PCI and Remote Vendors

PCI and Remote Vendors: Eliminating the complexity - Free Guide
To meet PCI requirements, CIOs and compliance officers must ensure user accountability.
When it comes to privileged users, the requirements and complexities are all magnified, especially when these privileged users happen to be third-party remote vendors.

This whitepaper highlights the PCI issues relating to remote vendors, and provides a straightforward solution for achieving compliance. Particular attention is placed on:
- Clarity of what your log contains (as per PCI 10.2)
- Securing the audit logs against admin users (as per PCI 10.5)
- Eliminating anonymity (as per PCI 8 and PCI 10.1)
- Verifying awareness of corporate policy (as per PCI 12.5)

Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
An ObserveIT Whitepaper | Gabriel Friedlander
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

Executive Summary

To respond to the requirements of the Payment Card Industry Data Security Standard (PCI-DSS, or PCI for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing business users, many of these needs can be met using native system logs. But when it comes to privileged users, the requirements, sensitivities and complexities are all magnified. And when those privileged users happen to be third-party remote vendors, the risk factors redouble. An auditing platform that focuses on user actions (as opposed to system resources) creates a holistic and effective solution that answers PCI requirements efficiently.

The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely:
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel

The core essence of these requirements (most notably the numerous details within Requirement 10) boils down to a simple statement: "You should know who has done what, for every system access." This straightforward question is best answered with an equally straightforward solution: "Be able to replay exactly what each user did, as if you were looking over their shoulder as they did it."

In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed, allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex: Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: a customized CRM).
Scoping the Problem: Remote Vendors Have a Unique Impact on PCI Compliance

Who are these remote vendors, anyway?

Over the past 10 years, streamlined business factors and emerging technology enablers have led to dramatic growth in the use of remote third-party users on corporate networks, so much so that we tend to take it for granted at this point. Indeed, these business factors (optimization of HR and outsourced staffing, concentration of core expertise in specific centers, SaaS and crowd-sourcing, to name a few) are built into the grain of corporate IT infrastructure today. By and large, this process has brought tremendous operational efficiency, and we can expect remote vendor access to continue in the long term.

In order to perform their assigned job, remote vendors typically require wide access to many corporate resources, sometimes at the level of root administrator. Unfortunately, the granularity available via OS access control cannot prevent "the bad stuff" while still allowing "the stuff that actually has to be done". After all, an admin with full read-write access to a disk drive can also delete its entire contents, and a DBA with access to a database for backup tasks can also read that database inappropriately.

Covering All Activity: Can you really know what happened based only on obscure system logs?

PCI Section 10.2 requires you to "implement automated audit trails ... to reconstruct ... events". Here, the core question being raised is "What is actually captured?" When first approaching PCI compliance, it might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental question of "Who did what?" PCI auditors are highly attuned to this not-so-subtle distinction, and know how to probe the issue during audit reviews.

Exposure during audits is especially acute with regard to remote vendors and the question "Does a particular application provide sufficient logging info?" Many important business applications, especially custom apps that are developed and maintained by external vendors, have not been developed with logging in mind. Often, audit logs are added as an afterthought, with the resulting quality in doubt. A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together every possible activity from the resulting system logs, a video replay can show exactly what the user did.

Securing the Audit Trail: Is the cat guarding the cream?

PCI Section 10.5 requires you to "secure audit trails so they cannot be altered", and PCI Requirement 6 calls for "secure systems and applications", including "secure authentication and logging". With remote vendors touching mission-critical resources, the question to be asked here is "Does a software vendor know how to neutralize the logs?" It is certainly reasonable to wonder whether a remote vendor that developed a particular bespoke application has the means to temporarily pause logging while performing system maintenance. Even if this is not done maliciously, but rather for performance reasons, it still leaves your compliance in doubt.
An audit that includes exact video recording of everything the user does overcomes these issues. If each action is captured visually, then the question of what each application is sending to its system log is neutralized.

Eliminating Anonymity: 'administrator' is not a name

PCI Section 10.1 calls for "a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user." This is also related to PCI Requirement 8, which calls for "assigning unique identification to each person with computer access". There are a few levels of anonymity concerns that demand consideration:

- Do you have ID management that ties a remote vendor's generic login (administrator) to a named user? The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins or external remote vendors. Some form of identification service must be put in place, so that a user is clearly identified prior to gaining access. There are numerous technical implementations that can achieve this goal, including biometrics, smart cards, password vaults and a secondary challenge-response login. The PCI requirement does not specify which of these methods to choose, so the decision is a matter of operational efficiency and cost-benefit analysis.

- Do your HR or Active Directory databases clearly identify each named user? The validity and accuracy of internal username databases is handled quite well today for corporate employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This may take many forms, including generic info (ex: Name="VendorCorp User" instead of Name="John Smith"), missing fields (ex: no address or social security number on file), and policy training not being up to date. Even worse, remote vendor organizations often share a single account, with one user ID serving all the support and development staff! In so many cases, even if perfect tracking info is kept for John Smith, it is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John's ID.

The above issues can be overcome with a strong secondary identification system that requires named-user credentials, coupled with effective corporate policy enforcement.

Policy Validation and Support Ticket Numbers: Yes, I read the new policy statement!

PCI Section 12.5.1 asks that you "establish, document and distribute security policies and procedures" and PCI Section 12.6.2 calls on you to "require personnel to acknowledge ... that they have read and understood the security policy and procedures." CIOs and CSOs today face the unpleasant fact that they cannot know exactly who each user is at a remote vendor location. Even with an extremely tight credential management workflow, there always remains a certain doubt about policy enforcement at the remote site. What's more, the ability to require policy training is severely hampered. Relationships with a remote vendor are routed through primary points of contact, while actual work is performed by many additional employees. So even with good policy communications with the main account manager, there is no way of knowing whether the actual support admin who will be logging in got the news.
This communication path can impact compliance ("Does the admin know that s/he should not be opening file X?"), but it also has performance and administration benefits ("Does the admin know that no database traces should be launched between Thursday midnight and Friday noon during our system upgrade?").

Some IT departments attempt to reduce this policy and admin complexity using a ticket-number system, in which each login user must receive a one-time ticket number associated with a specific task to be performed. This certainly is an effective method to mitigate risk, but it only makes sense if the ticket tracking is also reflected in the ID management solution and appears in the actual user audit logs.

From 'Compliant' to 'Secure': Getting even more out of a compliance toolset

The heavy burden of PCI compliance can cause CIOs, compliance managers and security managers to focus on compliance-checklist minimization ("Just do the bare minimum of what will get us past the auditor!"). This approach is certainly understandable, yet it overlooks a huge opportunity to augment network security at no additional cost.

- Managing physical presence: Who is actually looking at the screen? Given that off-site remote vendors are not managed by corporate facility security, there is a higher concern for third-party providers regarding what takes place on the screen. How do you know who else is watching what is taking place on the screen? Adding screen recording, and making sure that the third-party user is aware of this, can diminish the risk of screen peeking. And even after a security breach, at least you can know exactly what data was exposed.

- Fast forensic resolution: Show me exactly what happened! Once a security issue is identified by system monitors, there still remains a wide gap that must be spanned: What were the conditions that allowed this event to occur, and what can I do to prevent it from occurring again? The quickest path to answering these questions is simply replaying the exact activity.
Solving the Problem: PCI Compliance for Remote Vendor Environments

PCI 10.2 – Implementing audit logs (even for apps that do not have built-in logging!)

With ObserveIT, you have instant audit logs that include details of precisely what took place. ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what machines are doing!). Therefore, it captures detailed logs for user activity in any application, even if that app does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to demonstrate what took place while a user was editing an MS Word doc, or while running a webinar session, or while using a custom ERP extension for which the system developers have not yet implemented logs. The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.

[Screenshot: "What did the user do?" A human-understandable list of every user action (who, when, where), covering cloud apps (Salesforce.com in Microsoft Internet Explorer), commercial software with no logs (MagicISO CD/DVD Manager, Microsoft Visual Studio 2010, Skype), legacy software (CustomerDetails CRM) and Registry Editor.]

[Screenshot: User session replay. Bulletproof forensics for security investigation: PCI-compliant log reports of remote vendor access; instant forensic investigation using visual user session replay. Captures all actions: mouse movement, text entry, UI interaction, window activity. Playback navigation: move quickly between apps that the user ran.]

PCI 10.2 and 10.3 – Visual audit guarantees sufficient coverage and clarity of user actions

For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking over the user's shoulder as it took place. With this level of accountability, there is no question as to what transpired, making any attempt at repudiation or denial groundless.
PCI 10.1 – Capturing named-user credentials without complex password vault management

Privileged remote vendor users must provide named-user credentials in order to initiate a session; without them, the session is not started. Therefore, every session is associated with a specific named user, and this username appears in every log entry created during the session.

[Screenshot: Privileged user identification. Privileged login with the generic 'administrator' user ID; capture real name: named user account credentials are required in order to continue.]

PCI 12.5 – Policy training that will deny system access without proper acknowledgement

Before authorizing the user to access the system, ObserveIT requires that policy status information be read and confirmed. This eliminates the need to handle policy update validation in a separate process: no more email trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote vendors, where policy updates often go to the main point of contact, but other users are the actual people who log in.

In addition, users can be asked to provide specific details about the support issue being handled, in the form of ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling between each session and the reason the session took place in the first place.

[Screenshot: Policy updates as a mandatory part of the user authentication path. Policy messaging (user must acknowledge): "NOTE: No database admin task may be performed between 0800 and 1800 GMT." Support ticket (require the user to provide an activity identifier): "Please enter your support ticket number in the box below."]
Conclusion

The existence of remote vendors poses unique challenges when establishing proper PCI compliance documentation. The issues raised by third-party vendors span many security categories:
- Audit completeness: Can you establish exactly what took place based on your existing log entries?
- Identity management and anonymity: Do you really know who each remote user is?
- Policy training: How can you be sure that each remote user receives policy updates and periodic training?
- Audit security: Are you able to verify that remote admins did not touch any existing log info?
- Flexibility of auditing platform: Does each new application deployment complicate the compliance logging requirements?

ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented instead of system-oriented, you are able to recreate exactly what took place on any system resource. Benefits of this solution include:
- Accountability for all activities performed by a remote vendor or service provider: each system access is linked to an identifiable individual user
- Reduced cost to generate compliance reports, with less effort and faster turnaround time
- Unequivocal proof of user activity, supporting authentication and non-repudiation
Appendix A: ObserveIT PCI Compliance Matrix

Requirement 6: Develop and maintain secure systems and applications
  6.3 Secure authentication, logging
      ObserveIT is a secure platform, with all data storage maintained in a SQL Server database that inherits all corporate security policies. All data is encrypted and digitally signed, and security policy rules prevent unauthorized access to view or modify log data.

Requirement 8: Assign a unique ID to each person with computer access
  8.1 Assign a unique ID before giving access
  8.2 Tie passwords to the ID
  8.4 Secure passwords during transmission
      ObserveIT Identification Services requires that any privileged user access be accompanied by a specific named-user login.

Requirement 10: Track and monitor all access to network resources and cardholder data
  10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
      Prior to enabling a user to initialize a session, ObserveIT can present a challenge-response secondary credential dialog, thus preventing generic privileged user ID login. ObserveIT records all human activity on monitored servers, both visually and with a textual metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what resources were accessed and affected.
  10.2 Implement automated audit trails for all system components to reconstruct the following events:
       10.2.2 All actions taken by any individual with root or administrative privileges
       10.2.3 Access to all audit trails
       10.2.7 Creation and deletion of system-level objects
      ObserveIT constantly monitors and records all user activity, including applications launched, UI interaction, system configuration, registry changes or any other user-initiated action, from login to logoff. ObserveIT records at the OS level and is agnostic to the connection protocol. All access to the ObserveIT logs themselves is also audited and recorded.
  10.3 Record ... audit trail entries for all system components for each event
      By capturing a visual recording of every user action, a full audit trail is established for every system component modification or access.
  10.4 Use time-synchronization technology
      ObserveIT records a timestamp for every screenshot within the user session and for each associated metadata log entry. This allows for 100% correlation between the replayed sessions and the presented metadata.
  10.5 Secure audit trails so they cannot be altered
      ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate database security protocols are automatically inherited. All DB records are protected by a digital signature, so that any alteration or deletion is detected. Access to records is allowed only to users defined as administrators. View-only administrator access is also possible, allowing for further secure auditing.
  10.6 Review logs for all system components at least daily
      ObserveIT's built-in compliance reports and customizable reports can be scheduled for automatic delivery on any time frame. Event activity can also be captured by any network management tool for system alerting based on user activity.
  10.7 Retain audit trail history for at least one year
      ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and protected SQL database, where they are retained indefinitely.

Requirement 12: Maintain a policy that addresses information security
  12.5 Assign to an individual or team the following information security management responsibilities:
       12.5.1 Establish, document and distribute security policies and procedures
       12.5.5 Monitor and control all access to data
  12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security
       12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures
      ObserveIT enables policy messaging, in which the user receives a message when initiating a login. Users must confirm that they have received and read the message.
  12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers
      All ObserveIT auditing features specified in the rows above are also applied to any remote service provider.
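The two properties that the 10.1, 10.2.3 and 10.5 rows above attribute to the audit store (every privileged session bound to a named individual, and every record signed so that alteration or deletion is detected rather than merely discouraged) can be shown in a few lines. The following is an added example and not ObserveIT code; it does not describe how ObserveIT signs its records. It is a keyed-hash-chained audit log in which each record carries the MAC of its predecessor, and in which a session under a privileged generic account with no named user is refused. The key, account names, hostnames, ticket numbers and log records are all constructed for the example.

```python
"""Tamper-evident, named-user audit trail (added example; not ObserveIT code).

Each record is bound to the previous one by an HMAC over the record's canonical
JSON, which includes the previous record's MAC.  Editing, deleting or reordering
any record therefore breaks the MAC check at that record and every record after
it.  Appending a privileged-account session that is not tied to a named
individual is refused (PCI 10.1 / Requirement 8).
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed for the example.  In practice the key lives with the log
# collector (or an HSM), never on the host the audited admin controls.
LOG_KEY = b"example-key-not-for-production"
PRIVILEGED_ACCOUNTS = {"root", "administrator", "sa"}
GENESIS_MAC = "0" * 64  # prev_mac of the first record


def _canonical(record: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes = LOG_KEY) -> None:
        self._key = key
        self.records: List[dict] = []

    def append(self, ts: str, account: str, named_user: Optional[str],
               host: str, ticket: Optional[str], action: str) -> dict:
        """Add one record; refuse anonymous use of a privileged account."""
        if account.lower() in PRIVILEGED_ACCOUNTS and not named_user:
            raise ValueError(f"privileged account {account!r} with no named user")
        prev_mac = self.records[-1]["mac"] if self.records else GENESIS_MAC
        record = {
            "seq": len(self.records),
            "ts": ts,
            "account": account,      # the OS/DB login actually used
            "named_user": named_user,  # the individual behind it
            "host": host,
            "ticket": ticket,        # change/support ticket for the session
            "action": action,
            "prev_mac": prev_mac,    # links this record to its predecessor
        }
        record["mac"] = hmac.new(self._key, _canonical(record),
                                 hashlib.sha256).hexdigest()
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, seq of first bad record)."""
        prev_mac = GENESIS_MAC
        for expected_seq, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "mac"}
            recomputed = hmac.new(self._key, _canonical(body),
                                  hashlib.sha256).hexdigest()
            if (record["seq"] != expected_seq
                    or record["prev_mac"] != prev_mac
                    or not hmac.compare_digest(recomputed, record["mac"])):
                return False, expected_seq
            prev_mac = record["mac"]
        return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample session: a vendor engineer works as 'administrator'."""
    log = AuditLog()
    common = ("administrator", "jsmith@vendorcorp", "db01", "TCK-4711")
    log.append("2011-05-02T09:00:00Z", *common, "logon")
    log.append("2011-05-02T09:03:12Z", *common, "launch sqlcmd")
    log.append("2011-05-02T09:05:40Z", *common, "SELECT * FROM cardholders")
    log.append("2011-05-02T09:06:02Z", *common, "logoff")
    return log


def tamper_edit(log: AuditLog) -> Tuple[bool, Optional[int]]:
    """Someone with DB access rewrites the incriminating query in place."""
    log.records[2]["action"] = "SELECT COUNT(*) FROM cardholders"
    return log.verify()


def tamper_delete(log: AuditLog) -> Tuple[bool, Optional[int]]:
    """Deleting a middle record: the next record's seq and prev_mac no longer fit."""
    del log.records[2]
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited:", tamper_edit(build_sample_log()))
    print("deleted:", tamper_delete(build_sample_log()))
```

The point to take from verify() is the "cat guarding the cream" caveat from the audit-trail section: the chain detects edits by anyone who can reach the database, the DBA included, but only if LOG_KEY is held by the collector (or an HSM) and not on a host the audited administrator controls; an admin holding the key can simply recompute every MAC. Truncating the tail of the log is also not caught by the chain alone, so the collector should additionally anchor the latest MAC somewhere the admin cannot write, such as a remote syslog line, a WORM store or the daily report.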
About ObserveIT

ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time. Every action performed by remote vendors, developers, sysadmins, business users or privileged users is recorded. Video recordings include mouse clicks, app usage and keystrokes. Each time a security event is unclear, simply replay the video, just as if you were looking over the user's shoulder. ObserveIT is the perfect solution for third-party vendor monitoring, compliance report automation and root cause analysis.

Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services. For more information, please contact ObserveIT at:
www.observeit-sys.com
sales@observeit-sys.com
US Phone: 1-800-687-0137
Int'l Phone: +972-3-648-0614