Payment Card Industry Data Security Standard (PCI-DSS) 2.0 Compliance Using Hitachi ID Management Suite
© 2014 Hitachi ID Systems, Inc. All rights reserved.
Contents
1 Introduction 1
2 The Regulation in Detail 2
3 Improving Security in General 10
3.1 Hitachi ID Password Manager 10
3.2 Hitachi ID Identity Manager 10
3.3 Hitachi ID Access Certifier 11
3.4 Hitachi ID Privileged Access Manager 11
PCI-DSS v2.0 Compliance Using Management Suite
1 Introduction
The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners.
It is organized into six logical categories:
1. Build and Maintain a Secure Network.
2. Protect Cardholder Data.
3. Maintain a Vulnerability Management Program.
4. Implement Strong Access Control Measures.
5. Regularly Monitor and Test Networks.
6. Maintain an Information Security Policy.
PCI-DSS is unique among major regulatory requirements for corporations and government agencies in that it specifically lays out what organizations must do and what they must not do to comply. This makes compliance much more straightforward than regulations such as SOX and HIPAA, which are ambiguous with regard to information security.
To fulfill all of the requirements in PCI-DSS, organizations must deploy a combination of sound business practices and various security technologies, including firewalls, virus scanners, identity management systems and more.
The full text of the PCI DSS version 2.0 (as of April 2012) may be found here:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
This document outlines how components of the Hitachi ID Management Suite can assist organizations in
compliance with PCI-DSS.
2 The Regulation in Detail
Hitachi ID Management Suite can help organizations to comply with PCI-DSS requirements and (wherever
relevant) itself complies as follows:
Each entry gives the PCI-DSS requirement and its details, followed by the Hitachi ID product and the feature that addresses it.

2.1 Always change vendor-supplied defaults before installing a system on the network; for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
    Product: Hitachi ID Privileged Access Manager
    Feature: Scrambles all sensitive passwords regularly, eliminating defaults.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
    Product: Privileged Access Manager
    Feature: Can be used to house randomized encryption keys, SNMP community strings, etc.

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.
    Product: Privileged Access Manager
    Feature: Ensures that when administrators request administrative credentials, they do so only with strong authentication and over an encrypted UI (HTTPS).

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
    Product: Privileged Access Manager
    Feature: Can be used to securely store encryption keys for disk volumes.

3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
    Product: Privileged Access Manager
    Feature: Can be used as a secure key repository.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
    Product: Privileged Access Manager
    Feature: Can be used to generate, control disclosure of, periodically replace and securely store cryptographic keys (not just passwords). This makes it suitable as a cryptographic storage platform, not just a privileged password management system. The built-in workflow system can be used to support 3.6.6 (split knowledge and establishment of dual control of cryptographic keys).

6.3.6 Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers.
    Product: Privileged Access Manager
    Feature: Can be used to eliminate hard-coded login IDs and passwords in applications. Instead, applications use a Privileged Access Manager API to fetch IDs and passwords for back-end systems.

6.4 Follow change control procedures for all changes to system components.
    Product: Privileged Access Manager
    Feature: Can be used to enforce change control processes, i.e., no approved change control means no password disclosure.

6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
    Product: Various
    Feature: See below.

6.5 OWASP: testing for vulnerable password reset... http://www.owasp.org/...
    Product: Hitachi ID Password Manager
    Feature: Secure authentication prior to self-service password reset.

6.5 OWASP: password length and complexity http://www.owasp.org/...
    Product: Password Manager
    Feature: Password complexity checking and secure random password generator.

6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
    Product: Management Suite
    Feature: Complies itself: all inputs are filtered.

6.5.2 Buffer overflow
    Product: Management Suite
    Feature: Complies itself: all inputs are checked for size and trimmed if required.
6.5.3 Insecure cryptographic storage
    Product: Management Suite
    Feature: Complies itself: strong cryptography is used to protect sensitive data such as passwords and security questions.

6.5.4 Insecure communications
    Product: Management Suite
    Feature: Complies itself: inbound communications are HTTPS and outbound communications use a variety of protocols, depending on what the target system supports.

6.5.5 Improper error handling
    Product: Management Suite
    Feature: Complies itself: error handling is strictly local and does not leak credentials.

6.5.6 All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
    Product: Management Suite
    Feature: Complies itself: all releases are tested for security vulnerabilities.

6.5.7 Cross-site scripting (XSS)
    Product: Management Suite
    Feature: Complies itself: for example, by filtering out HTML content from input fields, which could otherwise be used to inject scripts from another site into a user's session.

6.5.8 Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)
    Product: Management Suite
    Feature: Complies itself: all inputs are filtered. Moreover, access to sensitive data within Management Suite is subject to rigorous access controls, linked to both the identity of the requester and the data being accessed.

6.5.9 Cross-site request forgery (CSRF)
    Product: Management Suite
    Feature: Complies itself: generally by avoiding use of cookies to track authentication state and limiting functionality available via HTTP GET.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
    Product: Hitachi ID Identity Manager
    Feature: Can assign application privileges based on user roles.

7.1.1 Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
    Product: Privileged Access Manager
    Feature: Access to privileged accounts can be controlled by user group (role) and authenticated personally.

7.1.2 Assignment of privileges is based on individual personnel's job classification and function
    Product: Identity Manager
    Feature: Used to assign privileges, including by role assignment.
7.1.3 Requirement for an authorization form signed by management that specifies required privileges
    Product: Identity Manager
    Feature: Workflow approval can be required prior to role assignment.

7.1.4 Implementation of an automated access control system
    Product: Management Suite
    Feature: All products in the Management Suite incorporate a flexible access control system internally. Moreover, Identity Manager is designed to configure access control on integrated systems and applications, while Privileged Access Manager is designed to control access to privileged accounts across an IT environment.

7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
    Product: Identity Manager
    Feature: Is used to manage user entitlements, which are typically assigned on a least privilege basis.

7.2.1 Coverage of all system components
    Product: Privileged Access Manager
    Feature: Includes 110 connectors.

7.2.2 Assignment of privileges to individuals based on job classification and function
    Product: Identity Manager
    Feature: Supports role-based access control (RBAC).

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
    Product: Identity Manager
    Feature: Supports assignment of globally unique IDs to all users and correlation of locally unique IDs to global profiles.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
    • Password.
    • Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
    Product: Management Suite
    Feature: Supports management of all of these types of authentication factors. Authenticates users into its own portal with any combination of the above types of authentication factors.
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
    Product: Management Suite
    Feature: Supports cost-effective provisioning, support and deactivation of two-factor authentication factors, such as tokens and smart cards. Supports use of a cell phone plus password as an ad-hoc two-factor authentication method.

8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
    See details below.

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    Product: Identity Manager
    Feature: Streamlines the management of user IDs, credentials and entitlements.

8.5.2 Verify user identity before performing password resets.
    Product: Password Manager
    Feature: Secures self-service and assisted-service password reset processes.

8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
    Product: Identity Manager
    Feature: Allows organizations to control the issuance and expiration of initial passwords on accounts it creates.

8.5.4 Immediately revoke access for any terminated users.
    Product: Identity Manager
    Feature: Automates termination with a data feed from a system of record (HR), plus allows authorized users to trigger immediate or scheduled deactivation through a web request form.

8.5.5 Remove inactive user accounts at least every 90 days.
    Product: Identity Manager
    Feature: Tracks inactive accounts and automatically removes them after N days.

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.
    Product: Privileged Access Manager
    Feature: Can assign temporary passwords for a short "password checkout" period. Also supports launching a remote control connection for vendors, etc. without disclosing the current password value.
8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.
    Product: Password Manager
    Feature: Can be used not only to enforce policies but also to communicate policies to end users and track acceptance of same.

8.5.8 Do not use group, shared, or generic accounts and passwords.
    Product: Privileged Access Manager
    Feature: Enables organizations to randomize sensitive passwords daily, thereby eliminating the possibility that users share them or never change them.

8.5.9 Change user passwords at least every 90 days.
    Product: Password Manager
    Feature: Can require users to change all passwords regularly, including on systems and applications with no native password expiration capability.

8.5.10 Require a minimum password length of at least seven characters.
    Product: Management Suite
    Feature: Identity Manager, Password Manager and Privileged Access Manager can all enforce complex password policies, including minimum length rules, for password creation, changes and randomization, respectively. Seven is a bit short, however...

8.5.11 Use passwords containing both numeric and alphabetic characters.
    Product: Management Suite
    Feature: All products can enforce a rich variety of password complexity rules.

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
    Product: Password Manager
    Feature: Can enforce "infinite" (i.e., open-ended) password history requirements, to eliminate password reuse entirely.

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
    Product: Management Suite
    Feature: All Management Suite components include intruder lockout to prevent repeated login attempts with invalid credentials.

8.5.14 Set the lockout duration to 30 minutes or until administrator enables the user ID.
    Product: Management Suite
    Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
    Product: Management Suite
    Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
    Product: Privileged Access Manager
    Feature: Can enforce this requirement even for applications that have no personal login IDs. In these cases, it randomizes system-level passwords daily and requires IT workers to self-authenticate when they need the current password value.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
    Product: Identity Manager
    Feature: Can manage the assignment and activation of building access badges.

10.1 - 10.3 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
    Product: Privileged Access Manager
    Feature: Creates precisely this audit log. This even includes recordings ("movies") of administrator sessions.

12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
    Product: Management Suite
    Feature: Clearly, Management Suite cannot develop policies for any Hitachi ID Systems customer; it's just software. However, a variety of Management Suite capabilities support the following policy requirements.

12.2 Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
    Product: Management Suite
    Feature: Supports standards and controls over user account maintenance and logging of administrative access.

12.3.1 Explicit approval by authorized parties
    Product: Management Suite
    Feature: Identity Manager and Privileged Access Manager in particular include a robust workflow engine used for change approvals. This applies to requests for access to systems in the former and requests for privileged access in the latter.

12.3.2 Authentication for use of the technology
    Product: Management Suite
    Feature: Password Manager supports strong authentication by helping users to manage their own credentials. Privileged Access Manager authenticates IT staff before granting privileged access.
12.3.3 A list of all such devices and personnel with access
    Product: Privileged Access Manager
    Feature: Includes infrastructure auto-discovery; all other Management Suite components include user ID auto-discovery.

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
    Product: Privileged Access Manager
    Feature: Supports this for administrative sessions in particular.

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
    Product: Privileged Access Manager
    Feature: Supports granting and terminating of temporary privileged access to users, including vendors and partners.

Assign to an individual or team the following information security management responsibilities:
    See below how Management Suite can help with some tasks.

12.5.4 Administer user accounts, including additions, deletions, and modifications
    Product: Identity Manager
    Feature: Automates the processes around user access setup/update/tear-down.

12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
    Product: Password Manager
    Feature: Includes a mechanism to invite users to read and acknowledge policy documents.

12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
    Product: Identity Manager
    Feature: Includes both task dependencies and implementer tasks. Together, these features are used to verify completion of such preliminary tasks before granting logical or physical access to a new user.
3 Improving Security in General
3.1 Password Manager
Self service management of passwords, PINs and encryption keys
Hitachi ID Password Manager improves the security of authentication processes:
• A strong, uniform password policy prevents the use of easily guessed passwords and ensures that all passwords are changed regularly.
• Password synchronization discourages written passwords ("sticky notes").
• Consistent, reliable authentication processes ensure that users are reliably identified before accessing sensitive services, such as a help desk password reset.
• IT support staff can be empowered to assist callers without having administrator accounts on every system and application.
• Extensive audit logs create accountability for password resets.
• Encryption ensures that passwords are not stored or transmitted in plaintext.
3.2 Identity Manager
User provisioning, RBAC, SoD and access certification
Hitachi ID Identity Manager strengthens security by:
• Quickly and reliably removing access to all systems and applications when users leave an organization.
• Finding and helping to clean up orphan and dormant accounts.
• Assigning standardized access rights, using roles and rules, to new and transitioned users.
• Enforcing policy regarding segregation of duties and identifying users who are already in violation.
• Ensuring that changes to user entitlements are always authorized before they are completed.
• Asking business stakeholders to periodically review user entitlements and either certify or remove them, as appropriate.
• Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.
• Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.
Identity Manager runs an auto-discovery process nightly, which extracts a list of users, their managed attributes and their membership in managed groups from each target system. On systems where Identity Manager is the only authorized user management facility, this list should be identical to the data already inside Identity Manager. Where this is the policy but changes are nevertheless detected, a security exception can be raised. Normally, such exceptions trigger automatic e-mails to target system administrators, asking them to confirm that the detected security changes are valid.
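The nightly reconciliation just described, as an added example rather than Identity Manager's own code: a diff between the identity system's records and the discovery extract for one target, with every difference raised as an exception and folded into the confirmation e-mail to that target's administrators. The record layout, the target name "erp-db" and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    """One security exception: something on the target differs from the identity system's record."""
    target: str
    login_id: str
    kind: str     # account_added / account_removed / attribute_changed / group_added / group_removed
    detail: str


def reconcile(target: str, expected: dict, discovered: dict) -> list[Drift]:
    """Compare the identity system's own records (expected) with the nightly discovery
    extract (discovered). Both map login_id -> {"attrs": {...}, "groups": set()}.
    On a target where only the identity system may change accounts, every difference
    is an exception to report."""
    drifts = []
    for login in sorted(discovered.keys() - expected.keys()):
        drifts.append(Drift(target, login, "account_added", "account created outside the identity system"))
    for login in sorted(expected.keys() - discovered.keys()):
        drifts.append(Drift(target, login, "account_removed", "account deleted outside the identity system"))
    for login in sorted(expected.keys() & discovered.keys()):
        exp, got = expected[login], discovered[login]
        for attr in sorted(exp["attrs"].keys() | got["attrs"].keys()):
            if exp["attrs"].get(attr) != got["attrs"].get(attr):
                drifts.append(Drift(target, login, "attribute_changed",
                                    f"{attr}: {exp['attrs'].get(attr)!r} -> {got['attrs'].get(attr)!r}"))
        for grp in sorted(got["groups"] - exp["groups"]):
            drifts.append(Drift(target, login, "group_added", grp))
        for grp in sorted(exp["groups"] - got["groups"]):
            drifts.append(Drift(target, login, "group_removed", grp))
    return drifts


def exception_report(target: str, drifts: list[Drift]) -> str:
    """Body of the e-mail asking the target's administrators to confirm each change."""
    if not drifts:
        return f"{target}: no unmanaged changes detected."
    lines = [f"{target}: {len(drifts)} change(s) were made outside the identity system. Please confirm each:"]
    for d in drifts:
        lines.append(f"  - {d.login_id}: {d.kind} ({d.detail})")
    return "\n".join(lines)


# Constructed sample data for one target system ("erp-db"): what the identity system
# believes, and what last night's discovery run reported.
EXPECTED = {
    "alice": {"attrs": {"full_name": "Alice Ng", "enabled": True}, "groups": {"app_users"}},
    "bob": {"attrs": {"full_name": "Bob Roy", "enabled": True}, "groups": {"app_users"}},
    "svc_batch": {"attrs": {"full_name": "Batch service", "enabled": True}, "groups": set()},
}
DISCOVERED = {
    "alice": {"attrs": {"full_name": "Alice Ng", "enabled": True}, "groups": {"app_users", "dba"}},
    "svc_batch": {"attrs": {"full_name": "Batch service", "enabled": False}, "groups": set()},
    "tmp_admin": {"attrs": {"full_name": "", "enabled": True}, "groups": {"dba"}},
}

if __name__ == "__main__":
    print(exception_report("erp-db", reconcile("erp-db", EXPECTED, DISCOVERED)))
```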
3.3 Access Certifier
Periodic review and cleanup of security entitlements
Hitachi ID Access Certifier helps organizations to find and eliminate stale user privileges:
• All user objects are subjected to periodic reviews by managers and group owners. Orphan and dormant accounts are eliminated.
• All user memberships in security groups (also known as roles, profiles, etc.) are periodically scrutinized. Inappropriate rights are deactivated.
• Accountability is introduced by documenting when each login ID and group membership was reviewed and by whom.
• Organizational roll-up allows executives to sign off on statements asserting that all sensitive security rights have been reviewed.
3.4 Privileged Access Manager
Control and audit access to privileged accounts
Hitachi ID Privileged Access Manager helps organizations to secure privileged accounts:
• Eliminate static and shared passwords.
• Enforce strong authorization controls over who can access which administrative account and when.
• Personally authenticate IT staff before granting access to privileged accounts.
• Create an audit log of who accessed each privileged account and when.
www.Hitachi-ID.com
500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: sales@Hitachi-ID.com
File: /pub/wp/documents/pci-dss/pci-dss-compliance-2.0.tex
Date: 2012-04-29