Professional Documents
Culture Documents
Compliance
PCI Requirement 10: Track and monitor all access to network resources and cardholder data PCI Requirement 8.5.5: Remove and/or disable inactive user accounts at least every 90 days PCI Requirement 7: Limit access to cardholder data by business need-to-know PCI Requirement 6.1: Ensure all system components and software are protected from known vulnerabilities by installing the latest vendor-supplied security patches Data in Scope: Identify, and track, all locations of cardholder data
Organizations that process or store cardholder data are to a data breach and maintain customer trust in their ability to securely transact business.
DatabaseFileWeb
PCI Requirement 10: Track and Monitor all Access to Network Resources and Cardholder Data
PCI Requirement 10 mandates that organizations establish an audit log of all access to network resources and cardholder data. It includes 25 sub-requirements that delineate not only what needs to be logged, but also how those logs are to be managed. PCI Section 10.2 mandates implementation of automated audit trails, and Section 10.3 lists the details that must be included in audit trail entries. Since most IT environments are heterogeneous and contain various database platforms, implementing audit controls across corporate databases is not a trivial task. Some organizations consider using a free database utility, such as native auditing. However, this poses several challenges for database administrators (DBAs) and consultants looking to use built-in native database logging.
Consider: DAM for Achieving Comprehensive Database Audit Capabilities Across Enterprise Platforms
SecureSphere Database Security solutions provide comprehensive audit capabilities and a unified audit trail that enables consistent reporting and analysis. SecureSphere Database Security solutions extend advanced audit capabilities to leading database platforms, such as Oracle, Microsoft SQL, DB2, and Sybase as well as other mission critical systems, such as DB2 for z/OS, DB2/400, Terradata, and Netezaa.
Complete audit trail to monitor and report on access to credit card data.
<
>
DatabaseFileWeb
Consider: DAM for Lowering Operational Costs by Leveraging Centralized Database Audit and Security Management
SecureSphere Database Security solutions enable centralized management of audit trails and alerts from a centralized interface. SecureSphere also enables administrators to apply the same audit policies on different databases, regardless of the specific platform.
<
>
DatabaseFileWeb
For other applications where the user information is available, like Siebel, user tracking can be easily configured (Imperva consultants can assist with the required configuration). Web to Database User Tracking: The integrated SecureSphere Data Security Suite can link specific credit card data access events to source application users, even if the application does not provide this information. Combining the capabilities of the SecureSphere Database Firewall (DBF) and SecureSphere Web Application Firewall (WAF), this integrated suite can transparently correlate Web application login and session information with database transactions and objects accessed. Privileged Account User Tracking: When privileged users log into the database using shared privileged accounts, SecureSphere agents can identify the original user and provide this user information with the audit record.
Typical audit appliances and native database audit capabilities record application names, not actual user names.
PCI Requirement 8.5.5: Remove/Disable Inactive User Accounts at Least Every 90 Days
Proper user management requires removal of dormant database user accounts. Doing so keeps the database secure and eliminates the need to manage stale accounts. User accounts must be disabled when an employee quits an organization or retires. In reality, DBAs are not always notified when somebody leaves. Dormant accounts increase the risk of a data breach. If these accounts are compromised and used for carrying malicious attacks, the impact can be devastating.
Challenge: Databases Do Not Track the User's Last Login Date and Time
If organizations could query the database for the user last login date, then dormant users could easily be identified. Unfortunately, databases do not record this information. Some DBAs try to use various scripts, or manually search audit logs. However, this is a tedious, resource-intensive process that often yields inaccurate results.
<
>
DatabaseFileWeb
Consider DAM Integrated with User Rights Management for Automated Identification of Dormant Users and Dormant Rights
SecureSphere Database Activity Monitoring audits all successful, and failed, login attempts. Combining this information with aggregated user information from across all enterprise databases, enables SecureSphere to present an accurate picture of active users versus dormant users. Through User Rights Management analysis capabilities, organizations can easily identify inactive users, see the last date and time these users were active, and gain additional context about these users, such as manager, department, etc., for safe removal of dormant accounts.
<
>
DatabaseFileWeb
Identify Data Owners: In most organizations, it is not easy to identify who owns certain data. By tracking actual usage of the data, it is possible to identify the most active users who are, or can help identify, the actual data owner. Identify Excessive Access Rights: SecureSphere helps identify excessive rights by correlating user access rights reports with actual data access activity. Users who do not access data, despite their permissions, may no longer be part of the organization or may not need those permissions to perform their job. Establish a Repeatable Access Rights Review Process: Establishing a rights review workflow helps organizations build a repeatable process for reviewing access rights. In addition to following a regular workflow, organizations should maintain an audit trail of the review process by recording whether reviewers accept or reject existing access rights and the required changes.
User Rights Management identifies which users can access what data.
