SlideShare a Scribd company logo

EPV_PCI DSS White Paper (3) Cyber Ark

Erni Susanti
Erni Susanti
1 of 7
Download to read offline
How Enterprise Password Vault Helps to Meet Key Requirements within the PCI DSS The PCI DSS – Cyber-Ark’s View The Payment Card Industry Data Security Standard (PCI DSS) de- fines security measures to protect cardholder information that must be implemented by processors, merchants and service providers. The PCI DSS encompasses many aspects of network and data security. Its implementation implies development and adoption of security policies, the use of various security technologies and products as well as the adaptation of existing systems to use these technologies. As a result of the “lack of existence” of any single product to address all aspects of the PCI DSS, compliance can be a daunting task. Cyber-Ark’s Enterprise Password Vault (EPV) creates a central- ized point for enterprises to achieve exceptional security, stream- line updates, enhance maintenance, and ensure compliance with government regulations across all types of privileged, shared and application passwords. These privileged identities can be found in routers, servers, databases, workstations and embedded in applica- tions. EPV allows you to control the power within your organization by managing and securing all activities and logs associated with privileged passwords and shared accounts. Enterprises should be looking for solutions that solve a broad spec- trum of PCI DSS compliance issues while simultaneously eliminat- ing any new security concerns. Furthermore, the PCI DSS require- ments can be leveraged by enterprises to not only improve their security measures but also improve overall business processes and achieve return on investment (ROI) – which goes beyond compli- ance and security. How Enterprise Password Vault Addresses the Specific Points of PCI DSS Cyber-Ark products are built on top of their patented Vaulting® Tech- nology -- equivalent to a physical safe, only in the digital world. The Cyber-Ark Vault allows organizations to secure data from end-to- end using multiple security layers, including Firewall, Data Access Control and End-to-End Encryption. To that end, Cyber-Ark’s Cyber-Ark® Software and the PCI Data Security Standard ENTERPRISE PASSWORD VAULT® (EPV) Cyber-Ark’s EPV addresses the business concerns and regulatory mandates for sensitive document security by providing a centralized secure repository and sharing platform for an organization’s most highly sensitive information “ ” 57 Wells Avenue Suite 20A Newton, MA 02469 P: 617.965.1544 E: sales@cyber-ark.com W: www.cyber-ark.com
Enterprise Password Vault (EPV) solution complies with many sections of the PCI DSS including: storage, in transit encryption, restricted access on a need-to-know basis, unique ids and compre- hensive auditing. (See Appendix A for more details). Cyber-Ark Enterprise Password Vault Enables organizations to secure, manage, automatically change• and log activities associated with all types of Privileged Pass- words (i.e. System Administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device) as well as embedded passwords found in applications, scripts and applica- tion servers. Defines the storage, reset parameters and usage policies of• passwords as well as personalizes administrative access that is usually carried with generic shared accounts, such as root or DBA users (meeting requirements 2.1, 10 and 10.1). Eliminates the usage of clear-text, hard-coded passwords within• application code as required by section 6.3.6 of the PCI DSS. Streamlines IT processes and greatly improves the efficiency• and security of IT to the organization (related to password management and password resets that otherwise may consume substantial resources). Provides the most secure location for passwords, documents• and files containing such data and addresses most of the above- mentioned requirements (Section 3 of the PCI DSS) Helps achieve other systems’ compliance, by, for example,• securely storing encryption keys from other systems within the Vault as well. Summary The focus on PCI DSS compliance is increasing each and every day, making it incumbent upon processors, merchants and service providers to do all they can to reach compliance as quickly and efficiently as possible. The Enterprise Password Vault, and other Digital Vault-based solutions from Cyber-Ark Software answers to most of the specific PCI requirements around passwords and data security. By implementing these solutions, and the associated best practices approaches for privileged accounts and highly sensitive information, will greatly enhance many companies overall security posture and their compliance with PCI DSS. The focus on PCI DSS compliance is increasing each and every day, making it incumbent upon processors, merchants and service providers to do all they can to reach compliance as quickly and efficiently as possible. “ ” 57 Wells Avenue Suite 20A Newton, MA 02469 P: 617.965.1544 E: sales@cyber-ark.com W: www.cyber-ark.com
