Easy PCI - How to Eliminate Remote Vendors in PCI-DSS Compliant Platform by ObserveIT



Easy PCI:
How to Eliminate Remote Vendor Complexity
in PCI-DSS Compliant Platforms
An ObserveIT Whitepaper | Gabriel Friedlander

Executive Summary
  To respond to the requirements of the Payment Card Industry Data Security Standard regulation (PCI-DSS, or PCI
  for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing
  business users, many of these needs can be answered using native system logs. But when it comes to privileged
  users, the requirements, sensitivities and complexities are all magnified. And when those privileged users
  happen to be third-party remote vendors, a redoubling of risk factors occurs.

  An auditing platform that focuses on user actions (as opposed to a focus on system resources) will create a
  holistic and effective solution that answers PCI requirements efficiently.

  The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data
  storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely:

             Requirement 6: Develop and maintain secure systems and applications
             Requirement 8: Assign unique ID to each person with computer access
             Requirement 10: Track and monitor all access to network resources and cardholder data
             Requirement 12: Maintain a policy that addresses information security for all personnel

  The core essence of these requirements (most notably the numerous details within Requirement 10) boils down
  to a simple statement: “You should know who has done what, for every system access.” This straight-forward
  question is best answered with an equally straight-forward solution: “Be able to replay exactly what each user
  did, as if you were looking over their shoulder as they did it.”

  In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed,
  allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex:
  Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: customized CRM).

                     Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms
                                        © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

Scoping the Problem:
Remote Vendors Have a Unique Impact on PCI Compliance
Who are these Remote Vendors, anyway?
  Over the past 10 years, streamlined business factors and emerging technology enablers have led to a dramatic
  growth in the use of remote 3rd-party users on corporate networks – so much so that we tend to take it for
  granted at this point.

  Indeed, these business factors – optimization of HR and outsource staffing, concentration of core expertise in
  specific centers, SaaS and crowd-sourcing, to name a few – are built into the grain of corporate IT infrastructure
  today. By and large, this process has brought tremendous operational efficiency, and we can expect remote
  vendor access to continue in the long term.

  In order for remote vendors to be able to perform their assigned job, they typically require wide access
  to many corporate resources, sometimes at the level of root administrator. Unfortunately, the level of
  granularity available via OS access control cannot prevent ‘the bad stuff’ while still allowing ‘the stuff that
  actually has to be done’. After all, an admin with full read-write access to a disk drive can also delete the entire
  contents, and a DBA with access to a database for backup tasks can also access the database inappropriately.

Covering All Activity: Can you really know what happened based only on obscure system logs?
  PCI Section 10.2 requires you to “implement automated audit trails … to reconstruct … events”.

  Here, the core question being raised is “What is actually captured?” When first approaching PCI compliance, it
  might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just
  a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental
  question of “Who did what?” PCI auditors are highly attuned to this not-so-subtle differentiation, and know how
  to probe the issue during audit reviews.

  Exposure during audits is especially acute with regards to remote vendors and the question “Does a particular
  application provide sufficient logging info?” Many important business applications, especially custom apps that
  are developed and maintained by external vendors, have not been developed with system logging in mind.
  Often, audit logs are added as an afterthought, with the resulting quality in doubt.

  A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together
  logs of every possible activity via the resulting system logs, a video replay can show exactly what the user did.

Securing the Audit Trail: Is the cat guarding the cream?
  PCI Section 10.5 requires you to “secure audit trails so they cannot be altered”, and PCI Section 6 calls for
  “secure systems and applications”, including “secure authentication and logging”.

  With remote vendors touching mission-critical resources, the question to be asked here is “Does a software
  vendor know how to neutralize the logs?” It is certainly reasonable to wonder if a remote vendor that
  developed a particular bespoke application has the means to temporarily pause logging functionality while
  performing system maintenance. Even if this is not done maliciously, but rather for performance reasons, it still
  leaves your compliance in doubt.


 An audit that includes exact video recording of everything the user does will overcome these issues. If each
 action is captured visually, then the question of what each application is sending to its system log is neutralized.

Eliminating Anonymity: ‘administrator’ is not a name
 PCI Section 10.1 calls for “a process for linking all access to system components (especially access done with
 administrative privileges such as root) to each individual user.” This is also related to PCI Requirement 8, which
 calls for “assigning unique identification to each person with computer access”.

 There are a few levels of anonymity concerns that demand consideration:

     Do you have ID Management that ties a remote vendor’s generic login (administrator) to a named user?
      The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins
      or external remote vendors. Some form of identification services must be put in place, so that a user is
      clearly identified prior to gaining access. There are numerous technical implementations that can achieve
      this goal, including biometrics, smart cards, password vaults and secondary demand-response login. The
      PCI Requirement does not specify which of these methods to choose, and so the decision is a choice of
      operational efficiency and pure cost-benefit analysis.

     Do your HR or Active Directory databases clearly identify each named user?
      The validity and accuracy of internal username databases is handled quite well today for corporate
      employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This
      may take many forms, including generic info (ex: Name=”VendorCorp User” instead of Name=”John
      Smith”), missing fields (ex: no address or social security # on file), and policy training not being up to date.
      Even worse, remote vendor organizations often share a single account, with one userid serving all the
      support and development staff! In so many cases, even if perfect tracking info is handled for John Smith, it
      is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John’s id.

 The above issues can be overcome with a strong secondary identification system which requires named-user
 credentials, coupled with effective corporate policy enforcement.

Policy Validation and Support Ticket #’s: Yes, I read the new policy statement!
 PCI Section 12.5.1 asks that you “establish, document and distribute security policies and procedures” and PCI
 Section 12.6.2 calls on you to “require personnel to acknowledge…that they have read and understood the
 security policy and procedures.”

 CIOs and CSOs today are facing the unpleasant fact that they can’t know exactly who each user is at a remote
 vendor location. Even with an extremely tight credential management workflow, there always remains a certain
 doubt about policy enforcement at the remote site.

 What’s more, the ability to require policy training is severely hampered. Relationships with a remote vendor are
 routed through primary points of contact, while actual work is performed by many additional employees. So
 even with good policy communications with the main account manager, there is no way of knowing if the actual
 support admin who will be logging in got the news.


 This communication path can impact compliance (“Does the admin know that s/he should not be opening file
 X”), but it also has performance and administration benefits (“Does the admin know that no database traces
 should be launched between Thursday midnight and Friday noon during our system upgrade?”)

 Some IT departments attempt to diminish this policy and admin complexity using a “ticket number” system, in
 which each login user must receive a one-time ticket # associated with a specific task to be performed. This
 certainly is an effective method to mitigate risk, but it only makes sense that this ticket tracking is also reflected
 in the ID-Management solution and appears in the actual user audit logs.

From ‘Compliant’ to ‘Secure’: Getting even more out of a compliance toolset
 The heavy burden of PCI compliance can cause CIOs, Compliance Managers and Security Managers to focus on
 compliance-checklist-minimization. (“Just do the bare minimum of what will get us past the auditor!”) This
 approach is certainly understandable, yet it overlooks a huge opportunity to augment network security at no
 additional cost.

     Managing Physical Presence: Who is actually looking at the screen?
      Given that off-site remote vendors are not being managed by corporate facility security, there is a higher
      concern for 3rd party providers regarding what takes place on the screen. How do you know who else is
      watching what is taking place on the screen? Adding screen recording, and making sure that the 3rd party
      user is aware of this, can diminish the risk of screen peeking. And even in the event of a security breach, at
      least we can know exactly what data was exposed.

     Fast forensic resolution: Show me exactly what happened!
      Once a security issue is identified by system monitors, there still remains a wide gap that must be spanned:
      What were the conditions that allowed for this event to occur, and what can I do to prevent this from
      occurring again? The quickest path to answer these questions is by simply replaying the exact activity.


Solving the Problem: PCI Compliance for remote vendor environments
PCI 10.2 – Implementing audit logs (Even for apps that do not have built-in logging!)
  With ObserveIT, you have instant audit logs that include details of precisely what took place.

  ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what
  machines are doing!) Therefore, it captures detailed logs for user activity in any application, even if that app
  does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to
  demonstrate what took place while a user was editing an MS-Word doc, or while running a webinar session, or
  while using a custom ERP extension that the system developers have not implemented logs for yet.

  The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.

  [Figure: ObserveIT user activity report with session replay. Callouts: “WHAT DID THE USER DO? A human-understandable
  list of every user action”; sample entries: Salesforce.com – Microsoft Internet Explorer (cloud apps), MagicISO CD/DVD
  Manager, Microsoft Visual Studio 2010 (commercial S/W with no logs), CustomerDetails CRM (legacy software), Registry
  Editor; “Who, When, Where”; “PCI-compliant log reports of Remote Vendor access”; “Instant forensic investigation using
  visual user session replay”; “USER SESSION REPLAY: Bulletproof forensics for security investigation”; “CAPTURES ALL
  ACTIONS: Mouse movement, text entry, UI interaction, window activity”; “PLAYBACK NAVIGATION: Move quickly between
  apps that the user ran”.]

PCI 10.2 and 10.3 – Visual audit guarantees sufficient coverage and clarity of user actions
  For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact
  playback of user activity, as if you were looking over the user’s shoulder as it took place.

  With this level of accountability, there is no question as to what transpired, making any attempts of repudiation
  or denial utterly groundless.


PCI 10.1 – Capturing Named-User credentials without complex password vault management
 Privileged remote vendor users must provide detailed named-user credentials in order to initiate a session; a
 session cannot be started without this step. Therefore, every session is associated with a specific named user,
 and this username appears in every log entry created during the session.

 [Figure: Privileged User Identification. Callouts: “PRIVILEGED LOGIN: Generic ‘administrator’ user id”; “CAPTURE REAL
 NAME: Named user id account credentials are required in order to continue”.]

PCI 12.5 – Policy training that will deny system access without proper acknowledgement
 Before authorizing the user to access the system, ObserveIT requires that policy status information be read and
 confirmed. This eliminates the need to handle policy update validation in a separate process: No more email
 trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote
 vendors, in which the policy updates often go to the main point of contact, but other users are the actual people
 who log in.

 In addition, users can be asked to provide specific details about the support issue being handled, in the form of
 ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling
 between each session and the reason the session took place.

 [Figure: Policy Updates as a mandatory part of the user authentication path. Dialog text: “NOTE: No database admin
 task may be performed between 0800 and 1800 GMT. Please enter your support ticket number in box below.” Callouts:
 “POLICY MESSAGING: User must acknowledge”; “SUPPORT TICKET: Require the user to provide activity identifier”.]


  The existence of remote vendors poses unique challenges when establishing proper PCI compliance
  documentation. The issues raised by 3rd party vendors span many security categories:

      Audit completeness: Can you establish exactly what took place based on your existing log entries?
      Identity management and anonymity: Do you really know who each remote user is?
      Policy training: How can you be sure that each remote user receives policy updates and periodic training?
      Audit security: Are you able to verify that remote admins did not touch any existing log info?
      Flexibility of auditing platform: Does each new application deployment complicate the compliance
       logging requirements?
  ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented
  instead of system-oriented, you are able to recreate exactly what took place on any system resource.

  Benefits of this solution include:

      Accountability of all activities performed by a remote vendor or service provider: Each system access is
       linked to an identifiable individual user
      Reduced costs to generate compliance reports, with less effort, and faster turnaround time
      Unequivocal proof of user activity, guaranteeing authentication and non-repudiation


Appendix A: ObserveIT PCI Compliance Matrix

Requirement 6: Develop and maintain secure systems and applications
  6.3     Secure authentication, logging
          ObserveIT is a secure platform, with all data storage maintained in an SQL server that inherits all
          corporate security policies. All data is encrypted and digitally signed, and secure policy rules prevent
          any access to view or modify log data.

Requirement 8: Assign unique ID to each person with computer access
  8.1     Assign unique ID before giving access
  8.2     Tie passwords to id
  8.4     Secure password during transmission
          ObserveIT Identification Services requires that any privileged user access be accompanied with specific
          named-user login.

Requirement 10: Track and monitor all access to network resources and cardholder data
  10.1    Establish a process for linking all access to system components (especially access done with
          administrative privileges such as root) to each individual user
          Prior to enabling a user to initialize a session, ObserveIT can present a demand-response secondary
          credential dialog, thus preventing generic privileged userid login.
          ObserveIT records all human activity on monitored servers, both visually as well as with a textual
          metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what
          resources were accessed and affected.
  10.2    Implement automated audit trails for all system components to reconstruct the following events:
   10.2.2 All actions taken by any individual with root or administrative privileges
   10.2.3 Access to all audit trails
   10.2.7 Creation and deletion of system-level objects.
          ObserveIT constantly monitors and records all user activity, including applications launched, UI
          interaction, system configuration, registry changes or any other user-initiated action, from login to
          logoff. ObserveIT records at the OS level and is agnostic to connection protocol. All access to ObserveIT
          logs themselves is also audited and recorded.
  10.3    Record … audit trail entries for all system components for each event
          By capturing a visual recording of every user action, a full audit trail is established for every system
          component modification or access.
  10.4    Use time-synch technology
          ObserveIT records a timestamp for every screenshot within the user session and each associated
          metadata log entry. This allows for 100% correlation between the replayed sessions and the presented
          metadata.
  10.5    Secure audit trails so they cannot be altered
          ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate
          database security protocols are automatically inherited. All DB records are protected by digital
          signature, and cannot be altered or deleted. Access to records is allowed only by the users that are
          defined as administrators. View-only administrator access is also possible, allowing for further secure
          auditing.
  10.6    Review logs for all system components at least daily
          ObserveIT’s built-in compliance reports and customizable reports can be scheduled for automatic
          delivery on any time frame. Event activity can also be captured by any network management tool for
          system alerting based on user
  10.7    Retain audit trail history for at least one year
          ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and
          protected SQL database, where they are retained indefinitely.

Requirement 12: Maintain a policy that addresses information security
  12.5    Assign to an individual or team the following information security management responsibilities:
   12.5.1 Establish, document and distribute security policies and procedures
   12.5.5 Monitor and control all access to data
  12.6    Implement a formal security awareness program to make all personnel aware of the importance of
          cardholder data security
   12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security
          policy and procedures
          ObserveIT enables policy messaging, in which the user receives a message when initiating a login.
          Users must authorize that they have received and read the message.
  12.8    If cardholder data is shared with service providers, maintain and implement policies and procedures
          to manage service providers
          All ObserveIT auditing features as specified in the above table are also applied to any remote service
          provider.
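The matrix rows for 10.1, 10.4, 10.5 and 12.5 (and the “PCI 10.1” and “PCI 12.5” sections above) describe four properties of a session audit trail: every entry names the real user behind the generic login, carries a timestamp, is tied to a support ticket and a policy acknowledgement, and cannot be altered or deleted without detection. The following Python is an added illustration of those properties, written for this page; it is not ObserveIT’s code and does not describe how the product stores or signs its records. It assumes an HMAC-SHA256 hash chain in place of the product’s digital signatures, a constructed signing key, and constructed user, ticket and event values.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a real deployment the signing key lives outside the
# audited hosts (HSM or vault) so the administrators being recorded cannot read it.
SIGNING_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # value chained into the first entry


def _canonical(record):
    """Deterministic serialization so the MAC is reproducible at verification time."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(prev_mac, record):
    """HMAC-SHA256 over the previous MAC plus this record: an edit or a gap breaks the chain."""
    return hmac.new(SIGNING_KEY, prev_mac.encode() + _canonical(record), hashlib.sha256).hexdigest()


class SessionAuditLog:
    """Append-only session log: every entry carries the named user, the ticket and a
    timestamp, and is chained to its predecessor by an HMAC."""

    def __init__(self):
        self.entries = []  # list of {"record": {...}, "mac": "..."}

    def open_session(self, generic_login, named_user, ticket, policy_ack, now=None):
        """Login gate (10.1 / 12.5): refuse a session without a named user, a support
        ticket and an explicit policy acknowledgement."""
        if not named_user:
            raise PermissionError("named-user credentials required behind %r" % generic_login)
        if not policy_ack:
            raise PermissionError("security policy must be acknowledged before access")
        if not ticket:
            raise PermissionError("support ticket number required")
        session_id = sum(1 for e in self.entries if e["record"]["event"] == "login") + 1
        self.append(session_id, generic_login, named_user, ticket, "login", "session opened", now)
        return session_id

    def append(self, session_id, generic_login, named_user, ticket, event, detail, now=None):
        """Add one timestamped entry (10.4) chained to the previous one (10.5)."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        record = {"seq": len(self.entries), "ts": ts, "session": session_id,
                  "login": generic_login, "user": named_user, "ticket": ticket,
                  "event": event, "detail": detail}
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        self.entries.append({"record": record, "mac": _mac(prev, record)})

    def head(self):
        """MAC of the last entry; keep a copy off-host so a cut-off tail is detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute the chain. Returns (ok, first_bad_seq); first_bad_seq is None when ok."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["record"]["seq"] != i or _mac(prev, e["record"]) != e["mac"]:
                return False, i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # entries were removed from the tail
        return True, None


def demo():
    """Constructed walk-through: one vendor session, then three tampering attempts."""
    log = SessionAuditLog()
    t0 = datetime(2011, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    user, ticket = "John Smith (VendorCorp)", "TCK-1042"   # constructed values
    sid = log.open_session("administrator", user, ticket, True, t0)
    log.append(sid, "administrator", user, ticket, "app", "Registry Editor launched", t0)
    log.append(sid, "administrator", user, ticket, "logoff", "session closed", t0)
    head = log.head()  # copied off-host, e.g. to the central protected store
    results = {"clean": log.verify(head)}

    edited = SessionAuditLog()  # someone rewrites who performed the action
    edited.entries = [dict(e, record=dict(e["record"])) for e in log.entries]
    edited.entries[1]["record"]["user"] = "Joe Williams (VendorCorp)"
    results["edited"] = edited.verify(head)

    deleted = SessionAuditLog()  # the middle entry is removed
    deleted.entries = [log.entries[0], log.entries[2]]
    results["deleted"] = deleted.verify(head)

    truncated = SessionAuditLog()  # the logoff entry is dropped from the tail
    truncated.entries = log.entries[:2]
    results["truncated"] = truncated.verify(head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The chain alone detects edits and deletions in the middle of the log; detecting a shortened tail needs the last MAC stored somewhere the audited administrators cannot write, which is why `head()` is meant to be copied off-host. Replacing the HMAC with a real signature over each record gives the same checks without sharing a secret with the verifier.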


About ObserveIT
  ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence
  of user sessions, significantly shortening investigation time.

  Every action performed by remote vendors, developers, sysadmins, business users or privileged users is
  recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is
  unclear, simply replay the video, just as if you were looking over the user’s shoulder.

  ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root
  Cause Analysis.

  Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including
  finance, healthcare, manufacturing, telecom, government and IT services.

                                                                  For more information, please contact ObserveIT at:
                                                                  US Phone: 1-800-687-0137
                                                                  Int’l Phone: +972-3-648-0614