PCI Requirement 6.1: Ensure that all System Components and Software are Protected from Known Vulnerabilities by Having the Latest Vendorsupplied Security Patches Installed
PCI requires organizations to ensure their databases are protected by applying the latest security patches. Database breaches often exploit known vulnerabilities in applications and supporting data systems. Unpatched systems expose organizations to a variety of threats.
<
>
DatabaseFileWeb
Challenge: Cardholder Data Proliferation in the Enterprise Creates Unmitigated Risk of a Data Breach
While organizations place controls on cardholder data, certain business processes reduce the effectiveness of these efforts. For example, production data is cloned into development and QA instances required to test new application development. Data warehouse applications use this data for business analytics. The need to identify all data in-scope is at the heart of the PCI compliance effort because it is both essential to achieve this objective and secure cardholder data, as well as to limit the scope of the audit to relevant systems only.
<
>
DatabaseFileWeb
Conclusion
PCI DSS establishes an actionable security and compliance framework for protecting cardholder data. Organizations that process or store such data are obligated to secure this data and minimize their financial exposure to a data breach. Organizations must also maintain customer trust in their ability to securely transact business data. Imperva is the market leader and innovator in data security for PCI compliance. Impervas comprehensive and powerful platform, SecureSphere, accurately protects and audits all in-scope assets, including Web applications, databases, and files. Unlike point solutions for PCI compliance, Imperva offers a single, fully integrated and centrally managed solution that reduces total cost of ownership and enables phased, seamless deployment. SecureSphere allows customers to incrementally address PCI requirements according to their business and technical priorities. Imperva accelerates deployment by providing built-in data discovery and classification capabilities and pre-packaged PCI policies and reports. With SecureSphere, customers can quickly and painlessly satisfy audit requirements while securing their data. Since many organizations are subject to more than one set of regulations, Imperva SecureSphere can also address additional compliance requirements such as SOX and HIPAA. Imperva has significant experience in enabling organizations to successfully meet, and exceed, PCI requirements. Imperva offers flexible consulting, support, and training offerings to help organizations rapidly realize the value of their SecureSphere investment. This article is an excerpt from the Imperva white paper Data Security for PCI Compliance. To view the original document, click here.
About Imperva
More organizations trust Imperva to protect their business applications and databases than any other vendor. Only Imperva delivers innovative technology to give full audit accountability and separation of duties to meet regulatory compliance. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring from the database to the accountable application user. To learn more about Impervas solution visit www.imperva.com.
<
>
DatabaseFileWeb
Text
Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release. Note: An organization may consider applying a risk-based approach to prioritize their patch installations. For example, by prioritizing critical infrastructure (for example, public-facing devices and systems, databases) higher than less-critical internal devices, to ensure high-priority systems and devices are addressed within one month, and addressing less critical devices and systems within three months.
NA
6.2
Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues. Separation of duties between development/ test, and production environments
Subscription-based SecureSphere ADC Insight Services provide regular updates to the assessments of known vulnerabilities in business application (SAP, Oracle EBS, etc.) and database software. This information is integrated in the assessment capability mentioned in section 6.1 SecureSpheres Dynamic Profiling can enforce and audit separation of duties between different users and/or roles based upon their normal behavior profiles. For example, by monitoring production environments user access SecureSphere can detect and log unauthorized changes made by developers. Sensitive data discovery and user account assessments can audit removal of these accounts from production Web application and database systems Sensitive data discovery and user account assessments can audit removal of these accounts from production Web application and database systems SecureSphere Change Control Module can audit on configuration changes to database servers SecureSphere protects against each of the vulnerabilities identified by requirements 6.5.1 through section 6.5.10 all of the vulnerabilities enumerated by the Open Web Application Security Project (OWASP) guideline as well as many advanced vulnerabilities not covered by PCI or the OWASP Top Ten. Since SecureSphere capabilities go above and beyond the latest standards, it may be considered as a compensating control in certain scenarios. Its also worth noting that as threats change over time, SecureSphere is automatically updated by Imperva to provide protection against the latest vulnerabilities and standards. It is much more difficult to identify and deploy secure coding practices to developers as threats change. For more information about how SecureSphere protects against the OWASP Top Ten list of security vulnerabilities, please see the SecureSphere and OWASP Top Ten Technical Brief.
6.3.3
6.3.5
Removal of test data and accounts before production systems become active Removal of custom application accounts, usernames, and passwords before applications become active or are released to customers Follow change control procedures for all changes to system components. The procedures must include the following: Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following: Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when PCI DSS v1.2 was published. However, if and when the OWASP guide is updated, the current version must be used for these requirements.