Regulation requirement How Cyber-Ark helps 2 Do not use vendor-supplied defaults for system passwords and other security parameters. Cyber-Ark Enterprise Password Vault provides a secure location for storing and sharing sensitive and powerful passwords across the enterprise. 2.1 Always change the vendor-sup- plied defaults before you install a system on the network. The Enterprise Password Vault periodically resets and synchro- nizes passwords on servers, applications and appliances. 3 Protect stored data. The most fundamental concept of Cyber‑Ark Vault is its secure storage. The Vault provides comprehensive environment to se- curely store sensitive data. With its firewall, strong authentication, session encryption, storage encryption, extensive auditing, access control, dual control and other security measures, the Vault pro- vides the ultimate environment to ensure the security and confi- dentiality of any type of file or document. 3.1 Keep cardholder information storage to a minimum. Limit your storage amount and reten- tion time to that which is re- quired for business, legal, and/ or regulatory purposes. Information stored within the Enterprise Password Vault is subject- ed to retention period rules and will be deleted upon the expiration of this period. 3.4 Render sensitive cardholder data unreadable anywhere it is stored, by using (among oth- ers) strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures. Data stored within the Enterprise Password Vault is encrypted and signed using AES 256-bit and SHA-1. The Vault seamlessly protects and manages encryption keys. 3.5 Protect encryption keys against both disclosure and misuse: 3.5.1 Restrict access to keys to the fewest number of custo- dians necessary. 3.5.2 Store keys securely in the fewest possible locations and forms. Cyber-Ark Enterprise Password Vault internally manages its en- cryption keys. Each data item is encrypted with a unique encryp- tion key. Only the relevant encryption keys are provided to authenticated and authorized users (req. 3.5, 3.5.1, 3.5.2).
Regulation requirement How Cyber-Ark helps 3.6 Fully document and implement all key management processes and procedures, including: 3.6.1 Generation of strong keys 3.6.2 Secure key distribution 3.6.3 Secure key storage 3.6.4 Periodic key changes 3.6.5 Destruction of old keys 3.6.6 Split knowledge and dual control of keys (so that it requires 2 or 3 people, each knowing only their part of the key, to reconstruct the whole key). 3.6.7 Prevention of unauthor- ized substitution of keys Cyber-Ark Enterprise Password Vault fully manages encryption keys for stored data (req. 3.6), including: Generation of strong keys (req. 3.6.1) Keys are securely distributed over an encrypted channel to au- thenticated and authorized users (req. 3.6.2). Keys are securely stored within the Vault, benefiting from all of the Vault’s security layers (req. 3.6.3). Encryption keys can be changed periodically (req. 3.6.4). Encryption keys are used only once – every data item has a unique key (req. 3.6.5). The Dual Control feature ensures selected data is subject to ad- ditional confirmation before leaving the Vault (req. 3.6.6). Encryption keys are stored within the Vault and can’t be substi- tuted manually (req. 3.6.7). 4 Encrypt transmission of card- holder and sensitive informa- tion across public networks. Use encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL), Point- to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSEC), etc. to safe- guard sensitive cardholder data during transmission over public networks. All data transmitted to and from the Enterprise Password Vault is encrypted and digitally signed using AES-256 and SHA-1. 6 Develop and maintain secure systems and applications. 6.3.6 Removal of custom ap- plication accounts, usernames, and passwords before appli- cations become active or are released to customers. The Enterprise Password Vault is used to remove clear-text, hard‑coded passwords from application code.
Regulation requirement How Cyber-Ark helps 7 7.1 7.2 Restrict access to data by busi- ness need-to-know. Information stored in Cyber- Ark Enterprise Password Vault in a highly departmentalized manner. Only authenticated users can access data and only based on their authorizations. Establish a mechanism for sys- tems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. Information stored in Cyber-Ark Enterprise Password Vault in a highly departmentalized manner. Only authenticated users can access data and only based on their authorizations (req. 7, 7.1). Each user of the Vault is assigned with an individual account and can access only data he or she is permitted to (req. 7.2). 