Eliminate Remote Vendor Complexity in PCI Compliant Platforms

1

Easy PCI:
How to Eliminate Remote Vendor Complexity
in PCI-DSS Compliant Platforms
An ObserveIT Whitepaper | Gabriel Friedlander

Executive Summary
To respond to the requirements of the Payment Card Industry Data Security Standard regulation (PCI-DSS, or PCI
for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing
business users, many of these needs can be answered using native system logs. But when it comes to privileged
users, the requirements, sensitivities and complexities are all magnified. And when those privileged users
happen to be third-party remote vendors, a redoubling of risk factors occurs.

An auditing platform that focuses on user actions (as opposed to a focus on system resources) will create a
holistic and effective solution that answers PCI requirements efficiently.

The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data
storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely:

 Requirement 6: Develop and maintain secure systems and applications
 Requirement 8: Assign unique ID to each person with computer access
 Requirement 10: Track and monitor all access to network resources and cardholder data
 Requirement 12: Maintain a policy that addresses information security for all personnel

The core essence of these requirements (most notably the numerous details within Requirement 10) boil down
to a simple statement: “You should know who has done what, for every system access.” This straight-forward
question is best answered with an equally straight-forward solution: “Be able to replay exactly what each user
did, as if you were looking over their shoulder as they did it.”

In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed,
allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex:
Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: customized CRM).

Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

2

Scoping the Problem:
Remote Vendors Have a Unique Impact on PCI Compliance
Who are these Remote Vendors, anyway?
Over the past 10 years, streamlined business factors and emerging technology enablers have led to a dramatic
growth in the use of remote 3rd-party users on corporate networks – so much so that we tend to take it for
granted at this point.

Indeed, these business factors – optimization of HR and outsource staffing, concentration of core expertise in
specific centers, SaaS and crowd-sourcing, to name a few – are built into the grain of corporate IT infrastructure
today. By and large, this process has brought tremendous operational efficiency, and we can expect remote
vendor access to continue in the long term.

In order for remote vendors to be able to able to perform their assigned job, they typically require wide access
to many corporate resources, sometimes at the level of root administrator. Unfortunately, the level of
granularity available via OS access control cannot prevent ‘the bad stuff’ while still allowing ‘the stuff that
actually has to be done’. After all, an admin with full read-write access to a disk drive can also delete the entire
contents, and a DBA with access to a database for backup tasks can also access the database inappropriately.

Covering All Activity: Can you really know what happened based only on obscure system logs?
PCI Section 10.2 requires you to “implement automated audit trails … to reconstruct … events”.

Here, the core question being raised is “What is actually captured?” When first approaching PCI compliance, it
might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just
a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental
question of “Who did what?” PCI auditors are highly attuned to this not-so-subtle differentiation, and know how
to probe the issue during audit reviews.

Exposure during audits is especially acute with regards to remote vendors and the question “Does a particular
application provide sufficient logging info?” Many important business applications, especially custom apps that
are developed and maintained by external vendors, have not been developed with system logging in mind.
Often, audit logs are added as an afterthought, with the resulting quality in doubt.

A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together
logs of every possible activity via the resulting system logs, a video replay can show exactly what the user did.

Securing the Audit Trail: Is the cat guarding the cream?
PCI Section 10.5 requires you to “secure audit trails so they cannot be altered”, and PCI Section 6 calls for
“secure systems and applications”, including “secure authentication and logging”.
With remote vendors touching mission-critical resources, the question to be asked here is “Does a software
vendor know how to neutralize the logs?” It is certainly reasonable to wonder if a remote vendor that
developed a particular bespoke application has the means to temporarily pause logging functionality while
performing system maintenance. Even if this not done maliciously, but rather for performance issues, it still
leaves your compliance in doubt.


3

An audit that includes exact video recording of everything the user does will overcome these issues. If each
action is captured visually, then the question of what each application is sending to its system log is neutralized.

Eliminating Anonymity: ‘administrator’ is not a name
PCI Section 10.1 calls for “a process for linking all access to system components (especially access done with
administrative privileges such as root) to each individual user.” This is also related to PCI Requirement 8, which
calls for “assigning unique identification to each person with computer access”.

There are a few levels of anonymity concerns that demand consideration:

 Do you have ID Management that ties a remote vendor’s generic login (administrator) to a named user?
The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins
or external remote vendors. Some form of identification services must be put in place, so that a user is
clearly identified prior to gaining access. There are numerous technical implementations that can achieve
this goal, including biometrics, smart cards, password vaults and secondary demand-response login. The
PCI Requirement does not specify which of these methods to choose, and so the decision is a choice of
operational efficiency and pure cost-benefit analysis.

 Do your HR or Active Directory databases clearly identify each named user?
The validity and accuracy of internal username databases is handled quite well today for corporate
employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This
may take many forms, including generic info (ex: Name=”VendorCorp User” instead of Name=”John
Smith”), missing fields (ex: no address or social security # on file), and policy training not being up to date.
Even worse, remote vendor organizations often share a single account, with one userid serving all the
support and development staff! In so many cases, even if perfect tracking info is handled for John Smith, it
is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John’s id.

