Why PCI DSS Compliance is Impossible without Privileged Management


Written by Joseph Grettenberger, compliance risk advisor, Compliance Collaborators, Inc.

Introduction

For many organizations, compliance with data security standards doesn't seem to be getting easier. IT security compliance efforts are forever competing with projects to address ever-pressing information security threats, operational vulnerabilities and daily business risks, and they often lose out in the battle for resources and funding. However, in any industry where compliance is an issue, organizations cannot afford to ignore it. Sooner or later, they are going to be required to demonstrate that they have the appropriate IT-related internal controls in place to minimize the risk of fraud or data breach.

You can get ahead of the game by understanding your control objectives and selecting solutions that ensure consistency of foundational, high-performance processes like authorization and monitoring that satisfy multiple control objectives, thereby enabling you to both achieve and demonstrate compliance while also automating compliance-related tasks.

In this paper, you'll learn about IT security compliance for the Payment Card Industry Data Security Standard (PCI DSS) from an auditor's perspective. Although PCI DSS represents only a portion of the data security compliance obligations faced by most organizations, it is one of the most significant, especially in light of recent, well-publicized financial security breaches that have plagued many of today's industry-leading corporations.

Payment Card Industry Data Security Standard

Purpose and reach

While a relative newcomer to the IT compliance scene, PCI DSS has been mandated by all members of the PCI Security Standards Council, including Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International. What this means, essentially, is that all banks that process the payment transactions associated with these cards are responsible for ensuring that merchants meet the standard or face severe penalties.

PCI DSS has an extensive reach: it applies not only to your business, but also to virtually any vendor that supports your organization by accepting, storing, processing or transmitting payment card data, including personal data from credit and debit cards. Any business partner or vendor that handles cardholder data (CHD) or sensitive authentication data (SAD) in these capacities is classified as a PCI merchant and is required to comply.

Objectives and requirements

The overriding goal of PCI DSS is to ensure payment card data confidentiality, which means making sure that you and your vendors have the proper operational processes and controls in place to secure customer data and ensure it is auditable. Specifically, PCI DSS requirements are intended to ensure that organizations:

- Build and maintain secure networks and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

Many of the PCI DSS standards have detailed requirements that focus on key processes and controls organizations must have in place for implementing basic privileged access management. These include controls around privileged accounts that:

- Limit access to cardholder data to only authorized users
- Ensure each user is uniquely identified and has explicit approval for only the least amount of data and privilege needed to perform their job role
- Enforce strong password management settings
- Track logging and recording of all privileged user activity
- Prevent the abuse of system accounts
- Secure audit logs

Dell Privileged Account Management (PAM) solutions

Filling the gap in application-based access management

Using the group permissions and role-based management features of business applications that accept or store cardholder data is not enough to secure your data and ensure compliance with PCI DSS requirements. The cardholder data environment (CDE) comprises not only your primary business applications, but also support systems such as file servers, mail servers, backup servers, development and test servers, and network devices. It also extends to underlying platforms, including databases, operating systems, hypervisors and VM hosts. These system components, as defined in the DSS, provide access to protected information and sometimes even cardholder data, making them subject to PCI DSS assessment as well.

Dell privileged account management solutions enable you to continuously manage privileged access to CDE system components that lack privileged access management, thereby filling a fundamental security gap in traditionally weak infrastructure controls. While these solutions will not replace your network monitoring tools, when regularly used as part of an information system security program, they can greatly reduce a host of unauthorized access and system changes and prevent numerous policy violations before they happen.

Automating privileged account management and streamlining compliance

With Dell PAM solutions, your organization can substantially automate privileged account management, including requests, reviews, approvals, denials and revocations, to help ensure your compliance with PCI DSS controls and industry best practices. Moreover, you can easily demonstrate your organization's compliance by quickly responding to assessor and internal audit inquiries using customizable, out-of-the-box reports. You can monitor and report on privileged activities, including those occurring during sensitive time periods or outside the course of normal business operations. Plus, Dell PAM solutions provide a separate database of activity records that you can use to substantiate policy violations to support personnel sanctions related to the security of information systems.

By enabling controlled use of administrative privileges, ensuring controlled access based on need-to-know, and providing detailed recordings of discrete activities performed in controlled environments, Dell PAM solutions help you control privileged access to production operating environments and also ensure that critical access controls are applied to security architectures in all phases of the system development lifecycle. By providing foundational IT security measures, these solutions enable you to adopt robust privileged management and monitoring practices that augment and, to some extent, preempt standard user activity monitoring, malware and intrusion detection controls.

Dell PAM solutions include Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo.

Automate and secure privileged accounts. Dell Privileged Password Manager enables you to automate, control and secure the entire process of granting administrators the credentials necessary to perform their duties. Deployed on a secure, hardened appliance, Privileged Password Manager provides a compliant and efficient way to control these very powerful accounts, ensuring that privileged access is granted according to established policies with appropriate approvals, that all actions are fully audited and tracked, and that passwords are changed immediately upon the expiration of their authorized time limits. To further reduce your security exposure, Privileged Password Manager replaces the privileged passwords embedded in applications with programmatic calls that dynamically retrieve secured, policy-compliant account credentials required for the applications to talk to each other or to databases.

Simplify control and monitoring of privileged access. With Dell Privileged Session Manager, you can issue privileged access for a specific period or session to administrators, remote vendors and high-risk users with full recording and replay that enables auditing and compliance. You also benefit from having a single point of control from which you can authorize connections, limit access to specific resources, allow certain commands to be run, view active connections, record all activity, alert if connections exceed pre-set time limits, and terminate connections. Privileged Session Manager is deployed on a secure, hardened appliance and can be combined with Privileged Password Manager to hide account passwords from privileged users.

Centrally manage and report on the sudoers policy file. Take your privileged account management through sudo to the next level. Dell Privilege Manager for Sudo, part of Dell Privileged Access Suite for Unix, enhances sudo by enabling you to centrally manage sudo and the sudoers policy files with a single system for reporting on all access rights and activities. Privilege Manager for Sudo also provides keystroke logging, complete with search and playback capabilities, for in-depth auditing and compliance requirements.

How Dell PAM solutions map to PCI DSS requirements

The following mapping shows how Dell privileged account management solutions enable you to proactively identify and address gaps in PCI compliance by pairing PCI DSS 3.0 requirements with specific Dell PAM capabilities. Each entry gives the PCI DSS 3.0 section and requirement text, followed by how Dell PAM solutions help.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.
How Dell PAM solutions help: Depending on the environments to which it has access, Privileged Password Manager can be used at various points of the server and network device provisioning process to detect and even automatically change vendors' default passwords. You can also ensure that passwords are changed and that unnecessary default accounts are removed before new systems added to the network are put into service.

2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure; for example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file sharing, Telnet, FTP, etc.
How Dell PAM solutions help: Dell PAM solutions use only secured technologies (such as SSH and SSL) to establish connections to systems.

2.2.4 Configure system security parameters to prevent misuse.
2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems and unnecessary web servers.
How Dell PAM solutions help: Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can ensure that only authorized persons are able to configure and harden systems.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.
How Dell PAM solutions help: Dell PAM solutions use only secured technologies (such as SSH and SSL) to establish connections to systems.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.
How Dell PAM solutions help: Dell PAM solutions provide a number of features to help inventory the assets in your CDE. For example, the auto-discovery feature will detect all systems in your organization's directory, and the List Assets function can export a list of active systems that were discovered, in Excel or CSV format.

2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.
How Dell PAM solutions help: Privileged Password Manager can automatically change vendors' default passwords as systems are brought into its managed collection. In addition, it can automatically scan periodically for system components with a vendor default password and bring them into its managed collection to have their passwords changed.

Requirement 7: Restrict access to cardholder data by business need-to-know.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.1.1 Define access needs for each role, including: system components and data resources that each role needs to access for their job function; level of privilege required for accessing resources.
7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
7.1.3 Assign access based on individual personnel's job classification and function.
7.1.4 Require documented approval by authorized parties specifying required privileges.
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed. This access control system must include the following:
7.2.1 Coverage of all system components
7.2.2 Assignment of privileges to individuals based on job classification and function
How Dell PAM solutions help: Dell PAM solutions enable you to limit access to system components that hold cardholder data to only those individuals whose job requires such access. Specifically, these solutions are designed to:
- Define access needs for each role, including system components and data resources that each role needs to access for their job function
- Restrict access of privileged user IDs to least privileges necessary to perform job responsibilities
- Support policies requiring management to assign access based on an individual's job classification and function
- Support policies requiring documented approval by authorized parties specifying required privileges
- Establish access control for system components with multiple users that restricts access based on a user's need to know
- Provide a full-featured model for the complete management and review of access rights
Privilege Manager for Sudo offers full management and recording of root delegation and granular privilege access on Unix and Linux systems.
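The least-privilege delegation that 7.1.2 and 7.2 call for is exactly what a sudoers policy encodes, so a central review of that file is a natural control check. The reviewer below is an added example, not Privilege Manager for Sudo or any other Dell code; it parses a constructed sudoers excerpt, reports each principal's delegated rights and flags grants that are not least privilege.

```python
"""Added example, not Privilege Manager for Sudo or other Dell code: review a
sudoers policy for the least-privilege delegation that 7.1.2 / 7.2 require and
report every principal's access rights, as a central policy review would."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sudoers excerpt for this example; not a real policy file.
SAMPLE_SUDOERS = """\
Defaults    log_output
Defaults    logfile="/var/log/sudo.log"
Cmnd_Alias  PGSERVICE = /usr/bin/systemctl restart postgresql, /usr/bin/systemctl status postgresql
# named operator: one runas target and an enumerated command list
jdoe        ALL=(root) PGSERVICE
%dba        ALL=(postgres) /usr/bin/psql
# blanket root delegation, which 7.1.2 rules out
bsmith      ALL=(ALL) NOPASSWD: ALL
"""

ALIAS_LINE = re.compile(r"^Cmnd_Alias\s+(?P<name>\w+)\s*=\s*(?P<cmds>.+)$")
SPEC_LINE = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

Grant = Tuple[str, List[str], List[str]]   # (runas account, tags, commands)


def parse_sudoers(text: str) -> Tuple[Set[str], Dict[str, List[str]], Dict[str, List[Grant]]]:
    """Return (Defaults option names, Cmnd_Alias table, grants per principal).
    Cmnd_Alias names inside a grant are expanded to the commands they stand for.
    Only Defaults, Cmnd_Alias and user/group specification lines are handled."""
    defaults: Set[str] = set()
    aliases: Dict[str, List[str]] = {}
    grants: Dict[str, List[Grant]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            parts = line.split(None, 1)
            if len(parts) == 2:                   # option name without its value
                defaults.add(parts[1].split("=", 1)[0].strip())
            continue
        m = ALIAS_LINE.match(line)
        if m:
            aliases[m.group("name")] = [c.strip() for c in m.group("cmds").split(",")]
            continue
        m = SPEC_LINE.match(line)
        if not m:
            continue                              # Host_Alias, User_Alias etc. are out of scope
        cmds: List[str] = []
        for c in m.group("cmds").split(","):
            cmds.extend(aliases.get(c.strip(), [c.strip()]))
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        grants.setdefault(m.group("who"), []).append((m.group("runas") or "root", tags, cmds))
    return defaults, aliases, grants


def review_grants(grants: Dict[str, List[Grant]]) -> List[str]:
    """Findings against 7.1.2 (least privilege) and 7.2 (deny all unless allowed)."""
    findings = []
    for who, specs in grants.items():
        for runas, tags, cmds in specs:
            if "ALL" in cmds:
                findings.append(f"{who}: command list is ALL, not an enumerated set (7.1.2)")
            if runas == "ALL":
                findings.append(f"{who}: may run commands as any account (7.1.2)")
            if "NOPASSWD" in tags:
                findings.append(f"{who}: NOPASSWD elevates without re-authentication")
    return findings


def output_recorded(defaults: Set[str]) -> bool:
    """10.2.2 wants privileged actions recorded; sudo's log_output option keeps
    session I/O, the native counterpart of keystroke logging."""
    return "log_output" in defaults


def access_rights_report(grants: Dict[str, List[Grant]]) -> Dict[str, List[str]]:
    """Per-principal 'runas: command' list for the 7.1.1 role access review."""
    return {who: sorted(f"{runas}: {c}" for runas, _tags, cmds in specs for c in cmds)
            for who, specs in grants.items()}
```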

Requirement 8: Identify and authenticate access to system components.

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.1.3 Immediately revoke access for any terminated users.
8.1.4 Remove/disable inactive user accounts at least every 90 days.
How Dell PAM solutions help: Dell PAM solutions ensure the assignment of unique user IDs before they allow users privileged access to systems that contain cardholder data. Only authorized users are permitted to control the addition, deletion and modification of user IDs, credentials and other identifier objects. In addition, these solutions enable you to adjust or revoke system access privileges across a variety of platforms in a timely manner for users who have changed roles or have left the organization. Moreover, you can easily remove or disable inactive user accounts in accordance with your organization's account aging policy.

8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: enabled only during the time period needed and disabled when not in use; monitored when in use.
How Dell PAM solutions help: Privileged Session Manager enables organizations to carefully manage IDs that are issued to vendors who remotely access, support or maintain system components. You can enable access only during the time period needed, disable credentials when not in use, and monitor vendor access in real time or record it for later review.

8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
How Dell PAM solutions help: Dell PAM solutions enable your organization to lock out users after a pre-defined number of access attempts have been made, as well as require users to re-authenticate after a session has been idle for a set period of time. The administrator can specify the number of failed login attempts, the lockout duration and the maximum idle time, or require an administrator to unlock any locked account.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know, such as a password or passphrase; something you have, such as a token device or smart card; something you are, such as a biometric.
How Dell PAM solutions help: Dell PAM solutions can require the use of single-factor, two-factor or multi-factor authentication for access to CDE components.

8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
How Dell PAM solutions help: Dell PAM solutions use strong cryptography to render all authentication credentials unreadable during transmission (TLS) and storage (AES 256) in the password safe.

8.2.3 Passwords/phrases must meet the following: require a minimum length of at least seven characters; contain both numeric and alphabetic characters. Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
8.2.4 Change user passwords/passphrases at least every 90 days.
8.2.5 Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
How Dell PAM solutions help: Privileged Password Manager can enforce password policies that require any combination of the following:
- A minimum password length of at least seven characters
- Both numeric and alphabetic characters
- Users to change passwords at least every 90 days
- New passwords to not be the same as the four previously used passwords
- First-time password resets
By using system-generated passwords that expire after the authorized periods of use, the solution improves security while reducing administrative burden.

8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).
How Dell PAM solutions help: Privileged Password Manager supports both Dell and third-party RADIUS server and certificate-based multi-factor authentication solutions for remote network users, administrators and third-party access originating outside the network.
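The numbers in 8.1.6 through 8.2.6 above are concrete enough to test an account store against. The policy engine below is an added example, not Privileged Password Manager or any other Dell code; the account fields, the return codes and the use of an unsalted digest for the password history are its own assumptions.

```python
"""Added example, not Dell product code: the authentication parameters that
PCI DSS 3.0 Requirement 8 spells out, applied by a small policy engine a
defender could use to check an account store against those numbers."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Values taken directly from 8.1.6, 8.1.7, 8.1.8, 8.2.3, 8.2.4 and 8.2.5.
MAX_FAILED_ATTEMPTS = 6                   # 8.1.6: lock after not more than six attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # 8.1.7: at least 30 minutes, or admin unlock
IDLE_TIMEOUT = timedelta(minutes=15)      # 8.1.8: re-authenticate after 15 idle minutes
MIN_PASSWORD_LENGTH = 7                   # 8.2.3
PASSWORD_MAX_AGE = timedelta(days=90)     # 8.2.4
PASSWORD_HISTORY = 4                      # 8.2.5: none of the last four may be reused


def password_digest(password: str) -> str:
    """Digest kept in the history list instead of the password itself.
    Unsalted SHA-256 keeps the example short; a real history store would use a
    salted, slow password hash (8.2.1 requires strong cryptography at rest)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, previous_digests: List[str]) -> List[str]:
    """Return the 8.2.3 / 8.2.5 findings for a proposed password; [] means it
    passes. previous_digests lists digests of earlier passwords, oldest first."""
    findings = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        findings.append("8.2.3-length")
    if not (any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)):
        findings.append("8.2.3-charset")
    if password_digest(candidate) in previous_digests[-PASSWORD_HISTORY:]:
        findings.append("8.2.5-history")
    return findings


@dataclass
class AccountState:
    user_id: str                              # 8.1.1: one ID per individual
    password_set_at: datetime
    must_change: bool = False                 # 8.2.6: first-use / reset value must be replaced
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def password_expired(acct: AccountState, now: datetime) -> bool:
    """8.2.4: a password older than 90 days must be changed."""
    return now - acct.password_set_at > PASSWORD_MAX_AGE


def record_login_attempt(acct: AccountState, success: bool, now: datetime) -> str:
    """Apply 8.1.6 / 8.1.7 to one attempt. Returns 'locked', 'denied',
    'change-required' or 'ok'."""
    if acct.locked_at is not None:
        if now - acct.locked_at < LOCKOUT_DURATION:
            return "locked"                   # still inside the 30-minute lockout
        acct.locked_at, acct.failed_attempts = None, 0
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_at = now
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    acct.last_activity = now
    if acct.must_change or password_expired(acct, now):
        return "change-required"
    return "ok"


def admin_unlock(acct: AccountState) -> None:
    """8.1.7: an administrator may re-enable the ID before the lockout expires."""
    acct.locked_at, acct.failed_attempts = None, 0


def touch_session(acct: AccountState, now: datetime) -> bool:
    """8.1.8: True if the session is still live; False means re-authentication
    is required because it has been idle for more than 15 minutes."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None
        return False
    acct.last_activity = now
    return True
```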

Requirement 8: Identify and authenticate access to system components (continued).

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: generic user IDs are disabled or removed; shared user IDs do not exist for system administration and other critical functions; shared and generic user IDs are not used to administer any system components.
How Dell PAM solutions help: All of Dell's privileged account management solutions ensure that all user IDs managed are tied either to named persons or to system accounts that are not used by persons.

8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows: authentication mechanisms must be assigned to an individual account and not shared among multiple accounts; physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.
How Dell PAM solutions help: Privileged Password Manager's support for supplemental authentication mechanisms (such as Dell and third-party RADIUS server, smartcard and other certificate-based multi-factor authentication solutions) preserves the integrity of policies requiring unique named user IDs for remote network users, administrators and third-party access originating outside the network.

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: all user access to, user queries of, and user actions on databases are through programmatic methods; only database administrators have the ability to directly access or query databases; application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
How Dell PAM solutions help: Privileged Password Manager ensures that:
- All access to databases containing cardholder data is restricted through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can be used only by the applications, not by individual users or other non-application processes.

Requirement 10: Track and monitor all access to network resources and cardholder data.

10.1 Implement audit trails to link all access to system components to each individual user.
How Dell PAM solutions help: The recording and logging features of Privileged Password Manager and Privileged Session Manager provide reliable audit trails that link all access to system components to individual users.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data.
10.2.2 All actions taken by any individual with root or administrative privileges.
10.2.3 Access to all audit trails.
How Dell PAM solutions help: Privileged Session Manager can record:
- All individual access to cardholder data stored on Windows servers, Unix and Linux systems, and popular databases
- All actions taken by any individual with root or administrative privileges
- Access to all audit trails

10.2.4 Invalid logical access attempts.
How Dell PAM solutions help: Once a system is under the management of any Dell PAM solution, all invalid requests for privileged access to the system are logged. Access logs can be reviewed by trusted personnel to identify patterns of suspicious login activity.

10.2.5 Use of and changes to identification and authentication mechanisms, including but not limited to creation of new accounts and elevation of privileges, and all changes, additions, or deletions to accounts with root or administrative privileges.
How Dell PAM solutions help: Privileged Session Manager and Privilege Manager for Sudo can be configured to securely archive all administrator functions, including the creation of new accounts and elevation of privileges, as well as all changes, additions or deletions to accounts with root or administrative privileges.

10.2.6 Initialization, stopping, or pausing of the audit logs.
How Dell PAM solutions help: With secure audit trail records and the ability to reconstruct privileged activities, Privileged Session Manager and Privilege Manager for Sudo can assist with audits of all audit log administration activities, including the initialization, stopping and pausing of audit logs on virtually any system component within the CDE.

10.2.7 Creation and deletion of system-level objects.
How Dell PAM solutions help: Privileged Session Manager's session recording and Privilege Manager for Sudo's keystroke logging assist with audits of the creation and deletion of system-level objects.

PCI DSS 3.0 section / Requirement / How Dell PAM solutions help

Requirement 10: Track and monitor all access to network resources and cardholder data (continued).

10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource
How Dell PAM solutions help: Privileged Session Manager records entire sessions with the user ID, date and time, and origination of the event. The remaining elements (type of event, success or failure, and identity of the affected data, system component or resource) can be gleaned by viewing the recorded session. Privilege Manager for Sudo records all commands performed by a privileged user for a given session along with the user ID, date and time, and origination of the event; the remaining elements can be gleaned by reviewing the recorded commands.

10.5 Secure audit trails so they cannot be altered.
How Dell PAM solutions help: Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo can all be used to limit viewing of audit trails on native platforms (Windows, Linux, Unix, and databases) to only those users who have specifically been assigned rights by an authorized administrator. By configuring these solutions to limit access to only those administrators in trusted roles, you can also substantially reduce the possibility of audit trail tampering on these platforms. In addition, the appliance that holds the captured audit trails uses strong cryptography to render both the records it captures and its own audit log unreadable to unauthorized users. The audit log can be accessed only by the TPAM system administrator.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.
How Dell PAM solutions help: The appliance used for Privileged Password Manager and Privileged Session Manager serves as a centralized log server that is secured using full disk encryption, so it is difficult to alter. All access to and from the appliance is encrypted using TLS. In addition, recorded events and commands (including records of access to systems that contain cardholder data) are secured in the encrypted password vault, separate from recorded events captured from other sources. Therefore, any changes made to native logs within the environment being monitored would not affect the records tracked within the Dell products themselves.

10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.
10.6.3 Follow up exceptions and anomalies identified during the review process.
How Dell PAM solutions help: Privileged Session Manager and Privilege Manager for Sudo can periodically review privileged access that has been granted to systems containing or having access to cardholder data. In addition, these management tools are ideal in supporting follow-up for exceptions and anomalies identified during the review process.

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
How Dell PAM solutions help: The playback of recorded sessions as old as 90 days within Privileged Session Manager can be made immediately available for analysis. Older sessions must be archived to external storage to ensure that physical resources on the appliance that houses the solution are not exhausted.

10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.
How Dell PAM solutions help: The documented, consistent use of automated session monitoring in Privileged Session Manager or keystroke recording in Privilege Manager for Sudo can provide supporting evidence that security policies and operational procedures for monitoring access to network resources and cardholder data are in use.

Requirement 11: Regularly test security systems and processes.

11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.
How Dell PAM solutions help: The documented, consistent use of automated session monitoring in Privileged Session Manager or keystroke recording in Privilege Manager for Sudo can provide supporting evidence that security policies and operational procedures for security monitoring and testing are in use.
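Requirements 10.3 and 10.7 above are concrete enough to check mechanically: every audit record must carry six elements, and records must stay immediately available for three months and be retained for a year. The following added example (not Dell product code and not part of the original tech brief) validates a batch of constructed JSON Lines audit records against both rules. The field names (user, event_type, timestamp, outcome, origin, target) are assumed collector fields chosen for this example, not a Dell or PCI schema; the 90-day online window follows the Privileged Session Manager figure quoted above.

```python
import json
from datetime import datetime, timedelta, timezone

# The six audit-trail elements PCI DSS 3.0 Requirement 10.3 lists, mapped to the
# field names this example assumes a log collector emits (assumed names, not a
# Dell or PCI schema).
REQUIRED_FIELDS = {
    "user": "10.3.1 User identification",
    "event_type": "10.3.2 Type of event",
    "timestamp": "10.3.3 Date and time",
    "outcome": "10.3.4 Success or failure indication",
    "origin": "10.3.5 Origination of event",
    "target": "10.3.6 Identity or name of affected data, system component, or resource",
}

# Requirement 10.7 windows: three months immediately available, one year retained.
ONLINE_WINDOW = timedelta(days=90)
RETAIN_WINDOW = timedelta(days=365)

# Constructed sample records in JSON Lines form; not output of any real product.
# Record 1 is complete, record 2 lacks outcome and target, record 3 is complete
# but older than one year.
SAMPLE_LOG = """\
{"user": "jsmith", "event_type": "sudo", "timestamp": "2015-03-01T10:15:00+00:00", "outcome": "success", "origin": "10.0.5.21", "target": "db01:/etc/shadow"}
{"user": "svc_backup", "event_type": "session", "timestamp": "2015-02-20T02:00:00+00:00", "origin": "10.0.5.9"}
{"user": "root", "event_type": "session", "timestamp": "2014-01-10T08:30:00+00:00", "outcome": "failure", "origin": "10.0.7.4", "target": "pos-gw01"}
"""

# Fixed clock so the example is reproducible; a real check uses datetime.now(timezone.utc).
NOW = datetime(2015, 3, 15, tzinfo=timezone.utc)


def parse_records(text):
    """Parse JSON Lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_10_3_fields(record):
    """Return the labels of 10.3 elements that are absent or empty in one record."""
    return [label for field, label in REQUIRED_FIELDS.items() if not record.get(field)]


def retention_tier(record, now=NOW):
    """Classify a record against the 10.7 windows: online, archive, or expired."""
    age = now - datetime.fromisoformat(record["timestamp"])
    if age <= ONLINE_WINDOW:
        return "online"
    if age <= RETAIN_WINDOW:
        return "archive"
    return "expired"


def audit_report(text, now=NOW):
    """Summarise a batch: which records fail 10.3 and how many sit in each 10.7 tier."""
    report = {"incomplete": [], "tiers": {"online": 0, "archive": 0, "expired": 0}}
    for rec in parse_records(text):
        gaps = missing_10_3_fields(rec)
        if gaps:
            report["incomplete"].append((rec.get("user"), gaps))
        if rec.get("timestamp"):  # a record with no date cannot be placed in a tier
            report["tiers"][retention_tier(rec, now)] += 1
    return report


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LOG), indent=2))
```

Records flagged as incomplete are the ones an assessor would reject under 10.3; records in the "archive" tier must still be restorable, and "expired" ones may be purged only once the one-year minimum has passed. Any real deployment should replace the fixed clock with the current UTC time and the assumed field names with the collector's own.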

Requirement 12: Maintain a policy that addresses information security for all personnel.

12.3.1 Explicit approval by authorized parties
How Dell PAM solutions help: An approval request workflow module enforces explicit approval for logical access to critical technologies by authorized parties.

12.3.2 Authentication for use of the technology
How Dell PAM solutions help: All technology use is authenticated with user ID and password. For increased security, two-factor authentication can be required.

12.3.3 A list of all such devices and personnel with access
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
How Dell PAM solutions help: A number of features help you inventory assets and determine asset owner information. For example, the auto-discovery feature can detect all systems in your organization's directory, and the List Assets function can export a list of active systems associated with the appliance in Excel or CSV format. Privilege Manager for Sudo also provides centralized reporting for all access rights and activities for Unix and Linux system components.

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
How Dell PAM solutions help: With Privileged Session Manager, you can grant access to vendors and business partners for a specific period of time using a workflow that requires those users to request and gain approval for a session. In addition, you can record all activity during a session, limit access to specific commands and resources, view all activity occurring within the session in real time, alert if connections exceed pre-set time limits, and terminate connections before pre-set time limits when necessary. When Privileged Session Manager is used in conjunction with Privileged Password Manager, the password can be hidden from the vendor or partner and immediately changed after the end of the session.

12.5.4 Administer user accounts, including additions, deletions, and modifications.
12.5.5 Monitor and control all access to data.
How Dell PAM solutions help: Privileged Password Manager, Privileged Session Manager and Privilege Manager for Sudo help ensure that delegated responsibility for administering privileged user accounts (including additions, deletions and modifications to privileges) and authentication management is formally assigned. In addition, these solutions can help ensure that delegated responsibility for monitoring and controlling all access to the systems that contain cardholder data is formally assigned.

Appendix A, Requirement A.1: Shared hosting providers must protect the cardholder data environment.

A.1.3 Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.
How Dell PAM solutions help: A hosting service provider can use automated session monitoring in Privileged Session Manager or recorded keystrokes in Privilege Manager for Sudo to help ensure that logging and audit trails are enabled and unique to each entity's CDE.

A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
How Dell PAM solutions help: A hosting service provider can use automated session monitoring in Privileged Session Manager or recorded keystrokes in Privilege Manager for Sudo to assist technical personnel with timely forensic investigation processes in the event of a compromise. Privileged Session Manager and Privilege Manager for Sudo are designed to capture the activities of privileged sessions on systems with sensitive data. When the session recording function is used consistently to record all access to cardholder data, auditors can use the activity records of these tools for investigation purposes.
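The 12.3.1 and 12.3.9 rows above describe one control flow: a vendor requests access, an authorized party approves it, the session runs for a fixed window, overruns raise an alert and are terminated, and the credential is hidden from the vendor and rotated afterwards. The following added example (a hypothetical model written for this page, not Dell product code) shows that flow as a small state machine with its own event trail. The class name VendorAccess, the approver role "security-admin", and the use of a random token as the hidden credential are all assumptions made for the example; a real session broker would inject a vaulted credential rather than generate one.

```python
import secrets
from datetime import datetime, timedelta, timezone


class VendorAccess:
    """Approval-gated, time-boxed remote session for a vendor or partner.

    Hypothetical model of the workflow described in the text; not Dell code.
    The vendor never sees the credential: it is generated at session start,
    would be injected by an (assumed) session broker, and is rotated when the
    session ends so that it cannot be reused afterwards.
    """

    def __init__(self, vendor, target, duration, approver_roles=("security-admin",)):
        self.vendor = vendor
        self.target = target
        self.duration = duration
        self.approver_roles = set(approver_roles)  # assumed role names
        self.state = "requested"
        self.approved_by = None
        self.expires_at = None
        self._credential = None
        self.events = []  # (time, event, detail): audit trail for the session

    def _log(self, now, event, detail=""):
        self.events.append((now.isoformat(), event, detail))

    def approve(self, approver, role, now):
        """Only an authorized role may approve; any other attempt is logged and refused."""
        if self.state != "requested":
            raise ValueError(f"cannot approve a session in state {self.state}")
        if role not in self.approver_roles:
            self._log(now, "approval-refused", f"{approver} ({role})")
            raise PermissionError(f"{role} is not an authorized approver")
        self.state = "approved"
        self.approved_by = approver
        self._log(now, "approved", approver)

    def start(self, now):
        """Activate the session for exactly the approved duration."""
        if self.state != "approved":
            raise ValueError("session must be approved before it starts")
        self._credential = secrets.token_urlsafe(24)  # hidden from the vendor
        self.expires_at = now + self.duration
        self.state = "active"
        self._log(now, "started", f"expires {self.expires_at.isoformat()}")

    def check(self, now):
        """Periodic watchdog: alert and terminate once the pre-set limit is exceeded."""
        if self.state != "active":
            return self.state
        if now > self.expires_at:
            self._log(now, "alert", "connection exceeded pre-set time limit")
            self.end(now, reason="time limit exceeded")
            return self.state
        return "ok"

    def end(self, now, reason="completed"):
        """Deactivate immediately and rotate the credential so it cannot be reused."""
        if self.state != "active":
            raise ValueError("only an active session can be ended")
        self._credential = secrets.token_urlsafe(24)  # rotation: the old value is gone
        self.state = "ended"
        self._log(now, "ended", reason)

    def vendor_view(self):
        """What the vendor may see: status and window, never the credential."""
        return {"vendor": self.vendor, "target": self.target, "state": self.state,
                "expires_at": self.expires_at.isoformat() if self.expires_at else None}


def demo():
    """Walk one constructed session through the whole flow and report the outcome."""
    t0 = datetime(2015, 3, 15, 9, 0, tzinfo=timezone.utc)
    acc = VendorAccess("acme-support", "pos-db01", timedelta(hours=2))
    try:
        acc.approve("jdoe", "helpdesk", t0)  # not an authorized approver
    except PermissionError:
        pass
    acc.approve("asmith", "security-admin", t0 + timedelta(minutes=5))
    acc.start(t0 + timedelta(minutes=10))
    first = acc._credential
    in_window = acc.check(t0 + timedelta(hours=1))
    after_limit = acc.check(t0 + timedelta(hours=3))
    return {"in_window": in_window, "after_limit": after_limit,
            "rotated": acc._credential != first, "state": acc.state,
            "events": [e[1] for e in acc.events]}


if __name__ == "__main__":
    print(demo())
```

The event list the demo returns is the same kind of record an assessor would ask for under 12.3.9: who approved, when the window opened, that the overrun was alerted on, and that the session was closed and the credential rotated.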

Conclusion

The scope of PCI DSS compliance is quite large, including the need to manage access within the order-entry applications that capture payment card data themselves. However, to be compliant, you must also manage access to the underlying support systems and platforms that store and protect the integrity of cardholder data. Dell privileged account management solutions enable you to substantially automate the enforcement of PCI DSS controls and protect virtually all systems within the CDE from unauthorized access. With these solutions, you can ensure that each system user is uniquely identified; prevent the abuse of system accounts; enforce strong password management settings; track, record and log all privileged-user activity; secure audit trails; ensure explicit approval by authorized parties; and much more. To learn more about how Dell PAM solutions can help you achieve, demonstrate and maintain PCI DSS compliance, please visit software.dell.com/solutions/privileged-management/

About the author

Joe Grettenberger has over 25 years of experience as an IT assurance professional, including eight years of technology auditing experience in both the public and private sectors. He is certified as an information systems auditor (CISA) and compliance and ethics professional (CCEP), and has served clients for over six years as an IT governance and risk management consultant covering a wide range of IT assurance issues within the regulatory, legal and industry compliance space. Grettenberger has held IT audit, assurance and advisory positions at a number of organizations, including Modern Compliance Solutions, Quest Software, Vintela, Center 7, Franklin Covey and SAIC, and he started his own consulting practice in 2008. He was a recent participant in the Internet Security Alliance initiative to promote cross-industry IT security standards and has participated in several other standard-setting best practice initiatives, including serving on the SunTone Architecture Council and chairing the MSP Association's Best Practice Committee. www.compliancecollaborators.com

For More Information

© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. ("Dell"). Dell, Dell Software, the Dell Software logo and products as identified in this document are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

About Dell Software

Dell Software helps customers unlock greater potential through the power of technology, delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com

If you have any questions regarding your potential use of this material, contact:
Dell Software
5 Polaris Way
Aliso Viejo, CA 92656
www.dellsoftware.com
Refer to our Web site for regional and international office information.

TechBrief-PCI-DSS-Compliance-US-KS-26147