8 8.1 8.2 8.3 8.4 8.5 Assign a unique ID to each per- son with computer access Identify all users with a unique username before allowing them to access system components or cardholder data. Employ at least one of the methods below, in addition to unique identification, to au- thenticate all users: Password, Token devices (e.g., SecureID, certificates, or public key), Bio- metrics. Implement 2-factor authentica- tion for remote access to the network by employees, admin- istrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates. Encrypt all passwords during transmission and storage, on all system components. Ensure proper user authentica- tion and password manage- ment for non-consumer users and administrators, on all system components. Each user of the Enterprise Password Vault is assigned with an individual account (req. 8, 8.1). Cyber-Ark Vault supports strong authentication mechanisms that can be based on passwords or tokens (req. 8.2, 8.5 ) The Vault also supports 2-factor authentication (req. 8.3). The authentication process to the Vault is secure and the creden- tials (e.g. password) us encrypted (req. 8.4) Additionally, Cyber-Ark’s Enterprise Password Vault can be used to protect and periodically change various passwords across the organization (req. 8.4, 8.5).
Regulation requirement How Cyber-Ark helps 10 10.1 10.2 Track and monitor all access to network resources and card- holder data. Establish a process for linking all access to system compo- nents (especially those done with administrative privileges such as root) to an individual user. Implement automated audit trails to reconstruct the fol- lowing events, for all system components: 10.2.1 All individual user ac- cesses to cardholder data. 10.2.2 All actions taken by any individual with root or adminis- trative privileges. 10.2.3 Access to all audit trails. 10.2.4 Invalid logical access attempts. 10.2 5 Use of identification and authentication mechanisms. 10.2.6 Initialization of the audit logs. 10.2.7 Creation and deletion of system level objects. 10.3 Record at least the follow- ing audit trail entries for each event, for all system com- ponents: User identification; Type of event; Date and time; Success or failure indication; Origination of event; Identity or name of affected data; system component or resource. Access to data within the Enterprise Password Vault is logged (req. 10). Enterprise Password Vault enforces personalization of shared administrative accounts (such as root and DBA accounts) and guarantees logging is on an individual level (req. 10.1). Each user of the Vault is assigned with an individual account, thus audit logs are always personal (req. 10.1). Cyber-Ark Enterprise Password Vault logs every successful and unsuccessful events, including login, data access and adminis- trative activities (req. 10.2, 10.2.1, 10.2.4, 10.2.5, 10.2.7). Audit trails are stored within the Vault and protected by it. Audit trails are encrypted and signed and can’t be altered manually. Audit trail is maintained for a predefined period of time and can’t be deleted before the retention period expires. Audit logs are backed up as part of the standard system backup procedures. Access to the logs is governed by access control (req. 10.2.3, 10.2.6, 10.5, 10.5.1, 10.5.2, 10.5.3, 10.5.5, 10.7) Audit logs contain detailed information about the nature of the event, including acting user, type, data and time, success or failure and event origination (req. 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6)
Regulation requirement How Cyber-Ark helps 10.5 Secure audit trails so they cannot be altered, including the following: Limit viewing of audit trails to those with a job-related need; Protect audit trail files from unauthorized modifica- tions; Promptly back-up audit trail files to a centralized log server or media that is dif- ficult to alter; Use file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts. 10.7 Retain your audit trail his- tory for a period that is consis- tent with its effective use, as well as legal regulations. About Cyber-Ark Cyber-Ark™ Software is the leading provider of Privileged Identity Management (PIM) solutions or securing privileged user accounts and highly-sensitive information across the enterprise. Long recognized as an industry innovator for its patented Vaulting Technology™, Cyber-Ark’s digital vault products include: The Enterprise Pass- word Vault™ for the secure management of administrative, application and privileged user passwords; the Inter- Business Vault™, a secure infrastructure for cross-enterprise data exchange of highly-sensitive information, and the Sensitive Document Vault™ for secure storage and management of highly-sensitive documents. Cyber-Ark’s Vaulting platform has been tested by ICSA Labs, an independent division of Cybertrust and the security industry’s central authority for research, intelligence, and certification testing of security products. Cyber-Ark’s award-winning technology is deployed by more than 300 global customers, including 100 of the world’s largest banks and finan- cial institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com P: 617.965.1544 | E: sales@cyber-ark.com | W: www.cyber-ark.com

