PCI and Remote Vendor Monitoring
Content
1
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
An ObserveIT Whitepaper | Gabriel Friedlander Executive Summary
To respond to the requirements of the Payment Card Industry Data Security Standard regulation (PCI-DSS, or PCI for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing business users, many of these needs can be answered using native system logs. But when it comes to privileged users, the requirements, sensitivities and complexities are all magnified. And when those privileged users happen to be third-party remote vendors, a redoubling of risk factors occurs. An auditing platform that focuses on user actions (as opposed to a focus on system resources) will create a holistic and effective solution that answers PCI requirements efficiently. The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely: Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign unique ID to each person with computer access Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 12: Maintain a policy that addresses information security for all personnel
The core essence of these requirements (most notably the numerous details within Requirement 10) boil down to a simple statement: “You should know who has done what, for every system access.” This straight-forward question is best answered with an equally straight-forward solution: “Be able to replay exactly what each user did, as if you were looking over their shoulder as they did it.” In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed, allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex: Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: customized CRM).
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
2
Scoping the Problem: Remote Vendors Have a Unique Impact on PCI Compliance
Who are these Remote Vendors, anyway?
Over the past 10 years, streamlined business factors and emerging technology enablers have led to a dramatic growth in the use of remote 3rd-party users on corporate networks – so much so that we tend to take it for granted at this point. Indeed, these business factors – optimization of HR and outsource staffing, concentration of core expertise in specific centers, SaaS and crowd-sourcing, to name a few – are built into the grain of corporate IT infrastructure today. By and large, this process has brought tremendous operational efficiency, and we can expect remote vendor access to continue in the long term. In order for remote vendors to be able to able to perform their assigned job, they typically require wide access to many corporate resources, sometimes at the level of root administrator. Unfortunately, the level of granularity available via OS access control cannot prevent ‘the bad stuff’ while still allowing ‘the stuff that actually has to be done’. After all, an admin with full read-write access to a disk drive can also delete the entire contents, and a DBA with access to a database for backup tasks can also access the database inappropriately.
Covering All Activity: Can you really know what happened based only on obscure system logs?
PCI Section 10.2 requires you to “implement automated audit trails … to reconstruct … events”. Here, the core question being raised is “What is actually captured?” When first approaching PCI compliance, it might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental question of “Who did what?” PCI auditors are highly attuned to this not-so-subtle differentiation, and know how to probe the issue during audit reviews. Exposure during audits is especially acute with regards to remote vendors and the question “Does a particular application provide sufficient logging info?” Many important business applications, especially custom apps that are developed and maintained by external vendors, have not been developed with system logging in mind. Often, audit logs are added as an afterthought, with the resulting quality in doubt. A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together logs of every possible activity via the resulting system logs, a video replay can show exactly what the user did.
Securing the Audit Trail: Is the cat guarding the cream?
PCI Section 10.5 requires you to “secure audit trails so they cannot be altered”, and PCI Section 6 calls for “secure systems and applications”, including “secure authentication and logging”. With remote vendors touching mission-critical resources, the question to be asked here is “Does a software vendor know how to neutralize the logs?” It is certainly reasonable to wonder if a remote vendor that developed a particular bespoke application has the means to temporarily pause logging functionality while performing system maintenance. Even if this not done maliciously, but rather for performance issues, it still leaves your compliance in doubt.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
3
An audit that includes exact video recording of everything the user does will overcome these issues. If each action is captured visually, then the question of what each application is sending to its system log is neutralized.
Eliminating Anonymity: ‘administrator’ is not a name
PCI Section 10.1 calls for “a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” This is also related to PCI Requirement 8, which calls for “assigning unique identification to each person with computer access”. There are a few levels of anonymity concerns that demand consideration: Do you have ID Management that ties a remote vendor’s generic login (administrator) to a named user? The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins or external remote vendors. Some form of identification services must be put in place, so that a user is clearly identified prior to gaining access. There are numerous technical implementations that can achieve this goal, including biometrics, smart cards, password vaults and secondary demand-response login. The PCI Requirement does not specify which of these methods to choose, and so the decision is a choice of operational efficiency and pure cost-benefit analysis. Do your HR or Active Directory databases clearly identify each named user? The validity and accuracy of internal username databases is handled quite well today for corporate employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This may take many forms, including generic info (ex: Name=”VendorCorp User” instead of Name=”John Smith”), missing fields (ex: no address or social security # on file), and policy training not being up to date. Even worse, remote vendor organizations often share a single account, with one userid serving all the support and development staff! In so many cases, even if perfect tracking info is handled for John Smith, it is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John’s id. The above issues can be overcome with a strong secondary identification system which requires named-user credentials, coupled with effective corporate policy enforcement.