The above issues can be overcome with a strong secondary identification system which requires named-user
credentials, coupled with effective corporate policy enforcement.

Policy Validation and Support Ticket #’s: Yes, I read the new policy statement!
PCI Section 12.5.1 asks that you “establish, document and distribute security policies and procedures” and PCI
Section 12.6.2 calls on you to “require personnel to acknowledge…that they have read and understood the
security policy and procedures.”

CIOs and CSOs today are facing the unpleasant fact that they can’t know exactly who each user is at a remote
vendor location. Even with an extremely tight credential management workflow, there always remains a certain
doubt about policy enforcement at the remote site.

What’s more, the ability to require policy training is severely hampered. Relationships with a remote vendor are
routed through primary points of contact, while actual work is performed by many additional employees. So
even with good policy communications with the main account manager, there is no way of knowing if the actual
support admin who will be logging in got the news.


4

This communication path can impact compliance (“Does the admin know that s/he should not be opening file
X”), but it also has performance and administration benefits (“Does the admin know that no database traces
should be launched between Thursday midnight and Friday noon during our system upgrade?”)

Some IT departments attempt to diminish this policy and admin complexity using a “ticket number” system, in
which each login user must receive a one-time ticket # associated with a specific task to be performed. This
certainly is an effective method to mitigate risk, but it only makes sense that this ticket tracking is also reflected
in the ID-Management solution and appears in the actual user audit logs.

From ‘Compliant’ to ‘Secure’: Getting even more out of a compliance toolset
The heavy burden of PCI compliance can cause CIOs, Compliance Managers and Security Managers to focus on
compliance-checklist-minimization. (“Just do the bare minimum of what will get us past the auditor!”) This
approach is certainly understandable, yet it overlooks a huge opportunity to augment network security at no
additional cost.

 Managing Physical Presence: Who is actually looking at the screen?
Given that off-site remote vendors are not being managed by corporate facility security, there is a higher
concern for 3rd party providers regarding what takes place on the screen. How do know who else is
watching what is taking place on the screen? Adding screen recording, and making sure that the 3rd party
user is aware of this, can diminish the risk of screen peaking. And even on security breaches, at least we
can know exactly what data was exposed.

 Fast forensic resolution: Show me exactly what happened!
Once a security issue is identified by system monitors, there still remains a wide gap that must be spanned:
What were the conditions that allowed for this event to occur, and what can I do to prevent this from
occurring again? The quickest path to answer these questions is by simply replaying the exact activity.


5

Solving the Problem: PCI Compliancy for remote vendor environments
PCI 10.2 – Implementing audit logs (Even for apps that do not have built-in logging!)
With ObserveIT, you have instant audit logs that include details of precisely what took place.

ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what
machines are doing!) Therefore, it captures detailed logs for user activity in any application, even if that app
does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to
demonstrate what took place while a user was editing an MS-Word doc, or while running a webinar session, or
while using a custom ERP extension that the system developers have not implemented logs for yet.

The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.

WHAT DID THE USER DO?
A human-understandable list
of every user action

Salesforce.com – Microsoft Internet Explorer
MagicISO CD/DVD Manager
Cloud Apps
Microsoft Visual Studio 2010
Commercial S/W with no logs
Skype
CustomerDetails CRM
Legacy software
Registry Editor

Who, When, Where USER SESSION REPLAY:
Bulletproof forensics for
security investigation

PCI-compliant log reports
of Remote Vendor access

Instant forensic investigation
using visual user session replay CAPTURES ALL ACTIONS:
Mouse movement, text entry, UI
interaction, window activity

PLAYBACK NAVIGATION:
PCI 10.2 and 10.3 – Visual audit guarantees sufficient Move quickly between apps
that the user ran
coverage and clarity of user actions
For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact
playback of user activity, as if you were looking over the user’s shoulder as it took place.

With this level of accountability, there is no question as to what transpired, making any attempts of repudiation
or denial utterly groundless.


6

PCI 10.1 – Capturing Named-User credentials without complex password vault management
Privileged remote vendor users must provide detailed named-user credentials in order to initiate a session. This
step is mandatory in order for the user to initiate a session. Therefore, every session is associated with a specific
named user. This username appears in every log entry created during the session.

CAPTURE REAL NAME:
Named user id account credentials
are required in order to continue

PRIVILEGED LOGIN:
Generic ‘aministrator’ user id

Privileged User Identification

PCI 12.5 – Policy training that will deny system access without proper acknowledgement
Before authorizing the user to access the system, ObserveIT requires that policy status information be read and
confirmed. This eliminates the need to handle policy update validation in a separate process: No more email
trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote
vendors, in which the policy updates often go to the main point of contact, but other users are the actual people
who log in.

In addition, users can be asked to provide specific details about the support issue being handled, in the form of
ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling
between each session and the reason the session took place in the first place.