6.3.6
6.4
6.5
<
>
DatabaseFileWeb
Req #
6.5.1 6.5.2
Text
Cross-site scripting (XSS) Injection flaws, particularly SQL injection. Also consider LDAP and Xpath injection flaws as well as other injection flaws. Malicious file execution Insecure direct object references Cross-site request forgery (CSRF) Information leakage and improper error handling Broken authentication and session management Insecure cryptographic storage Insecure communications
NA
X X X X X X X
6.5.10 6.6
Failure to restrict URL access For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes Installing a web-application firewall in front of public-facing web applications X
< 10 >
DatabaseFileWeb
Text
Establish a process for linking all access to system components (especially those with administrative privileges such as root) to each individual user.
NA
10.2
Implement automated audit trails for all system components to reconstruct the following events:
SecureSphere audits on all database events specified for compliance with requirement 10.2. SecureSphere audits some of the Web application events required for compliance with requirement 10.2. In addition to auditing, SecureSphere can issue real-time alerts in the event of significant policy violations. For example, it may be important to know in real-time when a database administrator uses a decryption stored procedure to access a credit card table. SecureSphere audits all database access to cardholder data and link that access to specific users (see item 10.1). SecureSphere audits all database management actions by administrators. SecureSphere audits access to its own Web and database audit trail. SecureSphere can additionally audit access to data that resides within native database logs. SecureSphere audits invalid Web and database logical access attempts. X SecureSphere audits Web and database authentication events. SecureSphere audits initialization of its own Web and database audit logs. SecureSphere audits creations and deletions of system-level database objects (schemas, installation dangerous stored procedures, etc.). SecureSphere Web and database event logs include all of the data specified in requirement 10.3. SecureSphere Web and database event logs include specific user names (see 10.1). SecureSphere Web and database event logs include event types. SecureSphere Web and database event logs include the date and time. The SecureSphere Web Application Firewall records Web server response codes, indicating server errors. The SecureSphere Database Firewall and Database Activity Monitoring track database errors and login failures.
10.2.1
10.2.2 10.2.3
All actions taken by any individual with root or administrative privileges Access to all audit trails
X X
Invalid logical access attempts Use of identification and authentication mechanisms Initialization of the audit logs Creation and deletion of system-level objects Record at least the following audit trail entries for all system components for each event: User identification Type of event Date and time Success or failure indication
X X
10.3
X X X X
< 11 >
DatabaseFileWeb
Req #
10.3.5 10.3.6 10.4 10.5
Text
Origination of event Identity or name of affected data, system component or resource Synchronize all critical system clocks and times. Secure audit trails so they cannot be altered.
NA
10.5.1
10.5.2
10.5.3
Promptly back up audit trail files to a centralized log server or media that is difficult to alter. Write logs for external-facing technologies onto a log server on the internal LAN. Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6
10.5.4
The SecureSphere Web Application Firewall, typically deployed as an external-facing technology, can write logs to a log server on the internal LAN. SecureSphere Web and database audit logs can be signed and encrypted.
10.5.5
10.6
SecureSphere Web and database audit reports and alerts enable this requirement. Workflow can be defined to track review activity and require sign-off.
10.7
Retain audit trail history for at least one year, with a minimum of three month immediately available for analysis (for example, online, archived, or restorable from back-up).
Imperva SecureSphere Web and database audit trail logs can be backed up and stored for a configurable period. Support for SAN, NAS and integration with log management from SenSage, ArcSight, Prism Microsystems, RSA, and others provides multiple options for long-term, high-volume data retention.
< 12 >
White Paper
Appendix B Imperva SecureSphere Deployment
Imperva Agent
Databases
Network Monitoring Native Audit
Users
Web Servers Web Application Firewall (6.6) Database Activity Monitoring (10, 7, 8.5, 6.1)
INTERNET
Uni ed Management Server (MX)
The SecureSphere Data Security Suite comprises market-leading SecureSphere Web Application, Database, and File Security Solutions. The SecureSphere Data Security Suite can be deployed as separate standalone appliances, as shown above, or as a single, integrated security appliance. Together, the SecureSphere deployment monitors and protects sensitive resources and addresses PCI requirements 6.6, 7, 8.5, 10, and 11.5. An MX Management Server centrally manages all SecureSphere appliances. Security updates from the Imperva Application Defense Center (ADC) and from ThreatRadar cloud servers keep SecureSphere defenses up-to-date.
Imperva Headquarters 3400 Bridge Parkway, Suite 200 Redwood Shores, CA 94065 Tel: +1-650-345-9000 Fax: +1-650-345-9004 Toll Free (U.S. only): +1-866-926-4678 www.imperva.com Copyright 2011, Imperva All rights reserved. Imperva, SecureSphere, and "Protecting the Data That Drives Business" are registered trademarks of Imperva. All other brand or product names are trademarks or registered trademarks of their respective holders. #WP-DATABASE-SECURITY-PCI-COMPLIANCE-0611rev1