How Vanguard Solves Title Your PCI DSS Challenges Sub-title Peter Roberts Sr. Consultant 5/27/2016 1
AGENDA 1. About Vanguard/Introductions 2. What is PCI DSS 3. PCI DSS 3.1/3.2 Important Dates 4. PCI DSS Change Cycle 5. Top PCI challenges for z/os 6. How Vanguard Addresses PCI DSS Requirements 7. Q/A 5/27/2016 2
What is PCI DSS? What is PCI DSS - Payment Card Industry Data Security Standard? Set of standards created by the PCI Security Standards Council Enforced by contract with banks that provide payment card processing Applicable to everyone who stores, processes or transmits payment card data 5/27/2016 3
PCI DSS Requirements High-level overview of the 12 PCI DSS Requirements Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters 5/27/2016 4
PCI DSS Requirements Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications 5/27/2016 5
PCI DSS Requirements Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data 5/27/2016 6
PCI DSS Requirements Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel 5/27/2016 7
PCI DSS 3.1 / 3.2 Important Dates Feb 13, 2015: PCI 3.1 - Announced April 15, 2015: PCI 3.1 - Published April 28, 2016 : PCI 3.2 - Announced/Published Oct 31, 2016 : PCI 3.1-3.1 Retired Jan 31, 2018: PCI 3.2-3.2 becomes mandatory Jan 31, 2018 : PCI 3.2-3.2 s new additions go from being a best practice to a requirement June 30, 2018 : PCI 3.1 - Non early TLS (v1.1 or later) becomes mandatory 5/27/2016 8
PCI DSS 3.2 Highlights All PCI - Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication (8.3) - Removed all note and testing procedures regarding removal of SSL/early TLS to a new Appendix A2 - Version 3.1 expires on 31 October 2016 (3.2 s new additions are a best practice until 31 January 2018) Service Providers only: - There are several new requirements that relate to Service Providers only including: Maintain a documented description of the cryptographic architecture (3.5.1) Implement a process for the timely detection and reporting of failures of critical security control systems (10.8) If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods (11.3.4.1) And several more Designated Entities Supplemental Validation (DESV) - Applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements (Appendix A.3) 5/27/2016 9
PCI DSS Change Cycle 5/27/2016 10
Common PCI Terms 1. CHD - Card Holder Data 2. SAD - Sensitive Authentication Data 3. PAN Primary Account Number 5/27/2016 11
Interpretation of PCI requirements and applicability to z/os TOP PCI CHALLENGES FOR z/os 5/27/2016 12
Interpreting PCI DSS for z/os What is a z/os System Component? 1st Systems Programmer 2nd Systems Programmer RACF Engineer RACF Administrator Master Catalog SDSF The RACF Database Dataset Profiles APF Authorized Copies of the RACF General Resource Session Managers Datasets database Profiles LINKLIB Datasets SYS1.UADS Dataset SETROPTS Settings User ID Attributes User Catalogs WebSphere RACF CDT Group Connect Authorities RACF Database JES2 / JES3 RACF Classes Role Based Access Parmlib Datasets OMEGAMON General Resource Database Profiles Administrator Multi-User Access Systems WebSphere MQ Encryption Keys IMS Databases z/os Security Patches DFSMS Group Membership DB2 Databases System Proclibs SVC s Privileged Userids DB2 Table Trace Started Tasks CICS System Datasets RACF Exits Oracle Databases SYS1.Parmlib DB2 System RACF Classes for RACF Tables Datasets DB2 SMF Log Files IBM Comm Server IRR Prefixed Utilities IDMS System Exits Vendor Security QSA & Compliance Logging Parameters Products Officers ICSF Encryption Keys Magnetic Tape? 5/27/2016 13
Interpreting PCI DSS for z/os - Example PCI 7.2.3 Deny-all Settings - Example Requirement 7: Restrict access to cardholder data by business need to know 7.2 Establish an access control system for systems components with multiple users that restricts access based on a user s need to know and is set to deny all unless specifically allowed. This access control system must include the following: PCI 7.2.3 Testing Procedure 7.2.3 Default deny-all settings The challenge for complying with PCI 7.2.3 is to determine the meaning of a default deny-all setting Confirm that the access control systems have a default deny-all setting. For a RACF system, the PROTECTALL feature would be the obvious default deny-all setting However, if you stop there, you would be mis-interpreting the requirement 5/27/2016 14
