role. CA Identity Governance provides a centralized interface for administrators to browse user privileges and identify any improper assignments. It can also be used to establish identity compliance policies, such as segregation of duties, and automate entitlement certification processes to efficiently validate user privileges. Automating certification processes is essential to efficiently confirming that existing access privileges are appropriate, particularly accounting for cases where the standard provisioning process may have been bypassed. It also provides advanced analytics to reduce the time and effort involved in developing an accurate role model while supporting the management of roles throughout their lifecycles.

Section 7.2 requires that all computing resources (that store or process credit card information) be available only to those people whose job requires such access. This implies the need to strongly control access to Web applications that process this data. CA SSO is an industry-leading solution that provides centralized control over access to the applications that process confidential card information, so that only appropriate individuals will be able to access them.

Access by privileged users to any host systems that process credit card information must also be tightly controlled. Therefore, it is essential that privileged users be allowed to perform only those actions that are required for their specific responsibilities, and only on the appropriate systems. CA Privileged Identity Manager is a leading solution for privileged identity management that controls access to host systems and critical data and files residing on these systems. Policies can be defined that help ensure that only properly authorized users can gain access to each such system or resource even when using a shared account, such as root or Administrator. In this way, it extends the basic security capabilities supported by each native operating system and provides an expanded, consistent, and more granular set of security capabilities across the systems in your environment.

Requirement #8: Assign a unique ID to each person with computer access

Summary of requirement: All actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

This long section of the standard includes a number of specific security requirements. These can be summarized as follows:

- Identify all users with a unique username
- Use a variety of authentication methods, based on the sensitivity of the application or information being accessed
- Use two-factor authentication for remote access to the network
- Ensure that strong password policies exist and are followed
- Implement access restrictions based on failed access attempts as well as periods of user inactivity
- Immediately revoke access for any terminated users
- Remove/disable inactive user accounts at least every 90 days

CA Technologies solution: CA SSO, CA Strong Authentication, CA Risk Authentication, CA Privileged Identity Manager

The CA security suite provides all of these capabilities.
As an example, CA SSO supports a broad range of authentication methods so that the strength of the method can be associated with the sensitivity of the information or application being accessed. In addition, CA Privileged Identity Manager provides flexible capabilities for managing and controlling user passwords. Specific policies can be enforced that determine the length, format, and frequency of change, and even the content of the passwords. Passwords can be as arbitrarily strong as the needs of each IT environment dictate, thereby satisfying the requirements of this section of the standard. CA Privileged Identity Manager also provides automated deprovisioning of user access so that terminated users' access privileges and associated accounts can be removed immediately.

CA Identity Governance can be used to identify orphaned accounts, which are accounts that are not associated with a valid user. This helps close an important security vulnerability that exists in most enterprises.

A common problem in many IT environments relates to the use of shared passwords among privileged users (administrators, root users). When administrators share their system and account passwords, it results in two very important problems. First, users of these shared passwords essentially become anonymous, and their actions cannot be associated with the person who performed them should an audit be necessary. Second, it usually results in over-privileged users, since they may be granted entitlements that they don't need to perform their normal job function.

CA Shared Account Manager provides accountability of privileged access through the issuance of passwords on a temporary, one-time use basis. Once the password is used, it is no longer valid and therefore cannot be shared with other administrators. In addition, it provides accountability of administrator actions through secure auditing, so that all administrator actions can be associated with a single individual (as required by this section of the standard).

There is another potential problem related to authentication of users that could hinder compliance with PCI. Authenticating UNIX/Linux users typically means maintaining records separate from Windows users. This complicates password synchronization, and can introduce delays in deprovisioning users. CA Privileged Identity Manager includes the UNIX Authentication Bridging, a component that enables the management of UNIX users in a single user store, Windows Active Directory (AD). This provides consolidation of authentication and account information into one enterprise AD instead of maintaining credentials on various UNIX/Linux systems.
This should help centralize and strengthen your authentication capabilities, thereby improving your PCI compliance profile.