Recommended

CyberArk
CyberArkCyberArk
CyberArk
Jimmy Sze
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
Raleigh ISSA
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
OracleIDM
 
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for QualysQualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
Risk Analysis Consultants, s.r.o.
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
Marco Di Martino
 
Cyber ark training
Cyber ark trainingCyber ark training
Cyber ark training
Global Online Trainings
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Lance Peterman
 

Recommended

CyberArk
CyberArkCyberArk
CyberArk
Jimmy Sze
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
Raleigh ISSA
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
OracleIDM
 
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for QualysQualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
Risk Analysis Consultants, s.r.o.
 
Privileged identity management
Privileged identity managementPrivileged identity management
Privileged identity management
Nis
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
Marco Di Martino
 
Cyber ark training
Cyber ark trainingCyber ark training
Cyber ark training
Global Online Trainings
 
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Privileged Access Management - Unsticking Your PAM Program - CIS 2015
Lance Peterman
 
CyberArk Master Policy Intro
CyberArk Master Policy IntroCyberArk Master Policy Intro
CyberArk Master Policy Intro
CyberArk
 
"EL ATAQUE INTERNO"
"EL ATAQUE INTERNO""EL ATAQUE INTERNO"
"EL ATAQUE INTERNO"
Jose Luis Balbiano
 
CyberArk Cleveland Defend Multi-Factor
CyberArk Cleveland Defend Multi-FactorCyberArk Cleveland Defend Multi-Factor
CyberArk Cleveland Defend Multi-Factor
Chad Bowerman
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
Imperva
 
IBM Security SaaS IaaS and PaaS
IBM Security SaaS IaaS and PaaSIBM Security SaaS IaaS and PaaS
IBM Security SaaS IaaS and PaaS
Camilo Fandiño Gómez
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
Symantec
 
Devasis Kumar Mahato - Resume
Devasis Kumar Mahato - ResumeDevasis Kumar Mahato - Resume
Devasis Kumar Mahato - Resume
Devasis Kumar
 
IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.
Avishek Priyadarshi
 
SIEM
SIEMSIEM
SIEM
vikasraina
 
Cyberark training pdf
Cyberark training pdfCyberark training pdf
Cyberark training pdf
Akhil Kumar
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 
Iraje brochure v17 master
Iraje brochure v17 masterIraje brochure v17 master
Iraje brochure v17 master
Mechsoft Technologies LLC
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
MHumaamAl
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
Nishanth Kumar Pathi
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
Piyush Jain
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Andris Soroka
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
rver21
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Digital Bond
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
AlienVault
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
SecurityMetrics
 
CyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPVCyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPV
Rodney Dapilmoto
 

More Related Content

What's hot

Devasis Kumar Mahato - Resume
Devasis Kumar Mahato - ResumeDevasis Kumar Mahato - Resume
Devasis Kumar Mahato - Resume
Devasis Kumar
 
IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.
Avishek Priyadarshi
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
 

What's hot (20)

CyberArk Master Policy Intro
CyberArk Master Policy IntroCyberArk Master Policy Intro
CyberArk Master Policy Intro
 
"EL ATAQUE INTERNO"
"EL ATAQUE INTERNO""EL ATAQUE INTERNO"
"EL ATAQUE INTERNO"
 
CyberArk Cleveland Defend Multi-Factor
CyberArk Cleveland Defend Multi-FactorCyberArk Cleveland Defend Multi-Factor
CyberArk Cleveland Defend Multi-Factor
 
Database Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower CostsDatabase Security, Better Audits, Lower Costs
Database Security, Better Audits, Lower Costs
 
IBM Security SaaS IaaS and PaaS
IBM Security SaaS IaaS and PaaSIBM Security SaaS IaaS and PaaS
IBM Security SaaS IaaS and PaaS
 
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
A Symantec Advisory Guide Migrating to Symantec™ Validation and ID Protection...
 
Devasis Kumar Mahato - Resume
Devasis Kumar Mahato - ResumeDevasis Kumar Mahato - Resume
Devasis Kumar Mahato - Resume
 
IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.IBM-QRadar-Corporate-Online-Training.
IBM-QRadar-Corporate-Online-Training.
 
SIEM
SIEMSIEM
SIEM
 
Cyberark training pdf
Cyberark training pdfCyberark training pdf
Cyberark training pdf
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Iraje brochure v17 master
Iraje brochure v17 masterIraje brochure v17 master
Iraje brochure v17 master
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
Data security solutions_Baltics_IBM_QRadar_SIEM_Use_Cases_28.01.2014
 
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
LTS SECURE SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
 
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
Managing and Securing Remote Access To Critical Infrastructure, Yariv Lenchne...
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 

Viewers also liked

CyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPVCyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPV
Rodney Dapilmoto
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 

Viewers also liked (6)

Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
CyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPVCyberArk Certificate_Advanced_EPV
CyberArk Certificate_Advanced_EPV
 
CyberArk case study
CyberArk case studyCyberArk case study
CyberArk case study
 
BalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT StaffBalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT Staff
 