Policy Validation and Support Ticket #’s: Yes, I read the new policy statement!
PCI Section 12.5.1 asks that you “establish, document and distribute security policies and procedures” and PCI Section 12.6.2 calls on you to “require personnel to acknowledge…that they have read and understood the security policy and procedures.” CIOs and CSOs today are facing the unpleasant fact that they can’t know exactly who each user is at a remote vendor location. Even with an extremely tight credential management workflow, there always remains a certain doubt about policy enforcement at the remote site. What’s more, the ability to require policy training is severely hampered. Relationships with a remote vendor are routed through primary points of contact, while actual work is performed by many additional employees. So even with good policy communications with the main account manager, there is no way of knowing if the actual support admin who will be logging in got the news.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
4
This communication path can impact compliance (“Does the admin know that s/he should not be opening file X”), but it also has performance and administration benefits (“Does the admin know that no database traces should be launched between Thursday midnight and Friday noon during our system upgrade?”) Some IT departments attempt to diminish this policy and admin complexity using a “ticket number” system, in which each login user must receive a one-time ticket # associated with a specific task to be performed. This certainly is an effective method to mitigate risk, but it only makes sense that this ticket tracking is also reflected in the ID-Management solution and appears in the actual user audit logs.
From ‘Compliant’ to ‘Secure’: Getting even more out of a compliance toolset
The heavy burden of PCI compliance can cause CIOs, Compliance Managers and Security Managers to focus on compliance-checklist-minimization. (“Just do the bare minimum of what will get us past the auditor!”) This approach is certainly understandable, yet it overlooks a huge opportunity to augment network security at no additional cost. Managing Physical Presence: Who is actually looking at the screen? Given that off-site remote vendors are not being managed by corporate facility security, there is a higher concern for 3rd party providers regarding what takes place on the screen. How do know who else is watching what is taking place on the screen? Adding screen recording, and making sure that the 3rd party user is aware of this, can diminish the risk of screen peaking. And even on security breaches, at least we can know exactly what data was exposed. Fast forensic resolution: Show me exactly what happened! Once a security issue is identified by system monitors, there still remains a wide gap that must be spanned: What were the conditions that allowed for this event to occur, and what can I do to prevent this from occurring again? The quickest path to answer these questions is by simply replaying the exact activity.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
5
Solving the Problem: PCI Compliancy for remote vendor environments
PCI 10.2 – Implementing audit logs (Even for apps that do not have built-in logging!)
With ObserveIT, you have instant audit logs that include details of precisely what took place. ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what machines are doing!) Therefore, it captures detailed logs for user activity in any application, even if that app does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to demonstrate what took place while a user was editing an MS-Word doc, or while running a webinar session, or while using a custom ERP extension that the system developers have not implemented logs for yet. The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.
WHAT DID THE USER DO?
A human-understandable list of every user action
Salesforce.com – Microsoft Internet Explorer MagicISO CD/DVD Manager Microsoft Visual Studio 2010
Cloud Apps Commercial S/W with no logs
Skype
CustomerDetails CRM Registry Editor
Legacy software
Who, When, Where
USER SESSION REPLAY:
Bulletproof forensics for security investigation
PCI-compliant log reports of Remote Vendor access Instant forensic investigation using visual user session replay
CAPTURES ALL ACTIONS:
Mouse movement, text entry, UI interaction, window activity
PCI 10.2 and 10.3 – Visual audit guarantees sufficient coverage and clarity of user actions
PLAYBACK NAVIGATION:
Move quickly between apps that the user ran
For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking over the user’s shoulder as it took place. With this level of accountability, there is no question as to what transpired, making any attempts of repudiation or denial utterly groundless.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
6 PCI 10.1 – Capturing Named-User credentials without complex password vault management
Privileged remote vendor users must provide detailed named-user credentials in order to initiate a session. This step is mandatory in order for the user to initiate a session. Therefore, every session is associated with a specific named user. This username appears in every log entry created during the session.
CAPTURE REAL NAME:
Named user id account credentials are required in order to continue
PRIVILEGED LOGIN:
Generic ‘aministrator’ user id
Privileged User Identification
PCI 12.5 – Policy training that will deny system access without proper acknowledgement
Before authorizing the user to access the system, ObserveIT requires that policy status information be read and confirmed. This eliminates the need to handle policy update validation in a separate process: No more email trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote vendors, in which the policy updates often go to the main point of contact, but other users are the actual people who log in. In addition, users can be asked to provide specific details about the support issue being handled, in the form of ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling between each session and the reason the session took place in the first place.