Interpreting PCI DSS for z/os Deny-all Setting Deny-All Settings Some examples of RACF deny-all settings: Profiles - Universal Access ID(*) on an access list with READ or higher Profiles - Warning Global Access Table Inactive RACF Classes 5/27/2016 15
How does Vanguard Help Address PCI DSS? Vanguard Product Suite 5/27/2016 16
Vanguard Configuration Manager What is Vanguard Configuration Manager? Vanguard Configuration Manager Automates the Process of Testing Mainframe Security Configuration Controls to Assess their Compliance with the IBM z/os and RACF Configuration Checklist from the National Checklist Program (NCP) of the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS) Enhances z Systems Security by Providing Built-In Configuration Control Details Automates Testing on more than 350 z Systems Configuration Control Checks Produces Accurate Compliance Reports in Minutes 5/27/2016 17
How Does Vanguard Configuration Manager Address PCI DSS? Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters - Requirement 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards Sources of industry-accepted system hardening standards may include but are not limited to: Center for Internet Security (CIS) International Organization for Standardization (ISO) SysAdmin Audit Network Security (SANS) Institute National Institute of Standards Technology (NIST). Requirement 3 - Protect stored cardholder data - See ZICS Integrated Cryptographic Service Facility section 5/27/2016 18
How Does Vanguard Configuration Manager Address PCI DSS? Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs - Since Malware on z/os is concerned with mainly gain access to APF libraries, check ACP00060 validates only appropriate Users have access Requirement 7 - Restrict access to cardholder data by business need to know - As well as specifying how Datasets and General Resources are to be protected, Vanguard Configuration Manager also controls what Roles are allowed to have access and what level of access Requirement 8 - Identify and authenticate access to system components - Reporting See RACF - Security Server (RACF) Settings section» Password Format» Password Attempts» Password Expiration See ZUSS UNIX System Services See AAMV - Inactivity Timers 5/27/2016 19
How Does Vanguard Configuration Manager Address PCI DSS? Requirement 10 Track and monitor all access to network resources and cardholder data - Use Vanguard Configuration Manager to report on SMF Includes checks in the AAMV, ACOM, ACP and RACF categories 5/27/2016 20
Common PCI Requirements NIST RACF Checklist https://web.nvd.nist.gov/view/ncp/repository/checklistdetail?id=55 5/27/2016 21
Vanguard Configuration Manager Choose Which STIG level 5/27/2016 22
Vanguard Configuration Manager Specify or create Baseline datasets 5/27/2016 23
Vanguard Configuration Manager Select a Category 5/27/2016 24
Vanguard Configuration Manager Category Report Summary 5/27/2016 25
Vanguard Configuration Manager 5/27/2016 26
Vanguard Policy Manager What is Vanguard Policy Manager? Prevents execution of z/os Security Server commands that do not comply with organizational-defined policies Enables enterprises to precisely control which users can execute specific commands, parameters and sub-parameters. Noncompliant commands are modified to comply with policy or prevented from executing. Enhanced logging features are provided to log command events regardless of resource-level or system-level audit settings 5/27/2016 27