One of the most important requirements of this section relates to strong, multi-factor authentication. Although there are many specific requirements in this section, many of them can be summarized as "deploy effective 2-factor authentication". Although important for high-value transactions or for certain remote users, many companies have resisted this due to perceived inconvenience of using and managing 2-factor hardware tokens.

The CA Advanced Authentication Suite consists of two products that together provide comprehensive, risk-based strong authentication.

CA Strong Authentication is a versatile authentication server that offers a variety of credentials and authentication management capabilities that can satisfy PCI requirement #8. It provides a secure, software-based credential that not only meets the two-factor requirement, but is easy for end-users to adopt. It also eliminates the need to track password history because each password/key combination is unique and the password is not stored in a database or transferred anywhere during the authentication process. This helps protect users from identity theft and fraud without changing their familiar sign-on experience and without requiring the possession of a separate hardware token. It appears to the user as the standard name/password sign-on, but it actually uses a PKI-based challenge/response method to verify the user's identity before granting access to applications. In this way, it helps protect against man-in-the-middle, phishing, pharming, password cracking and brute force attacks.

CA Risk Authentication is a risk-based authentication and fraud detection solution that prevents fraud in both consumer and enterprise online services. In conjunction with CA Strong Authentication, it provides organizations the ability to select and enforce different levels of authentication based on a context-based risk evaluation of the given activity or transaction. Based on the calculated risk score and company policies, organizations can require additional forms of authentication to effectively match the security level with the perceived level of risk.

CA Advanced Authentication can be deployed on the customer's premises or be consumed as cloud-based services. They can be used alone or in conjunction with the extensive authentication capabilities of CA SSO to help meet compliance requirements and protect access to cardholder data.

Requirement #10: Track and monitor all access to network resources and cardholder data

Summary of requirement: Logging mechanisms and the ability to track user activities are critical. Full logging of user and administrative activity is essential for tracking and analysis of all security events.

This section includes a number of very specific requirements. These can be summarized as follows:

- Establish a process for linking all access to system components (especially those done with administrative privilege, such as root) to an individual user
- Implement automated audit trails
- Record all important security events within the environment
- Secure audit trails so that they cannot be altered
- Review logs for all system components at least daily
- Retain the audit trail history for a period that is consistent with its effective use

CA Technologies solution: CA Privileged Identity Manager

CA Privileged Identity Manager enables you to log all access events to objects such as programs, folders, and files.
It can provide a full view of who has been accessing these objects, some of which might contain protected credit card information. The ability to track access enables you to quickly remediate improper access rights, as well as to identify individuals who might be misusing their authorized access to this confidential information. It can also monitor the actions of each user of a shared account (such as Admin, or root). Use of these accounts often masks improper actions, as well as making compliance difficult because actions can often not be associated with a specific individual. CA Privileged Identity Manager can also record the actual sessions (including key and mouse strokes) of your privileged users through Session Recording. When apparent anomalies arise, it is easy to actually view the screen seen by the admin, and to observe what actions he or she performed. The ability to re-create actual interactions is extremely valuable in helping to provide proof of compliance to auditors, as well as to help identify potentially improper administrator actions.

PCI Compliance in Specific Environments

API Management & Security for PCI Compliance

There's a difference between PCI compliance and strong security. It is possible to pass a PCI audit while still having areas of vulnerability in your infrastructure that put credit card data at risk. This is why it is critical to ensure that attacks such as cross-site request forgery, SQL injection, XQuery injection, parameter tampering, Trojan horses, and the like are detected and prevented. And, the most effective way to do that is with an API solution that can monitor, analyze, and control traffic into your environment in order to significantly reduce your risk of a successful attack.

The CA API Management & Security suite includes API gateways that provide enterprise-level security and can be configured as part of a PCI process, allowing organizations to create an end-to-end electronic payment process while enhancing compliance with PCI. In fact, the CA API Secure Implementation Guide enables organizations to implement PCI-compliance access controls, password management, encryption key management, traffic management, role-based access, and auditing to help ensure the privacy and security of cardholder data.

