PCI-DSS Compliance Using the Hitachi ID Management Suite

Payment Card Industry Data Security Standard (PCI-DSS) 2.0 Compliance Using Hitachi ID Management Suite © 2014 Hitachi ID Systems, Inc. All rights reserved.


The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners. This document describes how identity management products from Hitachi ID Systems, Inc. can be used to help organizations comply with PCI-DSS.


Contents

1 Introduction

2 The Regulation in Detail

3 Improving Security in General

3.1 Hitachi ID Password Manager

3.2 Hitachi ID Identity Manager

3.3 Hitachi ID Access Certifier

3.4 Hitachi ID Privileged Access Manager


PCI-DSS v2.0 Compliance Using Management Suite

1 Introduction

The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners.

It is organized into six logical categories:

1. Build and Maintain a Secure Network.

2. Protect Cardholder Data.

3. Maintain a Vulnerability Management Program.

4. Implement Strong Access Control Measures.

5. Regularly Monitor and Test Networks.

6. Maintain an Information Security Policy.

PCI-DSS is unique among major regulatory requirements for corporations and government agencies in that it specifically lays out what organizations must do and what they must not do to comply. This makes compliance much more straightforward than regulations such as SOX, HIPAA, etc., which are ambiguous in regards to information security.

To fulfill all of the requirements in PCI-DSS, organizations must deploy a combination of sound business practices and various security technologies, including firewalls, virus scanners, identity management systems and more.

The full text of the PCI DSS version 2.0 (as of April 2012) may be found here:

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

This document outlines how components of the Hitachi ID Management Suite can assist organizations in compliance with PCI-DSS.


2 The Regulation in Detail

Hitachi ID Management Suite can help organizations to comply with PCI-DSS requirements and (wherever relevant) itself complies as follows:

Requirement 2.1
Details: Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Product: Hitachi ID Privileged Access Manager
Feature: Scrambles all sensitive passwords regularly, eliminating defaults.

Requirement 2.1.1
Details: For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.
Product: Privileged Access Manager
Feature: Can be used to house randomized encryption keys, SNMP community strings, etc.

Requirement 2.3
Details: Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.
Product: Privileged Access Manager
Feature: Ensures that when administrators request administrative credentials, they do so only with strong authentication and over an encrypted UI (HTTPS).

Requirement 3.4.1
Details: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.
Product: Privileged Access Manager
Feature: Can be used to securely store encryption keys for disk volumes.

Requirement 3.5
Details: Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:
Product: Privileged Access Manager
Feature: Can be used as a secure key repository.


Requirement 3.6
Details: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
Product: Privileged Access Manager
Feature: Can be used to generate, control disclosure of, periodically replace and securely store cryptographic keys (not just passwords). This makes it suitable as a cryptographic storage platform, not just a privileged password management system. The built-in workflow system can be used to support 3.6.6 – Split knowledge and establishment of dual control of cryptographic keys.

Requirement 6.3.6
Details: Removal of custom application accounts, user IDs, and passwords before applications become active or are released to customers
Product: Privileged Access Manager
Feature: Can be used to eliminate hard-coded login IDs and passwords in applications. Instead, applications use a Privileged Access Manager API to fetch IDs and passwords to back-end systems.

Requirement 6.4
Details: Follow change control procedures for all changes to system components.
Product: Privileged Access Manager
Feature: Can be used to enforce change control processes – i.e., no approved change control means no password disclosure.

Requirement 6.5
Details: Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following:
Product: Various
Feature: See below.

Requirement 6.5
Details: OWASP: testing for vulnerable PwdReset... http://www.owasp.org/...
Product: Hitachi ID Password Manager
Feature: Secure authentication prior to self-service password reset.

Requirement 6.5
Details: OWASP: Password length & complexity http://www.owasp.org/...
Product: Password Manager
Feature: Password complexity checking and secure random password generator.

Requirement 6.5.1
Details: Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.
Product: Management Suite
Feature: Complies itself – all inputs are filtered.

Requirement 6.5.2
Details: Buffer overflow
Product: Management Suite
Feature: Complies itself – all inputs are checked for size and trimmed if required.


Requirement 6.5.3
Details: Insecure cryptographic storage
Product: Management Suite
Feature: Complies itself – strong crypto is used to protect sensitive data such as passwords and security questions.

Requirement 6.5.4
Details: Insecure communications
Product: Management Suite
Feature: Complies itself – inbound communications are HTTPS and outbound use a variety of protocols, depending on what the target system supports.

Requirement 6.5.5
Details: Improper error handling
Product: Management Suite
Feature: Complies itself – Error handling is strictly local and does not leak credentials.

Requirement 6.5.6
Details: All “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
Product: Management Suite
Feature: Complies itself – all releases are tested for security vulnerabilities.

Requirement 6.5.7
Details: Cross-site scripting (XSS)
Product: Management Suite
Feature: Complies itself – for example, by filtering out HTML content from input fields, which could otherwise be used to inject scripts from another site into a user’s session.

Requirement 6.5.8
Details: Improper Access Control (such as insecure direct object references, failure to restrict URL access, and directory traversal)
Product: Management Suite
Feature: Complies itself – all inputs are filtered. Moreover, access to sensitive data within Management Suite is subject to rigorous access controls, linked to both the identity of the requester and the data being accessed.

Requirement 6.5.9
Details: Cross-site request forgery (CSRF)
Product: Management Suite
Feature: Complies itself – generally by avoiding use of cookies to track authentication state and limiting functionality available via HTTP GET.

Requirement 7.1
Details: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:
Product: Hitachi ID Identity Manager
Feature: Can assign application privileges based on user roles.

Requirement 7.1.1
Details: Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
Product: Privileged Access Manager
Feature: Access to privileged accounts can be controlled by user group (role) and authenticated personally.

Requirement 7.1.2
Details: Assignment of privileges is based on individual personnel’s job classification and function
Product: Identity Manager
Feature: Used to assign privileges, including by role assignment.


Requirement 7.1.3
Details: Requirement for an authorization form signed by management that specifies required privileges
Product: Identity Manager
Feature: Workflow approval can be required prior to role assignment.

Requirement 7.1.4
Details: Implementation of an automated access control system
Product: Management Suite
Feature: All products in the Management Suite incorporate a flexible access control system internally. Moreover, Identity Manager is designed to configure access control on integrated systems and applications while Privileged Access Manager is designed to control access to privileged accounts across an IT environment.

Requirement 7.2
Details: Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following:
Product: Identity Manager
Feature: Is used to manage user entitlements, which are typically assigned on a least privilege basis.

Requirement 7.2.1
Details: Coverage of all system components
Product: Privileged Access Manager
Feature: Includes 110 connectors.

Requirement 7.2.2
Details: Assignment of privileges to individuals based on job classification and function
Product: Identity Manager
Feature: Supports role-based access control (RBAC).

Requirement 8.1
Details: Assign all users a unique ID before allowing them to access system components or cardholder data.
Product: Identity Manager
Feature: Supports assignment of globally unique IDs to all users and correlation of locally unique IDs to global profiles.

Requirement 8.2
Details: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password.
• Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
Product: Management Suite
Feature: Supports management of all of these types of authentication factors. Authenticates users into its own portal with any combination of the above types of authentication factors.


Requirement 8.3
Details: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
Product: Management Suite
Feature: Supports cost effective provisioning, support and deactivation of two-factor authentication factors, such as tokens and smart cards. Supports use of a cell phone plus password as an ad-hoc two-factor authentication method.

Requirement 8.5
Details: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
Product: -
Feature: See details below.

Requirement 8.5.1
Details: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Product: Identity Manager
Feature: Streamlines the management of user IDs, credentials and entitlements.

Requirement 8.5.2
Details: Verify user identity before performing password resets.
Product: Password Manager
Feature: Secures self-service and assisted-service password reset processes.

Requirement 8.5.3
Details: Set first-time passwords to a unique value for each user and change immediately after the first use.
Product: Identity Manager
Feature: Allows organizations to control the issuance and expiration of initial passwords on accounts it creates.

Requirement 8.5.4
Details: Immediately revoke access for any terminated users.
Product: Identity Manager
Feature: Automates termination with a data feed from a system of record (HR), plus allows authorized users to trigger immediate or scheduled deactivation through a web request form.

Requirement 8.5.5
Details: Remove inactive user accounts at least every 90 days.
Product: Identity Manager
Feature: Tracks inactive accounts and automatically removes them after N days.

Requirement 8.5.6
Details: Enable accounts used by vendors for remote maintenance only during the time period needed.
Product: Privileged Access Manager
Feature: Can assign temporary passwords for a short “password checkout” period. Also supports launching a remote control connection for vendors, etc. without disclosing the current password value.


Requirement 8.5.7
Details: Communicate password procedures and policies to all users who have access to cardholder data.
Product: Password Manager
Feature: Can be used not only to enforce policies but also to communicate policies to end users and track acceptance of same.

Requirement 8.5.8
Details: Do not use group, shared, or generic accounts and passwords.
Product: Privileged Access Manager
Feature: Enables organizations to randomize sensitive passwords daily, thereby eliminating the possibility that users share them or never change them.

Requirement 8.5.9
Details: Change user passwords at least every 90 days.
Product: Password Manager
Feature: Can require users to change all passwords regularly, including on systems and applications with no native password expiration capability.

Requirement 8.5.10
Details: Require a minimum password length of at least seven characters.
Product: Management Suite
Feature: Identity Manager, Password Manager and Privileged Access Manager can all enforce complex password policies, including minimum length rules, for password creation, changes and randomization, respectively. Seven is a bit short, however...

Requirement 8.5.11
Details: Use passwords containing both numeric and alphabetic characters.
Product: Management Suite
Feature: All products can enforce a rich variety of password complexity rules.

Requirement 8.5.12
Details: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
Product: Password Manager
Feature: Can enforce “infinite” (i.e., open-ended) password history requirements, to eliminate password reuse entirely.

Requirement 8.5.13
Details: Limit repeated access attempts by locking out the user ID after not more than six attempts.
Product: Management Suite
Feature: All Management Suite components include intruder lockout to prevent repeated login attempts with invalid credentials.

Requirement 8.5.14
Details: Set the lockout duration to 30 minutes or until administrator enables the user ID.
Product: Management Suite
Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.

Requirement 8.5.15
Details: If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
Product: Management Suite
Feature: All Management Suite components can enforce this capability for login attempts into Management Suite.


Requirement 8.5.16
Details: Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
Product: Privileged Access Manager
Feature: Can enforce this requirement even for applications that have no personal login IDs. In these cases, it randomizes system-level passwords daily and requires IT workers to self-authenticate when they need the current password value.

Requirement 9.1
Details: Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Product: Identity Manager
Feature: Can manage the assignment and activation of building access badges.

Requirement 10.1 – 10.3
Details: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
Product: Privileged Access Manager
Feature: Creates precisely this audit log. This even includes movies of administrator sessions.

Requirement 12.1
Details: Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
Product: Management Suite
Feature: Clearly, Management Suite cannot develop policies for any Hitachi ID Systems customer – it’s just software. However, a variety of Management Suite capabilities support the following policy requirements.

Requirement 12.2
Details: Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).
Product: Management Suite
Feature: Supports standards and controls over user account maintenance and logging of administrative access.

Requirement 12.3.1
Details: Explicit approval by authorized parties
Product: Management Suite
Feature: Identity Manager and Privileged Access Manager in particular include a robust workflow engine used for change approvals. This applies to requests for access to systems in the former and requests for privileged access in the latter.

Requirement 12.3.2
Details: Authentication for use of the technology
Product: Management Suite
Feature: Password Manager supports strong authentication by helping users to manage their own credentials. Privileged Access Manager authenticates IT staff before granting privileged access.


Requirement 12.3.3
Details: A list of all such devices and personnel with access
Product: Privileged Access Manager
Feature: Includes infrastructure auto-discovery and all other Management Suite components include user ID auto-discovery.

Requirement 12.3.8
Details: Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
Product: Privileged Access Manager
Feature: Supports this for administrative sessions in particular.

Requirement 12.3.9
Details: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use
Product: Privileged Access Manager
Feature: Supports granting and terminating of temporary privileged access to users, including vendors and partners.

Details: Assign to an individual or team the following information security management responsibilities:
Product: -
Feature: See below how Management Suite can help with some tasks.

Requirement 12.5.4
Details: Administer user accounts, including additions, deletions, and modifications
Product: Identity Manager
Feature: Automates the processes around user access setup/update/tear-down.

Requirement 12.6.2
Details: Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Product: Password Manager
Feature: Includes a mechanism to invite users to read and acknowledge policy documents.

Requirement 12.7
Details: Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
Product: Identity Manager
Feature: Includes both task dependencies and implementer tasks. Together, these features are used to verify completion of such preliminary tasks before granting logical or physical access to a new user.


3 Improving Security in General

3.1 Password Manager

Self service management of passwords, PINs and encryption keys

Hitachi ID Password Manager improves the security of authentication processes:

• A strong, uniform password policy prevents the use of easily guessed passwords and ensures that all passwords are changed regularly.

• Password synchronization discourages written passwords (“sticky notes”).

• Consistent, reliable authentication processes ensure that users are reliably identified before accessing sensitive services, such as a help desk password reset.

• IT support staff can be empowered to assist callers without having administrator accounts on every system and application.

• Extensive audit logs create accountability for password resets.

• Encryption ensures that passwords are not stored or transmitted in plaintext.

3.2 Identity Manager

User provisioning, RBAC, SoD and access certification

Hitachi ID Identity Manager strengthens security by:

• Quickly and reliably removing access to all systems and applications when users leave an organization.

• Finding and helping to clean up orphan and dormant accounts.

• Assigning standardized access rights, using roles and rules, to new and transitioned users.

• Enforcing policy regarding segregation of duties and identifying users who are already in violation.

• Ensuring that changes to user entitlements are always authorized before they are completed.

• Asking business stake-holders to periodically review user entitlements and either certify or remove them, as appropriate.

• Reducing the number and scope of administrator-level accounts needed to manage user access to systems and applications.

• Providing readily accessible audit data regarding current and historical security entitlements, including who requested and approved every change.


Identity Manager runs an auto-discovery process nightly, which extracts a list of users, their managed attributes and their membership in managed groups from each target system. On systems where Identity Manager is the only authorized user management facility, this list should be identical to the data already inside Identity Manager. Where this is the policy but changes are nevertheless detected, a security exception can be raised. Normally, such exceptions trigger automatic e-mails to target system administrators, asking them to confirm that the detected security changes are valid.
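The nightly comparison described above can be sketched as follows. This is an added example, not Hitachi ID code: the data layout, the function names, the system name pos-db01 and the sample accounts are all assumptions made for illustration.

```python
from typing import NamedTuple


class Finding(NamedTuple):
    system: str
    login: str
    kind: str    # account_added | account_removed | attr_changed | group_added | group_removed
    detail: str


def diff_accounts(system, recorded, discovered):
    """Compare recorded state with one target system's discovery snapshot.

    Both arguments map login ID -> {"attrs": dict, "groups": set}.
    """
    findings = []
    for login in sorted(discovered.keys() - recorded.keys()):
        findings.append(Finding(system, login, "account_added", "not in recorded state"))
    for login in sorted(recorded.keys() - discovered.keys()):
        findings.append(Finding(system, login, "account_removed", "missing on target"))
    for login in sorted(recorded.keys() & discovered.keys()):
        rec, dis = recorded[login], discovered[login]
        for name in sorted(rec["attrs"].keys() | dis["attrs"].keys()):
            old, new = rec["attrs"].get(name), dis["attrs"].get(name)
            if old != new:
                findings.append(
                    Finding(system, login, "attr_changed", f"{name}: {old!r} -> {new!r}"))
        for group in sorted(dis["groups"] - rec["groups"]):
            findings.append(Finding(system, login, "group_added", group))
        for group in sorted(rec["groups"] - dis["groups"]):
            findings.append(Finding(system, login, "group_removed", group))
    return findings


def reconcile(system, exclusive, recorded, discovered):
    """Classify drift for one system.

    exclusive=True means policy names the identity manager as the only
    authorized way to change users there, so every difference is an exception.
    """
    result = {"exceptions": [], "accepted": []}
    result["exceptions" if exclusive else "accepted"] = diff_accounts(
        system, recorded, discovered)
    return result


def draft_notice(system, findings):
    """Text asking the target system's administrators to confirm the changes."""
    lines = [f"Unrequested security changes detected on {system}.",
             "Please confirm that each change below is valid:"]
    lines += [f"  - {f.login}: {f.kind} ({f.detail})" for f in findings]
    return "\n".join(lines)


# Constructed sample data: recorded state vs. tonight's snapshot of "pos-db01".
RECORDED = {
    "asmith": {"attrs": {"dept": "Finance", "enabled": True}, "groups": {"ap-clerks"}},
    "bjones": {"attrs": {"dept": "IT", "enabled": True}, "groups": {"dba"}},
    "cwu": {"attrs": {"dept": "Sales", "enabled": False}, "groups": set()},
}
DISCOVERED = {
    "asmith": {"attrs": {"dept": "Finance", "enabled": True},
               "groups": {"ap-clerks", "card-data-admins"}},   # group added out of band
    "cwu": {"attrs": {"dept": "Sales", "enabled": True}, "groups": set()},  # re-enabled
    "svc_tmp": {"attrs": {"enabled": True}, "groups": {"dba"}},  # unknown account
}

if __name__ == "__main__":
    outcome = reconcile("pos-db01", True, RECORDED, DISCOVERED)
    print(draft_notice("pos-db01", outcome["exceptions"]))
```

A re-enabled dormant account and an out-of-band group addition surface as separate findings, so an administrator can confirm or reject each one individually.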

3.3 Access Certifier

Periodic review and cleanup of security entitlements

Hitachi ID Access Certifier helps organizations to find and eliminate stale user privileges:

• All user objects are subjected to periodic reviews – by managers and group owners. Orphan and dormant accounts are eliminated.

• All user membership in security groups (also known as roles, profiles, etc.) is periodically scrutinized. Inappropriate rights are deactivated.

• Accountability is introduced by documenting when each login ID and group membership was reviewed and by whom.

• Organizational roll-up allows executives to sign off on statements asserting that all sensitive security rights have been reviewed.

3.4 Privileged Access Manager

Control and audit access to privileged accounts

Hitachi ID Privileged Access Manager helps organizations to secure privileged accounts:

• Eliminate static and shared passwords.

• Enforce strong authorization controls over who can access which administrative account and when.

• Personally authenticate IT staff before granting access to privileged accounts.

• Create an audit log of who accessed each privileged account and when.

www.Hitachi-ID.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725

File: /pub/wp/documents/pci-dss/pci-dss-compliance-2.0.tex
Date: 2012-04-29