Accelerate the path to PCI DSS data compliance using InfoSphere Guardium


Use prebuilt reports, policies, and groups to simplify configuration

Kathryn Zeidenstein, Evangelist, IBM
Shengyan Sun, QA Engineer, IBM
18 April 2013
Copyright IBM Corporation 2013. Trademarks

This article gives you a step-by-step overview of using the Payment Card Industry (PCI) Data Security Standard (DSS) accelerator that is included with the standard InfoSphere Guardium data security and protection solution. The PCI DSS is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations that store, process, use, or transmit cardholder data. Failure to comply can mean loss of privileges, stiff fines, and, in the case of a data breach, severe loss of consumer confidence in your brand or services. The accelerator helps guide you through the process of complying with parts of the standard using predefined policies, reports, group definitions, and more.

Introduction

Recent high-profile data thefts, along with industry statistics, indicate that significant work remains to be done in most organizations to implement PCI DSS. In its 2010 Data Breach Investigation Report on 141 global organizations that experienced breaches, Verizon's Business Risk Team found that 83% of records compromised involved payment card data. "While other types of data are sought by certain groups (i.e. competitors may target IP), the vast majority of cybercriminals are looking for a quick and easy payoff. Payment cards certainly fit the bill." Investigations also showed that 79% of the organizations attacked that were subject to PCI DSS were not compliant with the standard.

InfoSphere Guardium is designed to help you meet standard compliance requirements. It includes four compliance accelerators that you are entitled to use with your Activity Monitoring or Vulnerability Assessment license: Basel II, Data Privacy, PCI DSS, and Sarbanes-Oxley

(SOX). They can be downloaded from Passport Advantage as part of the e-assembly. In this article, you will get an overview of the PCI accelerator, looking at each of its major components. You will learn how the accelerator helps you design the correct reports and policies for compliance, and also how it is structured as a checklist of sorts, making it easy to demonstrate to an external auditor how you are managing to PCI compliance standards using InfoSphere Guardium.

What is PCI DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of technical and operational requirements designed to protect cardholder data and applies to all organizations that store, process, use, or transmit cardholder data. As stated on the PCI Security Standards website, the framework for compliance is built around three steps:

Assess: Inventory your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data.
Remediate: Fix those vulnerabilities.
Report: Compile the records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and the global payment brands you do business with.

This article assumes some knowledge of InfoSphere Guardium to do the hands-on activities, but the main points of the article, in terms of benefits for compliance, should be clear even without prior Guardium experience. Because the examples show populated reports, this article also assumes that you have already installed and configured InfoSphere Guardium and are collecting data activity from your database servers.

In this article, you will learn:

How to install the accelerator and configure a PCI role that will see the GUI enhancements specific to the PCI accelerator.
The layout of the accelerator and the reports that are included to demonstrate compliance. You will learn how to add members to groups that will enable those reports to return the correct information. The article also briefly discusses security policies and rules.
How to use audit processes to automate compliance workflow for reviews and sign-offs.

Recommendation: You can download the checklist (see Downloads), which helps you gather the information required to populate the groups used in the PCI reports and policies.

Summary for advanced users

If you are familiar with Guardium and don't need step-by-step instructions, here is a summary of what you need to do.

1. Download and install the PCI DSS accelerator from Passport Advantage, assign the PCI role to a user, and reset the GUI layout for that user. See Install the PCI DSS accelerator and configure the PCI role for more details.
2. Using the Guardium API (see the appendix) or the Group Builder (see Populating groups), populate the groups that are used to generate the reports you need, as summarized here:
   PCI Admin Users
   PCI Authorized Client IPs

   PCI Authorized Server IPs
   PCI Authorized Source Programs
   PCI Cardholder DBs
   PCI Cardholder Sensitive objects
   PCI Limited Access Users
3. Configure a security policy, optionally using one of the PCI policies as a template. (See Set up the security policy.)
4. Use regularly scheduled security assessments to detect common vulnerabilities or the use of bad security practices. (See Run regular security assessments.)
5. Use audit processes to automate sign-offs and review. (See Use audit processes to automate sign-offs and review.)

Install the PCI DSS accelerator and configure the PCI role

The PCI DSS accelerator, along with the accelerators for Sarbanes-Oxley, Data Privacy, and HIPAA, is part of your entitlement to InfoSphere Guardium. Use the following steps to obtain and install it.

1. From an authorized Passport Advantage ID, download the Accelerator module for your release of InfoSphere Guardium and upload it to your file server.
2. Log in to the Guardium appliance as CLI (or as an admin with CLI), run the following CLI command, and follow the prompted steps:
   store system patch install sys
3. After the installation is complete, use the following CLI command to confirm that the patch installed successfully:
   show system patch installed
   In the listing of the command, you should see a line for the accelerator that shows a status of DONE: Patch Installation Succeeded, as shown in Figure 1.

Figure 1. Successful installation of the PCI accelerator

Guardium uses roles to segregate the components that a particular user has access to. The Guardium access manager is responsible for assigning users to roles. The PCI role enables the person responsible for configuring Guardium for PCI compliance to see the relevant information in the Guardium user interface. In this section, learn how to configure an existing user to have the PCI role in Guardium and configure the layout for the PCI accelerator.
Recommendation: When you configure the layout, that user will lose any existing UI customization, so it is recommended that you create a separate user for testing purposes.

1. Log in to the Guardium web UI using the accessmgr user account. Select a user (in this case, user1), and click Roles.

Figure 2. Adding a role for a user

2. In the User Role Form, check the box for PCI, and then click Save.

Figure 3. Adding a role for a user

3. Next, click Change Layout to configure the user interface to add the PCI-specific user interface components.

Figure 4. Change the layout to activate PCI components of the user interface

4. A window opens asking for an optional description. You can add a description or not; then click Reset.

Figure 5. Reset will reset the layout for the user when they log on

Now user1 is ready to begin configuring Guardium for PCI monitoring. First, as user1, log in to the Guardium web interface. Because of your PCI role, you see a customized layout for PCI. If not already highlighted, click on the PCI Accelerator tab and then the Overview subtab. In the left navigation pane, you have the option of viewing an overview of the PCI standard (as shown in Figure 6) or an introduction to the Guardium PCI accelerator itself.

Figure 6. An overview of the PCI standard

From the left menu pane, select PCI Data Security Standard to open the Introduction page.

From the left menu pane, select PCI Accelerator for Compliance to get the detailed introduction to the PCI accelerator.

Plan and organize

The accelerator can help you with planning and organizing for PCI compliance activities. This section includes reports that inventory your cardholder database servers, database users, authorized source programs, and more. You can use Guardium API automation to keep these inventories updated as your environment changes, or you can update the inventory manually using the GUI. Click on the Plan & Organize tab and then click on the Overview option from the left navigation menu to get to the introduction of how the report templates in this section can help you:

Create an inventory map of cardholder information servers, clients, databases, and users.
View information about the "who, what, when, and how" of cardholder information that has been touched.
Verify that generic IDs and accounts are disabled or removed and that there are no shared IDs for system administration activities and other critical functions.

Figure 7. Plan and organize overview

In the left menu pane, you see the list of report templates that are provided to help you plan and stay organized.

Figure 8. Built-in reports to help you plan and organize

If you click on any of these reports, you will see "data not found" because they rely on groups being populated with relevant members. Guardium uses groups to simplify the management

of the system. So, for example, you might have a group of cardholder databases and a group of authorized programs. The reports use the appropriate populated groups as a runtime parameter to show you the relevant information. This becomes clearer as you continue in this article. First, you'll get a description of the reports and the relevant groups, and then you'll see how to find out for yourself what groups a report is using and how to populate a group.

Here is an overview of the reports in the Plan & Organize tab and the group or groups each relies on.

Graphical maps: It is possible to create a graphical view (including a PDF) of client/server mapping as well. This is called the Access Map Application. That application uses IP addresses and database types for filtering, not groups. See the "how-to" topic in the Information Center for more details (see Resources for a link).

Cardholder Server IPs List: This reports the cardholder information database server list. You will need to populate the PCI Authorized Server IPs group, which specifies the database servers that store cardholder information.

Cardholder Databases: Cardholder information databases. You will need to populate the PCI Cardholder DBs group.

Cardholder Objects: Cardholder information objects. This could be a table, view, or stored procedure that contains the sensitive information. You will need to populate the PCI Cardholder Sensitive objects group.

DB Clients to Servers Map: This report is a client-to-server mapping of PCI Authorized Server IPs (the group that specifies the database servers storing cardholder information) to the client IPs that are accessing those servers. See Figure 14 for an example.

Active DB Users: This reports on users (who are not administrators) who are accessing the cardholder database. This report uses the PCI Admin Users group.

Authorized Source Programs: This reports on the authorized credit applications.
This report relies on the PCI Authorized Server IPs and the PCI Authorized Source Programs groups.

Unauthorized Application Access: This report lets you know if there is a program other than one of your authorized credit applications accessing the authorized database servers. Again, this relies on the PCI Authorized Server IPs and PCI Authorized Source Programs groups. (At runtime, the report uses negation on the PCI Authorized Source Programs group to identify the unauthorized applications.)

Shared Accounts: PCI requirement 8 is that each person who has computer access is assigned a unique ID. This report can help identify when the same user ID is used from multiple client IPs to connect to the same server, which could indicate that ID sharing is occurring.

Populating groups

To see the magic behind the reports, you can go to any report and click on the pencil icon to see the query that is used to build the report.

Figure 9. Edit a report to see the query behind it

The Query Builder will include the names of the relevant group or groups used when running the report.

Figure 10. Query conditions for a report may contain groups

Your task now is to populate the group, and you'll do that using the Group Builder. You can access the Group Builder from many different places, as groups are a critical component of reporting, security assessments, and policy rules. You navigate to the Group Builder from the Comply tab, which is a tab that appears when you are logged on in the user role. Click on the Comply tab, then select Group Builder from the graphic, as shown in Figure 11.

Figure 11. Accessing the Group Builder tool

Highlight the group you want to modify, and then click Modify. In Figure 12, PCI Authorized Server IPs is selected.

Figure 12. Modify the built-in group

In the Manage Members for Selected Group portlet, you can add authorized server IPs to the group. Enter each server IP, and then click Add to put the member in the Group Members window. When you are done, click Back.

Figure 13. Adding members to a group

You can also use the Guardium APIs to populate your groups. The appendix includes an example of how to do this.
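As an added example (not Guardium code, and not part of the original article), the following Python models how the Plan & Organize reports derive their results from the groups you have just populated: the client-to-server map, the negation on PCI Admin Users (the same negation the Track & Monitor Data Access report applies), the negation on PCI Authorized Source Programs with the % wildcard that Listing 1's "%sqlplus%" member implies, and the Shared Accounts check. The user and program group members follow Listing 1 in the appendix; the IP addresses and the session records are constructed for this example, and case-sensitive matching is an assumption.

```python
"""Group-driven report logic modelled on the accelerator's Plan & Organize
reports. Added example, not Guardium code: the user and program group members
follow Listing 1 of the article; IP addresses and sessions are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One observed database session, the minimum the reports need."""
    db_user: str
    client_ip: str
    server_ip: str
    source_program: str


# Group contents. Users and programs are from Listing 1; IPs are constructed.
PCI_AUTHORIZED_SERVER_IPS = {"10.10.9.56", "10.10.9.57"}
PCI_ADMIN_USERS = {"joe", "jdipietro", "sa", "system", "db2inst2", "bill"}
PCI_AUTHORIZED_SOURCE_PROGRAMS = {"%sqlplus%", "sqlplus", "sap", "oracle EBS"}


def matches_group(value, group):
    """True if value equals a group member, treating '%' in a member as a
    wildcard (as the '%sqlplus%' member in Listing 1 implies). Everything
    else is matched literally and case-sensitively (an assumption here)."""
    for member in group:
        pattern = ".*".join(re.escape(part) for part in member.split("%"))
        if re.fullmatch(pattern, value):
            return True
    return False


def on_pci_server(session):
    """Every report below is scoped to the PCI Authorized Server IPs group."""
    return session.server_ip in PCI_AUTHORIZED_SERVER_IPS


def client_to_server_map(sessions):
    """DB Clients to Servers Map: which client IPs reach each cardholder server."""
    clients = defaultdict(set)
    for s in filter(on_pci_server, sessions):
        clients[s.server_ip].add(s.client_ip)
    return {server: sorted(ips) for server, ips in clients.items()}


def active_db_users(sessions):
    """Active DB Users: non-administrators touching cardholder servers.
    This is the negation on PCI Admin Users; the Track & Monitor Data Access
    report applies the same negation, and Admin Activity the plain match."""
    return sorted({s.db_user for s in filter(on_pci_server, sessions)
                   if s.db_user not in PCI_ADMIN_USERS})


def unauthorized_application_access(sessions):
    """Unauthorized Application Access: sessions on cardholder servers whose
    source program matches no member of PCI Authorized Source Programs."""
    return [s for s in filter(on_pci_server, sessions)
            if not matches_group(s.source_program, PCI_AUTHORIZED_SOURCE_PROGRAMS)]


def shared_accounts(sessions, min_clients=2):
    """Shared Accounts (PCI requirement 8): a user ID used from several client
    IPs against the same server, which may indicate ID sharing."""
    seen = defaultdict(set)
    for s in filter(on_pci_server, sessions):
        seen[(s.db_user, s.server_ip)].add(s.client_ip)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) >= min_clients}


# Constructed sample traffic: two clients sharing one application ID, an admin
# using a sqlplus variant, a spreadsheet reaching a cardholder server, and a
# session against a non-PCI server that every report must ignore.
SAMPLE_SESSIONS = [
    Session("sap_app", "10.10.9.240", "10.10.9.56", "sap"),
    Session("sap_app", "10.10.9.241", "10.10.9.56", "sap"),
    Session("joe", "10.10.9.240", "10.10.9.56", "sqlplus@hr"),
    Session("harry", "10.10.9.250", "10.10.9.57", "excel.exe"),
    Session("bill", "10.10.9.240", "10.10.9.99", "toad.exe"),
]

if __name__ == "__main__":
    print("Clients to servers:", client_to_server_map(SAMPLE_SESSIONS))
    print("Active non-admin users:", active_db_users(SAMPLE_SESSIONS))
    print("Unauthorized applications:", unauthorized_application_access(SAMPLE_SESSIONS))
    print("Possible shared accounts:", shared_accounts(SAMPLE_SESSIONS))
```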

As shown in Figure 13, the authorized server IP group is populated with two server IPs. The client-to-server map report, shown in Figure 14, which uses that authorized server IP group for its query, shows the client accesses to just those two server IPs.

Figure 14. Client-to-server map report

Track and monitor (PCI requirement 10)

Now that you've populated your groups and are able to report on PCI assets and usage patterns, you're ready to move on to the Track & Monitor tab. Requirement 10 of the standard states that you must track and monitor all access to network resources and cardholder data. This tab includes a combination of reports and information to help you reach compliance with this part of the standard. Let's take a look.

Figure 15. Reports and activities to comply with Requirement and 10.3

Automation: This section explains the requirements for this part of the standard and how reports help you comply. Compliance automation enables you to schedule reports and send reports to the appropriate people for action, if

required, and sign-off. For more information, see the online help section entitled Protect and Comply.

Data Access: This report documents access to cardholder data and relies on the PCI Authorized Server IPs and PCI Admin Users groups (negation on the latter group means that users who are not admin users are tracked).

Admin Activity: Similar to the Data Access report, except that it tracks admin user access to PCI data.

Audit Trail Access: This section explains that compliance with this part of the standard requires that access to audit trails be logged to detect tampering by malicious users who may attempt to hide their tracks. Guardium is self-monitoring, so all actions on the appliance are monitored.

Invalid Access: This section contains two reports that can help you detect if someone is attempting a brute-force attack or if there is an unauthorized application accessing cardholder objects.

Initialization Log: This PCI section is concerned with initialization of assessment logs, because loss of the log data means that evidence is completely destroyed. This section of the PCI accelerator explains how Guardium handles audit logs, which are encrypted and archived to secondary storage. The data can be restored to the Guardium appliance if required for incident investigation.

Secure audit trails: This section explains how Guardium helps you address this section of the compliance standard, including the use of security roles for separation of duties, the use of a hardened, tamper-proof appliance to protect the audit repository, and the ability to automate the archive and purge processes.

Access Auditing: This section of the standard is concerned with the frequency of log review, at least daily, to ensure that a breach is detected early. With Guardium, you can use the audit process workflow to automate review of audit reports and create an audit trail of reviews and sign-offs to validate that you have met the requirements of this part of the standard.
See Using audit processes to automate compliance workflow for more information.

Run regular security assessments (PCI requirement 11)

Click on the Ongoing validation (PCI Req 11) tab. This section of the accelerator addresses the PCI standard's requirement to "develop configuration standards for all system components" through the extensive library of assessment tests that are built around the Center for Internet Security (CIS) benchmarks and the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). For PCI Requirement 11.5, which requires regular monitoring of changes to critical system files, the assessment also includes configuration file "bad practices" tests as well as a configuration audit system that monitors any changes to those files after they have been locked down. This section relies on capabilities found in the Vulnerability Assessment tools in InfoSphere Guardium.

From the PCI Req. 11 Ongoing Validation tab, click Overview to get the introduction about the importance of doing regular assessments of possible vulnerabilities.

1. From the left menu pane, select Security Assessment.
2. From the graphic on that pane, select Define what database you want assessed to open the Security Assessment builder.

Figure 16. Accessing security assessments

3. Click New to create a new assessment.

Figure 17. Creating a new assessment

4. Enter a description and time period for this assessment, and click Add Datasource to associate this assessment with a data source.

Figure 18. Add a datasource for the assessment

5. Enter the name and type for the database as well as the user name and password. Enter the server IP, port, and service name (if needed for that database). Click Apply, and then click Back.

Figure 19. Datasource details

6. Click Test Connection to make sure Guardium can connect to the data source with the provided information. If all is well, click Back.
7. In the Datasource Finder, select the data source you just created, and then click Add.

Figure 20. Add the datasource to the new assessment

This adds the data source to the assessment you are building, as shown in Figure 21. Click Apply.

Figure 21. Datasource added to the assessment

Click Configure Tests, which brings up the screen shown in Figure 22. From your database type tab, select and add tests, which are based on database security best practices and test for common vulnerabilities and exposures (CVEs). You may want to start by identifying only critical exposures and then add additional tests after you fix the critical vulnerabilities.

Figure 22. Guardium includes a wide variety of built-in assessment tests

8. Click Run Once Now to run the assessment immediately. This may take a while if you have a lot of tests, which is why it is recommended to add these security tests to an audit process, which can be scheduled. (See Using audit processes to automate compliance workflow for more information.)

As shown in the excerpts in Figure 23, you get an assessment result that shows you which tests passed, which tests failed, and how you can fix the failures. There is also a graph that shows you results over time so that you can set goals and show progress.

Figure 23. Assessment test results

Again, it is recommended to run security assessment testing on a regular schedule by using the audit process to help you comply with the PCI requirements. This section has only briefly touched on the topic of vulnerability assessments. Be sure to read the Assess and Harden online help book for more information.

Set up the security policy

Click on the PCI Policy Monitoring tab. This section of the accelerator is all about using policies, which are at the heart of how Guardium does its job. Click Overview to learn how policy-based monitoring and protection helps you comply with PCI mandates, including the ability to create a policy based on "normal" baseline activity so that deviations from that baseline can be logged as policy violations.

Guardium policies consist of an ordered set of rules that is applied to any observed traffic between the database clients and servers. The three main types of rules are:

Access rules, which apply to traffic coming from the database client to the database server.
Exception rules, which apply to any exceptions returned from the database server to the client.
Extrusion rules, which apply to data results. This might include a policy rule to mask returned data, for example.

Although we describe how to find the currently installed policy and view its rules, the detailed information about how to create rules and their behavior is outside the scope of this article. If you

are responsible for creating policies in your organization, you should definitely review some of the materials highlighted in Resources to learn more.

1. From the left menu pane, click Policy Description to see the currently installed policy, which will look something like Figure 24.

Figure 24. Installed policy

2. To edit or create a new policy, click on the Monitor/Audit tab. This takes you to the Policy Finder, where you can find a list of predefined policies that you can modify. You can create your own policy by creating new rules or by cloning an existing policy and modifying its rules. Let's see how to do that.
3. Click on the policy you want to modify, such as PCI, and click Clone.

Figure 25. Cloning an existing policy to modify its rules

4. Give the policy a new name, and then click Save.

Figure 26. MYPCI new name

5. Select your policy from the Policy Finder list, and then click Edit Rules...

Figure 27. Modifying rules of cloned policy

6. As shown in Figure 28, you will see a collapsed list of all the policy rules in the PCI policy that you can modify for your environment. You'll see many different rules, including ones that detect and log violations for access to credit card magnetic stripe data and credit card number patterns, as well as masking those numbers upon return to an unauthorized user. To view a rule, click on the plus sign. To modify the rule, click on the pencil icon as shown in Figure 28, where you are modifying rule 6.

Figure 28. Click on the pencil icon to modify a rule

7. Figure 29 shows policy rule 6 expanded. Here, you can see two groups, Cardholder DB Objects and DDL commands, that you need to add members to if you have not done so already. Remember how we said that the Group Builder can be found in many places in Guardium? You can see it here in the Policy Builder as well.

Figure 29. Modify Cardholder Objects and DDL commands groups for this rule

8. Click on the Group Builder icon and add members to the group, as described in Populating groups.
9. Any time you change a policy, you must install the policy. It's a simple click of a button to install, but you will not do that here, because you are just looking at an existing PCI policy to see some of the rules that are there that you may want to use for your environment.
10. Now navigate back to PCI Accelerator > PCI Policy Monitoring, and from the left menu pane select Policy Violations. This is where any policy rules that are triggered appear. You can define the severity of a rule as INFO, LOW, MEDIUM, or HIGH. Figure 30, for example, is an excerpt of Rule #4 of the built-in PCI policy, which has a medium severity. The violations are color coded in the Policy Violations report according to severity.

Figure 30. A medium severity alert for an exception violation

Use audit processes to automate compliance

A key ingredient in the recipe to reduce the burden of PCI compliance and to maintain an audit trail of all reviews and approvals is to use an audit process, which lets you define:

What activities run, such as reports or security assessments.
Who has to review or sign off.
When the activities in this audit process run. For example, some activities must be run daily; others may be weekly, monthly, or even quarterly.

Figure 31 shows a sample audit process flow. In this example, the PCI owner must review and approve all new connections to the database. That gets passed on to the information security officer, who must review it, and finally to the Guardium administrator, who has a task to perform to ensure that the approved connection does not get reported as a violation in the future. The PCI owner and the Guardium administrator receive PDFs and CSVs of the report, while the information security officer receives a link to the report.

Figure 31. Audit process workflows automate compliance processes

The audit process shown in Figure 31 can be run on a scheduled basis to ensure that new connections are being reviewed and acted upon in a timely fashion. Figure 32 shows an example of the audit trail comments that are included with the report.

Figure 32. The comments are included with the report for auditing

Reports can be automatically fed to a content repository such as Microsoft SharePoint after all the previous receivers have reviewed and signed off. This makes it easy to retrieve all the information you need to satisfy an audit, including comments from the reviewers, without requiring retrieval of archived audit data. In addition, by using the data-level security feature in Guardium, you can define a single report and still ensure that only those people who are associated with a particular database server see results for that server. For more information about using data-level security and audit processes, refer to the developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (see Resources).

Summary

By following the best practices outlined by the standards, you are taking a major leap forward in protecting your data assets from costly and embarrassing breaches. The InfoSphere Guardium standards accelerators are designed specifically to make it easy to demonstrate compliance with various standards such as PCI, Basel II, Sarbanes-Oxley, and data privacy. Not only are report and policy templates included for you, the accelerator itself helps you demonstrate to an auditor specifically which section of the compliance standard is being addressed and how. Automated workflow management helps you maintain compliance with a reduced total cost of ownership.

Appendix: Use the API to populate groups

Guardium has a rich set of APIs to help you automate configuration and maintenance of groups. You can get more information in the Appendices help or from the command-line interface (CLI). When logged in as CLI or as a user with a CLI role, to see a list of all grdapi commands, enter:

CLI> grdapi

To see the parameters for a particular command, enter the command followed by --help=true, as shown here:

CLI> grdapi create_member_to_group_by_desc --help=true

Listing 1 shows an example of using the APIs to populate PCI groups and to list the members of those groups.
Listing 1. Using the Guardium APIs to populate groups for PCI compliance

-- Populate PCI groups
-- (The IP address values of the original listing did not survive transcription;
-- the <...> placeholders stand for your own client and server IPs.)
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="joe"
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="jdipietro"
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="sa"
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="system"
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="db2inst2"
grdapi create_member_to_group_by_desc desc="pci Admin Users" member="bill"
grdapi create_member_to_group_by_desc desc="pci Authorized Client IPs" member="<client IP 1>"
grdapi create_member_to_group_by_desc desc="pci Authorized Client IPs" member="<client IP 2>"
grdapi create_member_to_group_by_desc desc="pci Authorized Client IPs" member="<client IP 3>"
grdapi create_member_to_group_by_desc desc="pci Authorized Client IPs" member="<client IP 4>"
grdapi create_member_to_group_by_desc desc="pci Authorized Client IPs" member="<client IP 5>"
grdapi create_member_to_group_by_desc desc="pci Authorized Server IPs" member="<server IP 1>"
grdapi create_member_to_group_by_desc desc="pci Authorized Server IPs" member="<server IP 2>"
grdapi create_member_to_group_by_desc desc="pci Authorized Server IPs" member="<server IP 3>"
grdapi create_member_to_group_by_desc desc="pci Authorized Server IPs" member="<server IP 4>"
grdapi create_member_to_group_by_desc desc="pci Authorized Source Programs" member="%sqlplus%"
grdapi create_member_to_group_by_desc desc="pci Authorized Source Programs" member="sqlplus"
grdapi create_member_to_group_by_desc desc="pci Authorized Source Programs" member="sap"
grdapi create_member_to_group_by_desc desc="pci Authorized Source Programs" member="oracle EBS"
grdapi create_member_to_group_by_desc desc="pci Cardholder DBs" member="master"
grdapi create_member_to_group_by_desc desc="pci Cardholder DBs" member="creditcard"
grdapi create_member_to_group_by_desc desc="pci Cardholder Sensitive objects" member="creditcard"
grdapi create_member_to_group_by_desc desc="pci Cardholder Sensitive objects" member="cc"
grdapi create_member_to_group_by_desc desc="pci Cardholder Sensitive objects" member="patient"
grdapi create_member_to_group_by_desc desc="pci Limited Access Users" member="harry"

-- Verify members added to group
grdapi list_group_members_by_desc desc="pci Limited Access Users"
grdapi list_group_members_by_desc desc="pci Cardholder Sensitive objects"
grdapi list_group_members_by_desc desc="pci Cardholder DBs"
grdapi list_group_members_by_desc desc="pci Authorized Source Programs"
grdapi list_group_members_by_desc desc="pci Authorized Server IPs"
grdapi list_group_members_by_desc desc="pci Authorized Client IPs"
grdapi list_group_members_by_desc desc="pci Admin Users"

Downloads

Description: PCI pre-auditing checklist
Name: PCIpre-audit.pdf
Size: 143KB

Resources

Learn

The Getting started with PCI security standards website is a great introduction to the PCI DSS standard.
This article cites the Verizon Data Breach Investigation Report. Links to all reports can be found at the Verizon Enterprise website.
The InfoSphere Guardium website includes links to white papers, demos, and more.
The developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (developerWorks, February 2013) includes step-by-step instructions for how to enable data-level security and how to incorporate it into an audit process workflow.
A new developerWorks community for InfoSphere Guardium is evolving to include links to relevant technical content, industry-specific information, and FAQs. Join the community and help it grow.
Visit the Tech Talk page to find links to recordings of previous tech talks and get information about upcoming talks.
The Information Center includes many "how-tos" to help you make the most of the data activity monitoring solution. The topic of creating a visual access map is covered in this topic of the Information Center.
Watch videos on the InfoSphere Guardium YouTube channel, including demos of support for SAP, DB2 for z/OS, and others.
Stay current with information, events, and industry news related to data security and privacy by registering for the newsletter.
Follow developerWorks on Twitter.

Get products and technologies

Evaluate IBM products in the way that suits you best: Download a product trial, try a product online, use a product in a cloud environment, or spend a few hours in the SOA Sandbox learning how to implement Service Oriented Architecture efficiently.

Discuss

Get involved in the Guardium users group on LinkedIn to ask questions and get advice from other users.

About the authors

Kathryn Zeidenstein
Kathy Zeidenstein has worked at IBM for a bazillion years. Currently, she is working as a technology evangelist for data activity monitoring, based out of the Silicon Valley Lab. Previously, she was an Information Development Manager for InfoSphere Optim data lifecycle tools. She has had roles in technical enablement, product management, and product marketing within the Information Management and ECM organizations at IBM.

Shengyan Sun
Shengyan Sun has focused on IBM core component testing since she joined IBM. She works closely with customers and actively promotes the application of InfoSphere Guardium in the Asia-Pacific market. She had many years of experience in DBA and data analysis system development before joining IBM.


More information

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4 Policy Sensitive Information Version 3.4 Table of Contents Sensitive Information Policy -... 2 Overview... 2 Policy... 2 PCI... 3 HIPAA... 3 Gramm-Leach-Bliley (Financial Services Modernization Act of

More information