White Paper
PCI Compliance: The CA Solution
Sumner Blount, Security Product Solutions
May 2007
Table of Contents
Introduction to PCI Compliance ..... 3
Summary of the PCI Requirements ..... 3
The CA Security Solution: An Introduction ..... 4
Achieving PCI Compliance ..... 4
The Role of Risk and Control Portfolio Management ..... 8
Summary ..... 9
The CA Solution for Security Management ..... 9
Introduction to PCI Compliance
The Payment Card Industry (PCI) Data Security Standard (referred to hereafter as “PCI”) represents a collaboration between the leading credit card institutions, including, among others, Visa, MasterCard, American Express and Discover. This standard was jointly created in order to ensure consistency of security standards for these card issuers, and to assure cardholders that their account information was secure, regardless of where the card was used for payment. As part of this effort, the Cardholder Information Security Program (CISP) was created in order to monitor compliance to this standard. The standard was formally adopted in December 2004, with initial compliance required by June 2005. Although there are financial penalties that can be levied against any vendor or service provider who does not comply with these regulations, the most important penalty is the denial of the ability of the merchant to accept or process credit card transactions. Such a penalty could easily destroy their business.
Summary of the PCI Requirements
The PCI standard does not mandate specific technology or products. Rather, it defines industry best practices for how credit card information should be handled, communicated and stored in order to reduce the probability of unauthorized access to that information. Many of the requirements of PCI relate to strengthening the security perimeter — ensuring that the “bad guys” don’t get access to any internal systems or data that contain cardholder information. However, a number of recent events, such as the CardSystems scandal, illustrate that it is often the insider who is the cause of a major security breach. Therefore, the PCI standard includes a number of requirements whose sole purpose is to limit the access of employees of the vendor or services organization to full customer credit card information. The number of employees who are permitted to see the full credit card number, for example, is strictly limited only to those individuals who clearly “need to know” this information. There are six major categories of requirements in the standard, each of which has a small number of major requirements. The following table lists these categories and major requirements:
Category / Requirement
Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data.
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program.
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement strong access control measures.
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy.
  12. Maintain a policy that addresses information security
The CA Security Solution: An Introduction
Security is a significant component of today’s IT infrastructures. In a dynamic computing environment with a variety of assets that need protection, as well as a large and diverse user population, it is critical to ensure:
• Protection of critical assets from malicious code, such as viruses, worms, keyloggers and rootkits, as well as malware such as spyware and spam
• Proactive risk mitigation by reducing system vulnerabilities
• Centralized enforcement of access policies for protection of hosts, applications and data
• Automated provisioning and maintenance of digital identities
• Integrated solutions with centralized control of the extended security infrastructure
• Centralized auditing and reporting to enable effective regulatory compliance
CA leads the industry by providing an integrated set of security management solutions:
• CA Identity and Access Management (IAM) to effectively manage your users and their access
• CA Security Information Management to improve and automate the process of security event analysis
• CA Integrated Threat Management to combat the complexity of today’s threat attacks
This integrated platform helps you determine and control who has access to your critical corporate resources, determine what is happening in your environment, and combat major categories of online threats. In this way, it can help you achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations. The following graphic illustrates the three areas of CA security solutions, and a list of the functional capabilities provided by these solutions:
[Graphic: The CA Security Management Solution]
Identity and Access Management: Authentication, Authorization, Federation, Web Services, Provisioning, Password Management, SSO, Access Management
Security Information Management: Asset Discovery & Classification, Event Collection, Vulnerability Assessment, Correlation, Forensics, Compliance Mapping, Policy Management, Reporting
Threat Management: Virus Prevention, Spyware Prevention, Anti-Spam, Gateway Protection, Firewall Protection, Scan and Clean, Malware Protection, Proactive Management
Achieving PCI Compliance
PCI compliance involves a variety of requirements, all of which are focused on different areas of establishing a secure environment for the communication and handling of private cardholder information. Some of these requirements are purely process-related, but most can be either achieved or aided through the use of technology in addition to improved security processes. The PCI requirements that can be significantly addressed by CA security solutions include the following (requirements not listed do not relate to CA Solutions):
Requirement #1: Install and maintain a firewall configuration to protect cardholder data
Summary of Requirement: Firewall configuration standards must be established that define processes, procedures and requirements for securing all network connections. Firewalls must be deployed that restrict connections between publicly accessible servers and any system component storing cardholder data. The CA Solution: The CA Host-Based Intrusion Protection System (CA HIPS) provides three key technologies: a standalone firewall, IDS/IPS rules and System Security Guards. These three technologies, alone or in combination, provide comprehensive protection. These protections are applied via a set of rules and policies and provide the following capabilities:
• Firewall: blocks or allows traffic into or out of the system
• Rules: the Intrusion Detection (IDS) rules block known threats, while Intrusion Prevention (IPS) rules provide behavioral protection that blocks zero-day attacks, essentially blocking the unknown
• System Security Guards: protect the core system services such as the Registry, system configuration, etc.
There are several ways CA HIPS can provide protection for cardholder information. It can block or allow traffic at the endpoint, and can set a policy under which the cardholder data is locked down so that no action can be taken on it. Or, it can lock down the data so that it can only be accessed under specific circumstances and at specific times.
Requirement #2: Do not use vendor-supplied defaults for system passwords and other security parameters
Summary of Requirement: All default passwords must be changed before a system is installed on the network. Also, configuration standards must be developed for all system components. These standards must address all known security vulnerabilities and industry best practices. CA Solution: The CA Policy and Configuration Manager helps organizations identify and compare the security configurations of their critical business assets to an established baseline, provides configuration remediation and measures progress through risk-based reporting. This solution automates the configuration assessment and remediation process, enabling you to improve security policy monitoring efficiencies while reducing ancillary operational costs. Its comprehensive policy and configuration assessment process allows you to mitigate risk and ensure compliance with security policies and industry standards. The CA Policy and Configuration Manager delivers a security configuration management solution providing:
• Configuration identification — providing pre-defined and customizable configuration assessment across your diverse IT infrastructure.
• Configuration baselines — allowing you to build a baseline snapshot of an asset’s security configuration, monitor and report deviations from this established baseline, and therefore manage by exception.
• Configuration enforcement — providing remediation and reporting tools to help you enforce your configuration policies across your enterprise environment.
Requirement #3: Protect Stored Cardholder Data
Summary of Requirement: Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, then without the proper cryptographic keys the data is unreadable and unusable to that person. CA Solution: CA Tape Encryption transparently encrypts mainframe and distributed data as it is being written to standard label z/OS tapes. It safeguards personal and business-critical information from unauthorized access, and is a flexible, easy to implement and use comprehensive solution that does not require JCL or application changes. Best of all, it ensures data is protected even if those tapes fall into the wrong hands. For companies that have previously invested in data protection hardware, software, and processes, CA Tape Encryption:
• Safeguards corporate and personal data from unauthorized access
• Mitigates risk and the potential costly financial exposures from breached data
• Fulfills the ability to prove compliance with state and federal government regulations
• Is integral to all Business Continuance, Disaster Recovery and regulatory compliance strategies
CA Tape Encryption dynamically encrypts and decrypts any application data on its way to and from z/OS magnetic tape. It simplifies management of the tape encryption process through automation, making it easier for companies to reduce the risk of unauthorized access to confidential information and fulfill escalating information security breach compliance requirements. It easily fits into the IT infrastructure by not disrupting IT processes, while leveraging current hardware and software investments. Working with virtually all mainframe security systems and tape management systems employed today, CA Tape Encryption is designed with implementation simplicity and flexibility in mind. It automates all encryption and decryption processes and is transparent to users and applications. CA Tape Encryption is the only z/OS software encryption solution that offers automated, integrated, full life cycle key management. CA Tape Encryption full life cycle key management goes beyond just the central identification, storage and protection of keys. It includes the creation, monitoring, tracking, auditing, backup and recovery of keys, and the automated expiration and removal of expired keys.
Requirement #5: Use and regularly update antivirus software
Summary of Requirement: Antivirus software must be running on all email and desktop systems, and must be regularly checked to ensure that it is actively running and capable of generating audit logs. CA Solution: CA Threat Manager is a comprehensive solution that combines the best-of-breed capabilities of CA Anti-Virus with the anti-spyware capabilities of the CA Anti-Spyware solution. This integrated solution combats a range of malware attacks, including viruses, worms, keyloggers, rootkits and so on, as well as identifying and removing spyware and adware. Because these solutions are integrated, CA Threat Manager can also attack blended threats that combine aspects of different categories of these malware attacks.
Requirement #6: Develop and maintain secure systems and applications
Summary of Requirement: All system components must have the latest vendor-supplied security patches, and there needs to be a well-defined process for identifying new vulnerabilities, as well as managing and tracking the patch status of all affected systems. CA Solution: One common cause of successful attacks is the delay in installing patches to combat a particular vulnerability. This delay is exacerbated when the current status of these vulnerabilities across the entire IT environment is either unknown or inaccurate. As an IT environment grows in size, the management of these vulnerabilities quickly becomes daunting and error-prone, and even a short delay in deploying patches for a given vulnerability can have significant negative impacts. In short, ineffective tracking and management of vulnerabilities across all systems can be a significant problem in terms of establishing a strong security environment. CA Vulnerability Manager is an effective solution that helps you know, or discover, your assets, understand your security exposures and risks, know what action to take, and measure progress, delivered in an easily deployable appliance. Using an asset-based vulnerability assessment helps you quickly protect your enterprise before your systems are compromised. Since exploits of new vulnerabilities are often available almost immediately, the ability to track, manage and deploy fixes for these vulnerabilities becomes extremely important.
Requirement #7: Restrict access to data by business need-to-know
Summary of Requirement: Access to systems, applications and data (especially cardholder information) must be tightly restricted to only those individuals who have a clearly defined need to obtain this information. CA Solution: Despite the fact that this section is one of the shortest of the entire PCI standard, it is very broad in its scope, and compliance may require the most effort of any requirement in the entire standard.
This section requires that all computing resources (that store or process credit card information) be available only to those people whose job requires such access. The term “resources” needs to be viewed in its full generality, and solutions and processes must include protection of all of these resources in order to ensure compliance. Specifically, access to web applications, enterprise applications, host systems, databases, system files, critical system services, and even “superuser” access rights needs to be tightly controlled. Any solution that does not provide protection for all types of these resources is not sufficient to meet the intent of this requirement. In the case of applications and cardholder data, access is typically based on the user’s role, however that is defined by each individual organization. But other factors could easily be important in deciding whether access to cardholder information should be allowed — examples include the time of day and day of the week, the location (home or office) of the user, the method used for authentication of the user, or any other attribute of the user. Only a comprehensive solution for asset protection will ensure that only properly authorized individuals can view or process confidential cardholder information. CA SiteMinder® Web Access Manager is the industry-leading solution for web application access management. Specific policies can be easily defined that will ensure that only appropriate individuals will be able to access the applications and confidential information related to credit card processing. In addition, by centrally enforcing all access to these applications, development and maintenance of web applications becomes much simpler, because application developers can focus on the business logic of the application rather than on enforcing security within each application.
Another important by-product of this section of the PCI standard is that access to any host systems that process credit card information must also be tightly controlled. Users who are not authorized to view confidential cardholder information should not be allowed access of any kind to the systems that house that information, unless there is some other compelling reason for that access to be required. To protect against malicious acts against those systems, access to critical system files, and even the rights to control or terminate critical system services, must be strongly enforced.
A common and related problem in many IT environments is the number of users with “superuser” access rights. Typically, there are many more superusers (Root, Administrator) than is absolutely required based on their job function, and most of these users do not need all the rights that they are granted. Such an environment raises the risk of improper access to cardholder information, either malicious or inadvertent, and could therefore hinder full PCI compliance. The solution to this problem involves three key elements. First, only grant superuser access rights to the most trusted users in the entire environment. Second, deploy a solution that provides granular superuser access rights, so that all administrators can be granted only those rights that they need to perform their job function. And third, ensure that all superusers are individually identified in the system and do not all use the “Administrator” account. This last requirement will ensure that inappropriate actions can be traced back to a single individual, based on the content of the audit files. CA Access Control is the leading solution for controlling access to host systems, and to critical data and files residing on these systems. Policies can be defined that ensure that only properly authorized users can gain access to each such system or resource. In this way, CA Access Control extends the basic security capabilities supported by each native operating system, and provides an expanded, consistent, and more granular set of security capabilities across all the systems in your environment. In addition, highly granular superuser access rights can be defined so that improper actions by an Administrator can be prevented. Regardless of the methods used to control access to this cardholder information, a robust infrastructure for managing user entitlements is required.
A centralized identity administration solution is required in order to ensure that all user accounts and access rights are correctly established, and fully auditable. CA Identity Manager is a comprehensive solution that provides an integrated identity management platform that automates the creation, modification and suspension of user identities and their access to enterprise resources to increase security levels and compliance. In addition, CA Identity Manager provides auditing services that can be used by both internal and external auditors to help determine if the entitlement granting practices of the organization are in control and effectively keeping private cardholder data private.
These three solutions are key elements of the comprehensive CA solution for identity and access management. These solutions provide identity administration and provisioning, access management for all types of resources, and security information management including full auditing capabilities.
Requirement #8: Assign a unique ID to each person with computer access:
Summary of Requirement: All actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. This long section of the standard includes a number of specific security requirements. These can be summarized as follows:
• Identify all users with a unique username
• Use a variety of authentication methods, based on the sensitivity of the application or information being accessed
• Use 2-factor authentication for remote access to the network
• Ensure that strong password policies exist and are followed
• Implement access restrictions based on failed access attempts, as well as periods of user inactivity
CA Solution: The CA Identity and Access Management solutions provide all of these capabilities. As an example, CA SiteMinder supports a broad range of authentication methods, so that the strength of the method can be matched to the sensitivity of the information or application being accessed, and virtually any of these methods can be combined to provide 2-factor authentication for remote users. In addition, CA Identity Manager provides extremely flexible and comprehensive capabilities for managing and controlling user passwords. Specific policies can be enforced that determine the length, format, frequency of change and even the content of passwords. As an example, password policies can be defined that require certain types of characters (e.g., numeric or special characters), or that reject passwords that are the same as certain user directory attributes. In this way, passwords can be made as strong as the needs of each IT environment dictate, thereby easily meeting the requirements of this section of the standard.
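The password and access-restriction controls listed above, as an added worked example rather than CA Identity Manager code: a policy checker that rejects passwords lacking the required character classes or equal to a directory attribute, flags expired passwords, and refuses access after repeated failures or prolonged inactivity. The thresholds, attribute names (uid, cn, sn, mail) and the sample user are assumptions.

```python
"""Password-policy and access-restriction checks for PCI Requirement #8.

Added example, not CA product code. All thresholds (length, age, lockout
counts) and the directory attribute names (uid, cn, sn, mail) are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import string


@dataclass
class PasswordPolicy:
    min_length: int = 12            # assumed minimum length
    require_digit: bool = True      # at least one numeric character
    require_special: bool = True    # at least one punctuation character
    max_age_days: int = 90          # forced change frequency
    # Directory attributes whose values must not be used as the password
    blocked_attributes: tuple = ("uid", "cn", "sn", "mail")


@dataclass
class AccessPolicy:
    max_failed_attempts: int = 6    # lock after this many consecutive failures
    max_inactive_days: int = 90     # disable accounts idle longer than this


@dataclass
class DirectoryUser:
    attributes: dict                # e.g. {"uid": "jsmith", "mail": "..."}
    last_password_change: date
    failed_attempts: int = 0
    last_activity: Optional[date] = None


def check_password(password: str, user: DirectoryUser, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(ch.isdigit() for ch in password):
        violations.append("no numeric character")
    if policy.require_special and not any(ch in string.punctuation for ch in password):
        violations.append("no special character")
    # Reject a password that is the same as a directory attribute
    # (case-insensitive), e.g. the login name or the e-mail address
    for attr in policy.blocked_attributes:
        value = user.attributes.get(attr)
        if value and password.casefold() == value.casefold():
            violations.append(f"same as directory attribute '{attr}'")
    return violations


def password_expired(user: DirectoryUser, policy: PasswordPolicy, today: date) -> bool:
    """True when the password is older than the maximum age."""
    return (today - user.last_password_change).days > policy.max_age_days


def access_denied_reason(user: DirectoryUser, policy: AccessPolicy, today: date) -> Optional[str]:
    """Return why access must be refused, or None when the account is usable."""
    if user.failed_attempts >= policy.max_failed_attempts:
        return "account locked after repeated failed access attempts"
    if user.last_activity is not None and \
            (today - user.last_activity).days > policy.max_inactive_days:
        return "account disabled after prolonged inactivity"
    return None


def build_sample_user() -> DirectoryUser:
    """Constructed sample directory entry (not a real account)."""
    return DirectoryUser(
        attributes={"uid": "jsmith", "cn": "John Smith", "sn": "Smith",
                    "mail": "jsmith@example.com"},
        last_password_change=date(2007, 1, 15),
        failed_attempts=0,
        last_activity=date(2007, 5, 1),
    )


if __name__ == "__main__":
    user = build_sample_user()
    for candidate in ("Correct-Horse7Battery", "JSMITH", "jsmith@example.com"):
        print(candidate, "->", check_password(candidate, user, PasswordPolicy()) or "ok")
    print("expired:", password_expired(user, PasswordPolicy(), date(2007, 5, 1)))
```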
Requirement #10: Track and monitor all access to network resources and cardholder data
Summary of Requirement: Logging mechanisms and the ability to track user activities are critical. Full logging of user and administrative activity is essential for tracking and analysis of all security events. This section includes a number of very specific requirements. These can be summarized as follows:
• Establish a process for linking all access to system components (especially those done with administrative privilege such as root) to an individual user
• Implement automated audit trails
• Record all important security events within the environment
• Secure audit trails so that they cannot be altered
• Review logs for all system components at least daily
• Retain the audit trail history for a period that is consistent with its effective use
CA Solution: CA offers a comprehensive auditing solution, CA Security Command Center, that can enable compliance with these requirements. CA Security Command Center provides aggregation, filtering, correlation and visualization of the contents of audit logs, to make analysis of security events much simpler and more effective. This can greatly reduce the amount of administrator time it takes to process these log files, but more importantly, can help to identify the truly important events so that administrators can focus their time on those events that could pose the most threat to cardholder information. In addition, CA Security Command Center provides capabilities so that key information related to the security state of the environment can be displayed in a way that maximizes administrator effectiveness. The result is lower administrator cost and more effective management and analysis of security event information. As covered under requirement #7, CA Access Control allows granular superuser access rights to be defined for each administrator, and for all events to be traceable back to a specific individual (rather than just “Administrator”).
This capability is essential because it not only prevents excessive access rights for certain administrators, but it precludes anonymous actions that cannot be identified with a specific individual.
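Two of the requirements above, securing the audit trail against alteration and tracing privileged actions to an individual, as an added illustration that is not CA Security Command Center or CA Access Control code: each record is chained to the previous one with SHA-256 (a hash chain, a technique chosen here for illustration), so modifying or deleting an earlier record invalidates every later hash, and a review pass lists privileged actions carried out under a shared account without a named individual. The record fields and sample events are constructed.

```python
"""Tamper-evident audit trail with per-individual attribution (Requirements #7 and #10).

Added example, not CA product code. Each record is chained to the previous one
with SHA-256, so altering or deleting an earlier record breaks every later hash.
The record fields, user names, hosts and paths are assumptions.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64                       # anchor for the first record
SHARED_ACCOUNTS = ("root", "Administrator")   # shared privileged accounts


def record_digest(prev_hash: str, record: dict) -> str:
    """Hash of the previous chain hash plus a canonical JSON form of this record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + canonical).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []   # list of {"record": dict, "hash": str}

    def append(self, record: dict) -> str:
        """Append a record and return its chain hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        digest = record_digest(prev, record)
        self.entries.append({"record": dict(record), "hash": digest})
        return digest

    def first_broken_index(self) -> int:
        """Index of the first entry whose chain hash no longer matches, or -1 if intact.

        A modified record, or a deleted record (which shifts later entries onto
        the wrong predecessor), is detected here; only the latest hash needs to
        be kept somewhere the log writer cannot reach to also detect truncation.
        """
        prev = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if record_digest(prev, entry["record"]) != entry["hash"]:
                return index
            prev = entry["hash"]
        return -1


def unattributed_privileged_actions(trail: AuditTrail) -> list:
    """Privileged actions that cannot be traced to a named individual."""
    findings = []
    for entry in trail.entries:
        rec = entry["record"]
        actor_missing = not rec.get("actor") or rec["actor"] in SHARED_ACCOUNTS
        if rec["effective_account"] in SHARED_ACCOUNTS and actor_missing:
            findings.append(rec)
    return findings


def build_sample_trail() -> AuditTrail:
    """Constructed sample events; the users, hosts and paths are made up."""
    trail = AuditTrail()
    trail.append({"ts": "2007-05-01T08:00:00Z", "actor": "jsmith",
                  "effective_account": "jsmith", "host": "cardapp01",
                  "action": "read", "resource": "/app/cards/batch.dat"})
    # root action correctly attributed to the individual who elevated
    trail.append({"ts": "2007-05-01T08:05:00Z", "actor": "mjones",
                  "effective_account": "root", "host": "cardapp01",
                  "action": "edit", "resource": "/etc/app.conf"})
    # shared Administrator account used with no individual recorded
    trail.append({"ts": "2007-05-01T08:07:00Z", "actor": "",
                  "effective_account": "Administrator", "host": "carddb02",
                  "action": "export", "resource": "CARDHOLDER table"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.first_broken_index() == -1)
    print("unattributed:", [r["host"] for r in unattributed_privileged_actions(trail)])
    trail.entries[1]["record"]["action"] = "read"   # simulate after-the-fact editing
    print("first broken entry:", trail.first_broken_index())
```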
The Role of Risk and Control Portfolio Management
Compliance with PCI or virtually any other regulation typically requires a concentrated and focused effort by a team of individuals from many parts of the organization. These compliance activities are often part of a larger enterprise risk management (ERM) effort. In many cases, there is no comprehensive approach to planning, creating, monitoring and reporting on these internal compliance controls. This situation can lead to:
• Excessive costs to monitor and manage compliance
• Risk and remediation efforts are managed in “silos”, and not in a centralized, consistent fashion
• A variety of haphazard tracking methods are used (e.g. spreadsheets)
• Compliance information is not readily available for, or easily consumed by, senior executives
What is needed is a complete solution for managing the enterprise-level risk profile, so that all risks can be effectively prioritized, assigned owners and tracked on an ongoing basis. A critical element of this process, though, is the ability to associate each risk with the specific controls that are used to remediate the risk. Further, each control should be identified, defined and associated with the specific section of each regulation that it relates to. This allows a complete, visual representation of all risks, and the controls that are associated with them, to help administrators manage these IT risks holistically. The CA Clarity Risk and Controls Solution allows comprehensive and consistent management, tracking, testing and analysis of all compliance and risk management activities. It allows organizations to best understand risks, controls and costs associated with the different business processes required to comply with PCI and other regulations. When a risk is identified, a workflow can be kicked off that requires a designated person to follow up and effectively perform a specific action to mitigate the risk.
This capability allows senior management to manage their control environment by viewing near real-time data relative to business risks, such as terminated IDs that were not removed from the system, or user accounts that do not conform with a given corporate policy. It also provides a mechanism to track and document all tests of controls related to the organization’s key control objectives.
CA Clarity Risk and Controls Solution provides the following key benefits for corporate risk management and compliance efforts:
• Reduced inefficiencies associated with multiple compliance activities
• Effective tracking, analysis and reporting on resources and controls throughout the enterprise
• Measurement of cost and TCO for all controls in your environment
• Ability to adapt very quickly to new industry, organizational or governmental mandates that require compliance
• Advanced visualization and graphic reporting on all controls and risk management activities
CA Clarity Risk and Controls Solution provides an excellent solution for managing all risks and controls that comprise an enterprise’s PCI or other compliance effort.
Summary
Compliance with the requirements of the PCI standard has become a business imperative for firms that process significant numbers of credit card transactions, or provide any type of credit card services to other organizations. Although these requirements are based on industry best practices, it is unlikely that most organizations would initially comply with this standard without improvements in their IT security processes and systems, as well as their business processes. Compliance with PCI requires a concerted effort, typically involving multiple groups within the IT organization. Although changes to various IT processes are usually involved, the adoption of specific technology solutions can greatly aid the compliance effort. CA offers solutions that can not only greatly protect assets and information related to cardholders, but can also help reduce overall IT costs by automation of many IT processes related to the protection of this information.
The CA Solution for Security Management
The CA Security Management platform includes a set of products that provide an industry-leading, integrated suite, including the following products:
Identity and Access Management
Identity Management and Provisioning
CA Identity Manager. CA Identity Manager provides an integrated identity management platform that automates the creation, modification, and suspension of user identities and their access to enterprise resources to increase security levels and compliance, while reducing administration costs and enhancing the user experience. In addition, CA Identity Manager provides auditing services that can be used by both internal and external auditors to help determine if the entitlement granting practices of the organization are in control and effectively keeping private data private.
Access Management
CA SiteMinder. CA SiteMinder provides advanced security policy and management capabilities, and proven reliability and scalability, enabling the delivery of essential information and applications to employees, partners, and customers. CA SiteMinder® Federation Security Services is an add-on set of software services to CA SiteMinder that enables browser-based identity federation, providing cross-domain single sign-on.
CA TransactionMinder®. Similar to CA SiteMinder in architecture, CA TransactionMinder provides a secure and centralized, policy-based authentication and authorization management capability for Web services. CA TransactionMinder integrates with standard Web services frameworks and provides fine-grained access control for XML documents across multi-step business transactions.
CA Access Control delivers a consistently strong access policy across distributed platforms and operating systems. This solution provides policy-based control of who can access specific systems, applications and files; what they can do within them; and when they are allowed access. It also provides capabilities for management of “root” privileges for greater administrative security.
CA ACF2™ and CA Top Secret® provide leading-edge security for the z/OS, z/VM and VSE business transaction environments, including z/OS UNIX and Linux for zSeries.
CA Embedded Entitlements Manager enables organizations to embed comprehensive identity, fine-grained authorization and security auditing components in developed applications while externalizing policy management. Use of pre-built, best practices components saves significant development costs while providing consistent security across applications.
Threat Management
CA Anti-Virus provides enterprise-class protection against virtually all forms of costly virus attacks — from the perimeter to the PDA. A single management console simplifies the management of heterogeneous enterprise environments, provides easy methods to implement, administer and update signatures, and safeguards your enterprise from viruses and malicious code before they can enter your network.
CA Anti-Spyware detects and removes spyware and non-viral malware, as well as annoying pests like adware, to protect enterprises from diminished PC performance, unauthorized access and information theft.
CA Threat Manager combines best-of-breed CA Anti-Spyware with CA Anti-Virus under a single management console and increases efficiency through a common agent, logging facility, and updating tools.
CA Host-Based Intrusion Prevention System blends stand-alone firewall and intrusion detection and prevention capabilities to provide centralized proactive threat protection to counter online threats. This combination offers superior access control, policy enforcement, easy intrusion prevention management and deployment from a central location via a single, intuitive user interface to enhance your endpoint protection.
CA Secure Content Manager offers a complete, scalable content security management solution that includes email and web content security, anti-spam and URL filtering, comprehensive antivirus protection, data confidentiality monitoring and malicious code defense.
Security Information Management
CA Security Command Center is essential to proactively managing the complexities of an organization’s security environment. Its technology enables security administrators to visualize, in near-real time, threats to financial systems or other systems, to identify vulnerabilities to financial systems and to provide a Chief Security Officer or Compliance Officer with an integrated view of IT assets.
CA Vulnerability Manager proactively protects your IT assets from external attacks and internal security threats by correlating exclusive vulnerability data with your assets. CA Vulnerability Manager delivers vulnerability assessment, patch remediation, configuration remediation and compliance analysis through a web-based user interface and an easily deployable appliance.
CA Network Forensics is the leading network-based forensics security product, and allows you to discover what happened on a company’s or agency’s network, either in real time or after the fact. It does this by passively capturing the packets as they traverse the network and reconstructing them in a graphic format. It is used in forensics-based investigations, for compliance, for network discovery, and in conjunction with all of a firm’s installed security devices.
CA Policy and Configuration Manager helps organizations identify and compare the security configurations of their critical business assets to an established baseline, provides configuration remediation and measures progress through risk-based reporting.
Copyright © 2007 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP306620507