The benefits of this solution for PCI compliance span many sections of the PCI standard. A brief summary of how the CA API Management & Security suite can enhance PCI compliance includes:

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Capabilities provided by CA API Management & Security: Built-in XML firewall provides comprehensive XML threat protection.

Requirement 2: Do not use vendor-supplied defaults for system passwords
Capabilities provided by CA API Management & Security: Allows customers to redefine default passwords, stores all passwords encrypted, and reset/expire passwords on a regular basis.

Requirement 3: Protect cardholder data
Capabilities provided by CA API Management & Security: Built-in PKI capabilities support encryption of cardholder data and PANs at rest, and in transit.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Capabilities provided by CA API Management & Security: Provides automatic SSL-encryption of all message traffic.

Requirement 5: Use and regularly update anti-virus software
Capabilities provided by CA API Management & Security: Supports virus scanning of message attachments using popular anti-virus software using the ICAP interface.

Requirement 6: Develop & maintain secure systems and applications
Capabilities provided by CA API Management & Security: Provides admin control over password strength and maximum idle times for admin sessions. Provides centralized security for all your applications in a dedicated, hardened security device.

Requirement 7: Restrict access to cardholder data by business need-to-know
Capabilities provided by CA API Management & Security: Provides strict role-based access control (RBAC) for all system functionality, including encrypted audit logs.

Requirement 8: Assign a unique ID for each person with access
Capabilities provided by CA API Management & Security: Provides mechanisms to enroll, expire, and disable users.

In summary, a strict focus on simply passing your PCI audit without considering other areas of security risk is short-sighted. There are many areas of infrastructure security that need to be considered. The CA API Management & Security suite can help close those vulnerabilities that could lead to an expensive and painful breach of your customers' cardholder data.

PCI compliance in virtual environments

An earlier section summarized the PCI requirements for virtual environments. As we saw, the requirements are stringent: if credit card information exists within any component of a virtual environment, all components are in scope and must comply. Most of the new requirements relate to security best practices, for example, restrict physical access, implement least privilege, enforce segregation of duties, ensure correct system configurations, and the like. All of these are sound best practices in all environments, but particularly relevant for virtual ones.

But one requirement is unique to virtual environments: harden the hypervisor. Because it represents a single point of failure, the hypervisor must be secured in order to best protect the privacy of all cardholder information housed anywhere in the virtual environment.

CA Privileged Identity Manager for Virtual Environments is a security solution specifically designed to protect systems and information in a virtual environment. It secures privileged user access to virtual machines, hypervisors, and virtual appliances, helping organizations control privileged user actions, secure access to the virtual environment, and comply with industry mandates. It delivers key capabilities to manage privileged user passwords, harden the hypervisor, and monitor privileged user activity. Key capabilities of the product include:

- Privileged user password management: enables the issuance of passwords on a temporary, one-time use basis, or as necessary.
- User activity monitoring: audits activity performed on the hypervisor and keeps track of privileged account usage based on the original user ID.
- Segregation of duties: helps enforce industry-standard segregation of duties rules on the hypervisor. For example, it can prevent the hypervisor administrator from accessing virtual machine configurations via the hypervisor, thus forcing all virtual environment changes to be governed through the management consoles only.
- Secure multi-tenancy: extends traditional physical network segmentation to virtual environments. It can provide improved tenant isolation for better compliance and MSP enablement, inter-VM traffic control over policy-based framework and higher VM density on physical hardware by enabling guests with various trust-levels to share a common host with least privileged access between members of different zones.
- Hypervisor hardening: controls access to the system resources, programs, files, and processes through a stringent series of criteria that includes time, login method, network attributes and access program.