Technical debt in cyber ark [agile practitioners-2015]
Technical debt in cyber ark [agile practitioners-2015]Technical debt in cyber ark [agile practitioners-2015]
Technical debt in cyber ark [agile practitioners-2015]
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
 

Similar to EPV_PCI DSS White Paper (3) Cyber Ark

Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
Amazon Web Services
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
Amazon Web Services
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
Evgeniya Shumakher
 
Enterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesEnterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and Strategies
Ulf Mattsson
 
Vaultless_Tokenization_Payments_Industry
Vaultless_Tokenization_Payments_IndustryVaultless_Tokenization_Payments_Industry
Vaultless_Tokenization_Payments_Industry
Johan Dentant
 
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
Bloombase
 

Similar to EPV_PCI DSS White Paper (3) Cyber Ark (20)

Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 
Secure Channels Financal Institution Presentation
Secure Channels Financal Institution PresentationSecure Channels Financal Institution Presentation
Secure Channels Financal Institution Presentation
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
 
Maintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the CloudMaintaining Trust & Control of your Data in the Cloud
Maintaining Trust & Control of your Data in the Cloud
 
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
New York Metro ISSA - PCI DSS Compliance - Ulf Mattsson 2009
 
CLOUD SECURITY.pptx
CLOUD SECURITY.pptxCLOUD SECURITY.pptx
CLOUD SECURITY.pptx
 
Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4
 
IBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf MattssonIBM Share Conference 2010, Boston, Ulf Mattsson
IBM Share Conference 2010, Boston, Ulf Mattsson
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
Will your cloud be compliant
Will your cloud be compliantWill your cloud be compliant
Will your cloud be compliant
 
Bloombase store safe mf solution brief 2018 r0.91
Bloombase store safe mf solution brief 2018 r0.91Bloombase store safe mf solution brief 2018 r0.91
Bloombase store safe mf solution brief 2018 r0.91
 
Enterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and StrategiesEnterprise Data Protection - Understanding Your Options and Strategies
Enterprise Data Protection - Understanding Your Options and Strategies
 
Vaultless_Tokenization_Payments_Industry
Vaultless_Tokenization_Payments_IndustryVaultless_Tokenization_Payments_Industry
Vaultless_Tokenization_Payments_Industry
 
Bloombase store safe mf solution brief 2017 pdf
Bloombase store safe mf solution brief 2017 pdfBloombase store safe mf solution brief 2017 pdf
Bloombase store safe mf solution brief 2017 pdf
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
PCI Compliance white paper
PCI Compliance white paper PCI Compliance white paper
PCI Compliance white paper
 
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
 
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
Blbs prod-bloombase-store safe-product-brochure-uslet-en-r3
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 

More from Erni Susanti

Shenzhen_Airline_Cargo_case_study_v1d
Shenzhen_Airline_Cargo_case_study_v1dShenzhen_Airline_Cargo_case_study_v1d
Shenzhen_Airline_Cargo_case_study_v1d
Erni Susanti
 
Financial services use cases
Financial services use casesFinancial services use cases
Financial services use cases
Erni Susanti
 
MapR Data Hub White Paper V2 2014
MapR Data Hub White Paper V2 2014MapR Data Hub White Paper V2 2014
MapR Data Hub White Paper V2 2014
Erni Susanti
 
Cisco Big Data Use Case
Cisco Big Data Use CaseCisco Big Data Use Case
Cisco Big Data Use Case
Erni Susanti
 
cisco_bigdata_case_study_1
cisco_bigdata_case_study_1cisco_bigdata_case_study_1
cisco_bigdata_case_study_1
Erni Susanti
 
mapr_case_study_experian
mapr_case_study_experianmapr_case_study_experian
mapr_case_study_experian
Erni Susanti
 

More from Erni Susanti (6)

Shenzhen_Airline_Cargo_case_study_v1d
Shenzhen_Airline_Cargo_case_study_v1dShenzhen_Airline_Cargo_case_study_v1d
Shenzhen_Airline_Cargo_case_study_v1d
 
Financial services use cases
Financial services use casesFinancial services use cases
Financial services use cases
 
MapR Data Hub White Paper V2 2014
MapR Data Hub White Paper V2 2014MapR Data Hub White Paper V2 2014
MapR Data Hub White Paper V2 2014
 
