Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access

edmz Introduces: Achieving PCI Compliance for: Privileged Password Management & Remote Vendor Access [WHITE PAPER]. Written by e-DMZ Security, LLC, February 2010. Copyright 2010 e-DMZ Security, LLC. All Rights Reserved. www.eDMZ.com

Achieving PCI Compliance
A White Paper by e-DMZ Security, LLC

OVERVIEW: Though PCI compliance is not a government-driven requirement such as Sarbanes-Oxley and HIPAA, non-compliance under PCI can have a devastating impact on any enterprise that relies on credit card transactions. Your contract with the credit card companies requires that your organization comply with PCI. Non-compliance with PCI can result in specific contractual penalties and/or revocation of your rights as an enterprise to process credit card transactions.

Like all compliance and regulatory requirements, there is no single product or policy/procedure that will assure your compliance. THERE IS NO SILVER BULLET for PCI COMPLIANCE. PCI compliance requires that your enterprise deploy many security technologies and have specific policies and procedures in place.

This white paper focuses on the unique issues and solutions associated with both privileged password management and remote vendor access in meeting PCI compliance requirements. Many of the requirements highlighted cannot be resolved or adequately addressed by existing enterprise security technologies such as firewalls, VPN and IDS solutions. Existing legacy policies and procedures are also unable to meet many of the requirements presented under PCI. Management, control and audit of both shared/privileged account passwords and critical remote third-party and administrative-level connections is mandatory in meeting PCI requirements and other growing regulatory, compliance and best-practice security needs.

The chart in Appendix A is based on a review of the Payment Card Industry Data Security Standard Security Audit Procedures, Version 1.1, September 2006. The chart illustrates the particular PCI issues that are addressed through the deployment of our eguardpost or Password Auto Repository (PAR) solutions.

COMPLIANCE-DRIVEN PASSWORD MANAGEMENT

The Password Auto Repository (PAR) was uniquely designed to solve the enterprise security and compliance issues associated with the management and control of shared privileged passwords such as root and administrator. The issue of privileged password management and the unique features of PAR contribute directly and/or indirectly to many specific PCI requirements, as outlined in Appendix A.

Fundamentally, the compliance audit concerns in the area of shared privileged password management center on ACCOUNTABILITY and AUDIT. Given the level of access and the shared nature of accounts like root and administrator, internal and external PCI audits are taking a close look at existing enterprise controls. In most cases, the existing manual policy/procedure solutions (e.g. the sealed password envelope kept in a safe) or internally developed technical solutions are not standing up to PCI compliance audits. Under audit scrutiny, existing in-house solutions are failing to deliver assured accountability and adequate audit.

PAR, winner of SC Magazine's 2006 Readers Trust Award, provides a purpose-built appliance with no client or host-based software requirements to resolve your security and compliance concerns for shared/privileged account, service account and hard-coded password management.

The unique capabilities of PAR can help your organization obtain and maintain PCI compliance for many PCI security requirements, as reflected in Appendix A. At a high level, the core features, functions and capabilities provided under PAR that help drive PCI compliance include:

- User Accountability
- Account Access Control
- Dual Release Controls (Requestor/Approver(s))
- Automated Password Change (time based and last-use based)
- Strong Password Generation
- Secure Password Storage

As shown in the PAR Access Diagram below, administrators connect to PAR via a standard web browser over HTTPS. PAR supports role-based access and connections for requestors, approvers and various admin and auditor functions. From a requestor/approver standpoint, PAR securely stores, releases and changes privileged account passwords for a heterogeneous enterprise system environment including Unix, Windows, databases, other network devices (firewalls, Cisco), AS/400 and mainframes. Provided proper authorization (i.e. approval, if under dual control), PAR will deliver the current privileged account password to the administrator. Once the authorized release window expires, or the client ends the release window early, PAR will automatically change the privileged account password. Connections to back-end systems are also clientless, using native system protocols. More information on PAR and a live demonstration can be found on our website at www.e-dmzsecurity.com.

[Figure: PAR Access Diagram. Requestors, approvers, administrators and auditors (using Mozilla Firefox, IE or Netscape) connect to PAR over HTTPS to release passwords, define systems/users, and audit, change and verify passwords. PAR reaches Windows, Unix/Linux, firewalls, routers and Oracle/Sybase/MSSQL databases over RPC, SSH and native DB client protocols for backup, patches/maintenance and network configuration tasks.]

COMPLIANCE-DRIVEN THIRD PARTY ACCESS

eguardpost was designed specifically to address the enterprise security and compliance concerns associated with allowing remote third-party (vendors, suppliers, consultants, etc.) and administrative access into enterprise networks and resources. Unlike remote employee connections, the enterprise does not have the same level of physical or technical controls over remote third-party connections, yet under PCI the enterprise has the same liability exposure should such access (authorized or not) result in the release or exposure of consumer credit card information. For these reasons, both internal and external PCI audits are focusing on how the enterprise secures, controls and audits third-party, administrative and other sensitive remote connections.

eguardpost, working independently or in conjunction with PAR (eguardpost includes PAR functionality or can integrate with an independent PAR appliance), can help the enterprise meet the intention of many PCI Security Standards, as shown in Appendix A. At a high level, the areas of audit under PCI directly addressed with eguardpost include:

- Vendor accounts monitored
- Logging all actions taken as root and administrator
- Monitor, control and limit access

[Figure: eguardpost session diagram. Users connect over HTTPS to eguardpost, which proxies SSH sessions to Unix/Linux and Terminal Services/VNC sessions to Windows, with full VCR-like session recording and playback.]

Technically, many of these issues are easily addressed for employees through the deployment of an enterprise VPN, firewall, anti-virus software and IDS. These issues become more challenging when working with remote third-party vendors, given the lack of ownership and control of the end client system, network and environment. eguardpost delivers a compliance-driven solution to the critical audit issues associated with remote third-party connections, including:

- Remote Session RECORDING: including keystrokes, mouse movements and all screen changes
- Session Proxy: no direct connection to back-end servers, accounts or applications
- Clientless secure encrypted communication via HTTPS

The unique session recording capabilities and VCR-like playback of eguardpost allow you to easily answer the question "what did the remote vendor do when connected?" Like having a camera recording a parking garage, it is not something you would review every day, but when needed it is a great security and compliance value to be able to go to the tape.

eguardpost was selected for Information Security Magazine's Tomorrow's Technology Today award in the area of forensic and security audit.

e-DMZ Security's Total Privileged Access Management (TPAM) suite is a robust collection of integrated and modular technologies designed specifically to meet the complex and growing security and compliance requirements associated with privileged identity management and privileged access controls within the enterprise. The focus of TPAM is to provide the enterprise a cost-effective modular platform from which it can enable the various privilege control functions it requires, based on current and/or future privileged access control requirements. The key privileged control functions offered under TPAM are shown below:

[Figure: TPAM Suite module matrix, showing for each base appliance (Password Auto Repository and eguardpost) which of the Password, Application, Session and Command modules are included and which are optional.]

The TPAM Suite is built on e-DMZ Security's award-winning Password Auto Repository (PAR) and/or eguardpost appliances. From either platform the enterprise can enable the specific modules required to meet its current privileged control needs and, in the future, enable other modules as required to meet new and/or developing privileged control requirements. Where one enterprise may deploy all TPAM modules on a single base appliance as a central privileged access control point, others may deploy in a more distributed fashion: for example, deploy a PAR base appliance as a single control point for all privileged account passwords, deploy a separate eguardpost appliance with privileged session management to control internal developer access to production resources, and deploy another eguardpost appliance in the company DMZ with privileged command management enabled to control remote vendor access to specific enterprise resources. Though loosely coupled, the eguardpost appliances are able to tightly integrate with the privileged password modules running on the PAR appliance.

A brief description of the TPAM modules is provided below:

Privileged Password Management (PPM): Secure storage, release control and change control of privileged passwords across a heterogeneous deployment of systems and applications is a requirement for all enterprises. Past internally developed solutions and procedures do not meet the needs driven by increased internal threats and compliance. The award-winning capabilities of our Password Auto Repository (PAR) provide the enterprise-class features, functions and scalability demanded by today's environment.

Application Password Management (APM): Embedded, hard-coded accounts and passwords in scripts and/or applications are an often overlooked back-door security vulnerability for the enterprise. Through the robust CLI/API supported by PAR, these hard-coded passwords can be replaced with a simple call into PAR. APM is provided at no additional cost with the PPM module. In addition, with our optional Accelerator, we can support over 1,000 password requests per second to meet the needs of the most demanding high-frequency A2A or A2DB environments.

Privileged Session Management (PSM): From remote vendors to developer access to production or other privileged access requirements, the ability to control, audit, monitor and record access becomes more and more critical as companies converge internal resources and/or outsource. Our award-winning eguardpost provides full session management and controls, including fine-grained resource access control, active session monitoring and full session recording in an unmatched size-efficient format for future replay.

Privileged Command Management (PCM): Most enterprises today are forced to do more with less. As a result, the need to provide restricted, delegated privileged access to key resources is growing. The unique configurable privileged command capabilities found in eguardpost v2.2 support privileged access controls down to the command level. Not only can you control, record and monitor sessions, you can also limit connections to a specific command for both Unix/Linux and Windows systems.
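The PAR/PPM release workflow described above (request, approval by someone other than the requestor, a time-bounded release, automatic password change when the window ends, and an audit trail naming each individual) modelled in Python. This is an added illustration, not code from the white paper or from the PAR/TPAM product; the class and method names, the default password rule (16 alphanumeric characters, minimum 7) and any sample accounts are constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

MIN_LENGTH = 7  # PCI DSS 8.5.10 minimum; the repository's configured rule can be stricter


def generate_password(length: int = 16) -> str:
    """Random password meeting 8.5.10 (length) and 8.5.11 (letters and digits)."""
    if length < MIN_LENGTH:
        raise ValueError("length below the PCI DSS minimum of 7")
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


@dataclass
class ManagedAccount:  # constructed model of one shared privileged account
    system: str
    name: str
    password: str = field(default_factory=generate_password)
    approvals_required: int = 1             # approvers needed under dual control
    requestor: Optional[str] = None         # who holds the pending/active request
    approvers: set = field(default_factory=set)
    release_until: Optional[float] = None   # end of the active release window (epoch secs)


class PasswordRepository:
    """Stores passwords, releases them under dual control, changes them afterwards."""

    def __init__(self):
        self.accounts = {}
        self.audit = []   # (event, actor, system/account, time): accountability per 10.1

    def add(self, acct: ManagedAccount) -> None:
        self.accounts[f"{acct.system}/{acct.name}"] = acct

    def request(self, key: str, user: str, now: float) -> None:
        acct = self.accounts[key]
        acct.requestor, acct.approvers = user, set()
        self.audit.append(("request", user, key, now))

    def approve(self, key: str, approver: str, now: float) -> None:
        acct = self.accounts[key]
        if acct.requestor is None or approver == acct.requestor:
            raise PermissionError("dual control: approver must differ from requestor")
        acct.approvers.add(approver)
        self.audit.append(("approve", approver, key, now))

    def release(self, key: str, user: str, now: float, window_seconds: float) -> str:
        """Hand the current password to the requestor for a bounded release window."""
        acct = self.accounts[key]
        if user != acct.requestor or len(acct.approvers) < acct.approvals_required:
            raise PermissionError("release not authorized")
        acct.release_until = now + window_seconds
        self.audit.append(("release", user, key, now))
        return acct.password

    def sweep(self, now: float) -> list:
        """Automatically change every password whose release window has ended."""
        rotated = []
        for key, acct in self.accounts.items():
            if acct.release_until is not None and now >= acct.release_until:
                acct.password = generate_password()
                acct.release_until, acct.requestor, acct.approvers = None, None, set()
                self.audit.append(("auto-change", "repository", key, now))
                rotated.append(key)
        return rotated
```

Because the password is changed as soon as the window closes, a copy kept by the requestor (or a departed employee, per requirement 8.5.4) stops working without any further action.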

APPENDIX A: PCI DSS requirements, the TPAM module(s) that address them, and how TPAM meets each.

1.4 Prohibit direct public access between external networks and any system component that stores cardholder data
    Module(s): PSM
    How TPAM meets PCI: The TPAM PSM module provides a full session proxy between the user and the accessed resource.

2.1 Always change vendor-supplied defaults
    Module(s): PPM
    How TPAM meets PCI: By requiring that all default accounts are managed by TPAM, you can ensure that their passwords are changed based on time and usage.

3.5 Protect encryption keys
    Module(s): PPM
    How TPAM meets PCI: The TPAM/PPM module supports secure file storage with granular access control.

3.6.2 Secure key distribution
    Module(s): PPM
    How TPAM meets PCI: The TPAM/PPM file storage/release control can be used to support secure key storage and distribution with full audit.

3.6.3 Secure key storage
    Module(s): PPM
    How TPAM meets PCI: TPAM/PPM file storage can be used to securely store keys and other information. All files are AES 256 encrypted.

3.6.6 Dual control for keys
    Module(s): PPM
    How TPAM meets PCI: The TPAM/PPM file storage capability allows for dual (or more) control on the file release process.

6.3.3 Separation of duties between development, test and production environments
    Module(s): PSM/PCM
    How TPAM meets PCI: Several TPAM modules can be used to provide separation of duties between users and/or networks. PSM supports a trusted gateway for developer access to production resources.

6.5.2 Broken access control (for example, malicious use of IDs)
    Module(s): PPM/PSM
    How TPAM meets PCI: TPAM/PPM last-use password change controls assure that any password managed by TPAM is changed after every use and is thus not susceptible to malicious use. TPAM/PSM supports auto-login of authorized sessions; because the credential is never exposed to or known by the user, there is no potential for its malicious use.

7.1 Limit access to computing resources / automated access control system
    Module(s): PSM/PCM
    How TPAM meets PCI: TPAM/PSM provides granular control over which systems can be accessed, proxies the access and fully records activity. Adding PCM can limit access to a specific command or executable environment.

7.2 Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed
    Module(s): PSM/PCM
    How TPAM meets PCI: The TPAM session management/control and the command-level control of the PSM/PCM modules can assure access only by authorized users and can further limit a session to a specific command. This can help augment host-level controls.

8.4 Encrypt all passwords during transmission and storage on all system components
    Module(s): PPM
    How TPAM meets PCI: TPAM/PPM encrypts all stored passwords using RSA BSafe AES 256 prior to storage in the internal database. In addition, the entire hard drive is encrypted via Guardian Edge hard disk encryption (also AES 256).

8.5.4 Immediately revoke access for any terminated users
    Module(s): PPM
    How TPAM meets PCI: TPAM helps support this requirement through several features: PPM assures that no user, employed or terminated, has any account password knowledge unless in an active release window. TPAM can fully integrate with directories such as AD to synchronize changes with TPAM policy.

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed
    Module(s): PSM
    How TPAM meets PCI: TPAM/PSM supports dual (or more) connection authorization. Vendors can request access, but it is only allowed if specifically approved by authorized approvers. If access is granted and the requested time is exceeded, TPAM automatically notifies administrators of the session overrun for appropriate action. Vendor accounts can be time limited.

8.5.8 Shared admin account
    Module(s): PPM
    How TPAM meets PCI: TPAM/PPM was specifically designed to address this issue. It is not always possible to disable all generic privileged accounts (for example, the account needed to log in at the console in single-user mode). TPAM/PPM provides compliant management of shared privileged accounts and individual accountability to determine who accessed a shared account.

8.5.10 Require a minimum password length of at least seven characters
    Module(s): PPM
    How TPAM meets PCI: TPAM/PPM supports the setting of many password rules, providing full control over password length. Passwords are generated based on the configured rule for account passwords managed by TPAM.

8.5.11 Use passwords containing both numeric and alphabetic characters
    Module(s): PPM
    How TPAM meets PCI: TPAM/PPM supports the setting of many password rules, providing full control over the use of numeric and alphabetic characters. Passwords are generated based on the configured rule for account passwords managed by TPAM.

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
    Module(s): PPM/PSM
    How TPAM meets PCI: Both PPM and PSM support configuration options for TPAM ID lock-out after a configured number of attempts. If deploying PSM, since PSM will be the connection access point to resources, the TPAM lock-out capability can be used in place of, or to augment, what is available at the resource/host.

8.5.14 Set the lock-out duration to thirty minutes or until the administrator enables the user ID
    Module(s): PPM/PSM
    How TPAM meets PCI: Both PPM and PSM support configuration options for TPAM ID lock-out duration. If deploying PSM, since PSM will be the connection access point to resources, the TPAM lock-out duration capability can be used in place of, or to augment, what is available at the resource/host.

10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
    Module(s): PPM/PSM
    How TPAM meets PCI: TPAM/PPM provides individual accountability of who used a particular account. TPAM/PSM provides full session recording and replay for activity accountability.

10.2.2 Log all actions taken by any individual with root or administrative privileges
    Module(s): PSM
    How TPAM meets PCI: TPAM/PSM controls administrative session access to resources, records all activities and provides DVR-like session playback. There is NOTHING done through PSM that is not fully recorded for forensic playback.

12.5.5 Monitor and control all access to data
    Module(s): PSM
    How TPAM meets PCI: TPAM/PSM provides full session recording, archive and replay for all user or administrative sessions controlled by TPAM. An upcoming version will include real-time session monitoring (vs. post-forensic playback only).
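The lock-out rows above (8.5.13: lock the ID after at most six attempts; 8.5.14: keep it locked for thirty minutes or until an administrator re-enables it) modelled in Python as a gate that sits at the connection access point, in front of the resource. This is an added illustration, not code from the white paper or the TPAM product; the class and method names, the injected credential-check callback and the simulated clock are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 6            # PCI DSS 8.5.13: lock the ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60   # PCI DSS 8.5.14: thirty minutes, or until an administrator unlocks


@dataclass
class LoginState:
    failures: int = 0
    locked_at: Optional[float] = None


class LockoutGate:
    """Per-ID lock-out enforced at the access point, ahead of any host-level control."""

    def __init__(self, verify: Callable[[str, str], bool],
                 max_attempts: int = MAX_ATTEMPTS, lockout_seconds: float = LOCKOUT_SECONDS):
        self.verify = verify                 # credential check supplied by the caller
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.state: Dict[str, LoginState] = {}
        self.log: List[Tuple] = []           # audit trail of every decision

    def is_locked(self, user: str, now: float) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if now - st.locked_at >= self.lockout_seconds:
            self.state[user] = LoginState()  # duration elapsed: clear lock and counter
            return False
        return True

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'; a locked ID is refused even with the right password."""
        if self.is_locked(user, now):
            self.log.append(("rejected-locked", user, now))
            return "locked"
        st = self.state.setdefault(user, LoginState())
        if self.verify(user, password):
            st.failures = 0
            self.log.append(("success", user, now))
            return "ok"
        st.failures += 1
        self.log.append(("failure", user, now))
        if st.failures >= self.max_attempts:
            st.locked_at = now
            self.log.append(("locked", user, now))
            return "locked"
        return "denied"

    def admin_unlock(self, user: str, admin: str, now: float) -> None:
        """An administrator re-enables the ID before the lock-out duration has elapsed."""
        self.state[user] = LoginState()
        self.log.append(("admin-unlock", admin, user, now))
```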