PCI DSS compliance and Privileged Access Monitoring


February 24, 2014

Abstract: How to control and audit remote access to your servers to comply with PCI DSS 3.0 using the BalaBit Shell Control Box

Copyright BalaBit IT Security Ltd.

Table of Contents

1. Preface
   1.1. Using SCB for compliance
   1.2. What SCB is
   1.3. How SCB works
   1.4. Real-time content monitoring with SCB
   1.5. 4-eyes authorization
   1.6. Supported protocols
   1.7. Public references
2. Using SCB for PCI compliance
3. Other important features
4. Summary
5. About BalaBit

1. Preface

This paper discusses the advantages of using BalaBit Shell Control Box (SCB) to control remote access to your UNIX/Linux and Windows servers, networking devices, as well as your virtualized applications. SCB can transparently control, audit and replay protocols commonly used to remotely access and manage servers, including the Secure Shell (SSH), Remote Desktop (RDP), HTTP, Citrix ICA, VMware View, Telnet, and VNC protocols.

This document is recommended for technical experts and decision-makers working on auditing server-administration and remote-access processes for policy compliance (for example, PCI or ISO 27001), or simply gathering information for forensic situations in case of security incidents. However, anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to PCI DSS 3.0 and version 3 F5 of BalaBit Shell Control Box.

1.1. Using SCB for compliance

Compliance is becoming increasingly important in several fields: laws, regulations and industry standards mandate increasing security awareness and the protection of customer data. As a result, companies have to increase their auditability and their control over business processes, for example, by ensuring that only those employees who really need it have access to sensitive data, and by carefully auditing all access to this data.

The BalaBit Shell Control Box (SCB) is a device to control and audit data access: access to the servers where you store your sensitive data. Being independent from the controlled servers, it also complements the system and application logs generated on the server by creating complete, indexed and replayable audit trails of the users' sessions.

Using an independent device for auditing is advantageous for the following reasons:

- SCB organizes the audited data into sessions called audit trails, making it easy to review the actions of individual users;
- SCB provides reliable, trustworthy auditing data, even about system administrator accounts that are able to manipulate the logs generated on the server; and
- SCB allows you to create an independent auditor layer. The auditor can therefore control, audit and review the activities of the system administrators while being independent from them.

Owing to its authentication, authorization, and auditing capabilities, like 4-eyes authorization and real-time monitoring and auditing, SCB can play an essential part in the access control of remote access, for example, in the control of remote server administration.

1.2. What SCB is

BalaBit Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records how system administrators configure your database servers through SSH, or how your employees make transactions using thin-client applications in VMware View. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible.

SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI DSS or ISO 27001. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure.

The BalaBit Shell Control Box (SCB) is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure.

Figure 1. Controlling remote access with the BalaBit Shell Control Box

1.3. How SCB works

SCB logs all administrative traffic (including configuration changes, executed commands, and so on) into audit trails. All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation. In case of any problems (server misconfiguration, database manipulation, unexpected shutdown) the circumstances of the event are readily available in the audit trails, therefore the cause of the incident can be easily identified. The recorded audit trails can be displayed like a movie, recreating all actions of the administrator. In other words: with SCB you can oversee and control the work of the system administrators, creating a new management level that has real power over the system administrators. Fast forwarding during replay and searching for events (for example, mouse clicks, pressing the Enter key) and texts seen by the administrator are also supported. Reports and automatic searches can be configured as well.

To protect the sensitive information included in the communication, the two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys, so that sensitive information like passwords is displayed only when necessary.
The protocols that SCB can control are used not only in remote administrative access, but also in thin-client environments like Citrix ICA, VNC, or RDP used to access Windows Terminal Services. For such applications SCB provides an application-independent way to record the activities of the clients.

1.4. Real-time content monitoring with SCB

SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command or text) appears in the command line or on the screen, or if a window with a particular title appears in a graphical protocol. Since content monitoring is performed in real time, SCB can prevent harmful commands from being executed on your servers. SCB can also detect numbers that might be credit card numbers. In case of RDP connections, SCB can detect window title content. The following actions can be performed:

- Log the event in the system logs.
- Immediately terminate the connection.
- Send an e-mail or SNMP alert about the event.
- Store the event in the connection database of SCB.

SCB currently supports content monitoring in SSH session-shell connections, Telnet connections, RDP Drawing channels, and in VNC connections.

1.5. 4-eyes authorization

SCB can also ensure that a user is overseen and authorized by an auditor or authorizer: when 4-eyes authorization is required for a connection, a user (called authorizer) must authorize the connection on SCB as well. This authorization is in addition to any authentication or group membership requirements needed for the user to access the remote server. Any connection can use 4-eyes authorization, so it provides a protocol-independent, out-of-band authorization and monitoring method. The authorizer has the possibility to terminate the connection at any time, and also to monitor the events of the authorized connections in real time: SCB can stream the traffic to the Audit Player application, where the authorizer (or a separate auditor) can watch exactly what the user does on the server, just like watching a movie.

1.6. Supported protocols

SCB 3 F5 supports the following protocols:

- The Secure Shell (SSH) protocol used to access Unix-based servers and network devices.
- The Remote Desktop Protocol (RDP) used to access Microsoft Windows platforms. Accessing Remote Desktop Services (RemoteApp programs) is also supported.
- Citrix XenApp and XenDesktop.
- The X11 protocol forwarded in SSH, used to remotely access the graphical interface of Unix-like systems.
- The Telnet protocol used to access networking devices (switches, routers), and the TN3270 protocol used with legacy Unix devices and mainframes.
- The Virtual Network Computing (VNC) graphical desktop sharing system, commonly used for remote graphical access in multi-platform environments.
- VMware View, when VMware View Clients use the Remote Desktop (RDP) display protocol to access remote servers.
- The HTTP protocol (including HTTPS), commonly used to access the web interface of appliances, networking devices, and other applications.

1.7. Public references

Among others, the following companies of the financial sector decided to use SCB in their production environment:

- Alfa Bank
- Arcui
- Emerging Markets Payments Jordan
- Dubai Islamic Bank PJS
- National Bank of Kuwait
- Svenska Handelsbanken AB
- The Central Bank of Hungary

2. Using SCB for PCI compliance

The following sections provide a detailed description of the requirements of the Payment Card Industry Data Security Standard (based on PCI DSS version 3.0, as published by the PCI Security Standards Council) that are relevant to auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX), Basel II, or the Health Insurance Portability and Accountability Act (HIPAA) include similar requirements.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 2.2.1: Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.

How SCB helps you: SCB is an appliance dedicated for the sole purpose of overseeing remote-access connections. Other applications cannot be installed on SCB.

Requirement 2.3: Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

How SCB helps you: SCB helps to enforce that remote access to your servers is adequately encrypted, and makes the remote access (for example, server administration) fully auditable and reviewable for a number of protocols, including SSH, RDP, Citrix ICA, Telnet, VMware View, and VNC. SCB can even tunnel typically non-encrypted protocols in SSL/TLS, for example, VNC or Telnet.
Requirement 3: Protect stored cardholder data

Requirement 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

How SCB helps you: Although SCB cannot currently mask the displayed PANs, it can raise an alert about such events, or automatically terminate the connection of the user even before such information is displayed.
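The content-monitoring behaviour described in section 1.4 (detecting numbers that might be credit card numbers and reacting with a log entry, an alert or termination) and the display rule of Requirement 3.3 can be illustrated with a small scanner. The following Python is an added example written for this page, not SCB code and not a description of how SCB implements the feature: it recognises card-number-like digit runs in a chunk of session text, filters them with a Luhn check, masks them to the first six and last four digits for the auditor's view, and maps a finding to one of the actions the paper lists. The action names, the regular expression and the sample terminal output are assumptions made for the example.

```python
"""Real-time content monitoring of a terminal stream for card-number-like data.

Added illustration, not BalaBit/SCB code. Scan the text a user sees or types,
recognise candidate PANs with a Luhn check, mask them for the auditor's view
(first six and last four digits kept, PCI DSS 3.3) and decide on an action
(log / alert / terminate). Policy names and sample text are constructed.
"""
import re
from dataclasses import dataclass

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed policy vocabulary: what to do when a PAN appears in the channel.
ACTIONS = {"log", "alert", "terminate"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    offset: int       # position of the candidate in the monitored text
    masked: str       # the PAN as an auditor may see it


def find_pans(text: str) -> list[Finding]:
    """Scan one chunk of session content and return Luhn-valid PAN findings."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding(m.start(), mask_pan(digits)))
    return findings


def monitor(text: str, action: str = "alert") -> tuple[str, list[Finding]]:
    """Return ("allow" or the configured action) plus the findings behind it."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    findings = find_pans(text)
    return ("allow" if not findings else action), findings


if __name__ == "__main__":
    # Constructed sample of what a database server might print to an admin.
    sample = (
        "mysql> SELECT id, pan FROM cards LIMIT 2;\n"
        "| 1 | 4111 1111 1111 1111 |\n"   # Luhn-valid test number
        "| 2 | 1234567812345678 |\n"      # 16 digits but fails Luhn
        "order 20140224001 shipped\n"      # 11 digits, never a candidate
    )
    verdict, hits = monitor(sample, action="terminate")
    print(verdict)
    for h in hits:
        print(h.offset, h.masked)
```

The Luhn check only removes obvious false positives such as order numbers and timestamps; a Luhn-valid run in a log line is still only a candidate, which is why the paper speaks of numbers that "might be" credit card numbers and leaves the choice between alerting and terminating to policy.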

Requirement 3.4: Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:

- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures.

How SCB helps you: The audit trails of SCB can be encrypted using strong public-key cryptography, making any PAN displayed in the recorded audit trails accessible only to the personnel who possess the required encryption keys.

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 7.1: Limit access to system components and cardholder data to only those individuals whose job requires such access. Restrict access to privileged user IDs to the least privileges necessary to perform job responsibilities. Assignment of privileges is based on individual personnel's job classification and function.

How SCB helps you: SCB is a tool that can control remote-access connections using the role-based access control (RBAC) model. It can retrieve the group memberships of the users from LDAP databases (for example, Microsoft Active Directory), and grant access to a connection or a specific feature of a protocol (for example, port forwarding, SCP, X11 forwarding in SSH, or a shared drive or device in RDP) based on these roles. The access rights of SCB are entirely based on ACLs and group memberships. They can be greatly customized, and can work together with an LDAP database (for example, Microsoft Active Directory).
Requirement 7.2: Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

How SCB helps you: SCB can restrict access to the remote servers and applications to only those users who are members of selected LDAP or Active Directory user groups, or who are specifically listed in a user list. It is also possible to restrict access based on the IP address of the client. SCB can also control access to the channels of the administrative protocol; for example, it can disable access to the shared drives when accessing Windows Terminal servers, or enable port forwarding in SSH connections only for selected users. As for the configuration and access of SCB and the data stored on SCB, a role-based ACL system is available where the rights of the user can be specified in detail.

Requirement 8: Identify and authenticate access to system components

Requirement 8.1: Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: Assign all users a unique ID before allowing them to access system components or cardholder data.

How SCB helps you: SCB can authenticate your users using their own, unique user ID even when they are accessing shared accounts, such as Administrator or root. What's more, the users do not even have to know the login credentials (for example, the password or certificate) required to access the shared account: SCB can store them locally, or use a remote Password Manager or Password Vault service. This greatly simplifies the use of shared accounts (which cannot be avoided, for example, on legacy systems and networking devices), and also makes it much easier to handle personnel changes, since you do not have to change the credentials of the shared account.

Requirement 8.1.3: Immediately revoke access for any terminated users.

How SCB helps you: When authenticating users to your central LDAP database (for example, Microsoft Active Directory), SCB immediately denies access to the user as soon as his privileges or relevant group memberships are revoked. Using SCB has the additional advantage that in such cases, access to shared accounts or devices that cannot authenticate the user to LDAP is also denied immediately.

Requirement 8.1.5: Manage IDs used by vendors to access, support, or maintain system components via remote access as follows: Enabled only during the time period needed and disabled when not in use. Monitored when in use.

How SCB helps you: You can create Time Policies to enable a client to access the protected servers only during the specified time frame, for example, the scheduled maintenance hours. Alternatively, you can simply disable connections coming from the client when not needed. To oversee and control what the vendor does on the system, you can use 4-eyes authorization, where the vendor can access the system only if you authorize the connection, and you can watch the actions of the vendor in real time (or later) in the Audit Player application. If the user does something that you deem inappropriate or harmful, you can terminate the connection at any time.

Requirement 8.1.8: If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

How SCB helps you: SCB automatically terminates idle sessions (sessions that do not generate network traffic) after a specified period.
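The access decision the paper attributes to SCB connection policies under Requirements 7.1, 7.2, 8.1.3 and 8.1.5 (deny all by default; allow only members of selected directory groups or an explicit user list; optionally restrict by client address and by a Time Policy window; control individual protocol channels) can be written down as a single evaluation function. The Python below is an added example for this page, not SCB's own policy engine. Because group membership is looked up at connection time, removing a user from the directory group is enough to deny the next attempt, which is the behaviour described for Requirement 8.1.3. The directory snapshot, policy names, networks, channel names and times are constructed for the example.

```python
"""Deny-all connection policy evaluation, modelled on the paper's description.

Added illustration, not BalaBit/SCB code. Every check must pass for a
connection to be allowed; anything not explicitly permitted is denied.
Directory contents, policy names, addresses and channel names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class ConnectionPolicy:
    name: str
    allowed_groups: set[str] = field(default_factory=set)
    allowed_users: set[str] = field(default_factory=set)
    client_networks: list[str] = field(default_factory=list)  # empty = any client
    # Time Policy windows: (weekday 0=Mon..6=Sun, start hour, end hour); empty = always
    time_windows: list[tuple[int, int, int]] = field(default_factory=list)
    allowed_channels: set[str] = field(default_factory=set)   # e.g. session-shell, scp
    enabled: bool = True


@dataclass
class Request:
    user: str
    client_ip: str
    channel: str
    when: datetime


def evaluate(policy: ConnectionPolicy, req: Request, directory: dict) -> tuple[bool, str]:
    """Return (allowed, reason). The default outcome is deny."""
    if not policy.enabled:
        return False, "policy disabled"
    groups = directory.get(req.user)
    if groups is None:
        return False, "unknown user"          # no longer in the directory
    if req.user not in policy.allowed_users and not (groups & policy.allowed_groups):
        return False, "user not in an allowed group or user list"
    if policy.client_networks and not any(
        ip_address(req.client_ip) in ip_network(n) for n in policy.client_networks
    ):
        return False, "client address not permitted"
    if policy.time_windows and not any(
        day == req.when.weekday() and start <= req.when.hour < end
        for day, start, end in policy.time_windows
    ):
        return False, "outside the Time Policy window"
    if req.channel not in policy.allowed_channels:
        return False, f"channel {req.channel} disabled by policy"
    return True, "allowed"


# Constructed directory snapshot: user -> group memberships (as read from LDAP).
DIRECTORY = {
    "alice": {"db-admins", "staff"},
    "vendor1": {"vendor-support"},
    "bob": {"staff"},
}

SSH_TO_DB = ConnectionPolicy(
    name="ssh-to-db-servers",
    allowed_groups={"db-admins"},
    client_networks=["10.0.0.0/8"],
    allowed_channels={"session-shell"},       # SCP and port forwarding stay off
)

VENDOR_MAINTENANCE = ConnectionPolicy(
    name="vendor-maintenance",
    allowed_groups={"vendor-support"},
    time_windows=[(1, 22, 24)],               # Tuesdays, 22:00-24:00 only
    allowed_channels={"session-shell"},
)


def decide(policy: ConnectionPolicy, user: str, client_ip: str, channel: str,
           when_iso: str, directory: dict = DIRECTORY) -> tuple[bool, str]:
    """Same decision as evaluate(), with the time given as an ISO-8601 string."""
    req = Request(user, client_ip, channel, datetime.fromisoformat(when_iso))
    return evaluate(policy, req, directory)


if __name__ == "__main__":
    # 2014-02-24 is a Monday, 2014-02-25 a Tuesday.
    print(decide(SSH_TO_DB, "alice", "10.1.2.3", "session-shell", "2014-02-24T10:00:00"))
    print(decide(SSH_TO_DB, "alice", "10.1.2.3", "scp", "2014-02-24T10:00:00"))
    print(decide(VENDOR_MAINTENANCE, "vendor1", "203.0.113.9", "session-shell", "2014-02-24T23:00:00"))
```

The order of the checks matters for what gets logged as the deny reason (Requirement 10.2 asks for invalid access attempts to be recorded), but not for the outcome: a request is allowed only when every check passes.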

Requirement 8.2: In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric.

How SCB helps you: SCB can centrally authenticate the audited connections to a central LDAP (for example, Microsoft Active Directory) or RADIUS server, and enforce the use of strong authentication methods, including passwords, public keys or certificates, and in certain cases smart cards.

Requirement 8.2.1: Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

How SCB helps you: SCB supports LDAPS encryption, as well as strong authentication methods in the audited connections (for example, Network Level Authentication (NLA) in RDP connections).

Requirement 8.3: Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance). Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

How SCB helps you: SCB was designed to control and audit remote access connections. SCB can authenticate the users independently of the accessed server, and supports strong authentication methods such as public-key authentication, X.509 certificates, and also authentication to RADIUS and LDAP databases (for example, Microsoft Active Directory). Being able to require a separate authentication, it is an effective tool to implement a centralized two-factor authentication scenario. SCB can also require the users to authenticate on the SCB web interface to access a connection, therefore providing a protocol-independent, out-of-band authentication method.

Requirement 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows: Generic user IDs are disabled or removed. Shared user IDs do not exist for system administration and other critical functions. Shared and generic user IDs are not used to administer any system components.

How SCB helps you: SCB can prohibit the use of generic user IDs, but it can also link generic and shared user IDs to the actual, unique user ID of the user accessing the shared account. That way, the shared account (for example, the administrator account of a networking device) can be used, and the events are linked to the real users performing them. SCB can also be configured to authenticate on the audited device or server without the user actually knowing the required credentials, keeping the credentials of the shared account secret from the users. (Naturally, the users must authenticate on SCB, or to the central LDAP directory.)

Requirement: Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

How SCB helps you: SCB can be used to provide a unique user ID for each user. This is especially useful for legacy systems that have limited user-management capabilities.

Requirement 8.7: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: All user access to, user queries of, and user actions on databases are through programmatic methods. Only database administrators have the ability to directly access or query databases. Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

How SCB helps you: SCB was developed to control and audit the remote access of administrators to the protected servers. SCB provides control over the most common applications and protocols used in remote server administration, including Secure Shell (SSH), VNC, VMware View, and Windows Terminal Services. SCB can control regular access as well if normal users also use a supported protocol to access this data, for example, HTTP, Terminal Services running on a Windows Terminal Server, or Citrix XenApp or XenDesktop. In addition to the authentication performed on the remote server, the user can be authenticated by SCB using strong authentication methods against an LDAP (for example, Microsoft Active Directory) or RADIUS database as well, making it possible to facilitate two-factor authentication. Furthermore, the 4-eyes principle can also be enforced by requiring another user to authorize every connection.

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 10.1: Implement audit trails to link all access to system components to each individual user.

How SCB helps you: SCB can automatically deny certain usernames (for example, root) from accessing your protected servers. It can also authenticate users who try to access the servers against your main LDAP database (for example, Microsoft Active Directory). SCB can require the users to authenticate on SCB using their normal usernames, making it possible to tie the connections that use general (for example, root or Administrator) usernames to real accounts. SCB can even control who can use a specific username on the server.

Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events: All actions taken by any individual with root or administrative privileges.

How SCB helps you: SCB was developed for this very purpose: to control and audit the remote access of administrators to the protected servers. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. Every action of the administrators is visible in the audit trail. SCB can automatically process and index the contents of the audit trails, allowing you to search for specific commands used or texts displayed in the connections. SCB can even create reports from the results, which you can customize, for example, to include audit trails with selected keywords or other conditions.

Requirement: Access to all audit trails.

How SCB helps you: The audit trails stored on SCB can be accessed only by users who have the privilege to do so. Downloading audit trails is logged. The audit trails can be encrypted, and it is also possible to encrypt them with multiple encryption keys. When encrypted with multiple keys, the audit trail can be viewed only if every required decryption key is available.

Requirement: Invalid logical access attempts.

How SCB helps you: SCB automatically logs attempts to access remote servers or specific protocol channels that were denied for some reason.

Requirement: Initialization, stopping, or pausing of the audit logs.

How SCB helps you: SCB is a transparent device, independent from the clients and the audited servers. The users of the remote servers do not need to have accounts on SCB; only users with explicit access to SCB can control the auditing.

Requirement: Creation and deletion of system-level objects.

How SCB helps you: Typically only administrators can perform such operations, and administrator activities are audited. For its own configuration changes, SCB maintains a detailed changelog, and can require the administrators to describe the reasons for the modification.

Requirement 10.3: Record at least the following audit trail entries for all system components for each event:

- User identification
- Type of event
- Date and time
- Success or failure indication
- Origination of event
- Identity or name of affected data, system component, or resource.

How SCB helps you: SCB records all these data, and other metadata as well (for example, the type of authentication), about users accessing the protected servers using the supported protocols. SCB can require the users to authenticate on SCB using their normal usernames, making it possible to tie the connections that use general (for example, Administrator) usernames to real accounts.

Requirement 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. Note: One example of time synchronization technology is Network Time Protocol (NTP).

How SCB helps you: SCB can automatically synchronize its system clock to a remote time server. That way the audit trails contain accurate time information even if the server logs are mistimed because the clock of the server is not accurate or has not been synchronized.

Requirement 10.5: Secure audit trails so they cannot be altered.

How SCB helps you: All audit trails are digitally signed and encrypted using public-key encryption. The encryption can use multiple encryption keys as well. The audit trails can be timestamped using local or external Timestamping Authorities.
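What "timestamped and signed so they cannot be altered" buys an auditor (Requirement 10.5, and the "protect audit trail files from unauthorized modifications" item that follows) is easiest to see by trying to tamper with a trail and watching the check fail. The Python below is an added example for this page, not SCB's trail format or its cryptography: each record carries a timestamp, the hash of the previous record and an authentication tag computed with a key that only the auditing device holds, and a verifier recomputes every link. HMAC stands in here for the public-key signature and the Timestamping Authority the paper describes, and the encryption of the trail is not shown; the key, users and events are constructed.

```python
"""Tamper-evident audit trail: hash chain, timestamp and per-record tag.

Added illustration, not BalaBit/SCB code. HMAC-SHA256 stands in for the
public-key signature the paper describes; the signing key is assumed to be
held by the auditing appliance and never by the audited server or client.
Records and key material are constructed for the example.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # "previous hash" of the first record
BODY_FIELDS = ("seq", "ts", "user", "event", "prev")


def _canonical(record: dict) -> bytes:
    """Serialize deterministically so hashes and tags are reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.records: list[dict] = []

    def append(self, timestamp: str, user: str, event: str) -> dict:
        """Add a record chained to the previous one and tag it."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "ts": timestamp, "user": user,
                "event": event, "prev": prev_hash}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        tag = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        record = {**body, "hash": digest, "tag": tag}
        self.records.append(record)
        return record


def verify(records: list[dict], signing_key: bytes) -> tuple[bool, str]:
    """Recompute every link; report the first record that fails and why."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i:
            return False, f"record {i}: sequence gap (seq {rec['seq']})"
        if rec["prev"] != prev:
            return False, f"record {i}: chain broken"
        body = {k: rec[k] for k in BODY_FIELDS}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        if digest != rec["hash"]:
            return False, f"record {i}: content modified"
        expected = hmac.new(signing_key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, f"record {i}: signature invalid"
        prev = rec["hash"]
    return True, f"{len(records)} records verified"


def demo() -> dict:
    """Build a short trail, then show which manipulations the verifier catches."""
    key = b"constructed-appliance-signing-key"
    trail = AuditTrail(key)
    trail.append("2014-02-24T10:00:00Z", "alice", "ssh session opened to db1")
    trail.append("2014-02-24T10:00:07Z", "alice", "sudo -i")
    trail.append("2014-02-24T10:01:30Z", "alice", "vi /etc/sudoers")
    trail.append("2014-02-24T10:02:00Z", "alice", "session closed")
    intact = verify(trail.records, key)

    # An administrator with write access to the stored trail rewrites one event...
    edited = [dict(r) for r in trail.records]
    edited[2]["event"] = "ls /etc"
    # ...or deletes the record outright...
    deleted = [dict(r) for r in trail.records if r["seq"] != 2]
    # ...or recomputes the hash but has to guess the key for the tag.
    forged = [dict(r) for r in trail.records]
    forged[2]["event"] = "ls /etc"
    forged[2]["hash"] = hashlib.sha256(
        _canonical({k: forged[2][k] for k in BODY_FIELDS})).hexdigest()
    forged[2]["tag"] = hmac.new(b"wrong-key", forged[2]["hash"].encode(),
                                hashlib.sha256).hexdigest()

    return {"intact": intact, "edited": verify(edited, key),
            "deleted": verify(deleted, key), "forged": verify(forged, key)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8} {result}")
```

The chain and the sequence number catch silent edits and deletions; the tag is what stops an attacker who can rewrite the file from simply recomputing the hashes, because the key lives on the appliance rather than on the audited server. A timestamp from an external authority, as the paper mentions, additionally pins down when a record existed, which a self-reported `ts` field alone cannot do.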

Requirement: Limit viewing of audit trails to those with a job-related need.

How SCB helps you: Audit trails can be downloaded only by users who have the required privileges. The downloaded audit trails can be viewed only if the user has the required encryption key or keys. The upstream traffic of the communication (the part that may contain passwords or other sensitive information) can be encrypted separately, and is displayed only if the additional encryption key is available.

Requirement: Protect audit trail files from unauthorized modifications.

How SCB helps you: The audit trails are stored on SCB, which is an appliance physically independent from the audited servers; the users of the remote servers do not need to have accounts on SCB. The audit trails are encrypted, timestamped, and signed to prevent any modification. They can be accessed directly only by those authorized to do so.

Requirement: Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

How SCB helps you: The SCB appliance is independent from the audited clients and servers, and extracts information from the network connection between the client and the server. That way, the audit trails cannot be accessed, modified, or manipulated from the client or the server; they are safely stored on SCB. SCB uses strong encryption technologies to protect the audit trails from unauthorized access and modification. If you use two SCB appliances in high-availability mode, the recorded audit trails are automatically synchronized to the other node, so a duplicate of every piece of data is stored.

Requirement: Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

How SCB helps you: SCB supports both the legacy BSD-syslog and the latest IETF-syslog protocols, and can send the log messages to the log server via mutually authenticated and TLS-encrypted connections.

Requirement 10.6: Review logs and security events for all system components to identify anomalies or suspicious activity. Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

How SCB helps you: SCB automatically generates daily reports about the audited connections. It can also automatically index the contents of the recorded audit trails to make it possible to search for specific commands used or texts displayed in both terminal-based and graphical connections. You can also define automated searches for specific keywords and search queries, and include the results in custom reports. The content of the audited traffic can be forwarded to an external IDS/DLP system as well, to extend the protection offered by these systems to the previously inaccessible administrative traffic. As for its own logs, SCB can send them to a remote log server or SIEM using reliable, encrypted connections.

Requirement: Review the following at least daily:

- All security events
- Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
- Logs of all critical system components
- Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

How SCB helps you: SCB can greatly increase the effectiveness of such regular reviews, as well as of forensic investigations. Indexing the audit trails makes it possible to perform free-form searches on the contents of every audit trail, including the commands used in terminal connections, or any text displayed by the server in terminal or graphical connections. Replaying the sessions of privileged users like a movie can also significantly decrease the time needed to determine exactly what happened on the server.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

How SCB helps you: SCB can store a significant amount of audit trails online. The database storing the metadata about the audit trails is available even after the actual audit trails have been archived.

Requirement 11: Regularly test security systems and processes

Requirement 11.4: Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

How SCB helps you: The content of the audited traffic can be forwarded to an external IDS/DLP system as well, to extend the protection offered by these systems to the previously inaccessible administrative traffic.

Requirement 12: Maintain a policy that addresses information security for all personnel

Requirement: Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use.

How SCB helps you: The connection policies of SCB can be easily enabled and disabled as needed. When using the 4-eyes authorization principle, every session of a connection policy must be authorized individually, with the possibility of monitoring the work of the user in real time to exert total control over vendor access. It is also possible to limit access to a connection to specific times of the day or week.

Requirement: For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

How SCB helps you: SCB can control remote access connections on the channel level: for example, it is possible to disable the SCP channel of SSH connections, or the Clipboard and device sharing channels of RDP connections, to prevent the copying of the remotely stored data to local media. The content of the audited connection can be forwarded to an external IDS/DLP system as well, to extend the protection offered by these systems to the previously inaccessible administrative traffic. Also, SCB can fully audit SCP and SFTP file transfers: it records every file operation, and can store a copy of the transferred files in the audit trail.

Requirement: Monitor and control all access to data.

How SCB helps you: SCB provides a way to control and audit access to remote servers independently from the users and the server administrators, allowing you to create a separate auditor layer above system administrators.

Additional PCI DSS Requirements for Shared Hosting Providers

Requirement A.1.1: Restrict each entity's access and privileges to its own cardholder data environment only.
How SCB helps you: SCB can ensure that remote users can access only the servers that they are allowed to, and can also audit the remote access for several protocols. Providers can also use SCB to grant every entity access to its own audit trails.

Requirement A.1.3: Ensure logging and audit trails are enabled and unique to each entity's cardholder data environment and consistent with PCI DSS Requirement 10.
How SCB helps you: SCB can be placed centrally into the provider's infrastructure, and can be configured to automatically collect audit trails for every remote access. SCB collects the audit trail of every session into separate files, and can organize them based on the parameters of the connection, thus ensuring that only the related entity has access to its audit trails. Encrypting the audit trails increases their security even further: only personnel with the required decryption keys can open and replay them.

Requirement A.1.4: Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
How SCB helps you: SCB provides instant access to the recorded audit trails. Indexing the audit trails makes it possible to perform free-form searches on the contents of every audit trail, including the commands used in terminal connections, or any text displayed by the server in terminal or graphical connections. Replaying the sessions of privileged users like a movie can also significantly decrease the time needed to determine exactly what happened to the entity's servers and data.

3. Other important features

This section highlights some of the features of BalaBit Shell Control Box that were not discussed in detail so far, but are useful to know about.

Protocol inspection
SCB acts as an application-level proxy gateway: the transferred connections and traffic are inspected on the application level (Layer 7 in the OSI model), and all traffic violating the protocol is rejected, an effective shield against attacks. This high-level understanding of the traffic gives control over the various features of the protocols, such as the authentication and encryption methods used in SSH connections, or the channels permitted in RDP traffic.

Detailed access control
SCB allows you to define connections: access to a server is possible only from the listed client IP addresses. This can be narrowed further by limiting various parameters of the connection, for example the time when the server can be accessed, the usernames and the authentication method used in SSH, or the type of channels permitted in SSH or RDP connections (for example, SCB can permit SSH port-forwarding only to selected users, or disable access to shared drives in RDP). Controlling the authentication means that SCB can enforce the use of strong authentication methods (public key), and also verify the public key of the users.

High availability support
All audited traffic must pass through SCB, which can therefore become a single point of failure. If SCB fails, the administrators cannot access the protected servers for maintenance. Since this is not acceptable for critical servers and services, SCB is also available with HA support. In this case, two SCB units (a master and a slave) with identical configuration operate simultaneously. The master shares all data with the slave node, and if the master unit stops functioning, the other one becomes active immediately, so the servers remain continuously accessible.
Seamless integration
The system is fully transparent: no modification on the client or the server is necessary, resulting in simple and cost-effective integration into your existing infrastructure.

Automatic data and configuration backups
The recorded audit trails and the configuration of SCB can be periodically transferred to a remote server. The latest backup, including the data backup, can be easily restored via SCB's web interface.

Managing SCB
SCB is configured from a clean, intuitive web interface. The roles of each SCB administrator can be clearly defined using a set of privileges: manage SCB as a host, manage the connections to the servers, or view the audit trails. The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, logging to remote servers, and other administrative traffic.
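The channel-level controls described for Requirement 12 above (disabling SCP or RDP clipboard channels) and the "Detailed access control" feature (client network, time of day, username, permitted channels, 4-eyes authorization) all come down to evaluating a session request against a connection policy and recording the decision. The following Python model is an added example illustrating that evaluation order; it is not SCB's code or configuration format, and the policy fields, channel names, sample network 203.0.113.0/24 and sample users are constructed for the illustration:

```python
"""Connection-policy evaluation as an illustration of channel-level access
control for privileged sessions. Added example: it models the kind of rules
the paper describes (client network, time window, user, channel, 4-eyes
authorization), not SCB's own configuration format or code."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Channel labels are assumptions for this example, not product identifiers.
SSH_CHANNELS = frozenset({"shell", "scp", "sftp", "port-forward"})
RDP_CHANNELS = frozenset({"desktop", "clipboard", "drive-sharing"})


@dataclass(frozen=True)
class ConnectionPolicy:
    name: str
    protocol: str                          # "ssh" or "rdp"
    client_networks: Tuple[str, ...]       # CIDR blocks allowed to connect
    allowed_users: FrozenSet[str]
    allowed_channels: FrozenSet[str]       # every other channel is rejected
    weekdays: FrozenSet[int] = frozenset(range(5))   # Mon=0 .. Fri=4
    hours: Tuple[int, int] = (8, 18)       # [start, end) local time
    four_eyes: bool = False                # session needs an explicit authorizer
    enabled: bool = True                   # switched off between vendor jobs


@dataclass(frozen=True)
class SessionRequest:
    protocol: str
    client_ip: str
    username: str
    channel: str
    when: datetime
    authorized_by: Optional[str] = None    # auditor who approved this session


def evaluate(policy: ConnectionPolicy, req: SessionRequest) -> Tuple[str, str]:
    """Return ("allow", "") or ("deny", reason). Checks run from the coarsest
    (is the policy active at all) to the finest (is this channel permitted)."""
    if not policy.enabled:
        return "deny", "policy disabled"
    if req.protocol != policy.protocol:
        return "deny", "protocol %s not covered by policy" % req.protocol
    addr = ip_address(req.client_ip)
    if not any(addr in ip_network(net) for net in policy.client_networks):
        return "deny", "client address not in allowed networks"
    start, end = policy.hours
    if req.when.weekday() not in policy.weekdays or not (start <= req.when.hour < end):
        return "deny", "outside permitted time window"
    if req.username not in policy.allowed_users:
        return "deny", "user %s not permitted" % req.username
    if req.channel not in policy.allowed_channels:
        return "deny", "channel %s not permitted" % req.channel
    if policy.four_eyes and not req.authorized_by:
        return "deny", "4-eyes authorization missing"
    return "allow", ""


def audit(policy: ConnectionPolicy, requests: List[SessionRequest]) -> List[dict]:
    """Evaluate each request and return one audit record per decision: the
    metadata an auditor keeps alongside the session recording itself."""
    records = []
    for req in requests:
        decision, reason = evaluate(policy, req)
        records.append({
            "policy": policy.name,
            "time": req.when.isoformat(),
            "client": req.client_ip,
            "user": req.username,
            "channel": req.channel,
            "authorized_by": req.authorized_by,
            "decision": decision,
            "reason": reason,
        })
    return records


# Constructed sample policy: vendor SSH access that permits an interactive
# shell and SFTP (both fully auditable) but denies SCP and port-forwarding.
VENDOR_SSH = ConnectionPolicy(
    name="vendor-ssh",
    protocol="ssh",
    client_networks=("203.0.113.0/24",),   # RFC 5737 documentation range
    allowed_users=frozenset({"vendor1"}),
    allowed_channels=frozenset({"shell", "sftp"}),
    four_eyes=True,
)

# Constructed sample requests (25 Feb 2014 is a Tuesday, 1 Mar 2014 a Saturday).
SAMPLE_REQUESTS = [
    SessionRequest("ssh", "203.0.113.10", "vendor1", "shell", datetime(2014, 2, 25, 10, 0), "auditor"),
    SessionRequest("ssh", "203.0.113.10", "vendor1", "scp", datetime(2014, 2, 25, 10, 5), "auditor"),
    SessionRequest("ssh", "198.51.100.5", "vendor1", "shell", datetime(2014, 2, 25, 10, 10), "auditor"),
    SessionRequest("ssh", "203.0.113.10", "vendor1", "shell", datetime(2014, 3, 1, 10, 0), "auditor"),
    SessionRequest("ssh", "203.0.113.10", "vendor1", "shell", datetime(2014, 2, 25, 11, 0), None),
]

if __name__ == "__main__":
    for rec in audit(VENDOR_SSH, SAMPLE_REQUESTS):
        print(rec["decision"], rec["user"], rec["channel"], rec["reason"])
```

Only the first sample session is allowed; the others are denied for a disallowed channel (SCP), a client outside the permitted network, a weekend access and a missing 4-eyes authorizer respectively. Deny reasons are kept in the audit record on purpose: for an assessor, "why was this vendor session refused" is as useful as the recording of the sessions that went through.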

4. Summary

This paper has shown how to use the BalaBit Shell Control Box (SCB) appliance to control privileged access to remote systems and record the activities into searchable and replayable, movie-like audit trails, and how to use the audit trails in forensic situations. SCB is an ideal choice to enhance your IT infrastructure if your organization must comply with external regulations like PCI DSS.

About BalaBit

BalaBit IT Security Ltd. is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies that help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions for a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as "the logging company", based on the company's flagship product, the open source log server application syslog-ng, which is used by more than companies worldwide and became the globally acknowledged de facto industry standard. BalaBit, the fastest-growing IT security company in the Central European region according to the Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.

To learn more about commercial and open source SCB products, request an evaluation version, or find a reseller, visit the following links:
Shell Control Box homepage
Product manuals, guides, and other documentation
Contact us and request an evaluation version
Find a reseller

All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address:
BalaBit IT Security
1117 Budapest, Alíz Str. 2
Phone:
Fax:
Web:

Copyright 2014 BalaBit IT Security Ltd. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaBit. The latest version is always available at the BalaBit Documentation Page.


More information

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations Integration with Numerous Type of Devices Flexible Architectural Configuration

More information

Voltage SecureData Mobile PCI DSS Technical Assessment

Voltage SecureData Mobile PCI DSS Technical Assessment White Paper Security Voltage SecureData Mobile PCI DSS Technical Assessment Prepared for Micro Focus Data Security by Tim Winston, PCI/P2PE Practice Director, Coalfire Systems, Inc., June 2016 Table of

More information

CSP & PCI DSS Compliance on HPE NonStop systems

CSP & PCI DSS Compliance on HPE NonStop systems CSP & PCI DSS Compliance on HPE NonStop systems March 27, 2017 For more information about Computer Security Products Inc., contact us at: 30 Eglinton Ave., West Suite 804 Mississauga, Ontario, Canada L5R

More information

Easy-to-Use PCI Kit to Enable PCI Compliance Audits

Easy-to-Use PCI Kit to Enable PCI Compliance Audits Easy-to-Use PCI Kit to Enable PCI Compliance Audits Version 2.0 and Above Table of Contents Executive Summary... 3 About This Guide... 3 What Is PCI?... 3 ForeScout CounterACT... 3 PCI Requirements Addressed

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Securing Mainframe File Transfers and TN3270

Securing Mainframe File Transfers and TN3270 Securing Mainframe File Transfers and TN3270 with SSH Tectia Server for IBM z/os White Paper October 2007 SSH Tectia provides a versatile, enterprise-class Secure Shell protocol (SSH2) implementation for

More information

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016 Section 3.9 PCI DSS Information Security Policy Issued: vember 2017 Replaces: June 2016 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

PCI DSS and the VNC SDK

PCI DSS and the VNC SDK RealVNC Limited 2016. 1 What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by many major credit card companies, including Visa, MasterCard, American Express,

More information

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

WHITE PAPERS. INSURANCE INDUSTRY (White Paper) (White Paper) Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance

More information

SECURITY PRACTICES OVERVIEW

SECURITY PRACTICES OVERVIEW SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim

More information

Third-Party Service Provider/Auto Club Group (ACG) PCI DSS Responsibility Matrix

Third-Party Service Provider/Auto Club Group (ACG) PCI DSS Responsibility Matrix / PCI DSS Matrix Joint sub-requirements is Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include

More information

SoftLayer Security and Compliance:

SoftLayer Security and Compliance: SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers

More information

PCI Compliance for Power Systems running IBM i

PCI Compliance for Power Systems running IBM i WHITE PAPER PCI Compliance for TM Power Systems running IBM i ABSTRACT: The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information.

More information

The Prioritized Approach to Pursue PCI DSS Compliance

The Prioritized Approach to Pursue PCI DSS Compliance PCI DSS Prioritized Approach for PCI DSS.0 PCI DSS Prioritized Approach for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides

More information

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS

PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE

More information

GUIDE TO STAYING OUT OF PCI SCOPE

GUIDE TO STAYING OUT OF PCI SCOPE GUIDE TO STAYING OUT OF PCI SCOPE FIND ANSWERS TO... - What does PCI Compliance Mean? - How to Follow Sensitive Data Guidelines - What Does In Scope Mean? - How Can Noncompliance Damage a Business? - How

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide The Balabit s Privileged Session Management 5 F5 Azure Reference Guide March 12, 2018 Abstract Administrator Guide for Balabit s Privileged Session Management (PSM) Copyright 1996-2018 Balabit, a One Identity

More information

Insurance Industry - PCI DSS

Insurance Industry - PCI DSS Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services. Vanguard is the industry leader in z/os Mainframe Software to ensure enterprise compliance with the

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

Compliance and Privileged Password Management

Compliance and Privileged Password Management Introduces Compliance and Privileged Password Management [ W H I T E P A P E R ] Written by Kris Zupan, CEO/CTO e-dmz Security, LLC April 13, 2007 Compliance and Privileged Password Management Overview

More information

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below

More information

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure

More information

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this

More information

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control

More information

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0 Qualified Integrators and Resellers (QIR) TM Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the Validated Payment Application

More information

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security

Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security Payment Card Industry (PCI) Data Security Standard and Bsafe/Enterprise Security Mapping of Bsafe/Enterprise Security Controls to PCI-DSS Requirements and Security Assessment Procedures Version 1.2 vember

More information