Cisco Big Data Use Case
Cisco Big Data Use CaseCisco Big Data Use Case
Cisco Big Data Use Case
 
cisco_bigdata_case_study_1
cisco_bigdata_case_study_1cisco_bigdata_case_study_1
cisco_bigdata_case_study_1
 
mapr_case_study_experian
mapr_case_study_experianmapr_case_study_experian
mapr_case_study_experian
 

EPV_PCI DSS White Paper (3) Cyber Ark

  • 1. How Enterprise Password Vault Helps to Meet Key Requirements within the PCI DSS The PCI DSS – Cyber-Ark’s View The Payment Card Industry Data Security Standard (PCI DSS) de- fines security measures to protect cardholder information that must be implemented by processors, merchants and service providers. The PCI DSS encompasses many aspects of network and data security. Its implementation implies development and adoption of security policies, the use of various security technologies and products as well as the adaptation of existing systems to use these technologies. As a result of the “lack of existence” of any single product to address all aspects of the PCI DSS, compliance can be a daunting task. Cyber-Ark’s Enterprise Password Vault (EPV) creates a central- ized point for enterprises to achieve exceptional security, stream- line updates, enhance maintenance, and ensure compliance with government regulations across all types of privileged, shared and application passwords. These privileged identities can be found in routers, servers, databases, workstations and embedded in applica- tions. EPV allows you to control the power within your organization by managing and securing all activities and logs associated with privileged passwords and shared accounts. Enterprises should be looking for solutions that solve a broad spec- trum of PCI DSS compliance issues while simultaneously eliminat- ing any new security concerns. Furthermore, the PCI DSS require- ments can be leveraged by enterprises to not only improve their security measures but also improve overall business processes and achieve return on investment (ROI) – which goes beyond compli- ance and security. How Enterprise Password Vault Addresses the Specific Points of PCI DSS Cyber-Ark products are built on top of their patented Vaulting® Tech- nology -- equivalent to a physical safe, only in the digital world. The Cyber-Ark Vault allows organizations to secure data from end-to- end using multiple security layers, including Firewall, Data Access Control and End-to-End Encryption. To that end, Cyber-Ark’s Cyber-Ark® Software and the PCI Data Security Standard ENTERPRISE PASSWORD VAULT® (EPV) Cyber-Ark’s EPV addresses the business concerns and regulatory mandates for sensitive document security by providing a centralized secure repository and sharing platform for an organization’s most highly sensitive information “ ” 57 Wells Avenue Suite 20A Newton, MA 02469 P: 617.965.1544 E: sales@cyber-ark.com W: www.cyber-ark.com
  • 2. Enterprise Password Vault (EPV) solution complies with many sections of the PCI DSS including: storage, in transit encryption, restricted access on a need-to-know basis, unique ids and compre- hensive auditing. (See Appendix A for more details). Cyber-Ark Enterprise Password Vault Enables organizations to secure, manage, automatically change• and log activities associated with all types of Privileged Pass- words (i.e. System Administrator on a Windows server, Root on a UNIX server, Cisco Enable on a Cisco device) as well as embedded passwords found in applications, scripts and applica- tion servers. Defines the storage, reset parameters and usage policies of• passwords as well as personalizes administrative access that is usually carried with generic shared accounts, such as root or DBA users (meeting requirements 2.1, 10 and 10.1). Eliminates the usage of clear-text, hard-coded passwords within• application code as required by section 6.3.6 of the PCI DSS. Streamlines IT processes and greatly improves the efficiency• and security of IT to the organization (related to password management and password resets that otherwise may consume substantial resources). Provides the most secure location for passwords, documents• and files containing such data and addresses most of the above- mentioned requirements (Section 3 of the PCI DSS) Helps achieve other systems’ compliance, by, for example,• securely storing encryption keys from other systems within the Vault as well. Summary The focus on PCI DSS compliance is increasing each and every day, making it incumbent upon processors, merchants and service providers to do all they can to reach compliance as quickly and efficiently as possible. The Enterprise Password Vault, and other Digital Vault-based solutions from Cyber-Ark Software answers to most of the specific PCI requirements around passwords and data security. By implementing these solutions, and the associated best practices approaches for privileged accounts and highly sensitive information, will greatly enhance many companies overall security posture and their compliance with PCI DSS. The focus on PCI DSS compliance is increasing each and every day, making it incumbent upon processors, merchants and service providers to do all they can to reach compliance as quickly and efficiently as possible. “ ” 57 Wells Avenue Suite 20A Newton, MA 02469 P: 617.965.1544 E: sales@cyber-ark.com W: www.cyber-ark.com
