BeyondTrust Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard




Partner Addendum

BeyondTrust Addendum to VMware Solution Guide for Payment Card Industry Data Security Standard

The findings and recommendations contained in this document are provided by VMware-certified professionals at Coalfire, a leading PCI Qualified Security Assessor and independent IT audit firm. Coalfire's results are based on detailed document inspections and interviews with the vendor's technical teams. Coalfire's guidance and recommendations are consistent with PCI DSS control intent generally accepted by the QSA assessor community. The results contained herein are intended to support product selection and high-level compliance planning for VMware-based cloud deployments. More information about Coalfire can be found at www.coalfire.com.

Table of Contents
1. Introduction ... 3
2. Cloud Computing ... 8
3. Overview of PCI as it Applies to Cloud/Virtual Environments ... 12
4. BeyondTrust PCI Compliance Solution ... 15
5. BeyondTrust PCI Requirements Matrix (Overview) ... 17

1. Introduction

Organizations migrating physical server infrastructure to virtual platforms often find that virtual hosts and guests can present new security risks and compliance violations. Without proper security policies and tools, these risks can outweigh the cost reduction and efficiency benefits offered by virtualization strategies. Without sufficient workflow protocol, consolidating multiple resources with different privileged access levels onto a single physical server could compromise the separation of duties for network and security controls and circumvent security policies. BeyondTrust security solutions enable your organization to adopt best practices for virtual platform security while addressing key mandates outlined by the Payment Card Industry Data Security Standard.

Figure 1: BeyondTrust Solution Overview

The BeyondInsight IT Risk Management Platform

BeyondInsight is an IT Risk Management platform that provides unified management and reporting for BeyondTrust's Retina Vulnerability Management and PowerBroker Privileged Account Management solutions. With BeyondInsight, IT and Security teams have a single, contextual lens through which to view user and asset risk. This clear, consolidated risk profile enables proactive, joint decision-making while ensuring that daily operations are guided by common goals for risk reduction. BeyondInsight adds significant value to Retina and PowerBroker via platform capabilities including asset discovery and profiling; workflow and notification; and in-depth reporting and analytics.

In addition to offering centralized platform capabilities, BeyondInsight can be configured for any one or combination of the following BeyondTrust solutions*:
- Retina Network Security Scanner
- PowerBroker UNIX/Linux
- PowerBroker for Windows
- PowerBroker Password Safe

*BeyondInsight is not a standalone product, as it depends on Retina and PowerBroker product functionality to operate.

Vulnerability Management Solutions

BeyondTrust's Vulnerability Management solutions enable you to efficiently identify, prioritize and remediate vulnerabilities such as missing patches and configuration weaknesses. With our vulnerability management solutions, you can conduct regular risk assessments to enforce security best practices and policies, comply with regulatory auditing mandates, and protect IT assets throughout your organization. This document specifically addresses two BeyondTrust Vulnerability Management Solutions:
1. Retina Network Security Scanner (Retina NSS): A standalone network, web, database and virtual vulnerability assessment solution.
2. BeyondInsight for Enterprise Vulnerability Management: An enterprise vulnerability management solution that leverages the BeyondInsight IT Risk Management platform to extend Retina Network Security Scanner to a larger surface while adding richer reporting and analytics capabilities.

Both of the above solutions provide PCI DSS-compliant scanning capabilities, including wireless scanning. When used in conjunction with a PCI Authorized Scanning Vendor (ASV), they support the PCI DSS requirement for quarterly internal and external vulnerability scanning and external penetration testing. They also offer in-depth technical reports, as well as executive reports and PCI reports. BeyondTrust Vulnerability Management solutions offer full support for VMware environments, including online and offline virtual image scanning, virtual application scanning and integration with vCenter.

Privileged Account Management Solutions

BeyondTrust PowerBroker Privileged Account Management solutions allow your organization to adhere to the Principle of Least Privilege, a fundamental security tenet. The Principle of Least Privilege dictates that organizations grant each user only the minimum access necessary to complete legitimate tasks. BeyondTrust makes it easy to establish a layered defense of least-privilege policies, procedures and technical controls with the following PowerBroker solutions:
- PowerBroker UNIX & Linux
- PowerBroker for Windows
- PowerBroker Identity Services AD Bridge
- PowerBroker Password Safe

PowerBroker solutions enable you to control administrative access to the Hypervisor/VMM layer while realizing the cost efficiencies promised by virtualization. Key capabilities include:
- Administrative tools that prevent virtualization layer breaches and mitigate security risks to hosted workloads
- Programmable role-constraint mechanisms that enforce segregation of duties for users
- Virtual platform deployment capabilities that enable secure datacenter virtualization

PowerBroker makes it easy to enforce consistent policies across the virtual environment with a unique blend of guest control capabilities, host hypervisor control capabilities, and cost-effective virtual platform deployment capabilities.

Figure 2: PowerBroker Capabilities and Products within the BeyondInsight Platform

VMware's Approach to PCI Compliance

Compliance and security continue to be top concerns for organizations that plan to move their environment to cloud computing. VMware helps organizations address these challenges by providing bundled solutions (suites) that are designed for specific use cases. These use cases address questions like "How to be PCI compliant in a VMware Private Cloud" by providing helpful information for VMware architects, the compliance community, and third parties. The PCI Private Cloud Use Case is comprised of four VMware Product Suites: vCloud, vCloud Networking and Security, vCenter Operations (vCOps) and View. These product suites are described in detail in this paper. The use case also provides readers with a mapping of the specific PCI controls to VMware's product suite, partner solutions, and organizations involved in PCI Private Clouds. While every cloud is unique, VMware and its Partners can provide a solution that addresses over 70% of the PCI DSS requirements.

Figure 3: PCI Requirements

Figure 4: VMware + BeyondTrust Product Capabilities for a Trusted Cloud

Figure 5: Help Meet Customers' Compliance Requirements to Migrate Business Critical Apps to a VMware vCloud

2. Cloud Computing

Cloud computing and virtualization have continued to grow significantly every year. There is a rush to move applications and even whole datacenters to the cloud, although few people can succinctly define the term "cloud computing". There are a variety of different frameworks available to define the cloud, and their definitions are important as they serve as the basis for making business, security, and audit determinations. VMware defines cloud or utility computing as the following (http://www.vmware.com/solutions/cloud-computing/public-cloud/faqs.html):

"Cloud computing is an approach to computing that leverages the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service. Sometimes known as utility computing, clouds provide a set of typically virtualized computers which can provide users with the ability to start and stop servers or use compute cycles only when needed, often paying only upon usage."

There are commonly accepted definitions for the cloud computing deployment models and there are several generally accepted service models. These definitions are listed below:

Private Cloud: The cloud infrastructure is operated solely for an organization and may be managed by the organization or a third party. The cloud infrastructure may be on-premise or off-premise.

Public Cloud: The cloud infrastructure is made available to the general public or to a large industry group and is owned by an organization that sells cloud services.

Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private and public) that remain unique entities, but are bound together by standardized technology. This enables data and application portability; for example, cloud bursting for load balancing between clouds. With a hybrid cloud, an organization gets the best of both worlds, gaining the ability to burst into the public cloud when needed while maintaining critical assets on-premise.

Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (for example, mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on-premise or off-premise.

To learn more about VMware's approach to cloud computing, review the following:
- http://www.vmware.com/solutions/cloud-computing/index.html#tab3 - VMware Cloud Computing Overview
- http://www.vmware.com/cloud-computing/cloud-architecture/vcat-toolkit.html - VMware's vCloud Architecture Toolkit

When an organization is considering the potential impact of cloud computing on its highly regulated and critical applications, it may want to start by asking:
- Is the architecture a true cloud environment (does it meet the definition of cloud)?
- What service model is used for the cardholder data environment (SaaS, PaaS, IaaS)?
- What deployment model will be adopted?
- Is the cloud platform a trusted platform?

The last point is critical when considering moving highly regulated applications to a cloud platform. PCI does not endorse or prohibit any specific service and deployment model. The appropriate choice of service and deployment models should be driven by customer requirements, and the customer's choice should include a cloud solution that is implemented using a trusted platform. VMware is the market leader in virtualization, the key enabling technology for cloud computing. VMware's vCloud Suite is the trusted cloud platform that customers use to realize the many benefits of cloud computing, including safely deploying business critical applications.

To get started, VMware recommends that all new customers undertake a compliance assessment of their current environment. VMware offers free compliance checkers that are based on VMware's vCenter Configuration Manager solution. Customers can simply point the checker at a target environment and execute a compliance assessment request. The resultant compliance report provides a detailed rule-by-rule indication of pass or failure against a given standard. Where compliance problems are identified, customers are directed to a detailed knowledge base for an explanation of the rule violated and information about potential remediation. To download the free compliance checkers, click on the following link: https://my.vmware.com/web/vmware/evalcenter?p=compliance-chk&lp=default&cid=70180000000mjsmaaw

Figure 6: BeyondTrust PowerBroker

For additional information on VMware compliance solutions for PCI, please refer to the VMware Solution Guide for PCI.

Figure 7: VMware Cloud Computing Partner Integration

Figure 8: BeyondTrust Cloud Computing Integration

With BeyondTrust's PowerBroker solutions, you can completely manage and audit privileged access to your organization's cloud infrastructure, while building fine-grained, context-aware security access policies for all cloud-based assets. Easily configured for separate security zones, PowerBroker solutions enable you to apply appropriate levels of security to multiple applications sharing the same physical or virtual infrastructure. In addition, PowerBroker's policy language allows you to build fine-grained, context-aware access policies for all cloud-based assets.

3. Overview of PCI as it Applies to Cloud/Virtual Environments

The PCI Security Standards Council (SSC) was established in 2006 by five global payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.). The payment brands require through their Operating Regulations that any merchant or service provider must be PCI compliant. Merchants and service providers are required to validate their compliance by assessing their environment against nearly 300 specific test controls outlined in the PCI Data Security Standard (DSS). Failure to meet PCI requirements may lead to fines, penalties, or inability to process credit cards, in addition to potential reputational loss.

The PCI DSS has six categories with twelve total requirements, as outlined below:

Table 1: PCI Data Security Standard

The PCI SSC specifically began providing formalized guidance for cloud and virtual environments in October 2010. These guidelines were based on industry feedback, rapid adoption of virtualization technology, and the move to cloud. Version 2.0 of the Data Security Standard (DSS) specifically mentions the term "virtualization" (previous versions did not use the word "virtualization"). This was followed by an additional document explaining the intent behind the PCI DSS v2.0, "Navigating PCI DSS". These documents were intended to clarify that virtual components should be considered as components for PCI, but did not go into the specific details and risks relating to virtual environments. Instead, they address virtual and cloud specific guidance in an Information Supplement, "PCI DSS Virtualization Guidelines", released in June 2011 by the PCI SSC's Virtualization Special Interest Group (SIG).

Figure 9: Navigating PCI DSS

The virtualization supplement was written to address a broad set of users (from small retailers to large cloud providers) and remains product agnostic (no specific mentions of vendors and their solutions).

* VMware solutions are designed to help organizations address various regulatory compliance requirements. This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address such requirements. VMware encourages any organization that is considering VMware solutions to engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements. It is the responsibility of each organization to determine what is required to meet any and all requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide legal advice and is provided "AS IS". VMware makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Nothing that you read in this document should be used as a substitute for the advice of competent legal counsel.

Figure 10: VMware PCI Compliance Products

4. BeyondTrust PCI Compliance Solution

The following table introduces BeyondTrust solutions and describes how they relate to the PCI standard.

Table 2: BeyondTrust Solutions

Solution: BeyondInsight IT Risk Management Platform: Vulnerability Management Configuration
Description: BeyondInsight for Enterprise Vulnerability Management enables large-scale, distributed vulnerability assessment and remediation. The solution offers all the vulnerability assessment capabilities of Retina Network Security Scanner plus centralized management, reporting, analytics and other BeyondInsight platform capabilities. With BeyondInsight for Vulnerability Management, customers have centralized command and control over risk assessments of disparate and heterogeneous infrastructure.

Solution: Retina Network Security Scanner
Description: Retina Network Security Scanner is a standalone solution designed to discover, profile and assess all assets deployed on an organization's network. With Retina Network Security Scanner, customers can efficiently identify, prioritize and remediate vulnerabilities such as missing patches and configuration weaknesses. The solution provides in-depth technical reports, as well as executive reports and PCI reports. When used in conjunction with the BeyondInsight IT Risk Management Platform, Retina Network Security Scanner delivers a comprehensive view of enterprise-wide network security.

Solution: PowerBroker UNIX & Linux
Description: PowerBroker UNIX & Linux is a user space, network-based solution for fine-grained privileged delegation and auditing in UNIX/Linux environments. PowerBroker UNIX & Linux enables granular policy control over privileged account user behavior. It is an inherently secure and centralized solution for both policy enforcement and auditing of user activity down to the keystroke level. The two main tasks that PowerBroker UNIX & Linux performs are policy-based task delegation and auditing.

Solution: PowerBroker for Windows
Description: PowerBroker for Windows provides fine-grained, policy-based privileged delegation for the Windows environment. PowerBroker for Windows allows organizations to remove local admin rights from end users without hampering productivity. PowerBroker selectively elevates privileges for applications, software installs, system tasks, scripts, control panel applets, and other operations. Additionally, PowerBroker for Windows provides Session Monitoring and File Integrity Monitoring capabilities for granular tracking of privileged user activity across the Windows environment.

Solution: PowerBroker Identity Services AD Bridge
Description: PowerBroker Identity Services AD Bridge enables organizations to authenticate to Linux, UNIX, and Mac machines using Active Directory (AD) credentials. It automatically maps UIDs and GIDs to users and groups defined in Active Directory by importing Linux, UNIX, and Mac OS password and group files, and provides centralized configuration management using AD Group Policy. PowerBroker Identity Services AD Bridge also provides compliance reporting and auditing capability. Disclaimer: A free, open source version of this program is also available. This whitepaper describes the full enterprise version of PowerBroker Identity Services AD Bridge, as it offers a broader and deeper set of functionality than the open source version.

Solution: PowerBroker Password Safe
Description: PowerBroker Password Safe is a hardened appliance for privileged password management across an organization's dynamic IT infrastructure. It can be configured as a physical or virtual appliance, with no difference in functionality. PowerBroker Password Safe provides automated management of highly privileged accounts, such as shared administrative accounts, application accounts, and local administrative accounts, across nearly all IP-enabled devices. Furthermore, request, approval, and retrieval workflow functionality is included for end-user access of managed privileged accounts. It comes complete with audit-ready logging and reporting capabilities.

5. BeyondTrust PCI Requirements Matrix (Overview)

BeyondTrust's PCI DSS Compliance Solution includes extensive privilege delegation and vulnerability scanning and management. When properly deployed and configured, the BeyondTrust solution either fully meets or augments the following PCI DSS requirements:

Table 3: BeyondTrust PCI DSS Requirements Matrix

Columns, in order: PCI DSS Requirement | Number of PCI Requirements | per-product counts for BeyondInsight IT Risk Management Platform, Retina Network Security Scanner, PowerBroker UNIX & Linux, PowerBroker for Windows, PowerBroker Identity Services AD Bridge, PowerBroker Password Safe, and Collective Total Controls Addressed by BeyondTrust Products (blank cells are omitted, so a row may list fewer values than there are products)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 25 | 1 1 1 1 3
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 24 | 15 12 1 5 33
Requirement 3: Protect stored cardholder data | 33 | 1 1
Requirement 4: Encrypt transmission of cardholder data across open, public networks | 9 | 2 4
Requirement 5: Use and regularly update antivirus software or programs | 6 | 4 4 8
Requirement 6: Develop and maintain secure systems and applications | 32 | 13 12 2 27
Requirement 7: Restrict access to cardholder data by business need to know | 7 | 2 2 7 6 6 23
Requirement 8: Assign a unique ID to each person with computer access | 32 | 19 18 5 3 8 15 68
Requirement 9: Restrict access to cardholder data by business need to know | 28 |
Requirement 10: Track and monitor all access to network resources and cardholder data | 29 | 18 3 19 20 16 16 92
Requirement 11: Regularly test security systems and processes | 24 | 7 7 1 15
Requirement 12: Maintain a policy that addresses information security for all personnel | 40 |
Requirement A.1: Shared hosting providers must protect the cardholder data environment | 8 | 2 2 3 3 3 2 15
TOTAL | 297 | 81 63 36 33 34 41 289

BeyondInsight IT Risk Management Platform: Vulnerability Management Configuration

The following matrix maps the PCI DSS controls to the enterprise vulnerability management functionality of the BeyondInsight IT Risk Management Platform. BeyondInsight for Enterprise Vulnerability Management extends Retina Network Security Scanner to a larger surface while adding richer reporting and analytics capabilities. BeyondInsight provides IT security professionals with context-aware vulnerability assessment and risk analysis. The platform's results-oriented architecture works with users to proactively identify security exposures, analyze business impact, and plan and conduct remediation across network, web, mobile, cloud and virtual infrastructure.

BeyondTrust provides solutions to support or meet PCI DSS controls. To achieve full compliance with PCI DSS, it may be necessary to deploy additional policies, processes or technologies in conjunction with BeyondTrust's solutions.

Table 9: Applicability of PCI Controls to BeyondInsight for Enterprise Vulnerability Management

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Controls addressed: 1.1.1
BeyondInsight meets or augments the following specific controls:
- BeyondInsight directly supports testing procedure 1.1.1 by having some capability to analyze router misconfigurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Controls addressed: 2.1, 2.1.1.c, 2.1.1.d, 2.2.a, 2.2.b, 2.2.c, 2.2.1.a, 2.2.1.b, 2.2.2.a, 2.2.2.b, 2.2.3.b, 2.2.3.c, 2.2.4.a, 2.2.4.b, 2.2.4.c, 2.3.c
BeyondInsight meets or augments the following specific controls:
- BeyondInsight augments support for testing procedure 2.1 by allowing an organization to scan and check for select vendors and their default passwords. BeyondInsight uses a dictionary of default passwords; this dictionary is editable so that more defaults can be appended if necessary.
- BeyondInsight augments support for testing procedure 2.1.1.c by allowing an organization to scan and check for select vendors and their default passwords against wireless access. BeyondInsight uses the same editable dictionary of default passwords.
- BeyondInsight augments support for testing procedure 2.1.1.d by allowing an organization to check for outdated, vulnerable firmware on wireless devices. It does not check whether the firmware supports stronger encryption.

- BeyondInsight augments support for testing procedure 2.2.a by allowing an organization to perform a configuration-based scan against a benchmark such as CIS, SANS, NIST, etc. A report is generated highlighting which configurations have passed or failed against the chosen benchmark.
- BeyondInsight augments support for testing procedure 2.2.b by generating a vulnerability report and instructions on how to fix the pending vulnerabilities.
- BeyondInsight augments support for testing procedure 2.2.c by performing a configuration-based scan to check system configurations.
- BeyondInsight augments support for testing procedures 2.2.1.a and 2.2.1.b by grouping assets using Smart Groups. Smart Groups allow logical grouping of assets based on attributes such as asset name, address group, discovery date, or even installed software. Using Smart Groups, an organization can identify servers and their functions.
- BeyondInsight augments support for testing procedures 2.2.2.a and 2.2.2.b by enumerating services, ports, and protocols in a list. The list can then be analyzed by a user to see which services, ports, or protocols are allowed and which are not.
- BeyondInsight augments support for testing procedures 2.2.3.b and 2.2.3.c by scanning against a company-provided benchmark to verify that common security parameter settings are included in the system configuration standard and are set appropriately.
- BeyondInsight augments support for testing procedure 2.2.4.a by providing the ability to perform custom checks for scripts, drivers, features, subsystems, files, etc. The check is wizard driven.
- BeyondInsight augments support for testing procedures 2.2.4.b and 2.2.4.c by scanning system components based on customer specification.
- BeyondInsight augments support for testing procedure 2.3.c by helping organizations identify weak SSL ciphers and SSL v1.0. BeyondInsight directly supports testing procedure 2.3.c by encrypting web-based administrative access to the application itself.

Requirement 3: Protect stored cardholder data
No controls in this PCI requirement are addressed by the BeyondInsight solution.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
No controls in this PCI requirement are addressed by the BeyondInsight solution.

Requirement 5: Use and regularly update antivirus software or programs
Controls addressed: 5.1, 5.1.1, 5.2.a, 5.2.b
BeyondInsight meets or augments the following specific controls:
- BeyondInsight augments support for testing procedures 5.1 and 5.1.1 by allowing an organization to detect whether antivirus has been installed or shut down. It can check for Symantec, Norton, McAfee, Sophos, or Trend Micro. The organization can develop custom queries to search for other antivirus software.
- BeyondInsight augments support for testing procedures 5.2.a and 5.2.b by allowing an organization to check for virus definitions that are older than 14 days.

Requirement 6: Develop and maintain secure systems and applications
Controls addressed: 6.1.a, 6.1.b, 6.2.a, 6.2.b, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.7, 6.5.8, 6.5.9, 6.6
BeyondInsight meets or augments the following specific controls:
- BeyondInsight augments support for testing procedure 6.1.a by providing a list of all missing security patches needed for a system.
- BeyondInsight augments support for testing procedure 6.1.b by allowing an organization to identify vulnerabilities older than a specified number of days. The number of days is configurable by the organization.
- BeyondInsight directly supports testing procedures 6.2.a and 6.2.b by scanning for vulnerabilities and assigning them BeyondTrust risk ratings, PCI risk ratings, and CVSS scores.
BeyondInsight augments support for testing procedures 6.5.1 through 6.5.4 and 6.5.5 through 6.5.9 by scanning web applications and helping an organization identify the vulnerabilities mentioned in these testing procedures.

BeyondInsight directly supports testing procedure 6.6 by scanning web applications for vulnerabilities.

Requirement 7: Restrict access to cardholder data by business need to know
Applicable controls: 7.1.2, 7.2.3
BeyondInsight meets or augments the following specific controls:

BeyondInsight augments support for testing procedure 7.1.2 by helping an organization identify misconfigured admin groups. BeyondInsight directly supports testing procedure 7.1.2 by delegating users and the rights they are assigned within the BeyondInsight application.

BeyondInsight augments support for testing procedure 7.2.3 by helping an organization identify any systems that do not require authentication. This is achieved through the BeyondInsight null session scan.

Requirement 8: Assign a unique ID to each person with computer access
Applicable controls: 8.1, 8.2, 8.5.4, 8.5.5, 8.5.8.a, 8.5.9.a, 8.5.9.b, 8.5.10.a, 8.5.10.b, 8.5.11.a, 8.5.11.b, 8.5.12.a, 8.5.12.b, 8.5.13.a, 8.5.13.b, 8.5.14, 8.5.15, 8.5.16.a, 8.5.16.b
BeyondInsight meets or augments the following specific controls:

BeyondInsight directly supports testing procedure 8.1 by using unique user IDs for local authentication within the application.

BeyondInsight augments support for testing procedure 8.2 by helping an organization identify user accounts that do not require authentication. It further checks whether the username is also the password and whether the password is the reverse of the username.

BeyondInsight augments support for testing procedure 8.5.4 by allowing an organization to identify when a user last logged on or off.

BeyondInsight augments support for testing procedure 8.5.5 by allowing an organization to identify when a user last logged on or off. This can help an organization determine whether an account unused for more than 90 days has been disabled.

BeyondInsight augments support for testing procedure 8.5.8.a by providing a user ID list for the organization to analyze for shared accounts.

BeyondInsight augments support for testing procedures 8.5.9.a through 8.5.15 by allowing an organization to identify the security parameters listed in those testing procedures.

BeyondInsight augments support for testing procedure 8.5.16.a by helping an organization check whether a SQL database can be accessed without a password.

BeyondInsight augments support for testing procedure 8.5.16.b by helping an organization identify insecure database configurations, such as querying. Additionally, it can check for vulnerabilities in stored procedures.

Requirement 9: Restrict access to cardholder data by business need to know
No controls in this PCI requirement are addressed by the BeyondInsight solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Applicable controls: 10.1, 10.2.1, 10.2.2, 10.2.4, 10.2.5, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4.a, 10.4.1.a, 10.4.3, 10.5.1, 10.5.2, 10.7.a, 10.7.b
BeyondInsight meets or augments the following specific controls:

BeyondInsight directly supports testing procedure 10.1 by collecting logs from PowerBroker servers and Retina NSS.

BeyondInsight augments support for testing procedures 10.2.1, 10.2.2, 10.2.4, and 10.2.5 by collecting the events listed in the testing procedures from PowerBroker servers and Retina NSS.

BeyondInsight augments support for testing procedures 10.3.1 through 10.3.6 by collecting logs from PowerBroker servers and Retina NSS. The logs that are collected satisfy the testing procedures.

BeyondInsight augments support for testing procedure 10.4.a by helping an organization identify whether a time protocol server is running.

BeyondInsight augments support for testing procedure 10.4.1.a by detecting whether an NTP server has been found.

BeyondInsight augments support for testing procedure 10.4.3 by checking whether any system uses an unauthorized time server.

BeyondInsight directly supports testing procedures 10.5.1 and 10.5.2 by restricting the viewing of audit trails in BeyondInsight to authorized users only.

BeyondInsight directly supports testing procedures 10.7.a and 10.7.b by allowing the length of log retention to be configured.

Requirement 11: Regularly test security systems and processes
Applicable controls: 11.1.a, 11.1.b, 11.1.c, 11.2.1.a, 11.2.2.a, 11.2.2.b, 11.2.2.c
BeyondInsight meets or augments the following specific controls:

BeyondInsight directly supports testing procedure 11.1.a by being configurable to perform quarterly scans to detect wireless access points. Once configured, the quarterly scans run automatically.

BeyondInsight directly supports testing procedure 11.1.b by scanning for wireless access points.

BeyondInsight directly supports testing procedure 11.1.c by being configurable to run automatically every quarter.

BeyondInsight directly supports testing procedure 11.2.1.a by being configurable to run automatically every quarter, thus guaranteeing an organization four quarterly internal scans within the last 12-month period.

BeyondInsight augments support for testing procedure 11.2.2.a by being configurable to run automatically every quarter, thus guaranteeing an organization four quarterly external scans within the last 12-month period. To fully achieve this testing procedure, an organization must hire an Approved Scanning Vendor (ASV), such as BeyondTrust, to perform external scans.

BeyondInsight directly supports testing procedure 11.2.2.b by producing CVSS scores in vulnerability reports.

BeyondInsight augments support for testing procedure 11.2.2.c by granting the ability to perform external vulnerability scans. To fully meet this control, an organization must hire an ASV, such as BeyondTrust, to perform the external vulnerability assessments.

Requirement 12: Maintain a policy that addresses information security for all personnel
No controls in this PCI requirement are addressed by the BeyondInsight solution.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Applicable controls: A.1.2.a, A.1.2.e
BeyondInsight meets or augments the following specific controls:

BeyondInsight augments support for testing procedure A.1.2.a by helping the shared hosting provider identify misconfigured admin groups.

BeyondInsight augments support for testing procedure A.1.2.e by listing system resources such as disk space, bandwidth, memory, and CPU. The shared hosting provider can use this information to highlight restrictions.

Retina Network Security Scanner (NSS)

The following matrix maps the PCI DSS controls to the functionality of the Retina Network Security Scanner. Retina Network Security Scanner is a standalone solution that enables you to efficiently identify, prioritize, and remediate vulnerabilities such as missing patches and configuration weaknesses. With Retina, you can conduct regular risk assessments to enforce security best practices and policies, comply with regulatory auditing mandates, and protect IT assets throughout your organization.

BeyondTrust provides solutions to support or meet PCI DSS controls. To achieve full compliance with PCI DSS, it may be necessary to deploy additional policies, processes, or technologies in conjunction with BeyondTrust's solutions.

Table 8: Applicability of PCI Controls to Retina Network Security Scanner

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Applicable controls: 1.1.1
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner directly supports testing procedure 1.1.1 by having some capability to analyze router misconfigurations.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Applicable controls: 2.1, 2.1.1.c, 2.1.1.d, 2.2.a, 2.2.b, 2.2.c, 2.2.2.a, 2.2.2.b, 2.2.3.b, 2.2.3.c, 2.2.4.a, 2.2.4.b, 2.2.4.c
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure 2.1 by allowing an organization to scan and check for select vendors and their default passwords. Retina NSS uses a dictionary of default passwords; this dictionary is editable, so more defaults can be appended if necessary.

Retina Network Security Scanner augments support for testing procedure 2.1.1.c by allowing an organization to scan and check for select vendors and their default passwords against wireless access. Retina NSS uses a dictionary of default passwords; this dictionary is editable, so more defaults can be appended if necessary.

Retina Network Security Scanner augments support for testing procedure 2.1.1.d by allowing an organization to check for outdated, vulnerable firmware on wireless devices. It does not check whether the firmware supports stronger encryption.

Retina Network Security Scanner augments support for testing procedure 2.2.a by allowing an organization to perform a configuration-based scan against a benchmark such as CIS, SANS, or NIST. A report is generated highlighting which configurations have passed or failed against the chosen benchmark.

Retina Network Security Scanner augments support for testing procedure 2.2.b by generating a vulnerability report and instructions on how to fix the outstanding vulnerabilities.

Retina Network Security Scanner augments support for testing procedure 2.2.c by performing a configuration-based scan to check system configurations.

Retina Network Security Scanner augments support for testing procedures 2.2.2.a and 2.2.2.b by enumerating services, ports, and protocols into a list. A user can then analyze the list to see which services, ports, or protocols are allowed and which are not.

Retina Network Security Scanner augments support for testing procedures 2.2.3.b and 2.2.3.c by scanning against a company-provided benchmark to verify that common security parameter settings are included in the system configuration standard and are set appropriately.

Retina Network Security Scanner augments support for testing procedure 2.2.4.a by providing the ability to perform custom, wizard-driven checks for scripts, drivers, features, subsystems, files, etc.

Retina Network Security Scanner augments support for testing procedures 2.2.4.b and 2.2.4.c by scanning system components based on customer specification.

Requirement 3: Protect stored cardholder data
No controls in this PCI requirement are addressed by the Retina Network Security Scanner solution.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Applicable controls: 4.1.c, 4.1.d
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner directly supports testing procedure 4.1.c by helping an organization verify whether outdated versions of a particular transmission protocol are in use.

Retina Network Security Scanner directly supports testing procedure 4.1.d by helping an organization verify that the encryption used during transmission is of proper strength.

Requirement 5: Use and regularly update antivirus software or programs
Applicable controls: 5.1, 5.1.1, 5.2.a, 5.2.b
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedures 5.1 and 5.1.1 by allowing an organization to detect whether antivirus has been installed or shut down. It can check for Symantec, Norton, McAfee, Sophos, or Trend Micro. The organization can write its own checks to search for other antivirus software.

Retina Network Security Scanner augments support for testing procedures 5.2.a and 5.2.b by allowing an organization to check for virus definitions that are older than 14 days.

Requirement 6: Develop and maintain secure systems and applications
Applicable controls: 6.1.a, 6.2.a, 6.2.b, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.7, 6.5.8, 6.5.9, 6.6
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure 6.1.a by providing a list of all missing security patches needed for a system.

Retina Network Security Scanner directly supports testing procedures 6.2.a and 6.2.b by scanning for vulnerabilities and assigning them BeyondTrust risk ratings, PCI risk ratings, and CVSS scores.

Retina Network Security Scanner augments support for testing procedures 6.5.1 through 6.5.4 and 6.5.5 through 6.5.9 by scanning web applications and helping an organization identify the vulnerabilities mentioned in these testing procedures.

Retina Network Security Scanner directly supports testing procedure 6.6 by scanning web applications for vulnerabilities.

Requirement 7: Restrict access to cardholder data by business need to know
Applicable controls: 7.1.2, 7.2.3
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure 7.1.2 by helping an organization identify misconfigured admin groups.

Retina Network Security Scanner augments support for testing procedure 7.2.3 by helping an organization identify any systems that do not require authentication. This is achieved through the Retina NSS null session scan.
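The Requirement 5 and 6 checks described above for both BeyondInsight and Retina (antivirus present and running, definitions older than 14 days, vulnerabilities open longer than an organization-chosen number of days, ranked by CVSS) amount to a small triage pass over scan results. The following Python is an added example of that pass; it is not BeyondInsight or Retina code. The record layout, the sample hosts and findings, and the CVSS 4.0 "high" cut-off are assumptions made for the illustration.

```python
"""Triage of constructed scan results against the PCI DSS thresholds named on
this page: antivirus present and running (5.1 / 5.1.1), definitions no older
than 14 days (5.2), vulnerabilities open longer than a configurable number of
days (6.1.b), ranked by CVSS (6.2).

Added example, not BeyondInsight or Retina code. The record layout and the
sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_DEFINITION_AGE_DAYS = 14   # 5.2 threshold stated on the page
HIGH_CVSS = 4.0                # assumption: CVSS 4.0+ treated as "must fix"


@dataclass
class Vulnerability:
    name: str
    cvss: float
    first_seen: date


@dataclass
class Host:
    name: str
    av_product: Optional[str]          # None when no antivirus was detected
    av_running: bool
    definitions_date: Optional[date]   # None when the scanner could not read it
    vulns: List[Vulnerability] = field(default_factory=list)


def check_antivirus(host: Host, today: date) -> List[str]:
    """Findings for 5.1 / 5.1.1 / 5.2 on one host (empty list means compliant)."""
    findings: List[str] = []
    if host.av_product is None:
        findings.append("5.1: no antivirus detected")
        return findings                      # nothing further to check
    if not host.av_running:
        findings.append(f"5.1.1: {host.av_product} installed but not running")
    if host.definitions_date is None:
        findings.append("5.2: definition date unknown")
    else:
        age = (today - host.definitions_date).days
        if age > MAX_DEFINITION_AGE_DAYS:
            findings.append(
                f"5.2: definitions are {age} days old (limit {MAX_DEFINITION_AGE_DAYS})")
    return findings


def stale_vulnerabilities(host: Host, today: date, max_age_days: int) -> List[Vulnerability]:
    """6.1.b: vulnerabilities open longer than max_age_days, highest CVSS first (6.2)."""
    stale = [v for v in host.vulns if (today - v.first_seen).days > max_age_days]
    return sorted(stale, key=lambda v: v.cvss, reverse=True)


def triage(hosts: List[Host], today: date, max_vuln_age_days: int = 30) -> Dict[str, List[str]]:
    """Map host name -> findings. Hosts with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for h in hosts:
        findings = check_antivirus(h, today)
        for v in stale_vulnerabilities(h, today, max_vuln_age_days):
            age = (today - v.first_seen).days
            sev = "high" if v.cvss >= HIGH_CVSS else "low"
            findings.append(f"6.1.b: {v.name} open {age} days, CVSS {v.cvss} ({sev})")
        if findings:
            report[h.name] = findings
    return report


# Constructed sample data (not real hosts, products states or findings).
TODAY = date(2014, 3, 1)
SAMPLE_HOSTS = [
    Host("pos-01", "McAfee", True, TODAY - timedelta(days=3)),
    Host("pos-02", "Sophos", False, TODAY - timedelta(days=20),
         [Vulnerability("Missing vendor patch (constructed)", 9.3,
                        TODAY - timedelta(days=45))]),
    Host("db-01", None, False, None,
         [Vulnerability("Weak SSL cipher (constructed)", 4.3,
                        TODAY - timedelta(days=10))]),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_HOSTS, TODAY).items():
        print(host)
        for f in findings:
            print("  " + f)
```

The vulnerability age threshold is a parameter of `triage` because the page says the number of days is configurable by the organization; the definition-age limit is fixed at 14 days because that is the figure the page gives for 5.2.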

Requirement 8: Assign a unique ID to each person with computer access
Applicable controls: 8.2, 8.5.4, 8.5.5, 8.5.8.a, 8.5.9.a, 8.5.9.b, 8.5.10.a, 8.5.10.b, 8.5.11.a, 8.5.11.b, 8.5.12.a, 8.5.12.b, 8.5.13.a, 8.5.13.b, 8.5.14, 8.5.15, 8.5.16.a, 8.5.16.b
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure 8.2 by helping an organization identify user accounts that do not require authentication. It further checks whether the username is also the password and whether the password is the reverse of the username.

Retina Network Security Scanner augments support for testing procedure 8.5.4 by allowing an organization to identify when a user last logged on or off.

Retina Network Security Scanner augments support for testing procedure 8.5.5 by allowing an organization to identify when a user last logged on or off. This can help an organization determine whether an account unused for more than 90 days has been disabled.

Retina Network Security Scanner augments support for testing procedure 8.5.8.a by providing a user ID list for the organization to analyze for shared accounts.

Retina Network Security Scanner augments support for testing procedures 8.5.9.a through 8.5.15 by allowing an organization to identify the security parameters listed in those testing procedures.

Retina Network Security Scanner augments support for testing procedure 8.5.16.a by helping an organization check whether a SQL database can be accessed without a password.

Retina Network Security Scanner augments support for testing procedure 8.5.16.b by helping an organization identify insecure database configurations, such as querying. Additionally, it can check for vulnerabilities in stored procedures.

Requirement 9: Restrict access to cardholder data by business need to know
No controls in this PCI requirement are addressed by the Retina Network Security Scanner solution.

Requirement 10: Track and monitor all access to network resources and cardholder data
Applicable controls: 10.4.a, 10.4.1.a, 10.4.3
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure 10.4.a by helping an organization identify whether a time protocol server is running.

Retina Network Security Scanner augments support for testing procedure 10.4.1.a by detecting whether an NTP server has been found.

Retina Network Security Scanner augments support for testing procedure 10.4.3 by checking whether any system uses an unauthorized time server.

Requirement 11: Regularly test security systems and processes
Applicable controls: 11.1.a, 11.1.b, 11.1.c, 11.2.1.a, 11.2.2.a, 11.2.2.b, 11.2.2.c
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner directly supports testing procedure 11.1.a by being configurable to perform quarterly scans to detect wireless access points. Once configured, the quarterly scans run automatically.

Retina Network Security Scanner directly supports testing procedure 11.1.b by scanning for wireless access points.

Retina Network Security Scanner directly supports testing procedure 11.1.c by being configurable to run automatically every quarter.

Retina Network Security Scanner directly supports testing procedure 11.2.1.a by being configurable to run automatically every quarter, thus guaranteeing an organization four quarterly internal scans within the last 12-month period.

Retina Network Security Scanner augments support for testing procedure 11.2.2.a when used by an Approved Scanning Vendor (ASV), such as BeyondTrust Software, Inc. Note that the PCI Security Standards Council maintains a structured process for security solution providers to become Approved Scanning Vendors (ASVs), and to be re-approved each year. To fully comply with 11.2.2, scans must be conducted quarterly by an ASV using approved configurations of its scanning tools. Retina NSS can be used by organizations that want to supplement the PCI-required quarterly scanning activities.
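The Requirement 8 passages above (for both BeyondInsight and Retina) describe an account-hygiene audit: accounts that accept no password or a password equal to the user name or its reverse (8.2), enabled accounts unused for more than 90 days (8.5.5), and a user-ID list for shared-account review (8.5.8.a). The following Python is an added example of such an audit, not BeyondInsight or Retina code. The account records, the local hash-based verifier, and the sample data are constructed; a real scanner tests the candidate credentials against the target's own authentication rather than a local table.

```python
"""Account-hygiene audit of the kind the Requirement 8 passages describe.

Checks (thresholds and candidate set taken from the page):
  8.2     accepts a blank password, the user ID, or the reversed user ID
  8.5.5   enabled but not used within INACTIVE_DAYS (90)
  8.5.8.a produces the user-ID list for a reviewer to inspect for shared IDs

Added example, not BeyondInsight or Retina code. The verifier below is a
constructed stand-in (unsalted SHA-256 table) so the sample runs offline.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

INACTIVE_DAYS = 90   # 8.5.5 threshold stated on the page


@dataclass
class Account:
    user_id: str
    enabled: bool
    last_logon: Optional[date]   # None: never logged on
    password_hash: str           # constructed stand-in for the system's verifier


def _h(password: str) -> str:
    # Unsalted SHA-256 only to keep the sample self-contained; not a password store design.
    return hashlib.sha256(password.encode()).hexdigest()


def make_verifier(accounts: List[Account]) -> Callable[[str, str], bool]:
    """Return verify(user_id, candidate) -> bool over the constructed records."""
    by_id = {a.user_id: a for a in accounts}
    return lambda uid, cand: uid in by_id and by_id[uid].password_hash == _h(cand)


def weak_credential_candidates(user_id: str) -> Dict[str, str]:
    """The trivial candidates the page names: blank, the ID itself, the ID reversed."""
    return {"blank": "", "username": user_id, "reversed username": user_id[::-1]}


def audit(accounts: List[Account], verify: Callable[[str, str], bool],
          today: date) -> Dict[str, List[str]]:
    """Map user_id -> findings. Accounts with no findings are omitted."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings: List[str] = []
        for label, cand in weak_credential_candidates(acct.user_id).items():
            if verify(acct.user_id, cand):
                findings.append(f"8.2: authenticates with {label} password")
                break   # one weak-credential finding per account is enough
        if acct.enabled:
            if acct.last_logon is None:
                findings.append("8.5.5: enabled but never logged on")
            else:
                idle = (today - acct.last_logon).days
                if idle > INACTIVE_DAYS:
                    findings.append(f"8.5.5: enabled and inactive for {idle} days")
        if findings:
            report[acct.user_id] = findings
    return report


def user_id_list(accounts: List[Account]) -> List[str]:
    """8.5.8.a: sorted ID list for a reviewer to check for shared or generic accounts."""
    return sorted(a.user_id for a in accounts)


# Constructed sample accounts (not real users or credentials).
TODAY = date(2014, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, date(2014, 2, 27), _h("correct horse battery staple")),
    Account("backup", True, date(2013, 10, 1), _h("pukcab")),      # reversed ID, stale
    Account("svc_pos", True, None, _h("")),                         # blank password
    Account("contractor", False, date(2013, 6, 1), _h("x7!Qz")),   # disabled: no 8.5.5 finding
]

if __name__ == "__main__":
    verify = make_verifier(SAMPLE_ACCOUNTS)
    for uid, findings in audit(SAMPLE_ACCOUNTS, verify, TODAY).items():
        print(uid, findings)
    print("IDs for shared-account review:", user_id_list(SAMPLE_ACCOUNTS))
```

The disabled account produces no 8.5.5 finding even though it is stale, which matches the control's intent: the question is whether unused accounts have been disabled, not whether they exist.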
Retina Network Security Scanner supports testing procedure 11.2.2.b by producing CVSS scores in vulnerability reports, but, as noted above, compliance with 11.2.2 is only achieved when the scan is performed by an ASV using PCI SSC approved staff and scanning tools. Organizations that want to supplement scans internally will find that industry-accepted CVSS scores are provided.

Retina Network Security Scanner augments support for testing procedure 11.2.2.c by granting the ability to perform external vulnerability scans. To fully meet this control, an organization must hire an ASV, such as BeyondTrust, to perform the external vulnerability assessments.

Requirement 12: Maintain a policy that addresses information security for all personnel
No controls in this PCI requirement are addressed by the Retina Network Security Scanner solution.

Requirement A.1: Shared hosting providers must protect the cardholder data environment
Applicable controls: A.1.2.a, A.1.2.e
Retina Network Security Scanner meets or augments the following specific controls:

Retina Network Security Scanner augments support for testing procedure A.1.2.a by helping the shared hosting provider identify misconfigured admin groups.

Retina Network Security Scanner augments support for testing procedure A.1.2.e by listing system resources such as disk space, bandwidth, memory, and CPU. The shared hosting provider can use this information to highlight restrictions.

PowerBroker UNIX & Linux

The following matrix maps the PCI DSS controls to the functionality of PowerBroker UNIX & Linux. PowerBroker UNIX & Linux delegates root tasks and authorization on UNIX, Linux, and OS X systems without ever disclosing the elevated account's password. Using centralized authorization policies, PowerBroker enables you to implement granular controls over elevated permissions.

BeyondTrust provides solutions to support or meet PCI DSS controls. To achieve full compliance with PCI DSS, it may be necessary to deploy additional policies, processes, or technologies in conjunction with BeyondTrust's solutions.

Table 4: Applicability of PCI Controls to PowerBroker UNIX & Linux

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Applicable controls: 1.4b
PowerBroker UNIX & Linux meets or augments the following specific controls:

PowerBroker UNIX & Linux augments support for testing procedure 1.4b by having the ability to explicitly block or deny certain commands for users. This can include a user's ability to delete or disable a firewall.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
No controls in this PCI requirement are addressed by the PowerBroker UNIX & Linux solution.

Requirement 3: Protect stored cardholder data
Applicable controls: 3.2.1
PowerBroker UNIX & Linux meets or augments the following specific controls:

PowerBroker UNIX & Linux augments support for testing procedure 3.2.1 because PowerBroker UNIX & Linux provides the ability to configure keystroke logging to the point where cardholder data can be prevented from being logged.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
No controls in this PCI requirement are addressed by the PowerBroker UNIX & Linux solution.

Requirement 5: Use and regularly update antivirus software or programs
No controls in this PCI requirement are addressed by the PowerBroker UNIX & Linux solution.

Requirement 6: Develop and maintain secure systems and applications
No controls in this PCI requirement are addressed by the PowerBroker UNIX & Linux solution.

Requirement 7: Restrict access to cardholder data by business need to know
Applicable controls: 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.1, 7.2.2, 7.2.3
PowerBroker UNIX & Linux meets or augments the following specific controls:

PowerBroker UNIX & Linux directly supports testing procedure 7.1.1 because the concept of least privilege is the very nature of PowerBroker UNIX & Linux. The function of PowerBroker UNIX & Linux is policy-based, granular, task-based delegation. Policies are built only for what a privileged user needs to run.

PowerBroker UNIX & Linux directly supports testing procedure 7.1.2 because the PowerBroker UNIX & Linux policy language can restrict specific roles to specific tasks.

PowerBroker UNIX & Linux augments support for testing procedure 7.1.3 because users with specific root-level tasks are explicitly defined within the policies in PowerBroker UNIX & Linux.

PowerBroker UNIX & Linux augments support for testing procedure 7.1.4 because PowerBroker UNIX & Linux works with automated access control systems, such as LDAP.

PowerBroker UNIX & Linux directly supports testing procedure 7.2.1 by having the ability to require a second form of authentication before a user performs an action that has been authorized for them.

PowerBroker UNIX & Linux directly supports testing procedure 7.2.2 by binding specific root-level tasks to specific UNIX/Linux user IDs. PowerBroker UNIX & Linux uses user and group information from access control systems and applies policies to particular users or groups based on job classification.
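The PowerBroker UNIX & Linux passages above describe a delegation model: explicit command denials (1.4b, for example disabling the firewall), allow rules that bind specific root-level tasks to specific users or groups drawn from the access control system (7.1.1, 7.1.2, 7.2.2), and an optional second authentication step before an authorized action runs (7.2.1). The following Python is an added illustration of how such a policy is evaluated, written from scratch for this page; it is not PowerBroker code and does not use the PowerBroker policy language. The rule layout, the group directory, the command patterns and the user names are constructed assumptions.

```python
"""Default-deny delegation policy evaluation, illustrating the model the
PowerBroker UNIX & Linux passages describe (1.4b, 7.1.1, 7.1.2, 7.2.1, 7.2.2).

Added example, not PowerBroker code or policy syntax. Groups, rules and
commands are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    subjects: Sequence[str]       # user names, or "%group" entries
    commands: Sequence[str]       # fnmatch patterns over the full command line
    run_as: str = "root"          # 7.2.2: the task runs as this ID, not the submitter
    second_factor: bool = False   # 7.2.1: re-authenticate before the task runs


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str
    run_as: Optional[str] = None
    second_factor: bool = False


# Constructed group directory; a real deployment would read this from the
# access control system (e.g. LDAP, as the page says) rather than a dict.
GROUPS = {"dba": {"alice"}, "netops": {"bob", "carol"}}

# 1.4b: commands nobody may run through the delegation path. Checked before
# any allow rule so an over-broad allow pattern cannot re-enable them.
DENY_ALWAYS = [
    "iptables -F*",
    "iptables -X*",
    "systemctl stop firewalld*",
    "service iptables stop*",
]

# 7.1.1 / 7.1.2: each rule grants one narrow task to one role.
ALLOW_RULES = [
    Rule(["%netops"], ["iptables -L*"]),                              # read-only view
    Rule(["%netops"], ["iptables -A INPUT*"], second_factor=True),    # change: 2nd factor
    Rule(["%dba"], ["systemctl restart postgresql*"], run_as="postgres"),
    Rule(["alice"], ["cat /var/log/postgresql/*"]),
]


def _matches_subject(user: str, subject: str) -> bool:
    if subject.startswith("%"):
        return user in GROUPS.get(subject[1:], set())
    return user == subject


def _matches(rule: Rule, user: str, cmdline: str) -> bool:
    return (any(_matches_subject(user, s) for s in rule.subjects)
            and any(fnmatchcase(cmdline, p) for p in rule.commands))


def evaluate(user: str, cmdline: str, rules: Sequence[Rule] = ALLOW_RULES) -> Decision:
    """Explicit denies first, then the first matching allow rule, else reject."""
    if any(fnmatchcase(cmdline, p) for p in DENY_ALWAYS):
        return Decision(False, "explicitly denied (1.4b)")
    for rule in rules:
        if _matches(rule, user, cmdline):
            return Decision(True, "matched allow rule", rule.run_as, rule.second_factor)
    return Decision(False, "no rule grants this task (default deny)")


if __name__ == "__main__":
    for user, cmd in [("bob", "iptables -L -n"),
                      ("bob", "iptables -F"),
                      ("bob", "iptables -A INPUT -s 10.0.0.5 -j DROP"),
                      ("alice", "systemctl restart postgresql"),
                      ("alice", "iptables -L -n")]:
        print(f"{user:6} | {cmd:40} -> {evaluate(user, cmd)}")
```

Two points the ordering makes concrete: a deny pattern wins even when an allow rule would otherwise match, and a user who is not named by any rule gets nothing, which is the least-privilege default the 7.1.1 passage refers to.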