NOTE: No database admin task may be performed between 0800 and 1800 GMT Please enter your support ticket number in box below.
POLICY MESSAGING:
User must acknowledge
SUPPORT TICKET:
Require the user to provide activity identifier
Policy Updates as a mandatory part of the user authentication path
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
7
Conclusion
The existence of remote vendors poses unique challenges when establishing proper PCI compliance documentation. The issues raised by 3rd party vendors span many security categories: Audit completeness: Can you establish exactly what took place based on your existing log entries? Identity management and anonymity: Do you really know who each remote user is? Policy training: How can you be sure that each remote user receives policy updates and periodic training? Audit security: Are you able to verify that remote admins did not touch any existing log info? Flexibility of auditing platform: Does each new application deployment complicate the compliance logging requirements? ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented instead of system-oriented, you are able to recreate exactly what took place on any system resource. Benefits of this solution include: Accountability of all activities performed by a remote vendor or service provider: Each system access is linked to an identifiable individual user Reduced costs to generate compliance reports, with less effort, and faster turnaround time Unequivocal proof of user activity, guaranteeing authentication and non-repudiation
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
8
Appendix A: ObserveIT PCI Compliance Matrix
Requirement 6 : Develop and maintain secure systems and applications
6.3 Secure authentication, logging ObserveIT is a secure platform, with all data storage maintained in an SQL server that inherits all corporate security policies. All data is encrypted and digitally signed, and secure policy rules prevent any access to view or modify log data. ObserveIT Identification Services requires that any privileged user access be accompanied with specific named-user login.
Requirement 8: Assign unique ID to each person with computer access
8.1 8.2 8.4 10.1 Assign unique ID before giving access Tie passwords to id Secure password during transmission Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
Requirement 10: Track and monitor all access to network resources and cardholder data
Prior to enabling a user to initialize a session, ObserveIT can present a demandresponse secondary credential dialog, thus preventing generic privileged userid login. ObserveIT records all human activity on monitored servers, both visually as well as with a textual metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what resources where accessed and affected. ObserveIT constantly monitors and records all user activity, including applications launched, UI interaction, system configuration, registry changes or any other user-initiated action, from login to logoff. ObserveIT records at the OS level and is agnostic to connection protocol. All access to ObserveIT logs themselves is also audited and recorded. By capturing a visual recording of every user action, a full audit trail is established for every system component modification or access. ObserveIT records a timestamp for every screenshot within the user session and each associated metadata log entry. This allows for 100% correlation between the replayed sessions, and the presented metadata. ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate database security protocols are automatically inherited. All DB records are protected by digital signature, and cannot be altered or deleted. Access to records is allowed only by the users that are defined as administrators. View-only administrator access is also possible, allowing for further secure auditing. ObserveIT’s built-in compliance reports and customizable reports can be scheduled for automatic delivery on any time frame. Event activity can also be captured by any network management tool for system alerting based on user activity. ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and protected SQL database, where they are retained indefinitely. ObserveIT enables policy messaging, in which the user receives a message when initiating a login. Users must authorize that they have received and read the message.
10.2
10.2.2 10.2.3 10.2.7
10.3 10.4
Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges Access to all audit trails Creation and deletion of system-level objects. Record … audit trail entries for all system components for each event Use time-synch technology
10.5
Secure audit trains so they cannot be altered
10.6
Review logs for all system components at least daily
10.7
Retain audit trail history for at least one year
Requirement 12: Maintain a policy that addresses information security
12.5
12.5.1 12.5.5
12.6
12.6.2
12.8
Assign to an individual or team the following information security management responsibilities: Establish , document and distribute security policies and procedures Monitor and control all access to data Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures If cardholder data is shared with services providers, maintain and implement policies and procedures to manage service providers
All ObserveIT auditing features as specified in the above table is also applied to any remote service provider.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
9
About ObserveIT
ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time. Every action performed by remote vendors, developers, sysadmins, business users or privileged users is recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is unclear, simply replay the video, just as if you were looking over the user’s shoulder. ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root Cause Analysis. Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services.