  • 3. Regulation requirement How Cyber-Ark helps 2 Do not use vendor-supplied defaults for system passwords and other security parameters. Cyber-Ark Enterprise Password Vault provides a secure location for storing and sharing sensitive and powerful passwords across the enterprise. 2.1 Always change the vendor-sup- plied defaults before you install a system on the network. The Enterprise Password Vault periodically resets and synchro- nizes passwords on servers, applications and appliances. 3 Protect stored data. The most fundamental concept of Cyber‑Ark Vault is its secure storage. The Vault provides comprehensive environment to se- curely store sensitive data. With its firewall, strong authentication, session encryption, storage encryption, extensive auditing, access control, dual control and other security measures, the Vault pro- vides the ultimate environment to ensure the security and confi- dentiality of any type of file or document. 3.1 Keep cardholder information storage to a minimum. Limit your storage amount and reten- tion time to that which is re- quired for business, legal, and/ or regulatory purposes. Information stored within the Enterprise Password Vault is subject- ed to retention period rules and will be deleted upon the expiration of this period. 3.4 Render sensitive cardholder data unreadable anywhere it is stored, by using (among oth- ers) strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures. Data stored within the Enterprise Password Vault is encrypted and signed using AES 256-bit and SHA-1. The Vault seamlessly protects and manages encryption keys. 3.5 Protect encryption keys against both disclosure and misuse: 3.5.1 Restrict access to keys to the fewest number of custo- dians necessary. 3.5.2 Store keys securely in the fewest possible locations and forms. Cyber-Ark Enterprise Password Vault internally manages its en- cryption keys. Each data item is encrypted with a unique encryp- tion key. Only the relevant encryption keys are provided to authenticated and authorized users (req. 3.5, 3.5.1, 3.5.2).
  • 4. Regulation requirement How Cyber-Ark helps 3.6 Fully document and implement all key management processes and procedures, including: 3.6.1 Generation of strong keys 3.6.2 Secure key distribution 3.6.3 Secure key storage 3.6.4 Periodic key changes 3.6.5 Destruction of old keys 3.6.6 Split knowledge and dual control of keys (so that it requires 2 or 3 people, each knowing only their part of the key, to reconstruct the whole key). 3.6.7 Prevention of unauthor- ized substitution of keys Cyber-Ark Enterprise Password Vault fully manages encryption keys for stored data (req. 3.6), including: Generation of strong keys (req. 3.6.1) Keys are securely distributed over an encrypted channel to au- thenticated and authorized users (req. 3.6.2). Keys are securely stored within the Vault, benefiting from all of the Vault’s security layers (req. 3.6.3). Encryption keys can be changed periodically (req. 3.6.4). Encryption keys are used only once – every data item has a unique key (req. 3.6.5). The Dual Control feature ensures selected data is subject to ad- ditional confirmation before leaving the Vault (req. 3.6.6). Encryption keys are stored within the Vault and can’t be substi- tuted manually (req. 3.6.7). 4 Encrypt transmission of card- holder and sensitive informa- tion across public networks. Use encryption techniques (at least 128 bit) such as Secure Sockets Layer (SSL), Point- to-Point Tunneling Protocol (PPTP), Internet Protocol Security (IPSEC), etc. to safe- guard sensitive cardholder data during transmission over public networks. All data transmitted to and from the Enterprise Password Vault is encrypted and digitally signed using AES-256 and SHA-1. 6 Develop and maintain secure systems and applications. 6.3.6 Removal of custom ap- plication accounts, usernames, and passwords before appli- cations become active or are released to customers. The Enterprise Password Vault is used to remove clear-text, hard‑coded passwords from application code.
  • 5. Regulation requirement How Cyber-Ark helps 7 7.1 7.2 Restrict access to data by busi- ness need-to-know. Information stored in Cyber- Ark Enterprise Password Vault in a highly departmentalized manner. Only authenticated users can access data and only based on their authorizations. Establish a mechanism for sys- tems with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. Information stored in Cyber-Ark Enterprise Password Vault in a highly departmentalized manner. Only authenticated users can access data and only based on their authorizations (req. 7, 7.1). Each user of the Vault is assigned with an individual account and can access only data he or she is permitted to (req. 7.2). 