PCI compliance for the mainframe

Any comprehensive strategy for PCI compliance needs to incorporate mainframes, due to their critical nature in any security environment. In particular, some previous very public breaches of customer credit card information involved inadequate mainframe security. CA Technologies offers a number of mainframe security solutions that can enable you to incorporate mainframes into your PCI compliance strategy, along with the other CA distributed security solutions. The CA mainframe security solutions include:

- CA ACF2 and CA Top Secret provide flexible and robust capabilities for managing identities and entitlements. Specific policies can be enforced to determine the length, format and complexity of passwords. Life of user passwords can also be controlled on both a global or individual basis. Password strengths can be managed by an organization given their specific IT environments. CA ACF2 and CA Top Secret are the front line for access control on the mainframe environment and likely your principal means to address the requirements in sections 2, 6, 7, 10, and 12. In addition, these tools provide alternate or optional methods towards solving requirements 3, 8, 9, and 12.

- CA ACF2 and CA Top Secret Option for DB2 allows you to control the security of your critical DB2 for z/OS environment where it's most practical: within the existing CA ACF2 or CA Top Secret access control system. For those sites with DB2 and especially those where DB2 data supports the cardholder environment, this tool will likely be your primary solution for PCI DSS requirements in sections 2, 6, 7, 10, and 12. Through ACF2 or Top Secret, the DB2 Option may also contribute to satisfying the requirements in sections 7, 8, 12, and 12.

- CA Auditor for z/OS helps identify the system, application and security exposures in z/OS environments that arise from improper system configuration and operational errors, as well as intentional circumvention of controls and malicious attacks. This solution may be your primary response on z/OS to PCI requirements in sections 10 and 11. It also may help you solve requirements 2, 6, 7, 10, and 12.

- CA Cleanup for z/OS provides mainframe identity and entitlement monitoring for your CA ACF2, CA Top Secret and/or IBM RACF security on z/OS. Specific policies can be defined to monitor the usage (or lack of usage) for identities and entitlements and after a defined period of inactivity, the entitlement and/or identity can be archived and then removed from the system. This prevents orphaned identities and entitlements from having the potential of causing adverse effects to PCI data. CA Cleanup can reduce unused permissions and user IDs without the high cost of manual administration. This solution may be your principal method to meet PCI DSS requirement and may contribute to and

- CA Chorus for Security and Compliance Management allows all activity against PCI (and non-PCI) data to be monitored in an effort to determine and maintain least-privileged access by all users who require access to PCI data to perform their job function. Also, CA Compliance Manager will assist in achieving and maintaining the least privileged access model. This will help ensure that the level of access a user has to an object is the absolute minimum access which they require to perform their job. This solution may likely be deployed as your response to requirements in sections 10, 11, and 12. It may be an alternate means toward achieving sections 10 and 12. Finally, it will likely be a part of your solutions for requirements 2, 3, 6, 7, 8, 10, 11, and 12.

Section 3: Summary

PCI compliance can be challenging, especially as the requirements increase with each new version of the standard. No solution can address all areas of these requirements, nor can any solution promise that it will make your environment compliant. However, CA Technologies security solutions provide a proven solution for simplifying PCI compliance, as well as protecting your IT assets across the platforms and environments within your enterprise. These solutions can be deployed on-premise, in the cloud, or in hybrid environments for maximum flexibility. In addition, it provides a common security model across the three critical channels: Web, mobile, and APIs. This breadth of capability not only enables you to simplify compliance and reduce risk, but it also enables a consistent, convenient experience for your Web and mobile users.

We have simplified PCI compliance for many of our customers. For more information, visit us at ca.com/iam.

Connect with CA Technologies at ca.com

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright 2014 CA. All rights reserved. UNIX is a registered trademark of The Open Group. Windows, Active Directory, and RACF are trademarks of Microsoft. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information.
To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA Technologies does not provide legal advice. CS _0414


More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat PCI COMPLIANCE Achieving Payment Card Industry (PCI) Data Security Standard Compliance With Lumension Security Vulnerability Management and Endpoint Security Solutions Cardholder Data at Risk While technology

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information