For more information, please contact ObserveIT at: www.observeit-sys.com [email protected] US Phone: 1-800-687-0137 Int’l Phone: +972-3-648-0614
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
An ObserveIT Whitepaper | Gabriel Friedlander Executive Summary
To respond to the requirements of the Payment Card Industry Data Security Standard regulation (PCI-DSS, or PCI for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing business users, many of these needs can be answered using native system logs. But when it comes to privileged users, the requirements, sensitivities and complexities are all magnified. And when those privileged users happen to be third-party remote vendors, a redoubling of risk factors occurs. An auditing platform that focuses on user actions (as opposed to a focus on system resources) will create a holistic and effective solution that answers PCI requirements efficiently. The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely: Requirement 6: Develop and maintain secure systems and applications Requirement 8: Assign unique ID to each person with computer access Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 12: Maintain a policy that addresses information security for all personnel
The core essence of these requirements (most notably the numerous details within Requirement 10) boil down to a simple statement: “You should know who has done what, for every system access.” This straight-forward question is best answered with an equally straight-forward solution: “Be able to replay exactly what each user did, as if you were looking over their shoulder as they did it.” In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed, allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex: Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: customized CRM).
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
2
Scoping the Problem: Remote Vendors Have a Unique Impact on PCI Compliance
Who are these Remote Vendors, anyway?
Over the past 10 years, streamlined business factors and emerging technology enablers have led to a dramatic growth in the use of remote 3rd-party users on corporate networks – so much so that we tend to take it for granted at this point. Indeed, these business factors – optimization of HR and outsource staffing, concentration of core expertise in specific centers, SaaS and crowd-sourcing, to name a few – are built into the grain of corporate IT infrastructure today. By and large, this process has brought tremendous operational efficiency, and we can expect remote vendor access to continue in the long term. In order for remote vendors to be able to able to perform their assigned job, they typically require wide access to many corporate resources, sometimes at the level of root administrator. Unfortunately, the level of granularity available via OS access control cannot prevent ‘the bad stuff’ while still allowing ‘the stuff that actually has to be done’. After all, an admin with full read-write access to a disk drive can also delete the entire contents, and a DBA with access to a database for backup tasks can also access the database inappropriately.
Covering All Activity: Can you really know what happened based only on obscure system logs?
PCI Section 10.2 requires you to “implement automated audit trails … to reconstruct … events”. Here, the core question being raised is “What is actually captured?” When first approaching PCI compliance, it might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental question of “Who did what?” PCI auditors are highly attuned to this not-so-subtle differentiation, and know how to probe the issue during audit reviews. Exposure during audits is especially acute with regards to remote vendors and the question “Does a particular application provide sufficient logging info?” Many important business applications, especially custom apps that are developed and maintained by external vendors, have not been developed with system logging in mind. Often, audit logs are added as an afterthought, with the resulting quality in doubt. A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together logs of every possible activity via the resulting system logs, a video replay can show exactly what the user did.
Securing the Audit Trail: Is the cat guarding the cream?
PCI Section 10.5 requires you to “secure audit trails so they cannot be altered”, and PCI Section 6 calls for “secure systems and applications”, including “secure authentication and logging”. With remote vendors touching mission-critical resources, the question to be asked here is “Does a software vendor know how to neutralize the logs?” It is certainly reasonable to wonder if a remote vendor that developed a particular bespoke application has the means to temporarily pause logging functionality while performing system maintenance. Even if this not done maliciously, but rather for performance issues, it still leaves your compliance in doubt.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
3
An audit that includes exact video recording of everything the user does will overcome these issues. If each action is captured visually, then the question of what each application is sending to its system log is neutralized.
Eliminating Anonymity: ‘administrator’ is not a name
PCI Section 10.1 calls for “a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” This is also related to PCI Requirement 8, which calls for “assigning unique identification to each person with computer access”. There are a few levels of anonymity concerns that demand consideration: Do you have ID Management that ties a remote vendor’s generic login (administrator) to a named user? The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins or external remote vendors. Some form of identification services must be put in place, so that a user is clearly identified prior to gaining access. There are numerous technical implementations that can achieve this goal, including biometrics, smart cards, password vaults and secondary demand-response login. The PCI Requirement does not specify which of these methods to choose, and so the decision is a choice of operational efficiency and pure cost-benefit analysis. Do your HR or Active Directory databases clearly identify each named user? The validity and accuracy of internal username databases is handled quite well today for corporate employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This may take many forms, including generic info (ex: Name=”VendorCorp User” instead of Name=”John Smith”), missing fields (ex: no address or social security # on file), and policy training not being up to date. Even worse, remote vendor organizations often share a single account, with one userid serving all the support and development staff! In so many cases, even if perfect tracking info is handled for John Smith, it is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John’s id. The above issues can be overcome with a strong secondary identification system which requires named-user credentials, coupled with effective corporate policy enforcement.
