Mapping BeyondTrust Solutions to


TECH BRIEF: Privileged Access Management and Vulnerability Management

Contents

- Purpose of This Document
- Table 1: Summary Mapping of BeyondTrust Solutions to
- What is the Payment Card Industry Data Security Standard (PCI DSS)?
- Challenges for IT Organizations in Meeting PCI Requirements
- How BeyondTrust Solutions help with
- Table 2: Detailed Mapping of BeyondTrust Solutions to
  - Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  - Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  - Requirement 3: Protect stored cardholder data
  - Requirement 4: Encrypt transmission of cardholder data across open, public networks
  - Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  - Requirement 6: Develop and maintain secure systems and applications
  - Requirement 7: Restrict access to cardholder data by business need to know
  - Requirement 8: Identify and authenticate access to system components
  - Requirement 9: Restrict physical access to cardholder data
  - Requirement 10: Track and monitor all access to network resources and cardholder data
  - Requirement 11: Regularly test security systems and processes
  - Requirement 12: Maintain a policy that addresses information security for all personnel
- Appendix: PowerBroker Privileged Access Management Platform
  - Product Capabilities
  - PowerBroker Privileged Access Management Platform
- Conclusion
- About BeyondTrust

Purpose of This Document

This guide has been prepared so that IT and security administrators can quickly understand how BeyondTrust solutions for privileged access management (PAM) and vulnerability management (VM) map into requirements set forth in the Payment Card Industry Data Security Standard (PCI DSS) version 3.2. This guide is primarily intended for those who must comply with merchant processing specifications, but it applies to most service providers as well. For a quick view of how BeyondTrust solutions map into these requirements, see Table 1 below.

Table 1: Summary Mapping of BeyondTrust Solutions to

BeyondTrust Platform (table columns): Retina Vulnerability Management; PowerBroker for Unix & Linux; PowerBroker for Networks; PowerBroker for Windows & Mac; PowerBroker Identity Services; PowerBroker Password Safe; PowerBroker Auditing & Security Suite.

Control objectives and PCI DSS requirements (table rows):

Build and Maintain a Secure Network and Systems
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel

What is the Payment Card Industry Data Security Standard (PCI DSS)?

Initially developed in 2004, and currently on version 3.2, the Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for every organization that accepts credit cards such as Visa, MasterCard, American Express, and others. The PCI standard:

- Was created to increase controls around cardholder data to reduce credit card fraud
- Has become a de facto standard for protecting access to personally identifiable information (PII), especially in the retail industry
- Is mandated by the card issuers; and
- Is administered by the Payment Card Industry Security Standards Council (PCI SSC)

Challenges for IT Organizations in Meeting PCI Requirements

Organizations that must comply with the merchant requirements under PCI face several challenges when working to prove their compliance with PCI DSS.

Fines and penalties: Compliance is mandatory

There are three levels of PCI compliance that an organization may be subject to, depending on the number of transactions the organization processes and on whether it falls under the merchant or the service provider compliance definitions. If an organization is at the highest level of compliance (Tier 1), assessments are conducted annually by a Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC). Organizations at the other levels (Tiers 2-3) may self-assess against the controls and may not directly involve a QSA. If an organization has been breached and was not in compliance with PCI, the card issuers can impose significant financial penalties on the merchant.

Complexity, time, and resource constraints: PCI distracts from core operations

Merchants and service providers subject to PCI DSS should work to continually improve processes to ensure ongoing compliance and security, rather than treating compliance as a point-in-time project. Naturally, this can create a tremendous resource drain on IT teams.

Because they can serve as fundamental technologies for achieving compliance, this technical brief explains how to map BeyondTrust privileged access management and vulnerability management solutions to PCI DSS requirements in order to maintain security and more easily demonstrate and maintain compliance.

How BeyondTrust Solutions help with

This section of the tech brief contains a detailed table that summarizes how BeyondTrust solutions map to PCI DSS requirements to ensure compliance. For reference, the PCI DSS framework is summarized in the graphic below. For complete descriptions of the standard, control objectives, requirements, testing procedures and guidance, please see the latest PCI DSS guide.

Table 2: Detailed Mapping of BeyondTrust Solutions to

Note: Only relevant requirements and testing procedures for BeyondTrust solutions are included here. For a complete list of control objectives, requirements, testing procedures, and guidance, please see the latest PCI DSS guide.

PCI DSS v3.2 Applicability Matrix

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

- Retina Network Security Scanner analyzes router misconfigurations. PowerBroker Password Safe defines and holds the accounts authorized to make changes to firewalls and routers.
- No controls in this PCI requirement are addressed by the BeyondTrust solution.
- 1.4: PowerBroker for Unix & Linux, PowerBroker for Networks, PowerBroker for Windows and PowerBroker for Mac can explicitly block or deny certain commands for users, including the ability to delete or disable a firewall.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

- 2.1: Retina Network Security Scanner enables an organization to scan and check for select vendors and their default passwords. Retina uses a dictionary of default passwords; this dictionary is editable to append more defaults if necessary. PowerBroker Password Safe provides the capability to automatically rotate and manage policy for default system passwords, as well as any user-defined account.
- a: PowerBroker Password Safe enables an organization to generate new SSH keys.
- b: Retina Network Security Scanner enables an organization to assess for default SNMP community strings and passphrases. Retina uses a dictionary of default passwords; this dictionary is editable to append more defaults if necessary.
- 2.1.1.c: BeyondInsight enables an organization to scan and check for select vendors and their default passwords on wireless access devices. Retina uses a dictionary of default passwords; this dictionary is editable to append more defaults if necessary. PowerBroker Password Safe verifies that default passwords have been rotated according to policy, and automatically verifies that out-of-band changes have not been made.
- d: Retina Network Security Scanner enables an organization to check for outdated, vulnerable firmware on wireless devices. It does not check for firmware that supports stronger encryption.
- 2.2.a, 2.2.b, 2.2.c, 2.2.d: Retina Network Security Scanner enables an organization to perform a configuration-based scan against a benchmark such as CIS, SANS, or NIST. A report is generated highlighting which configurations have passed or failed against the chosen benchmark. Retina Network Security Scanner generates a vulnerability report with instructions on how to fix the pending vulnerabilities. Retina Network Security Scanner performs a configuration-based scan to check system configurations. Retina Network Security Scanner allows for the discovery of all vendor-supplied passwords, identifies unnecessary accounts, and verifies active applications, services, protocols, daemons, and potential misconfigurations within an asset.
- a: BeyondInsight groups assets using Smart Groups. Smart Groups allow for logical grouping of assets based on attributes such as asset name, address group, discovery date, or even installed software. Using Smart Groups, an organization can identify servers and their functions. BeyondInsight enumerates services, ports, and protocols in a list. The list can then be analyzed by a user to see which services, ports, or protocols are allowed or not.
- b: BeyondInsight groups assets using Smart Groups. Smart Groups allow for logical grouping of assets based on attributes such as asset name, address group, discovery date, or even installed software. Using Smart Groups, an organization can identify servers and their functions. BeyondInsight enumerates services, ports, and protocols in a list. The list can then be analyzed by a user to see which services, ports, or protocols are allowed or not.
- 2.2.2.a: BeyondInsight enumerates services, ports, and protocols in a list. The list can then be analyzed by a user to see which services, ports, or protocols are allowed or not.
- b: Retina Network Security Scanner scans against a company-given benchmark to verify that common security parameter settings are included in the system configuration standard and are set appropriately.
- c: Retina Network Security Scanner scans against a company-given benchmark to verify that common security parameter settings are included in the system configuration standard and are set appropriately. PowerBroker Password Safe manages passwords and the rules associated with those accounts.
- a: BeyondInsight performs custom, wizard-driven checks for scripts, drivers, features, subsystems, files, etc.
- b: Retina Network Security Scanner scans system components based on customer specification.
- c: Retina Network Security Scanner scans system components based on customer specification, and can identify unnecessary functionality installed on a host, including drivers, features, roles, subsystems, file systems, and web services.
- 2.3.a: PowerBroker Identity Services extends Kerberos version 5 authentication using AES-256. PowerBroker Password Safe uses SSL/TLS 1.2 for management of the PowerBroker Password Safe web-based interface.

- 2.3.c: BeyondInsight helps organizations identify weak SSL ciphers and SSL v1.0. BeyondInsight encrypts web-based admin access to the application itself. PowerBroker Password Safe uses SSL/TLS 1.2 for management of the PowerBroker Password Safe web-based interface.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

- PowerBroker for Unix & Linux and PowerBroker for Networks provide the ability to configure keystroke logging so that cardholder data can be prevented from being logged. PowerBroker for Windows provides file integrity protection to prevent unauthorized changes, deletions, or permission edits.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

- 4.1.b: PowerBroker for Windows implements certificate-based SSL v3 encrypted transmission between PowerBroker for Windows and the management console. Any transmission will fail if an incorrect certificate is used.
- 4.1.c: Retina Network Security Scanner helps an organization verify whether outdated versions of a particular transmission protocol are in use.
- 4.1.d: Retina Network Security Scanner helps an organization verify that the encryption used during transmission is of proper strength. PowerBroker for Windows uses 1024-bit RSA when transmitting between PowerBroker for Windows and the management console.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

- 5.1: BeyondInsight enables an organization to detect whether antivirus has been installed or shut down. It can check for Symantec, Norton, McAfee, Sophos, Trend Micro, or Windows Defender. The organization can write its own checks to search for more specific antivirus software. PowerBroker for Windows can prevent known malicious, vulnerable, or unknown software from executing, as well as mandate which versions of software are allowed.
- BeyondInsight enables an organization to detect whether antivirus has been installed or shut down. It can check for Symantec, Norton, McAfee, Sophos, Trend Micro, or Windows Defender. The organization can write its own checks to search for more specific antivirus software.
- 5.2.a: BeyondInsight enables an organization to check for virus definitions that are older than 14 days.
- 5.2.b: BeyondInsight enables an organization to check for virus definitions that are older than 14 days.

Requirement 6: Develop and maintain secure systems and applications

- 6.2.a: Retina Network Security Scanner scans for vulnerabilities and assigns them BeyondTrust risk ratings, PCI risk ratings, and CVSS scores.
- 6.2.b: Retina Network Security Scanner scans for vulnerabilities and assigns them BeyondTrust risk ratings, PCI risk ratings, and CVSS scores.
- PowerBroker for Unix & Linux and PowerBroker for Networks allow for user-based policy to separate duties between test and production environments. PowerBroker for Windows allows for user-based policy to separate duties between test and production environments. PowerBroker Password Safe provides the capability to segregate user access by policy to development and production environments.
- BeyondInsight scans web applications and helps an organization identify the vulnerabilities mentioned in these testing procedures.
- 6.6: BeyondInsight scans web applications for vulnerabilities.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

- PowerBroker for Unix & Linux and PowerBroker for Networks provide granular, policy- and task-based delegation; policies are built only for what is necessary for a privileged user to run. PowerBroker for Windows provides fine-grained, policy-based privilege delegation for the Windows environment by removing local admin rights from end users and selectively elevating privileges for things such as applications, software installs, system tasks, scripts, and control panel applets. If privileges are already configured in an Active Directory environment, PowerBroker Identity Services can map these privileges to UIDs and GIDs on a business need-to-know basis. PowerBroker Password Safe ensures that a user requesting a password for a certain account must be assigned access to that particular account for the request to be granted, and that, based on a user's role, he/she can only request access to accounts that his/her groups are assigned to.
- BeyondInsight helps an organization identify misconfigured admin groups. BeyondInsight delegates users and the rights they are assigned within the BeyondInsight application. PowerBroker for Unix & Linux and PowerBroker for Networks deliver a rich policy language that can restrict specific roles to specific tasks. PowerBroker for Windows deploys rules based on the RBAC model in Active Directory. PowerBroker Identity Services maps the already configured role-based groups to UIDs and GIDs.
- PowerBroker for Unix & Linux and PowerBroker for Networks ensure that users with specific root-level tasks are explicitly defined within the policies. PowerBroker for Windows ensures that users with specific admin rights are explicitly defined by authorized personnel. PowerBroker Password Safe logs the approval and the approver of a requested account.

- 7.1.4: PowerBroker for Unix & Linux can use automated access control systems such as LDAP, Active Directory, NetGroups, or local groups. PowerBroker for Windows uses Active Directory to perform its functions. PowerBroker Identity Services uses Active Directory to function.
- PowerBroker for Unix & Linux and PowerBroker for Networks can require a second form of authentication before a user performs an action that is authorized to them. PowerBroker for Windows uses Active Directory to perform its functions. PowerBroker Identity Services uses Active Directory to cover all systems, including Linux, Unix, and Mac environments. PowerBroker Password Safe requires users to log in with a username and password to access the appliance.
- PowerBroker for Unix & Linux binds specific root-level tasks to specific Unix/Linux users/groups. PowerBroker for Unix & Linux uses user and group information from access control systems and applies policies to particular users/groups based on job classification. PowerBroker for Windows uses user and group information from Active Directory and applies policies to particular users/groups based on job classification. PowerBroker Identity Services uses the customer's Active Directory environment, which enforces privileges assigned to individuals based on job classification.
- BeyondInsight helps an organization identify any systems that do not require authentication; this is achieved through the BeyondInsight null session scan. PowerBroker for Unix & Linux and PowerBroker for Networks deny access by default due to the very nature of their least-privilege access model: since all users in PowerBroker are explicitly specified, no user is allowed access without being specified. PowerBroker Identity Services denies all users by default.

- PowerBroker Password Safe denies all users by default; login credentials are required to access the appliance.

Requirement 8: Identify and authenticate access to system components

- 8.1: BeyondInsight uses unique user IDs for local authentication within the application. PowerBroker Identity Services creates a unique UID for each user whenever AD credentials are bridged to a Linux environment. PowerBroker for Windows uses unique user IDs from Active Directory.
- 8.2: BeyondInsight helps an organization identify user accounts that do not require authentication. It further checks whether the username is also the password and whether the password is the reverse of the username. PowerBroker for Unix & Linux uses Pluggable Authentication Modules (PAM) for authentication on systems where an organization is using PAM; additionally, it can be configured for Kerberos version 5. PowerBroker for Unix & Linux uses the pbpasswd command to generate an encrypted password that can be used by the getstringpasswd() function in the configuration file, and uses passwords to authenticate users. PowerBroker Identity Services uses Kerberos version 5 for authentication and can additionally be configured to use smart cards. PowerBroker Password Safe prompts users for a password in addition to a user ID.
- 8.3: PowerBroker for Unix & Linux may utilize RSA tokens and smart cards. PowerBroker Password Safe can enable two-factor authentication (RADIUS/X.509 smart card) for remote network access to the application.

- 8.4.a: PowerBroker for Unix & Linux recognizes a password field and automatically suppresses the password; as a result, passwords are never stored. PowerBroker for Windows encrypts transmission using SSL v3 certificates. PowerBroker Identity Services uses Kerberos version 5 for authentication, which encrypts (AES-256) passwords during transmission and storage. PowerBroker Password Safe encrypts passwords using AES-256. The database is stored on a secure, locked-down physical or virtual appliance that has been hardened to the DISA Gold standard.
- 8.4.b: PowerBroker for Unix & Linux recognizes a password field and automatically suppresses the password; as a result, passwords are never stored. PowerBroker for Windows encrypts transmission using SSL v3 certificates. PowerBroker Identity Services uses Kerberos version 5 for authentication, which encrypts (AES-256) passwords during transmission and storage. PowerBroker Password Safe encrypts passwords using AES-256. The database is stored on a secure, locked-down physical or virtual appliance that has been hardened to the DISA Gold standard.
- PowerBroker Password Safe modifies a user's right to which systems he/she can request access to.
- 8.6.a: PowerBroker Password Safe generates a random password every time a user checks the credentials back in.
- 8.6.b: PowerBroker Password Safe generates a random password every time a user requests access to a particular system.

Requirement 9: Restrict physical access to cardholder data

- N/A: No controls in this PCI requirement are addressed by the BeyondTrust solution.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

- 10.1: BeyondInsight collects logs from PowerBroker servers and Retina NSS. PowerBroker for Unix & Linux and PowerBroker for Networks link all privileged access to Unix- and Linux-based system components to individual users by binding specific root-level tasks to Unix/Linux user IDs; this is an inherent function of PowerBroker for Unix & Linux, as all privileged tasks are logged. PowerBroker for Windows audits which applications users launch, which is enabled by default. PowerBroker for Windows also allows for the configuration of session monitoring, which captures screenshots of the actions a user performs. PowerBroker Identity Services generates its own log traffic of all authentication and authorization requests; all functions and processes are also logged, and these logs are available in the PowerBroker Identity Services event log. PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for File System audits user activity when files are directly manipulated. PowerBroker Auditor for Active Directory can audit the authentication process.
- BeyondInsight collects the events listed in the testing procedures from PowerBroker servers and Retina NSS. PowerBroker for Unix & Linux and PowerBroker for Networks log privileged access if the user connects through the PowerBroker CLI.
- BeyondInsight collects the events listed in the testing procedures from PowerBroker servers and Retina NSS.

- PowerBroker for Unix & Linux and PowerBroker for Networks log all privileged tasks for all users with privileged or root-level credentials through keystroke logging. PowerBroker Password Safe generates user activity logs.
- PowerBroker for Unix & Linux and PowerBroker for Networks log privileged access to PowerBroker event logs; this can be seen in the command request and all arguments a user inputs. PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for File System audits all activity on the file system.
- BeyondInsight collects the events listed in the testing procedures from PowerBroker servers and Retina NSS. PowerBroker for Unix & Linux and PowerBroker for Networks log all privileged access requests, whether accepted or rejected. PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for Active Directory logs all logon activity.
- BeyondInsight collects the events listed in the testing procedures from PowerBroker servers and Retina NSS. PowerBroker for Unix & Linux and PowerBroker for Networks log the identification and authentication mechanism used.
- c: PowerBroker Auditor for Active Directory audits all changes to the built-in administrative account.
- PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for Active Directory generates an audit event when a subsystem is stopped or started.
- PowerBroker for Unix & Linux and PowerBroker for Networks log creation and deletion of system-level objects; since PowerBroker logs the user's keystrokes, creation and deletion of system-level objects is identifiable. PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for Active Directory audits all object creation, deletion, and modification.

- BeyondInsight collects logs from PowerBroker servers and Retina NSS; the logs collected satisfy the testing procedures. PowerBroker for Unix & Linux and PowerBroker for Networks ensure that all logs generated in PowerBroker contain these audit trail items for Unix- and Linux-based systems, including network devices, by default. PowerBroker for Windows enables you to view actual screenshots of a user's actions and sessions, with each session fully describing what a user does. PowerBroker Identity Services uses the PowerBroker Identity Services event logging system. PowerBroker Password Safe generates user activity logs. PowerBroker Auditor for Active Directory and PowerBroker Auditor for File System ensure that all audit logs contain the identity of who initiated the change.
- 10.4.a: BeyondInsight helps an organization identify whether a time protocol server is running.
- a: BeyondInsight detects whether an NTP server has been found.
- BeyondInsight checks whether any system uses an unauthorized time server.
- BeyondInsight restricts viewing of audit trails in BeyondInsight to authorized users only. PowerBroker for Unix & Linux and PowerBroker for Networks can be configured to restrict access to audit records to only people with a job-related need. PowerBroker for Windows can be configured to restrict access to audit trails to only people with a job-related need. PowerBroker Password Safe enables configured access to log entries for authorized individuals only.
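The scanner-side audit checks this mapping attributes to Retina and BeyondInsight under 2.1 (an editable default-password dictionary), 5.2 (anti-virus definitions older than 14 days), 8.2 (the username used as the password, or reversed) and 10.4 (a system using an unauthorized time server), written out as an added Python example so the logic of each check is visible. This is not BeyondTrust code; the asset inventory, the dictionary entries, the authorized time servers and the `verify` callback (which a real scanner would answer with an authenticated logon attempt against the target) are all constructed placeholders.

```python
"""Constructed compliance checks modelled on the PCI DSS 2.1, 5.2, 8.2 and
10.4 mappings in this brief. Not BeyondTrust code; all data is constructed."""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

# Editable default-password dictionary (constructed placeholders, not real
# vendor defaults); append entries as the 2.1 mapping describes.
DEFAULT_PASSWORDS: List[str] = ["vendor-default-1", "vendor-default-2"]
# Time servers the organization designates (constructed); 10.4 mapping.
AUTHORIZED_TIME_SERVERS = {"ntp1.corp.example", "ntp2.corp.example"}
# Oldest anti-virus definitions accepted by the 5.2 mapping.
MAX_DEFINITION_AGE_DAYS = 14
# Fixed "today" so the sample run is reproducible (constructed).
SAMPLE_TODAY = date(2024, 6, 1)

# verify(asset_name, username, candidate) -> True if the target accepts it.
# A real scanner answers this with an authenticated logon attempt.
Verifier = Callable[[str, str, str], bool]


@dataclass
class Asset:
    name: str
    usernames: List[str]
    av_installed: bool
    av_definitions_date: date
    time_server: str


def weak_candidates(username: str, defaults: List[str] = DEFAULT_PASSWORDS) -> List[str]:
    """Passwords the 2.1 and 8.2 checks look for: the username itself, the
    reversed username, and every entry of the default-password dictionary."""
    return [username, username[::-1]] + list(defaults)


def check_credentials(asset: Asset, verify: Verifier) -> List[str]:
    """Report each account that still accepts a weak or default password."""
    findings = []
    for user in asset.usernames:
        for candidate in weak_candidates(user):
            if verify(asset.name, user, candidate):
                if candidate == user:
                    kind = "username as"
                elif candidate == user[::-1]:
                    kind = "reversed username as"
                else:
                    kind = "a default"
                findings.append(f"{asset.name}: account '{user}' accepts {kind} password")
                break  # one finding per account is enough
    return findings


def check_antivirus(asset: Asset, today: date) -> List[str]:
    """5.1/5.2 mapping: anti-virus present and definitions at most 14 days old."""
    if not asset.av_installed:
        return [f"{asset.name}: anti-virus not installed or shut down"]
    age = (today - asset.av_definitions_date).days
    if age > MAX_DEFINITION_AGE_DAYS:
        return [f"{asset.name}: anti-virus definitions are {age} days old"]
    return []


def check_time_server(asset: Asset) -> List[str]:
    """10.4 mapping: flag systems synchronizing with an unauthorized time server."""
    if asset.time_server not in AUTHORIZED_TIME_SERVERS:
        return [f"{asset.name}: uses unauthorized time server {asset.time_server}"]
    return []


def run_checks(assets: List[Asset], verify: Verifier, today: date) -> Dict[str, List[str]]:
    """Run every check over the inventory; an empty list means the asset passed."""
    return {
        a.name: check_credentials(a, verify) + check_antivirus(a, today) + check_time_server(a)
        for a in assets
    }


# --- constructed sample inventory (three assets) ---
SAMPLE_ASSETS = [
    Asset("pos-01", ["admin", "svc_backup"], True, date(2024, 5, 29), "ntp1.corp.example"),
    Asset("db-02", ["root"], True, date(2024, 5, 12), "time.example.net"),
    Asset("ws-03", ["alice"], False, date(2024, 5, 30), "ntp2.corp.example"),
]


def _h(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()


# Constructed stand-in for each target's credential store (unsalted SHA-256
# keeps the sample short; it is not a recommended password hash).
_SAMPLE_CREDENTIALS = {
    ("pos-01", "admin"): _h("nimda"),               # reversed username
    ("pos-01", "svc_backup"): _h("Xq7!vRt2pL9#"),   # strong, constructed
    ("db-02", "root"): _h("vendor-default-2"),      # still on a dictionary default
    ("ws-03", "alice"): _h("m4P$kz8Wn!3q"),          # strong, constructed
}


def sample_verify(asset_name: str, username: str, candidate: str) -> bool:
    """Constructed verifier: compares against the sample store above."""
    return _SAMPLE_CREDENTIALS.get((asset_name, username)) == _h(candidate)
```

Running `run_checks(SAMPLE_ASSETS, sample_verify, SAMPLE_TODAY)` yields one finding for pos-01 (reversed-username password), three for db-02 (default password, 20-day-old definitions, unauthorized time server) and one for ws-03 (no anti-virus).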

- PowerBroker Auditor for Active Directory and PowerBroker Auditor for File System ensure that permissions can be set to restrict who is authorized to view audit logs.
- BeyondInsight restricts viewing of audit trails in BeyondInsight to authorized users only. PowerBroker for Unix & Linux and PowerBroker for Networks may be architected so that the log server sits on a separate host from the policy server. PowerBroker Auditor for Active Directory ensures that permissions restrict who has view rights, and that logs are stored remotely across the network. PowerBroker Auditor for File System ensures that permissions restrict who can modify logs, and that they are stored remotely across the network.
- PowerBroker for Unix & Linux and PowerBroker for Networks can forward all PowerBroker logs to a centralized log server or SIEM by way of PowerBroker's sync host process; the logs themselves are encrypted, making them difficult to alter. PowerBroker for Windows stores logs in one single database, and accessing the logs requires passing through several layers of authorization. PowerBroker Password Safe backs up logs and exports them to a different location chosen by the customer.
- a: PowerBroker for Unix & Linux and PowerBroker for Networks send logs to BeyondInsight, which then generates a report highlighting exceptions. PowerBroker for Windows makes logs accessible on the PowerBroker for Windows web management interface; it is up to the customer to review these logs daily. PowerBroker Password Safe can be configured to send an email to an authorized individual about actions performed in PowerBroker Password Safe.

- b: PowerBroker for Windows makes security-related events accessible on managed clients and on the PowerBroker for Windows web management interface. This information can be used to generate alerts based on targeted actions, or be reviewed by the customer in whole daily. PowerBroker for Mac makes security-related events accessible on managed clients and on PowerBroker for Mac's web management interface; this information can likewise be used to generate alerts based on targeted actions, or be reviewed by the customer in whole daily. PowerBroker Password Safe can be configured to send an email to an authorized individual about actions performed in PowerBroker Password Safe.
- a: BeyondInsight can be configured for length of log retention. PowerBroker for Unix & Linux and PowerBroker for Networks retain audit logs based on a customer-configurable retention period. PowerBroker for Windows, PowerBroker for Mac, and PowerBroker Identity Services store log data indefinitely; it is up to the customer to configure how long the logs need to be retained. PowerBroker Auditor for Active Directory makes log retention and archiving configurable.
- b: BeyondInsight can be configured for length of log retention. PowerBroker for Unix & Linux and PowerBroker for Networks retain audit logs based on a customer-configurable retention period. PowerBroker for Windows, PowerBroker for Mac, and PowerBroker Identity Services store log data indefinitely; it is up to the customer to configure how long the logs need to be retained.

Requirement 11: Regularly test security systems and processes

- a: BeyondInsight can be configured to perform quarterly scans to detect wireless access points. Once configured, the quarterly scans run automatically.
- 11.1.b: BeyondInsight scans for wireless access points.
- 11.1.c: BeyondInsight can be configured to run automatically each quarter.
- a: BeyondInsight can be configured to run automatically each quarter, thus guaranteeing an organization four quarterly internal scans within the last 12-month period.
- a: BeyondInsight can be configured to run automatically each quarter, thus guaranteeing an organization four quarterly external scans within the last 12-month period. To fully achieve this testing procedure, an organization must hire an Approved Scanning Vendor (ASV), such as BeyondTrust, to perform external scans.
- b: BeyondInsight produces CVSS scores in vulnerability reports.
- c: BeyondInsight grants the ability to perform external vulnerability scans. To fully meet this control, an organization must hire an ASV, such as BeyondTrust, to perform the external vulnerability assessments.
- 11.5.a: PowerBroker for Windows and PowerBroker for Unix & Linux have a policy-based File Integrity Monitoring capability that can monitor or prevent changes to directories and files based on application and/or user/group.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

- N/A: No controls in this PCI requirement are addressed by the BeyondTrust solution.

Appendix: PowerBroker Privileged Access Management Platform

The PowerBroker Privileged Access Management Platform is an integrated solution that provides control and visibility over all privileged accounts and users. By uniting best-of-breed capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security, and closes gaps to reduce privileged risks.

Product Capabilities

The PowerBroker platform includes the following individual best-of-breed products, which are fully integrated into the platform itself. For how these products help achieve PCI DSS requirements, refer to the detailed mapping chart earlier in this document.

PowerBroker Password Safe
PowerBroker Password Safe is an automated password and privileged session management solution offering secure access control, auditing, alerting and recording for any privileged account: local or domain shared administrator accounts, a user's personal admin account (in the case of dual accounts), service, operating system, network device, database (A2DB) and application (A2A) accounts, and even SSH keys, cloud and social media accounts. Password Safe offers multiple deployment options and broad, adaptive device support, with session monitoring, application password management, and SSH key management included natively.

PowerBroker for Windows
PowerBroker for Windows is a privilege management solution that mitigates the risk of cyber attacks that result from users having excessive rights. By removing admin rights, protecting the integrity of critical files, and monitoring user behavior, PowerBroker protects organizations without impacting end-user productivity.

PowerBroker for Mac
PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS to perform administrative tasks without entering elevated credentials.

PowerBroker for Unix & Linux
PowerBroker for Unix & Linux is a least privilege solution that enables IT organizations to eliminate the sharing of credentials by delegating Unix and Linux privileges and elevating rights to run specific Unix and Linux commands without granting full root access.

PowerBroker for Sudo
PowerBroker for Sudo provides centralized policy, logging, and version control with change management for multiple sudoers files. The solution simplifies policy management, improves log security and reliability, and increases visibility into entitlements. This makes it easier to securely manage sudo on low-priority servers, or in areas where completely replacing sudo is not feasible.

PowerBroker for Networks
PowerBroker for Networks is an agentless privilege management solution that controls, audits, monitors and alerts on activity on network devices, enabling organizations of all sizes to reduce cybersecurity risk and achieve privilege management at scale.

PowerBroker Identity Services
PowerBroker Identity Services centralizes authentication for Unix, Linux, and Mac environments by extending Active Directory's Kerberos authentication and single sign-on capabilities to these platforms. By extending Group Policy to non-Windows platforms, PowerBroker provides centralized configuration management, reducing the risk and complexity of managing a heterogeneous environment.

PowerBroker Auditing & Security Suite
PowerBroker Auditing & Security Suite centralizes real-time change auditing for Active Directory, file systems, Exchange, SQL, and NetApp, restores Active Directory objects or attributes, and helps establish and enforce entitlements across the Windows infrastructure. Through simplified administration, IT organizations can mitigate the risk of unwanted changes and better understand user activity to meet compliance requirements.

Retina CS
Retina CS is a vulnerability management software solution designed from the ground up to provide organizations with context-aware vulnerability assessment and risk analysis for making better privileged access management decisions.

Platform capabilities
The PowerBroker platform is built on the shared capabilities found in BeyondInsight, the BeyondTrust IT risk management platform. Common components centralized for all products in BeyondInsight include asset and account discovery; threat, vulnerability and behavioral analytics; reporting and connectors to third-party systems; and central management and policy.

Conclusion

By partnering with BeyondTrust, organizations can address their compliance and security requirements as defined in PCI DSS, leaving fewer gaps while improving the efficiency of their privileged access management and vulnerability management practices.

About BeyondTrust

BeyondTrust is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit


More information

Reviewer s guide. PureMessage for Windows/Exchange Product tour

Reviewer s guide. PureMessage for Windows/Exchange Product tour Reviewer s guide PureMessage for Windows/Exchange Product tour reviewer s guide: sophos nac advanced 2 welcome WELCOME Welcome to the reviewer s guide for NAC Advanced. The guide provides a review of the

More information

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER Achieving PCI DSS Compliance with Vanguard Integrity Professionals Software & Professional Services Vanguard is the industry leader in z/os Mainframe Software to

More information

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description: UCOP ITS Systemwide CISO Office Systemwide IT Policy UC Event Logging Standard Revision History Date: By: Contact Information: Description: 05/02/18 Robert Smith robert.smith@ucop.edu Approved by the CISOs

More information

PCI DSS COMPLIANCE 101

PCI DSS COMPLIANCE 101 PCI DSS COMPLIANCE 101 Pavel Kaminsky PCI QSA, CISSP, CISA, CEH, Head of Operations at Seven Security Group Information Security Professional, Auditor, Pentester SEVEN SECURITY GROUP PCI QSA Сompany Own

More information

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016 Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E69079-01 June 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided

More information

PCI DSS Requirements. and Netwrix Auditor Mapping. Toll-free:

PCI DSS Requirements. and Netwrix Auditor Mapping.  Toll-free: PCI DSS Requirements and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance

More information

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard Systems Security Standard ( v3.2) Page 1 of 11 Version and Ownership Version Date Author(s) Comments 0.01 26/9/2016

More information

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November

More information

Ready Theatre Systems RTS POS

Ready Theatre Systems RTS POS Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2

More information

ADDRESSING PCI DSS 3.0 REQUIREMENTS WITH THE VORMETRIC DATA SECURITY PLATFORM

ADDRESSING PCI DSS 3.0 REQUIREMENTS WITH THE VORMETRIC DATA SECURITY PLATFORM ADDRESSING PCI DSS 3.0 REQUIREMENTS WITH THE VORMETRIC DATA SECURITY PLATFORM How Solution Capabilities Map to Specific Vormetric, Inc. 2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732

More information

Security Architecture

Security Architecture Security Architecture RDX s top priority is to safeguard our customers sensitive information. Introduction RDX understands that our customers have turned over the keys to their sensitive data stores to

More information

PA-DSS Implementation Guide For

PA-DSS Implementation Guide For PA-DSS Implementation Guide For, CAGE (Card Authorization Gateway Engine), Version 4.0 PCI PADSS Certification 2.0 December 10, 2013. Table of Contents 1. Purpose... 4 2. Delete sensitive authentication

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each

More information

The Prioritized Approach to Pursue PCI DSS Compliance

The Prioritized Approach to Pursue PCI DSS Compliance PCI DSS PrIorItIzeD APProACh The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, requirements structure for securing cardholder

More information

WHITE PAPER MAY The Payment Card Industry Data Security Standard and CA Privileged Access Management

WHITE PAPER MAY The Payment Card Industry Data Security Standard and CA Privileged Access Management WHITE PAPER MAY 2017 The Payment Card Industry Data Security Standard and CA Privileged Access Management 2 WHITE PAPER THE PAYMENT CARD INDUSTRY DATA SECURITY STANDARD AND CA PRIVILEGED ACCESS MANAGEMENT

More information

in PCI Regulated Environments

in PCI Regulated Environments in PCI Regulated Environments JULY, 2018 PCI COMPLIANCE If your business accepts payments via credit, debit, or pre-paid cards, you are required to comply with the security requirements of the Payment

More information

Managing Microsoft 365 Identity and Access

Managing Microsoft 365 Identity and Access Course MS-500T01-A: Managing Microsoft 365 Identity and Access Page 1 of 3 Managing Microsoft 365 Identity and Access Course MS-500T01-A: 1 day; Instructor-Led Introduction Help protect against credential

More information

IC32E - Pre-Instructional Survey

IC32E - Pre-Instructional Survey Name: Date: 1. What is the primary function of a firewall? a. Block all internet traffic b. Detect network intrusions c. Filter network traffic d. Authenticate users 2. A system that monitors traffic into

More information

A QUICK PRIMER ON PCI DSS VERSION 3.0

A QUICK PRIMER ON PCI DSS VERSION 3.0 1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.

More information

Juniper Vendor Security Requirements

Juniper Vendor Security Requirements Juniper Vendor Security Requirements INTRODUCTION This document describes measures and processes that the Vendor shall, at a minimum, implement and maintain in order to protect Juniper Data against risks

More information

PCI DSS and VNC Connect

PCI DSS and VNC Connect VNC Connect security whitepaper PCI DSS and VNC Connect Version 1.2 VNC Connect security whitepaper Contents What is PCI DSS?... 3 How does VNC Connect enable PCI compliance?... 4 Build and maintain a

More information

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions Meeting PCI DSS 3.2 Compliance with Solutions Platform the industry s most comprehensive, intelligent platform for managing cyber risk. 2018, Inc. What s Changing with PCI DSS? Summary of PCI Business

More information