Staying Compliant Continuous Monitoring Tools-Intrusion Prevention 1. User issues a supported RACF command Vanguard Policy Manager TM Continuous Monitoring and Policy Enforcement of RACF Commands: a) Validates that the command issuer is authorized to issue the command b) Validates that the command is compliant with user-defined policies c) Modifies commands to comply with written policies prior to execution d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile) e) Log all command activity to System Management Facility (SMF) 5/27/2016 28 PCI 7.2.3 PCI 10.2.2 PCI 10.2.7
How Does Vanguard Policy Manager Address PCI DSS? Requirement 7 - Restrict access to cardholder data by business need to know - Can Lock Down PCI related RACF profiles once set up correctly SETROPTS PROTECTALL settings PCI related Dataset and General Resource profiles Requirement 8 - Identify and authenticate access to system components - Lock down SETROPTS for password» Password Format» Password Attempts» Password Expiration Requirement 9 - Restrict physical access to cardholder data - Lock down SETROPTS ERASE-ON-SCRATCH - Lock down PCI related Dataset Profiles for ERASE-ON-SCRATCH Requirement 10 - Track and monitor all access to network resources and cardholder data - Lock down Audit Parms on PCI Dataset & General Resource Profiles 5/27/2016 29
Vanguard Policy Manager 5/27/2016 30
SETROPTS Policy 5/27/2016 31
Not Authorized to change SETROPTS 5/27/2016 32
Vanguard Policy Manager Dataset Policies 5/27/2016 33
Not Authorized to Alter PCI DS Profile User had SYSTEM SPECIAL but was not authorized to the $VPM PCI profiles. Command NOT executed Gets logged as a violation. Can be reported on using Vanguard Advisor (usually the next day) or can use Vanguard Active Alerts to send an immediate notification 5/27/2016 34
Vanguard Policy Manager Enhanced Command Logging 5/27/2016 35
Vanguard Enforcer What is Vanguard Enforcer - Ability to notify and optionally Correct - Manage the Security Implementation Baseline that Enforces Your Security Policies - Continuous Scanning of RACF Security Profiles Looking for Deviations from the Baseline - Logs all Scan Operations and Deviations Found 5/27/2016 36
How Does Vanguard Enforcer Address PCI DSS? Requirement 7 - Restrict access to cardholder data by business need to know - Can ensure that if someone does get access that they are not supposed to have that you are either notified or it can changed the setting back Requirement 10 - Track and monitor all access to network resources and cardholder data - 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts Make sure that SMF Parmlib not changed (could effect what is being collected) Make sure that SMF new exits are not implemented etc. Requirement 11 - Regularly test security systems and processes - 11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files or content files 5/27/2016 37
Vanguard Enforcer 5/27/2016 38
Vanguard Enforcer 5/27/2016 39
Vanguard Enforcer 5/27/2016 40
Vanguard Enforcer Vanguard Enforcer Sensor Notification Alert - Example 5/27/2016 41
Vanguard Advisor What is Vanguard Advisor? - Uses Live or Historical SMF Records and Log Stream Data - Conduct a Wide Variety of Analyses from an Array of Packaged and Customizable Reports - 100s of Pre-Built Commonly Used Reports - Customized Reports without the need to Learn Complex Reporting Languages - Deliver Violation Notices and Reports via Email 5/27/2016 42
How Does Vanguard Advisor Address PCI DSS? Requirement 4 - Encrypt transmission of cardholder data across open, public networks - Can help prove that you are using a secure version of FTP and a safe (secure) Cypher Requirement 10 - Track and monitor all access to network resources and cardholder data - 10.6 Review logs and security events for all system components to identify anomalies or suspicious activity 5/27/2016 43
Vanguard Advisor 5/27/2016 44
Vanguard Advisor 5/27/2016 45
Vanguard Advisor 5/27/2016 46
Vanguard Advisor 5/27/2016 47
PCI Requirement 4 FTP Advisor Report 5/27/2016 48