Policy Validation and Support Ticket #’s: Yes, I read the new policy statement!
PCI Section 12.5.1 asks that you “establish, document and distribute security policies and procedures” and PCI Section 12.6.2 calls on you to “require personnel to acknowledge…that they have read and understood the security policy and procedures.” CIOs and CSOs today are facing the unpleasant fact that they can’t know exactly who each user is at a remote vendor location. Even with an extremely tight credential management workflow, there always remains a certain doubt about policy enforcement at the remote site. What’s more, the ability to require policy training is severely hampered. Relationships with a remote vendor are routed through primary points of contact, while actual work is performed by many additional employees. So even with good policy communications with the main account manager, there is no way of knowing if the actual support admin who will be logging in got the news.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
4
This communication path can impact compliance (“Does the admin know that s/he should not be opening file X”), but it also has performance and administration benefits (“Does the admin know that no database traces should be launched between Thursday midnight and Friday noon during our system upgrade?”) Some IT departments attempt to diminish this policy and admin complexity using a “ticket number” system, in which each login user must receive a one-time ticket # associated with a specific task to be performed. This certainly is an effective method to mitigate risk, but it only makes sense that this ticket tracking is also reflected in the ID-Management solution and appears in the actual user audit logs.
From ‘Compliant’ to ‘Secure’: Getting even more out of a compliance toolset
The heavy burden of PCI compliance can cause CIOs, Compliance Managers and Security Managers to focus on compliance-checklist-minimization. (“Just do the bare minimum of what will get us past the auditor!”) This approach is certainly understandable, yet it overlooks a huge opportunity to augment network security at no additional cost. Managing Physical Presence: Who is actually looking at the screen? Given that off-site remote vendors are not being managed by corporate facility security, there is a higher concern for 3rd party providers regarding what takes place on the screen. How do know who else is watching what is taking place on the screen? Adding screen recording, and making sure that the 3rd party user is aware of this, can diminish the risk of screen peaking. And even on security breaches, at least we can know exactly what data was exposed. Fast forensic resolution: Show me exactly what happened! Once a security issue is identified by system monitors, there still remains a wide gap that must be spanned: What were the conditions that allowed for this event to occur, and what can I do to prevent this from occurring again? The quickest path to answer these questions is by simply replaying the exact activity.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
5
Solving the Problem: PCI Compliancy for remote vendor environments
PCI 10.2 – Implementing audit logs (Even for apps that do not have built-in logging!)
With ObserveIT, you have instant audit logs that include details of precisely what took place. ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what machines are doing!) Therefore, it captures detailed logs for user activity in any application, even if that app does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to demonstrate what took place while a user was editing an MS-Word doc, or while running a webinar session, or while using a custom ERP extension that the system developers have not implemented logs for yet. The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.
WHAT DID THE USER DO?
A human-understandable list of every user action
Salesforce.com – Microsoft Internet Explorer MagicISO CD/DVD Manager Microsoft Visual Studio 2010
Cloud Apps Commercial S/W with no logs
Skype
CustomerDetails CRM Registry Editor
Legacy software
Who, When, Where
USER SESSION REPLAY:
Bulletproof forensics for security investigation
PCI-compliant log reports of Remote Vendor access Instant forensic investigation using visual user session replay
CAPTURES ALL ACTIONS:
Mouse movement, text entry, UI interaction, window activity
PCI 10.2 and 10.3 – Visual audit guarantees sufficient coverage and clarity of user actions
PLAYBACK NAVIGATION:
Move quickly between apps that the user ran
For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking over the user’s shoulder as it took place. With this level of accountability, there is no question as to what transpired, making any attempts of repudiation or denial utterly groundless.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
6 PCI 10.1 – Capturing Named-User credentials without complex password vault management
Privileged remote vendor users must provide detailed named-user credentials in order to initiate a session. This step is mandatory in order for the user to initiate a session. Therefore, every session is associated with a specific named user. This username appears in every log entry created during the session.
CAPTURE REAL NAME:
Named user id account credentials are required in order to continue
PRIVILEGED LOGIN:
Generic ‘aministrator’ user id
Privileged User Identification
PCI 12.5 – Policy training that will deny system access without proper acknowledgement
Before authorizing the user to access the system, ObserveIT requires that policy status information be read and confirmed. This eliminates the need to handle policy update validation in a separate process: No more email trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote vendors, in which the policy updates often go to the main point of contact, but other users are the actual people who log in. In addition, users can be asked to provide specific details about the support issue being handled, in the form of ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling between each session and the reason the session took place in the first place.
