PCI-DSS Compliance Using the Hitachi ID Management Suite
Payment Card Industry Data Security Standard (PCI-DSS) 2.0 Compliance Using Hitachi ID Management Suite

© 2014 Hitachi ID Systems, Inc. All rights reserved.
Contents

1 Introduction
2 The Regulation in Detail
3 Improving Security in General
  3.1 Hitachi ID Password Manager
  3.2 Hitachi ID Identity Manager
  3.3 Hitachi ID Access Certifier
  3.4 Hitachi ID Privileged Access Manager
1 Introduction

The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners. It is organized into six logical categories:

1. Build and Maintain a Secure Network.
2. Protect Cardholder Data.
3. Maintain a Vulnerability Management Program.
4. Implement Strong Access Control Measures.
5. Regularly Monitor and Test Networks.
6. Maintain an Information Security Policy.

PCI-DSS is unique among major regulatory requirements for corporations and government agencies in that it specifically lays out what organizations must do and what they must not do to comply. This makes compliance much more straightforward than regulations such as SOX, HIPAA, etc., which are ambiguous in regards to information security.

To fulfill all of the requirements in PCI-DSS, organizations must deploy a combination of sound business practices and various security technologies, including firewalls, virus scanners, identity management systems and more.

The full text of the PCI DSS version 2.0 (as of April 2012) may be found here: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

This document outlines how components of the Hitachi ID Management Suite can assist organizations in compliance with PCI-DSS.
2 The Regulation in Detail

Hitachi ID Management Suite can help organizations to comply with PCI-DSS requirements and (wherever relevant) itself complies as follows. Each entry gives the requirement, the product that addresses it and the relevant product feature.

Requirement 2.1: Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
  Product: Hitachi ID Privileged Access Manager
  Feature: Scrambles all sensitive passwords regularly, eliminating defaults.

Requirement 2.1.1: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
  Product: Privileged Access Manager
  Feature: Can be used to house randomized encryption keys, SNMP community strings, etc.

Requirement 2.3: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
  Product: Privileged Access Manager
  Feature: Ensures that when administrators request administrative credentials, they do so only with strong authentication and over an encrypted UI (HTTPS).

Requirement 3.4.1: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
  Product: Privileged Access Manager
  Feature: Can be used to securely store encryption keys for disk volumes.

Requirement 3.5: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
  Product: Privileged Access Manager
  Feature: Can be used as a secure key repository.
Requirement 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following.
  Product: Privileged Access Manager
  Feature: Can be used to generate, control disclosure of, periodically replace and securely store cryptographic keys (not just passwords). This makes it suitable as a cryptographic storage platform, not just a privileged password management system. The built-in workflow system can be used to support 3.6.6 – split knowledge and establishment of dual control of cryptographic keys.

Requirement 6.3.6: Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
  Product: Privileged Access Manager
  Feature: Can be used to eliminate hard-coded login IDs and passwords in applications. Instead, applications use a Privileged Access Manager API to fetch IDs and passwords to back-end systems.

Requirement 6.4: Follow change control procedures for all changes to system components.
  Product: Privileged Access Manager
  Feature: Can be used to enforce change control processes – i.e., no approved change control means no password disclosure.

Requirement 6.5: Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following.
  Product: Various
  Feature: See below.

Requirement 6.5 (OWASP: testing for vulnerable password reset, http://www.owasp.org/...):
  Product: Hitachi ID Password Manager
  Feature: Secure authentication prior to self-service password reset.

Requirement 6.5 (OWASP: password length and complexity, http://www.owasp.org/...):
  Product: Password Manager
  Feature: Password complexity checking and secure random password generator.

Requirement 6.5.1: Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws as well as other injection flaws.
  Product: Management Suite
  Feature: Complies itself – all inputs are filtered.

Requirement 6.5.2: Buffer overflow.
  Product: Management Suite
  Feature: Complies itself – all inputs are checked for size and trimmed if required.
Requirement 6.5.3: Insecure cryptographic storage.
  Product: Management Suite
  Feature: Complies itself – strong crypto is used to protect sensitive data such as passwords and security questions.

Requirement 6.5.4: Insecure communications.
  Product: Management Suite
  Feature: Complies itself – inbound communications are HTTPS and outbound communications use a variety of protocols, depending on what the target system supports.

Requirement 6.5.5: Improper error handling.
  Product: Management Suite
  Feature: Complies itself – error handling is strictly local and does not leak credentials.

Requirement 6.5.6: All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
  Product: Management Suite
  Feature: Complies itself – all releases are tested for security vulnerabilities.

Requirement 6.5.7: Cross-site scripting (XSS).
  Product: Management Suite
  Feature: Complies itself – for example, by filtering out HTML content from input fields, which could otherwise be used to inject scripts from another site into a user's session.

Requirement 6.5.8: Improper access control (such as insecure direct object references, failure to restrict URL access, and directory traversal).
  Product: Management Suite
  Feature: Complies itself – all inputs are filtered. Moreover, access to sensitive data within Management Suite is subject to rigorous access controls, linked to both the identity of the requester and the data being accessed.

Requirement 6.5.9: Cross-site request forgery (CSRF).
  Product: Management Suite
  Feature: Complies itself – generally by avoiding use of cookies to track authentication state and limiting functionality available via HTTP GET.

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following.
  Product: Hitachi ID Identity Manager
  Feature: Can assign application privileges based on user roles.

Requirement 7.1.1: Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities.
  Product: Privileged Access Manager
  Feature: Access to privileged accounts can be controlled by user group (role) and authenticated personally.

Requirement 7.1.2: Assignment of privileges is based on individual personnel's job classification and function.
  Product: Identity Manager
  Feature: Used to assign privileges, including by role assignment.
Requirement 7.1.3: Requirement for an authorization form signed by management that specifies required privileges.
  Product: Identity Manager
  Feature: Workflow approval can be required prior to role assignment.

Requirement 7.1.4: Implementation of an automated access control system.
  Product: Management Suite
  Feature: All products in the Management Suite incorporate a flexible access control system internally. Moreover, Identity Manager is designed to configure access control on integrated systems and applications, while Privileged Access Manager is designed to control access to privileged accounts across an IT environment.

Requirement 7.2: Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following.
  Product: Identity Manager
  Feature: Is used to manage user entitlements, which are typically assigned on a least privilege basis.

Requirement 7.2.1: Coverage of all system components.
  Product: Privileged Access Manager
  Feature: Includes 110 connectors.

Requirement 7.2.2: Assignment of privileges to individuals based on job classification and function.
  Product: Identity Manager
  Feature: Supports role-based access control (RBAC).

Requirement 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
  Product: Identity Manager
  Feature: Supports assignment of globally unique IDs to all users and correlation of locally unique IDs to global profiles.

Requirement 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
  • Password.
  • Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys).
  Product: Management Suite
  Feature: Supports management of all of these types of authentication factors. Authenticates users into its own portal with any combination of the above types of authentication factors.
Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
  Product: Management Suite
  Feature: Supports cost-effective provisioning, support and deactivation of two-factor authentication factors, such as tokens and smart cards. Supports use of a cell phone plus password as an ad-hoc two-factor authentication method.

Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows (see details below).

Requirement 8.5.1: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
  Product: Identity Manager
  Feature: Streamlines the management of user IDs, credentials and entitlements.

Requirement 8.5.2: Verify user identity before performing password resets.
  Product: Password Manager
  Feature: Secures self-service and assisted-service password reset processes.

Requirement 8.5.3: Set first-time passwords to a unique value for each user and change immediately after the first use.
  Product: Identity Manager
  Feature: Allows organizations to control the issuance and expiration of initial passwords on accounts it creates.

Requirement 8.5.4: Immediately revoke access for any terminated users.
  Product: Identity Manager
  Feature: Automates termination with a data feed from a system of record (HR), plus allows authorized users to trigger immediate or scheduled deactivation through a web request form.

Requirement 8.5.5: Remove inactive user accounts at least every 90 days.
  Product: Identity Manager
  Feature: Tracks inactive accounts and automatically removes them after N days.

Requirement 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed.
  Product: Privileged Access Manager
  Feature: Can assign temporary passwords for a short "password checkout" period. Also supports launching a remote control connection for vendors, etc., without disclosing the current password value.
Requirement 8.5.7: Communicate password procedures and policies to all users who have access to cardholder data.
  Product: Password Manager
  Feature: Can be used not only to enforce policies but also to communicate policies to end users and track acceptance of same.

Requirement 8.5.8: Do not use group, shared, or generic accounts and passwords.
  Product: Privileged Access Manager
  Feature: Enables organizations to randomize sensitive passwords daily, thereby eliminating the possibility that users share them or never change them.

Requirement 8.5.9: Change user passwords at least every 90 days.
  Product: Password Manager
  Feature: Can require users to change all passwords regularly, including on systems and applications with no native password expiration capability.

Requirement 8.5.10: Require a minimum password length of at least seven characters.
  Product: Management Suite
  Feature: Identity Manager, Password Manager and Privileged Access Manager can all enforce complex password policies, including minimum length rules, for password creation, changes and randomization, respectively. Seven is a bit short, however.

Requirement 8.5.11: Use passwords containing both numeric and alphabetic characters.
  Product: Management Suite
  Feature: All products can enforce a rich variety of password complexity rules.

Requirement 8.5.12: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
  Product: Password Manager
  Feature: Can enforce "infinite" (i.e., open-ended) password history requirements, to eliminate password reuse entirely.

Requirement 8.5.13: Limit repeated access attempts by locking out the user ID after not more than six attempts.
  Product: Management Suite
  Feature: All Management Suite components include intruder lockout to prevent repeated login attempts with invalid credentials.

Requirement 8.5.14: Set the lockout duration to 30 minutes or until administrator enables the user ID.
  Product: Management Suite
  Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.

Requirement 8.5.15: If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
  Product: Management Suite
  Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.
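Requirements 8.5.10 through 8.5.15 are concrete enough to be checked mechanically. The following is an added example, not code from this paper or from any Hitachi ID product, of how an application might enforce those six rules for its own login: minimum length, letters plus digits, password history (with the open-ended variant the paper describes), lockout after six failures for 30 minutes or until an administrator clears it, and a 15-minute idle timeout. The thresholds come from the requirements; the class and function names, the injected clock and the timestamps in the scenario are assumptions made for this illustration.

```python
"""Added example (not Hitachi ID code): enforcing PCI-DSS v2.0 8.5.10 - 8.5.15."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 7                              # 8.5.10
HISTORY_DEPTH = 4                           # 8.5.12: the last four passwords
MAX_FAILED_ATTEMPTS = 6                     # 8.5.13
LOCKOUT_DURATION = timedelta(minutes=30)    # 8.5.14
IDLE_TIMEOUT = timedelta(minutes=15)        # 8.5.15


def password_violations(candidate: str, previous: List[str],
                        history_depth: Optional[int] = HISTORY_DEPTH) -> List[str]:
    """Return the rules the candidate password breaks; an empty list means acceptable.

    previous: earlier passwords, most recent first. A production system compares
    salted hashes; plaintext strings are used here only to keep the example
    self-contained. history_depth=None models an open-ended ("infinite") history:
    no earlier password may ever be reused.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("8.5.10: shorter than %d characters" % MIN_LENGTH)
    has_digit = any(c.isdigit() for c in candidate)
    has_alpha = any(c.isalpha() for c in candidate)
    if not (has_digit and has_alpha):
        problems.append("8.5.11: must contain both letters and digits")
    window = previous if history_depth is None else previous[:history_depth]
    if candidate in window:
        problems.append("8.5.12: reuses a recent password")
    return problems


class AccountLockout:
    """Failed-login and idle-time state for one user ID. The current time is passed
    in by the caller so the behaviour is deterministic and testable."""

    def __init__(self, now: datetime):
        self.failed = 0
        self.locked_until: Optional[datetime] = None
        self.last_activity = now

    def record_failure(self, now: datetime) -> None:
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:          # 8.5.13
            self.locked_until = now + LOCKOUT_DURATION  # 8.5.14

    def record_success(self, now: datetime) -> None:
        self.failed = 0
        self.locked_until = None
        self.last_activity = now

    def admin_unlock(self) -> None:
        """8.5.14 also allows an administrator to re-enable the ID early."""
        self.failed = 0
        self.locked_until = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_until is None:
            return False
        if now >= self.locked_until:   # 30 minutes have elapsed: lock expires
            self.failed = 0
            self.locked_until = None
            return False
        return True

    def touch(self, now: datetime) -> bool:
        """Call on every request. Returns False when the session has been idle for
        more than 15 minutes, i.e. the user must re-enter the password (8.5.15)."""
        if now - self.last_activity > IDLE_TIMEOUT:
            return False
        self.last_activity = now
        return True


def lockout_scenario() -> Dict[str, bool]:
    """Walk one user ID through five failures, a sixth, expiry and an idle session."""
    t0 = datetime(2012, 4, 29, 9, 0)   # constructed timestamp
    guard = AccountLockout(t0)
    for i in range(MAX_FAILED_ATTEMPTS - 1):
        guard.record_failure(t0 + timedelta(seconds=i))
    result = {"locked_after_five": guard.is_locked(t0 + timedelta(seconds=5))}
    guard.record_failure(t0 + timedelta(seconds=5))   # sixth failure locks the ID
    result["locked_after_six"] = guard.is_locked(t0 + timedelta(minutes=5))
    result["locked_at_30_min"] = guard.is_locked(t0 + timedelta(minutes=30))
    result["locked_at_31_min"] = guard.is_locked(t0 + timedelta(minutes=31))
    guard.record_success(t0 + timedelta(minutes=31))
    result["active_after_14_min_idle"] = guard.touch(t0 + timedelta(minutes=45))
    result["active_after_16_min_idle"] = guard.touch(t0 + timedelta(minutes=61))
    return result


if __name__ == "__main__":
    print(password_violations("abc", ["abc"]))
    print(lockout_scenario())
```

The lock is set relative to the time of the sixth failure, so a check exactly 30 minutes after the first failure still reports the ID as locked; only after the full 30 minutes from the locking attempt does `is_locked` clear the counter.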
Requirement 8.5.16: Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
  Product: Privileged Access Manager
  Feature: Can enforce this requirement even for applications that have no personal login IDs. In these cases, it randomizes system-level passwords daily and requires IT workers to self-authenticate when they need the current password value.

Requirement 9.1: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
  Product: Identity Manager
  Feature: Can manage the assignment and activation of building access badges.

Requirements 10.1 – 10.3: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
  Product: Privileged Access Manager
  Feature: Creates precisely this audit log. This even includes movies of administrator sessions.

Requirement 12.1: Establish, publish, maintain, and disseminate a security policy that accomplishes the following.
  Product: Management Suite
  Feature: Clearly, Management Suite cannot develop policies for any Hitachi ID Systems customer – it's just software. However, a variety of Management Suite capabilities support the following policy requirements.

Requirement 12.2: Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
  Product: Management Suite
  Feature: Supports standards and controls over user account maintenance and logging of administrative access.

Requirement 12.3.1: Explicit approval by authorized parties.
  Product: Management Suite
  Feature: Identity Manager and Privileged Access Manager in particular include a robust workflow engine used for change approvals. This applies to requests for access to systems in the former and requests for privileged access in the latter.

Requirement 12.3.2: Authentication for use of the technology.
  Product: Management Suite
  Feature: Password Manager supports strong authentication by helping users to manage their own credentials. Privileged Access Manager authenticates IT staff before granting privileged access.
Requirement 12.3.3: A list of all such devices and personnel with access.
  Product: Privileged Access Manager
  Feature: Includes infrastructure auto-discovery, and all other Management Suite components include user ID auto-discovery.

Requirement 12.3.8: Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
  Product: Privileged Access Manager
  Feature: Supports this for administrative sessions in particular.

Requirement 12.3.9: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.
  Product: Privileged Access Manager
  Feature: Supports granting and terminating of temporary privileged access to users, including vendors and partners.

Assign to an individual or team the following information security management responsibilities (see below how Management Suite can help with some of these tasks).

Requirement 12.5.4: Administer user accounts, including additions, deletions, and modifications.
  Product: Identity Manager
  Feature: Automates the processes around user access setup/update/tear-down.

Requirement 12.6.2: Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
  Product: Password Manager
  Feature: Includes a mechanism to invite users to read and acknowledge policy documents.

Requirement 12.7: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
  Product: Identity Manager
  Feature: Includes both task dependencies and implementer tasks. Together, these features are used to verify completion of such preliminary tasks before granting logical or physical access to a new user.
3 Improving Security in General

3.1 Password Manager

Self-service management of passwords, PINs and encryption keys.

Hitachi ID Password Manager improves the security of authentication processes:

• A strong, uniform password policy prevents the use of easily guessed passwords and ensures that all passwords are changed regularly.
• Password synchronization discourages written passwords ("sticky notes").
• Consistent, reliable authentication processes ensure that users are reliably identified before accessing sensitive services, such as a help desk password reset.
• IT support staff can be empowered to assist callers without having administrator accounts on every system and application.
• Extensive audit logs create accountability for password resets.
• Encryption ensures that passwords are not stored or transmitted in plaintext.

3.2 Identity Manager

User provisioning, RBAC, SoD and access certification.

Hitachi ID Identity Manager strengthens security by:

• Quickly and reliably removing access to all systems and applications when users leave an organization.
• Finding and helping to clean up orphan and dormant accounts.
• Assigning standardized access rights, using roles and rules, to new and transitioned users.
• Enforcing policy regarding segregation of duties and identifying users who are already in violation.
• Ensuring that changes to user entitlements are always authorized before they are completed.
• Asking business stakeholders to periodically review user entitlements and either certify or remove them, as appropriate.
• Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
• Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.
Identity Manager runs an auto-discovery process nightly, which extracts a list of users, their managed attributes and their membership in managed groups from each target system. On systems where Identity Manager is the only authorized user management facility, this list should be identical to the data already inside Identity Manager. Where this is the policy but changes are nevertheless detected, a security exception can be raised. Normally, such exceptions trigger automatic e-mails to target system administrators, asking them to confirm that the detected security changes are valid.

3.3 Access Certifier

Periodic review and cleanup of security entitlements.

Hitachi ID Access Certifier helps organizations to find and eliminate stale user privileges:

• All user objects are subjected to periodic reviews – by managers and group owners. Orphan and dormant accounts are eliminated.
• All user memberships in security groups (also known as roles, profiles, etc.) are periodically scrutinized. Inappropriate rights are deactivated.
• Accountability is introduced by documenting when each login ID and group membership was reviewed and by whom.
• Organizational roll-up allows executives to sign off on statements asserting that all sensitive security rights have been reviewed.

3.4 Privileged Access Manager

Control and audit access to privileged accounts.

Hitachi ID Privileged Access Manager helps organizations to secure privileged accounts:

• Eliminate static and shared passwords.
• Enforce strong authorization controls over who can access which administrative account and when.
• Personally authenticate IT staff before granting access to privileged accounts.
• Create an audit log of who accessed each privileged account and when.
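The nightly reconciliation described at the top of this section, the orphan and dormant account cleanup of section 3.3, and requirement 8.5.5 (removing accounts inactive for 90 days) all rest on the same comparison: the account list extracted from a target system versus the record the identity management system holds. The following is an added example, not Hitachi ID's code, of that comparison. It flags accounts that exist on the target but not in the managed record (created outside the authorized process), managed accounts that have disappeared, group memberships that drifted, accounts with no owning person, and accounts unused for 90 days, then builds the body of the confirmation e-mail to the target system administrator. The record layouts, function names, system name and all sample accounts are constructed for this illustration.

```python
"""Added example (not Hitachi ID code): reconciling a target system's account
list against the identity management record, as in section 3.2's auto-discovery."""
from datetime import date
from typing import Dict, FrozenSet, List, NamedTuple, Optional

INACTIVE_DAYS = 90   # requirement 8.5.5


class DiscoveredAccount(NamedTuple):
    """One row of the nightly extract from a target system."""
    login_id: str
    groups: FrozenSet[str]
    created: date
    last_login: Optional[date]    # None: never logged in


class ManagedAccount(NamedTuple):
    """What the identity management system believes the account should look like."""
    login_id: str
    owner: Optional[str]          # global profile ID; None: no known person
    groups: FrozenSet[str]


def reconcile(discovered: List[DiscoveredAccount], managed: List[ManagedAccount],
              today: date) -> Dict[str, list]:
    """Compare the extract with the managed record and return the exceptions found."""
    disc = {a.login_id: a for a in discovered}
    mgd = {a.login_id: a for a in managed}
    findings: Dict[str, list] = {
        "unmanaged": sorted(disc.keys() - mgd.keys()),   # created outside the process
        "missing": sorted(mgd.keys() - disc.keys()),     # deleted or renamed on the target
        "group_drift": [],
        "orphan": [],
        "dormant": [],
    }
    for login_id in sorted(disc.keys() & mgd.keys()):
        d, m = disc[login_id], mgd[login_id]
        added, removed = d.groups - m.groups, m.groups - d.groups
        if added or removed:
            findings["group_drift"].append((login_id, sorted(added), sorted(removed)))
        if m.owner is None:
            findings["orphan"].append(login_id)   # nobody to certify it: section 3.3
    for login_id, d in sorted(disc.items()):
        last_used = d.last_login or d.created     # a never-used account ages from creation
        if (today - last_used).days >= INACTIVE_DAYS:
            findings["dormant"].append(login_id)
    return findings


def exception_notice(system_name: str, findings: Dict[str, list]) -> str:
    """Body of the e-mail asking the target system administrator to confirm changes."""
    lines = ["Security exceptions detected on %s; please confirm each is valid:" % system_name]
    for kind in ("unmanaged", "missing", "group_drift", "orphan", "dormant"):
        for item in findings[kind]:
            lines.append("  %-12s %s" % (kind, item))
    return "\n".join(lines)


# Constructed sample data: one night's extract and the matching managed record.
TODAY = date(2012, 4, 29)
SAMPLE_DISCOVERED = [
    DiscoveredAccount("alice", frozenset({"staff"}), date(2010, 1, 1), date(2012, 4, 28)),
    DiscoveredAccount("bob", frozenset({"staff", "dba"}), date(2010, 1, 1), date(2012, 4, 20)),
    DiscoveredAccount("svc_backup", frozenset({"backup"}), date(2011, 6, 1), None),
    DiscoveredAccount("tmpadmin", frozenset({"admins"}), date(2012, 4, 26), date(2012, 4, 27)),
]
SAMPLE_MANAGED = [
    ManagedAccount("alice", "P0001", frozenset({"staff"})),
    ManagedAccount("bob", "P0002", frozenset({"staff"})),
    ManagedAccount("svc_backup", None, frozenset({"backup"})),
    ManagedAccount("carol", "P0003", frozenset({"staff"})),
]


def sample_findings() -> Dict[str, list]:
    return reconcile(SAMPLE_DISCOVERED, SAMPLE_MANAGED, TODAY)


if __name__ == "__main__":
    print(exception_notice("hr-db (constructed name)", sample_findings()))
```

On the constructed data, `tmpadmin` is the security exception the paper describes (an administrative account nobody provisioned through the managed process), `carol` has vanished from the target, `bob` gained a `dba` membership that was never approved, and `svc_backup` is both ownerless and dormant, which is exactly the kind of account a periodic certification would remove.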
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3
Tel: 1.403.233.0740  Fax: 1.403.233.0725
E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/pci-dss/pci-dss-compliance-2.0.tex
Date: 2012-04-29