NOTE: No database admin task may be
performed between 0800 and 1800 GMT

Please enter your support ticket number in
box below.
POLICY MESSAGING:
User must acknowledge

SUPPORT TICKET:
Require the user to provide
activity identifier

Policy Updates as a mandatory part of the user authentication path


7

Conclusion
The existence of remote vendors poses unique challenges when establishing proper PCI compliance
documentation. The issues raised by 3rd party vendors span many security categories:

 Audit completeness: Can you establish exactly what took place based on your existing log entries?
 Identity management and anonymity: Do you really know who each remote user is?
 Policy training: How can you be sure that each remote user receives policy updates and periodic training?
 Audit security: Are you able to verify that remote admins did not touch any existing log info?
 Flexibility of auditing platform: Does each new application deployment complicate the compliance
logging requirements?
ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented
instead of system-oriented, you are able to recreate exactly what took place on any system resource.

Benefits of this solution include:

 Accountability of all activities performed by a remote vendor or service provider: Each system access is
linked to an identifiable individual user
 Reduced costs to generate compliance reports, with less effort, and faster turnaround time
 Unequivocal proof of user activity, guaranteeing authentication and non-repudiation


8

Appendix A: ObserveIT PCI Compliance Matrix
Requirement 6 : Develop and maintain secure systems and applications
6.3 Secure authentication, logging ObserveIT is a secure platform, with all data storage maintained in an SQL server
that inherits all corporate security policies. All data is encrypted and digitally
signed, and secure policy rules prevent any access to view or modify log data.
Requirement 8: Assign unique ID to each person with computer access
8.1 Assign unique ID before giving access ObserveIT Identification Services requires that any privileged user access be
8.2 Tie passwords to id accompanied with specific named-user login.
8.4 Secure password during transmission
Requirement 10: Track and monitor all access to network resources and cardholder data
10.1 Establish a process for linking all access to system Prior to enabling a user to initialize a session, ObserveIT can present a demand-
components (especially access done with response secondary credential dialog, thus preventing generic privileged userid
administrative privileges such as root) to each login.
individual user
ObserveIT records all human activity on monitored servers, both visually as well
as with a textual metadata log. Any user action can be replayed to see exactly
what occurred, who did it, and what resources where accessed and affected.
10.2 Implement automated audit trails for all system ObserveIT constantly monitors and records all user activity, including applications
components to reconstruct the following events: launched, UI interaction, system configuration, registry changes or any other
10.2.2 All actions taken by any individual with root or user-initiated action, from login to logoff. ObserveIT records at the OS level and is
administrative privileges agnostic to connection protocol. All access to ObserveIT logs themselves is also
10.2.3 Access to all audit trails audited and recorded.
10.2.7 Creation and deletion of system-level objects.
10.3 Record … audit trail entries for all system By capturing a visual recording of every user action, a full audit trail is established
components for each event for every system component modification or access.
10.4 Use time-synch technology ObserveIT records a timestamp for every screenshot within the user session and
each associated metadata log entry. This allows for 100% correlation between
the replayed sessions, and the presented metadata.
10.5 Secure audit trains so they cannot be altered ObserveIT stores screenshots and metadata as individual records in a SQL
database. Any corporate database security protocols are automatically inherited.
All DB records are protected by digital signature, and cannot be altered or
deleted. Access to records is allowed only by the users that are defined as
administrators. View-only administrator access is also possible, allowing for
further secure auditing.
10.6 Review logs for all system components at least ObserveIT’s built-in compliance reports and customizable reports can be
daily scheduled for automatic delivery on any time frame. Event activity can also be
captured by any network management tool for system alerting based on user
activity.
10.7 Retain audit trail history for at least one year ObserveIT's recorded sessions, attached metadata, and audit records are stored
in a central and protected SQL database, where they are retained indefinitely.
Requirement 12: Maintain a policy that addresses information security
12.5 Assign to an individual or team the following ObserveIT enables policy messaging, in which the user receives a message when
information security management responsibilities: initiating a login. Users must authorize that they have received and read the
12.5.1 Establish , document and distribute security message.
policies and procedures
12.5.5 Monitor and control all access to data
12.6 Implement a formal security awareness program
to make all personnel aware of the importance of
cardholder data security
12.6.2 Require personnel to acknowledge at least
annually that they have read and understood the
security policy and procedures
12.8 If cardholder data is shared with services All ObserveIT auditing features as specified in the above table is also applied to
providers, maintain and implement policies and any remote service provider.
procedures to manage service providers


9

About ObserveIT
ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence
of user sessions, significantly shortening investigation time.

Every action performed by remote vendors, developers, sysadmins, business users or privileged users is
recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is
unclear, simply replay the video, just as if you were looking over the user’s shoulder.

ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root
Cause Analysis.

Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including
finance, healthcare, manufacturing, telecom, government and IT services.

For more information, please contact ObserveIT at:
www.observeit-sys.com
sales@observeit-sys.com
US Phone: 1-800-687-0137
Int’l Phone: +972-3-648-0614


Eliminate Remote Vendor Complexity in PCI Compliant Platforms

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Eliminate Remote Vendor Complexity in PCI Compliant Platforms

Similar to Eliminate Remote Vendor Complexity in PCI Compliant Platforms (20)

More from ObserveIT

More from ObserveIT (20)

Eliminate Remote Vendor Complexity in PCI Compliant Platforms