NOTE: No database admin task may be performed between 0800 and 1800 GMT Please enter your support ticket number in box below.
POLICY MESSAGING:
User must acknowledge
SUPPORT TICKET:
Require the user to provide activity identifier
Policy Updates as a mandatory part of the user authentication path
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
7
Conclusion
The existence of remote vendors poses unique challenges when establishing proper PCI compliance documentation. The issues raised by 3rd party vendors span many security categories: Audit completeness: Can you establish exactly what took place based on your existing log entries? Identity management and anonymity: Do you really know who each remote user is? Policy training: How can you be sure that each remote user receives policy updates and periodic training? Audit security: Are you able to verify that remote admins did not touch any existing log info? Flexibility of auditing platform: Does each new application deployment complicate the compliance logging requirements? ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented instead of system-oriented, you are able to recreate exactly what took place on any system resource. Benefits of this solution include: Accountability of all activities performed by a remote vendor or service provider: Each system access is linked to an identifiable individual user Reduced costs to generate compliance reports, with less effort, and faster turnaround time Unequivocal proof of user activity, guaranteeing authentication and non-repudiation
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
8
Appendix A: ObserveIT PCI Compliance Matrix
Requirement 6 : Develop and maintain secure systems and applications
6.3 Secure authentication, logging ObserveIT is a secure platform, with all data storage maintained in an SQL server that inherits all corporate security policies. All data is encrypted and digitally signed, and secure policy rules prevent any access to view or modify log data. ObserveIT Identification Services requires that any privileged user access be accompanied with specific named-user login.
Requirement 8: Assign unique ID to each person with computer access
8.1 8.2 8.4 10.1 Assign unique ID before giving access Tie passwords to id Secure password during transmission Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
Requirement 10: Track and monitor all access to network resources and cardholder data
Prior to enabling a user to initialize a session, ObserveIT can present a demandresponse secondary credential dialog, thus preventing generic privileged userid login. ObserveIT records all human activity on monitored servers, both visually as well as with a textual metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what resources where accessed and affected. ObserveIT constantly monitors and records all user activity, including applications launched, UI interaction, system configuration, registry changes or any other user-initiated action, from login to logoff. ObserveIT records at the OS level and is agnostic to connection protocol. All access to ObserveIT logs themselves is also audited and recorded. By capturing a visual recording of every user action, a full audit trail is established for every system component modification or access. ObserveIT records a timestamp for every screenshot within the user session and each associated metadata log entry. This allows for 100% correlation between the replayed sessions, and the presented metadata. ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate database security protocols are automatically inherited. All DB records are protected by digital signature, and cannot be altered or deleted. Access to records is allowed only by the users that are defined as administrators. View-only administrator access is also possible, allowing for further secure auditing. ObserveIT’s built-in compliance reports and customizable reports can be scheduled for automatic delivery on any time frame. Event activity can also be captured by any network management tool for system alerting based on user activity. ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and protected SQL database, where they are retained indefinitely. ObserveIT enables policy messaging, in which the user receives a message when initiating a login. Users must authorize that they have received and read the message.
10.2
10.2.2 10.2.3 10.2.7
10.3 10.4
Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges Access to all audit trails Creation and deletion of system-level objects. Record … audit trail entries for all system components for each event Use time-synch technology
10.5
Secure audit trains so they cannot be altered
10.6
Review logs for all system components at least daily
10.7
Retain audit trail history for at least one year
Requirement 12: Maintain a policy that addresses information security
12.5
12.5.1 12.5.5
12.6
12.6.2
12.8
Assign to an individual or team the following information security management responsibilities: Establish , document and distribute security policies and procedures Monitor and control all access to data Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures If cardholder data is shared with services providers, maintain and implement policies and procedures to manage service providers
All ObserveIT auditing features as specified in the above table is also applied to any remote service provider.
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
9
About ObserveIT
ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time. Every action performed by remote vendors, developers, sysadmins, business users or privileged users is recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is unclear, simply replay the video, just as if you were looking over the user’s shoulder. ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root Cause Analysis. Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services.
For more information, please contact ObserveIT at: www.observeit-sys.com [email protected] US Phone: 1-800-687-0137 Int’l Phone: +972-3-648-0614
Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
© Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
