PCI and Remote Vendor Monitoring


Upload: amy-marion

Post on 06-Apr-2018


Page 1: PCI and Remote Vendor Monitoring

8/3/2019 PCI and Remote Vendor Monitoring

http://slidepdf.com/reader/full/pci-and-remote-vendor-monitoring 1/9

 

Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms | © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

Executive Summary

To respond to the requirements of the Payment Card Industry Data Security Standard regulation (PCI-DSS, or PCI for short), compliance officers must ensure that each user is accountable for all actions performed. For auditing business users, many of these needs can be answered using native system logs. But when it comes to privileged users, the requirements, sensitivities and complexities are all magnified. And when those privileged users happen to be third-party remote vendors, a redoubling of risk factors occurs.

An auditing platform that focuses on user actions (as opposed to a focus on system resources) will create a holistic and effective solution that answers PCI requirements efficiently.

The 12 high-level categories of the PCI specification cover a wide range of issues, from access rights to data storage to audit monitoring. This paper provides answers for the items relating to user accountability, namely:

- Requirement 6: Develop and maintain secure systems and applications
- Requirement 8: Assign unique ID to each person with computer access
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 12: Maintain a policy that addresses information security for all personnel

The core essence of these requirements (most notably the numerous details within Requirement 10) boils down to a simple statement: “You should know who has done what, for every system access.” This straight-forward question is best answered with an equally straight-forward solution: “Be able to replay exactly what each user did, as if you were looking over their shoulder as they did it.”

In addition, user-oriented visual auditing provides proactive auditing capabilities for any new software deployed, allowing for audit reporting on apps that have no internal logging, such as cloud-based apps (ex: Salesforce.com), commercial apps (ex: Visual Studio, Excel) and legacy bespoke apps (ex: customized CRM).

Easy PCI: How to Eliminate Remote Vendor Complexity in PCI-DSS Compliant Platforms

An ObserveIT Whitepaper | Gabriel Friedlander


Scoping the Problem: Remote Vendors Have a Unique Impact on PCI Compliance

Who are these Remote Vendors, anyway? 

Over the past 10 years, streamlined business factors and emerging technology enablers have led to a dramatic growth in the use of remote 3rd-party users on corporate networks – so much so that we tend to take it for granted at this point.

Indeed, these business factors – optimization of HR and outsource staffing, concentration of core expertise in specific centers, SaaS and crowd-sourcing, to name a few – are built into the grain of corporate IT infrastructure today. By and large, this process has brought tremendous operational efficiency, and we can expect remote vendor access to continue in the long term.

In order for remote vendors to be able to perform their assigned job, they typically require wide access to many corporate resources, sometimes at the level of root administrator. Unfortunately, the level of granularity available via OS access control cannot prevent ‘the bad stuff’ while still allowing ‘the stuff that actually has to be done’. After all, an admin with full read-write access to a disk drive can also delete the entire contents, and a DBA with access to a database for backup tasks can also access the database inappropriately.

Covering All Activity: Can you really know what happened based only on obscure system logs? 

PCI Section 10.2 requires you to “implement automated audit trails … to reconstruct … events”.

Here, the core question being raised is “What is actually captured?” When first approaching PCI compliance, it might be tempting to simply turn on and collect various system logs. However, scratching the surface to go just a bit deeper raises many questions regarding the content of these logs. Can you really answer the fundamental question of “Who did what?” PCI auditors are highly attuned to this not-so-subtle differentiation, and know how to probe the issue during audit reviews.

Exposure during audits is especially acute with regards to remote vendors and the question “Does a particular application provide sufficient logging info?” Many important business applications, especially custom apps that are developed and maintained by external vendors, have not been developed with system logging in mind. Often, audit logs are added as an afterthought, with the resulting quality in doubt.

A visual audit that captures exact user actions overcomes this issue entirely. Instead of trying to piece together logs of every possible activity via the resulting system logs, a video replay can show exactly what the user did.

Securing the Audit Trail: Is the cat guarding the cream? 

PCI Section 10.5 requires you to “secure audit trails so they cannot be altered”, and PCI Section 6 calls for “secure systems and applications”, including “secure authentication and logging”.

With remote vendors touching mission-critical resources, the question to be asked here is “Does a software vendor know how to neutralize the logs?” It is certainly reasonable to wonder if a remote vendor that developed a particular bespoke application has the means to temporarily pause logging functionality while performing system maintenance. Even if this is not done maliciously, but rather for performance issues, it still leaves your compliance in doubt.


An audit that includes exact video recording of everything the user does will overcome these issues. If each action is captured visually, then the question of what each application is sending to its system log is neutralized.

Eliminating Anonymity: ‘administrator’ is not a name 

PCI Section 10.1 calls for “a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.” This is also related to PCI Requirement 8, which calls for “assigning unique identification to each person with computer access”.

There are a few levels of anonymity concerns that demand consideration:

- Do you have ID Management that ties a remote vendor’s generic login (administrator) to a named user?

  The first compliance issue stems from the basic nature of all privileged users, whether internal sysadmins or external remote vendors. Some form of identification services must be put in place, so that a user is clearly identified prior to gaining access. There are numerous technical implementations that can achieve this goal, including biometrics, smart cards, password vaults and secondary demand-response login. The PCI Requirement does not specify which of these methods to choose, and so the decision is a choice of operational efficiency and pure cost-benefit analysis.

- Do your HR or Active Directory databases clearly identify each named user?

  The validity and accuracy of internal username databases is handled quite well today for corporate employees, but when it comes to remote vendors it is a weak point that often leads to audit failure. This may take many forms, including generic info (ex: Name=”VendorCorp User” instead of Name=”John Smith”), missing fields (ex: no address or social security # on file), and policy training not being up to date. Even worse, remote vendor organizations often share a single account, with one userid serving all the support and development staff! In so many cases, even if perfect tracking info is handled for John Smith, it is Joe Williams or any of dozens of other VendorCorp employees who is actually logging on with John’s id.

The above issues can be overcome with a strong secondary identification system which requires named-user credentials, coupled with effective corporate policy enforcement.

Policy Validation and Support Ticket #’s: Yes, I read the new policy statement! 

PCI Section 12.5.1 asks that you “establish, document and distribute security policies and procedures” and PCI Section 12.6.2 calls on you to “require personnel to acknowledge…that they have read and understood the security policy and procedures.”

CIOs and CSOs today are facing the unpleasant fact that they can’t know exactly who each user is at a remote vendor location. Even with an extremely tight credential management workflow, there always remains a certain doubt about policy enforcement at the remote site.

What’s more, the ability to require policy training is severely hampered. Relationships with a remote vendor are routed through primary points of contact, while actual work is performed by many additional employees. So even with good policy communications with the main account manager, there is no way of knowing if the actual support admin who will be logging in got the news.


Solving the Problem: PCI Compliance for remote vendor environments

PCI 10.2 – Implementing audit logs (Even for apps that do not have built-in logging!)

With ObserveIT, you have instant audit logs that include details of precisely what took place.

ObserveIT captures activity at the user level (after all, a PCI audit is about what people are doing, not what machines are doing!). Therefore, it captures detailed logs for user activity in any application, even if that app does not have its own logging capabilities (or if the logs are insufficient). For example, you may need to demonstrate what took place while a user was editing an MS-Word doc, or while running a webinar session, or while using a custom ERP extension that the system developers have not implemented logs for yet.

The textual metadata log drives built-in reports that explicitly demonstrate PCI compliance.

[Figure: PCI-compliant log reports of Remote Vendor access]

[Figure: Instant forensic investigation using visual user session replay]

PCI 10.2 and 10.3 – Visual audit guarantees sufficient coverage and clarity of user actions

For any issue investigation, each log entry event is linked to a full video replay of the user session. View an exact playback of user activity, as if you were looking over the user’s shoulder as it took place.

With this level of accountability, there is no question as to what transpired, making any attempts of repudiation or denial utterly groundless.

[Figure: User session replay screenshot. Applications shown: Salesforce.com – Microsoft Internet Explorer, MagicISO CD/DVD Manager, Microsoft Visual Studio 2010, Skype, CustomerDetails CRM, Registry Editor; categories: Cloud Apps, Commercial S/W with no logs, Legacy software. Callouts: WHAT DID THE USER DO? A human-understandable list of every user action (who, when, where); USER SESSION REPLAY: Bulletproof forensics for security investigation; PLAYBACK NAVIGATION: Move quickly between apps that the user ran; CAPTURES ALL ACTIONS: Mouse movement, text entry, interaction, window activity.]


PCI 10.1 – Capturing Named-User credentials without complex password vault management 

Privileged remote vendor users must provide detailed named-user credentials in order to initiate a session. This step is mandatory in order for the user to initiate a session. Therefore, every session is associated with a specific named user. This username appears in every log entry created during the session.

[Figure: Privileged User Identification]

PCI 12.5 – Policy training that will deny system access without proper acknowledgement 

Before authorizing the user to access the system, ObserveIT requires that policy status information be read and confirmed. This eliminates the need to handle policy update validation in a separate process: No more email trees, no more tracking spreadsheets to make sure everyone got it. This is especially relevant for remote vendors, in which the policy updates often go to the main point of contact, but other users are the actual people who log in.

In addition, users can be asked to provide specific details about the support issue being handled, in the form of ticket numbers or issue descriptions. This further enhances the searchable user audit with a tighter coupling between each session and the reason the session took place in the first place.

[Figure: Policy Updates as a mandatory part of the user authentication path. Callouts: PRIVILEGED LOGIN: Generic ‘administrator’ user id; CAPTURE REAL NAME: Named user id account credentials are required in order to continue; POLICY MESSAGING: User must acknowledge (sample message: “NOTE: No database admin task may be performed between 0800 and 1800 GMT. Please enter your support ticket number in box below.”); SUPPORT TICKET: Require the user to provide activity identifier.]


Conclusion

The existence of remote vendors poses unique challenges when establishing proper PCI compliance documentation. The issues raised by 3rd-party vendors span many security categories:

- Audit completeness: Can you establish exactly what took place based on your existing log entries?
- Identity management and anonymity: Do you really know who each remote user is?
- Policy training: How can you be sure that each remote user receives policy updates and periodic training?
- Audit security: Are you able to verify that remote admins did not touch any existing log info?
- Flexibility of auditing platform: Does each new application deployment complicate the compliance logging requirements?

ObserveIT is designed explicitly to overcome these issues. By creating a visual audit log that is user-oriented instead of system-oriented, you are able to recreate exactly what took place on any system resource.

Benefits of this solution include:

- Accountability of all activities performed by a remote vendor or service provider: Each system access is linked to an identifiable individual user
- Reduced costs to generate compliance reports, with less effort, and faster turnaround time
- Unequivocal proof of user activity, guaranteeing authentication and non-repudiation


Appendix A: ObserveIT PCI Compliance Matrix

Requirement 6: Develop and maintain secure systems and applications

  6.3  Secure authentication, logging
       ObserveIT is a secure platform, with all data storage maintained in an SQL server that inherits all corporate security policies. All data is encrypted and digitally signed, and secure policy rules prevent any access to view or modify log data.

Requirement 8: Assign unique ID to each person with computer access

  8.1  Assign unique ID before giving access
  8.2  Tie passwords to id
  8.4  Secure password during transmission
       ObserveIT Identification Services requires that any privileged user access be accompanied with specific named-user login.

Requirement 10: Track and monitor all access to network resources and cardholder data

  10.1  Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user
        Prior to enabling a user to initialize a session, ObserveIT can present a demand-response secondary credential dialog, thus preventing generic privileged userid login.
        ObserveIT records all human activity on monitored servers, both visually as well as with a textual metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what resources were accessed and affected.

  10.2  Implement automated audit trails for all system components to reconstruct the following events:
  10.2.2  All actions taken by any individual with root or administrative privileges
  10.2.3  Access to all audit trails
  10.2.7  Creation and deletion of system-level objects
        ObserveIT constantly monitors and records all user activity, including applications launched, UI interaction, system configuration, registry changes or any other user-initiated action, from login to logoff. ObserveIT records at the OS level and is agnostic to connection protocol. All access to ObserveIT logs themselves is also audited and recorded.

  10.3  Record … audit trail entries for all system components for each event
        By capturing a visual recording of every user action, a full audit trail is established for every system component modification or access.

  10.4  Use time-synch technology
        ObserveIT records a timestamp for every screenshot within the user session and each associated metadata log entry. This allows for 100% correlation between the replayed sessions, and the presented metadata.

  10.5  Secure audit trails so they cannot be altered
        ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate database security protocols are automatically inherited. All DB records are protected by digital signature, and cannot be altered or deleted. Access to records is allowed only by the users that are defined as administrators. View-only administrator access is also possible, allowing for further secure auditing.

  10.6  Review logs for all system components at least daily
        ObserveIT’s built-in compliance reports and customizable reports can be scheduled for automatic delivery on any time frame. Event activity can also be captured by any network management tool for system alerting based on user activity.

  10.7  Retain audit trail history for at least one year
        ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and protected SQL database, where they are retained indefinitely.

Requirement 12: Maintain a policy that addresses information security

  12.5  Assign to an individual or team the following information security management responsibilities:
  12.5.1  Establish, document and distribute security policies and procedures
  12.5.5  Monitor and control all access to data
  12.6  Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security
  12.6.2  Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures
        ObserveIT enables policy messaging, in which the user receives a message when initiating a login. Users must authorize that they have received and read the message.

  12.8  If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers
        All ObserveIT auditing features as specified in the above table are also applied to any remote service provider.
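The controls this matrix maps to PCI 10.1, 10.4, 10.5 and 12.5 (a named user behind a generic privileged login, a synchronised timestamp on every metadata entry, a signed audit trail that cannot be silently altered, and a mandatory policy acknowledgement plus support ticket before the session opens) can be illustrated with a small hash-chained, HMAC-signed session log. It also carries the "cat guarding the cream" concern from the Securing the Audit Trail section, since a verifier that keeps the newest signature outside the log store can tell modification, deletion of an entry and truncation of the tail apart. The code below is an added example written for this page; it is not ObserveIT's code and does not describe how ObserveIT stores its records. The `AuditTrail` class, the `off_hours_db_admin` rule, the `DB_ADMIN_APPS` set, the signing key and the sample VendorCorp session are all constructed assumptions.

```python
# Tamper-evident, user-attributed session audit trail (added example; hypothetical,
# not ObserveIT code). Names, key and sample data are constructed for illustration.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholder key: in a real deployment it lives in a vault or HSM,
# never in the log server's source, so a log administrator cannot forge entries.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64                                          # chain anchor for entry 0
DB_ADMIN_APPS = {"SQL Server Management Studio", "sqlcmd"}  # assumed app names


class AuditTrail:
    """Append-only, hash-chained, HMAC-signed log of user sessions."""

    def __init__(self, key: bytes = SIGNING_KEY) -> None:
        self._key = key
        self.entries: list = []
        self._prev = GENESIS

    def open_session(self, generic_account: str, named_user: str, ticket: str,
                     policy_ack: bool, when: Optional[datetime] = None) -> str:
        """Gate a shared login: refuse unless the real person is identified,
        has acknowledged the current policy and supplied a ticket (10.1, 12.5)."""
        if not named_user:
            raise PermissionError("named-user credentials required (PCI 10.1 / 8.1)")
        if not policy_ack:
            raise PermissionError("policy must be acknowledged before access (PCI 12.5)")
        if not ticket:
            raise PermissionError("support ticket number required")
        session_id = "S%04d" % (len(self.entries) + 1)
        self._append({"event": "session_open", "session": session_id,
                      "account": generic_account, "user": named_user,
                      "ticket": ticket, "policy_ack": True}, when)
        return session_id

    def record(self, session_id: str, app: str, action: str,
               when: Optional[datetime] = None) -> None:
        """One textual metadata entry per user action inside a session."""
        self._append({"event": "action", "session": session_id,
                      "app": app, "action": action}, when)

    def head(self) -> str:
        """Signature of the newest entry; keep a copy outside the log store."""
        return self._prev

    def verify(self, expected_head: Optional[str] = None):
        """(ok, index): index of the first entry failing the signature or chain
        check, len(entries) if the tail was cut off, -1 if the trail is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev") != prev or not hmac.compare_digest(e.get("sig", ""), self._sign(e)):
                return False, i
            prev = e["sig"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, -1

    def _append(self, body: dict, when: Optional[datetime]) -> None:
        ts = when or datetime.now(timezone.utc)
        body["ts"] = ts.astimezone(timezone.utc).isoformat(timespec="seconds")  # 10.4
        body["prev"] = self._prev            # link to the previous entry
        body["sig"] = self._sign(body)       # covers ts, prev and every field (10.5)
        self._prev = body["sig"]
        self.entries.append(body)

    def _sign(self, body: dict) -> str:
        unsigned = {k: v for k, v in body.items() if k != "sig"}
        payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()


def off_hours_db_admin(trail: AuditTrail, start_hour: int = 8, end_hour: int = 18) -> list:
    """Detection rule over the metadata log (10.6): DB admin actions inside the
    window the sample policy message forbids (0800-1800 GMT)."""
    return [e for e in trail.entries
            if e["event"] == "action" and e["app"] in DB_ADMIN_APPS
            and start_hour <= datetime.fromisoformat(e["ts"]).hour < end_hour]


def session_allowed(named_user: str, ticket: str, policy_ack: bool) -> bool:
    """True if the gate would admit a session on the shared 'administrator' login."""
    try:
        AuditTrail().open_session("administrator", named_user, ticket, policy_ack)
        return True
    except PermissionError:
        return False


def build_demo_trail() -> AuditTrail:
    """Constructed sample: a VendorCorp engineer on the shared 'administrator'
    login, including one DB task during the forbidden window."""
    t = AuditTrail()
    day = datetime(2011, 3, 14, tzinfo=timezone.utc)
    s = t.open_session("administrator", "John Smith", "TKT-4711", True,
                       when=day.replace(hour=10, minute=15))
    t.record(s, "Registry Editor", "edit HKLM\\SOFTWARE\\VendorCorp\\Agent",
             when=day.replace(hour=10, minute=16))
    t.record(s, "SQL Server Management Studio", "BACKUP DATABASE CardholderDB",
             when=day.replace(hour=10, minute=20))
    t.record(s, "Notepad", "view C:\\VendorApp\\config.ini",
             when=day.replace(hour=19, minute=5))
    return t


def tamper_detection_demo() -> dict:
    """What a verifier holding the newest signature can and cannot detect."""
    head = build_demo_trail().head()
    modified = build_demo_trail()
    modified.entries[2]["action"] = "SELECT 1"   # rewrite the DB entry in place
    deleted = build_demo_trail()
    del deleted.entries[1]                       # remove the registry entry
    truncated = build_demo_trail()
    truncated.entries.pop()                      # drop the newest entry
    return {"intact": build_demo_trail().verify(head),
            "modified": modified.verify(head),
            "deleted": deleted.verify(head),
            "truncated_with_head": truncated.verify(head),
            "truncated_without_head": truncated.verify()}   # chain alone cannot tell
```

Two design points matter for the 10.5 claim. First, a hash chain detects an edited or removed entry on its own, but cutting off the newest entries leaves a chain that still verifies; the `truncated_without_head` case shows this, which is why the newest signature (or a count) should be anchored somewhere the log administrator cannot reach, for instance in the daily report that 10.6 already requires. Second, an HMAC lets anyone holding the key forge entries, so the signing key must not sit on the server whose administrators are being audited; an asymmetric signature, as the matrix describes, separates the signing side from the verifying side and is the stronger choice where the auditor is not the operator.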


About ObserveIT

ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time.

Every action performed by remote vendors, developers, sysadmins, business users or privileged users is recorded. Video recordings include mouse click, app usage and keystrokes. Each time a security event is unclear, simply replay the video, just as if you were looking over the user’s shoulder.

ObserveIT is the perfect solution for 3rd Party Vendor Monitoring, Compliance Report Automation and Root Cause Analysis.

Founded in 2006, ObserveIT has a worldwide customer base that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services.

For more information, please contact ObserveIT at:

www.observeit-sys.com

[email protected]

US Phone: 1-800-687-0137

Int’l Phone: +972-3-648-0614