8 8.1 8.2 8.3 8.4 8.5 Assign a unique ID to each per- son with computer access Identify all users with a unique username before allowing them to access system components or cardholder data. Employ at least one of the methods below, in addition to unique identification, to au- thenticate all users: Password, Token devices (e.g., SecureID, certificates, or public key), Bio- metrics. Implement 2-factor authentica- tion for remote access to the network by employees, admin- istrators, and third parties. Use technologies such as RADIUS or TACACS with tokens, or VPN with individual certificates. Encrypt all passwords during transmission and storage, on all system components. Ensure proper user authentica- tion and password manage- ment for non-consumer users and administrators, on all system components. Each user of the Enterprise Password Vault is assigned with an individual account (req. 8, 8.1). Cyber-Ark Vault supports strong authentication mechanisms that can be based on passwords or tokens (req. 8.2, 8.5 ) The Vault also supports 2-factor authentication (req. 8.3). The authentication process to the Vault is secure and the creden- tials (e.g. password) us encrypted (req. 8.4) Additionally, Cyber-Ark’s Enterprise Password Vault can be used to protect and periodically change various passwords across the organization (req. 8.4, 8.5).
  • 6. Regulation requirement How Cyber-Ark helps 10 10.1 10.2 Track and monitor all access to network resources and card- holder data. Establish a process for linking all access to system compo- nents (especially those done with administrative privileges such as root) to an individual user. Implement automated audit trails to reconstruct the fol- lowing events, for all system components: 10.2.1 All individual user ac- cesses to cardholder data. 10.2.2 All actions taken by any individual with root or adminis- trative privileges. 10.2.3 Access to all audit trails. 10.2.4 Invalid logical access attempts. 10.2 5 Use of identification and authentication mechanisms. 10.2.6 Initialization of the audit logs. 10.2.7 Creation and deletion of system level objects. 10.3 Record at least the follow- ing audit trail entries for each event, for all system com- ponents: User identification; Type of event; Date and time; Success or failure indication; Origination of event; Identity or name of affected data; system component or resource. Access to data within the Enterprise Password Vault is logged (req. 10). Enterprise Password Vault enforces personalization of shared administrative accounts (such as root and DBA accounts) and guarantees logging is on an individual level (req. 10.1). Each user of the Vault is assigned with an individual account, thus audit logs are always personal (req. 10.1). Cyber-Ark Enterprise Password Vault logs every successful and unsuccessful events, including login, data access and adminis- trative activities (req. 10.2, 10.2.1, 10.2.4, 10.2.5, 10.2.7). Audit trails are stored within the Vault and protected by it. Audit trails are encrypted and signed and can’t be altered manually. Audit trail is maintained for a predefined period of time and can’t be deleted before the retention period expires. Audit logs are backed up as part of the standard system backup procedures. Access to the logs is governed by access control (req. 10.2.3, 10.2.6, 10.5, 10.5.1, 10.5.2, 10.5.3, 10.5.5, 10.7) Audit logs contain detailed information about the nature of the event, including acting user, type, data and time, success or failure and event origination (req. 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6)
  • 7. Regulation requirement How Cyber-Ark helps 10.5 Secure audit trails so they cannot be altered, including the following: Limit viewing of audit trails to those with a job-related need; Protect audit trail files from unauthorized modifica- tions; Promptly back-up audit trail files to a centralized log server or media that is dif- ficult to alter; Use file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts. 10.7 Retain your audit trail his- tory for a period that is consis- tent with its effective use, as well as legal regulations. About Cyber-Ark Cyber-Ark™ Software is the leading provider of Privileged Identity Management (PIM) solutions or securing privileged user accounts and highly-sensitive information across the enterprise. Long recognized as an industry innovator for its patented Vaulting Technology™, Cyber-Ark’s digital vault products include: The Enterprise Pass- word Vault™ for the secure management of administrative, application and privileged user passwords; the Inter- Business Vault™, a secure infrastructure for cross-enterprise data exchange of highly-sensitive information, and the Sensitive Document Vault™ for secure storage and management of highly-sensitive documents. Cyber-Ark’s Vaulting platform has been tested by ICSA Labs, an independent division of Cybertrust and the security industry’s central authority for research, intelligence, and certification testing of security products. Cyber-Ark’s award-winning technology is deployed by more than 300 global customers, including 100 of the world’s largest banks and finan- cial institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com P: 617.965.1544 | E: sales@cyber-ark.com | W: www.cyber-ark.com