Vanguard Multi-Factor Solutions What are the Vanguard Multi-Factor Solutions? Two-Factor (Multi-Factor) Authentication» Vanguard ez/pivcard Authenticator» Vanguard ez/token» Vanguard Tokenless Authentication How Do Vanguard Multi-Factor Solutions Address PCI DSS? - Requirement 8: Identify and authenticate access to system components * New with PCI DSS 3.2 8.3 Secure all individual non-console administrative access* and all remote access to the CDE using multi-factor authentication By employing at least two of the following methods to authenticate users» Something you know, such as a password or passphrase» Something you have, such as a token device or smart card» Something you are, such as a biometric 5/27/2016 49
Some Professional Services Solutions Vanguard Professional Services also has additional offerings to help you get PCI DSS Ready. Limit access to system components & CHD Role Based Access (PCI DSS 7.1) Annual Penetration Testing including z/os (PCI DSS 11.3) DB2 to RACF Security migration assistance 5/27/2016 50
The End Thank You Here are some helpful Websites: Requirements and Security Assessment Procedures https://www.pcisecuritystandards.org/documents/pci_dss_v3-2.pdf PCI SSC Data Security Standards https://www.pcisecuritystandards.org/security_standards/index.php NIST Checklist https://web.nvd.nist.gov/view/ncp/repository/checklistdetail?id=55 51 5/27/2016 51
Vanguard zsecurity University May 23 May 26 Basics of RACF Administration 24 CPE 4 days Online June 1 June 3 RACF Security for z/os Applications ALL MODULES 18 CPE 3 days Online June 1 RACF Security for z/os Applications MODULE 1 RACF for DB2 6 CPE 1 day Online June 2 June 3 RACF Security for z/os Applications MODULE 2 RACF for CICS 12 CPE 2 days Online June 6 June 9 Beyond RACF Basics 24 CPE 4 days Online June 13 June 15 Auditing z/os and RACF June 21 June 24 Beyond RACF Basics 18 CPE 3 days Online 24 CPE 4 days Jacksonville, FL June 27 June 30 Basics of RACF Administration 24 CPE 4 days Online Register to attend a course, or to get more information: http://www.go2vanguard.com/training Don t forget that all of the Vanguard zsecurity University courses are eligible for CPE Credits. 5/27/2016 52 Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees
Vanguard zsecurity University Software Solutions Services Training International About Customer To register for a webinar or training course: go2vanguard.com Select - Training Register to attend a course, or to get more information: http://www.go2vanguard.com/training Don t forget that all of the Vanguard zsecurity University courses are eligible for CPE Credits. 5/27/2016 53 Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees
5/27/2016 54 54
Questions? How to Contact Us Vanguard Integrity Professionals 6625 South Eastern Ave., Suite 100 Las Vegas, NV 89119-3930 Direct/International: (702) 794-0014 Toll Free: (877) 794-0014 Fax: (702) 794-0023 TechSupport@go2vanguard.com 5/27/2016 55
Legal Notice Copyright 2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited. Trademarks The following are trademarks of Vanguard Integrity Professionals Nevada: Vanguard Administrator Vanguard Advisor Vanguard Analyzer Vanguard SecurityCenter Vanguard SecurityCenter for DB2 Vanguard Offline Vanguard Cleanup Vanguard PasswordReset Vanguard Authenticator Vanguard incompliance Vanguard IAM Vanguard GRC Vanguard QuickGen Vanguard Active Alerts Vanguard Configuration Manager Vanguard Configuration Manager Enterprise Edition Vanguard Policy Manager Vanguard Enforcer Vanguard ez/token Vanguard Tokenless Authenticator Vanguard ez/piv Card Authenticator Vanguard ez/integrator Vanguard ez/signon Vanguard ez/password Synchronization Vanguard Security Solutions Vanguard Security & Compliance Vanguard zsecurity University 5/27/2016 56
Trademarks The following are trademarks or registered trademarks of the International Business Machines Corporation: CICS CICSPlex DB2 eserver IBM IBM z IBM z Systems IBM z13 IMS MQSeries MVS NetView OS/390 Parallel Sysplex RACF RMF S/390 System z System z9 System z10 System/390 VTAM WebSphere z Systems z9 z10 z13 z/architecture z/os z/vm zenterprise Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product and service names may be trademarks or service marks of others. 5/27/2016 57