Wednesday, May 19, 2010
One of my first blog posts ever was my analysis of the Payment Card Industry Data Security Standard (PCI DSS). Of all the compliance requirements out there, I felt it had the most specificity and the most teeth behind it in terms of validation steps and penalties for non-compliance. In the early days of Centrify when we just offered our DirectControl and DirectAudit solutions, we primarily addressed Section 7 ("Restrict access to cardholder data by business need-to-know"), Section 8 ("Assign a unique ID to each person with computer access") and Section 10 ("Track and monitor all access to network resources and cardholder data") of the PCI DSS. With the release of DirectSecure earlier this year and the release of DirectAuthorize last year we have broadened our PCI footprint to address additional PCI requirements, so I want to use this blog post to talk about some of the added requirements we now address.
[Speaking of PCI Compliance, Centrify is proud to sponsor a free webinar with a third party PCI guru that will happen on May 20th entitled "Solving the PCI Puzzle: Putting the Access Control, Privilege Management, and Server Protection Pieces Together". Visit /events/solving-the-pci-puzzle.asp to register (or visit this page after May 20th to view the replay).]
[Also a shout-out to our Director of Product Management, David McNeely, for assistance on this blog post.]
As mentioned above, DirectControl and DirectAudit really do a good job of nailing down Sections 7, 8 and 10 of the PCI DSS. DirectControl addresses these requirements by getting users to login as themselves (i.e. their Active Directory user account) vs. sharing logins (e.g. "root") and delivering its Zone capability for system level access control, while DirectAudit provides user-level auditing to capture "all actions taken by any individual with root or administrative privileges."
In order to provide a more granular access and privilege policy enforcement that is much more dynamic, DirectAuthorize provides a role-based solution enabling the definition of specific roles that can be granted a set of rights to both access specific computers on specific interfaces as well as provide specific privileges to run sensitive commands. This solution is much more dynamic given its ability to assign rights to a single user upon login as well as to time limit those rights enabling administrators to grant temporary rights on a single system, something that is not easily accomplished without reducing the security on the machine.
Here is an example of how DirectAuthorize adds to DirectControl's PCI story: Section 7 is about "Restricting Access to Cardholder Data by Business Need-to-Know." Centrify DirectControl provides the unique ability to group similar systems for access control purposes as well as delegated administrative purposes through the use of DirectControl Zones. These Zones can be used to grant a user access to only a specific set of systems on a need-to-know basis. By default, the user is denied the right to login to any other systems in Zones where he does not have membership. Centrify realizes that, in most environments, access to non-Windows systems is granted on a least-access model, where users are granted access only to systems that they need to access, which is quite the opposite of most Windows environments that allow users to log into any system that trusts the Active Directory domain where the user has an account.
This Zone concept of DirectControl can also be coupled with machine-specific, Group Policy-controlled access and deny configurations that can be used to define more restrictive access policies. DirectAuthorize extends this functionality to define a set of Roles that will be granted specific access and privileged command Rights. These Roles are defined on Active Directory enabling both AD users and AD groups to be assigned to the Role, simplifying ongoing management.
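The zone/role model in the two paragraphs above (systems grouped into zones, deny-by-default login, roles that carry both login rights on specific interfaces and privileged-command rights, assignment to an AD user or group, and grants that expire) can be made concrete with a small evaluator. The code below is an added illustration written for this post, not Centrify's code or API; every host, zone, role, command and principal name in it is a constructed assumption.

```python
"""Deny-by-default zone/role evaluator with time-limited grants.

Added example illustrating the model described above. Not Centrify's code
or API; every name, host, role and right below is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Role:
    name: str
    zone: str                         # zone whose systems this role may reach
    login_interfaces: FrozenSet[str]  # e.g. {"ssh", "console"}
    commands: FrozenSet[str]          # privileged commands the role may run


@dataclass
class Assignment:
    principal: str                    # hypothetical AD user or group name
    role: str
    expires_at: Optional[datetime] = None  # None: standing grant


@dataclass
class Policy:
    zones: Dict[str, Set[str]]        # zone -> hostnames
    roles: Dict[str, Role]
    groups: Dict[str, Set[str]] = field(default_factory=dict)   # group -> users
    assignments: List[Assignment] = field(default_factory=list)

    def _principals(self, user: str) -> Set[str]:
        """The user plus every group that contains the user."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def _active_roles(self, user: str, now: datetime):
        """Roles granted to the user (directly or via group) that have not expired."""
        names = self._principals(user)
        for a in self.assignments:
            unexpired = a.expires_at is None or now < a.expires_at
            if a.principal in names and unexpired:
                yield self.roles[a.role]

    def _hosts_in(self, role: Role) -> Set[str]:
        return self.zones.get(role.zone, set())

    def can_login(self, user: str, host: str, interface: str, now: datetime) -> bool:
        """Allowed only if an unexpired role covers both the host's zone and the interface."""
        return any(host in self._hosts_in(r) and interface in r.login_interfaces
                   for r in self._active_roles(user, now))

    def can_run(self, user: str, host: str, command: str, now: datetime) -> bool:
        """Privileged-command right, scoped to the role's zone as well."""
        return any(host in self._hosts_in(r) and command in r.commands
                   for r in self._active_roles(user, now))


NOW = datetime(2010, 5, 19, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def later(hours: float) -> datetime:
    return NOW + timedelta(hours=hours)


def sample_policy() -> Policy:
    """Constructed policy: a PCI database zone and a web zone."""
    return Policy(
        zones={"pci-db": {"db01", "db02"}, "web": {"web01"}},
        roles={
            "dba": Role("dba", "pci-db", frozenset({"ssh"}),
                        frozenset({"/sbin/service postgresql restart"})),
            "web-oncall": Role("web-oncall", "web", frozenset({"ssh", "console"}),
                               frozenset({"/sbin/service httpd restart"})),
        },
        groups={"DB-Admins": {"alice"}},
        assignments=[
            Assignment("DB-Admins", "dba"),                 # standing grant via AD group
            Assignment("bob", "dba", expires_at=later(4)),  # temporary 4-hour grant
            Assignment("carol", "web-oncall"),
        ],
    )


def evaluate_examples() -> Dict[str, bool]:
    """Named access decisions against the sample policy."""
    p = sample_policy()
    return {
        "alice_db01_ssh": p.can_login("alice", "db01", "ssh", NOW),     # group grant
        "alice_web01_ssh": p.can_login("alice", "web01", "ssh", NOW),   # deny by default
        "bob_db01_now": p.can_login("bob", "db01", "ssh", NOW),         # grant still live
        "bob_db01_5h": p.can_login("bob", "db01", "ssh", later(5)),     # grant expired
        "bob_restart_db": p.can_run("bob", "db01", "/sbin/service postgresql restart", NOW),
        "carol_restart_db": p.can_run("carol", "db01", "/sbin/service postgresql restart", NOW),
        "carol_console_web": p.can_login("carol", "web01", "console", NOW),
    }


if __name__ == "__main__":
    for check, allowed in evaluate_examples().items():
        print(f"{check:20s} {'ALLOW' if allowed else 'DENY'}")
```

The two properties worth noting are that every decision starts from deny and only an unexpired role whose zone contains the target host can flip it, and that a temporary grant to a single user lapses on its own without anyone having to remember to revoke it or loosen the host's configuration in the meantime.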
DirectSecure enables our customers to address additional PCI requirements beyond 7, 8 and 10, specifically:
Here's how for each:
DirectSecure provides the advanced firewall services to ensure that PCI systems are not able to communicate with any other untrusted systems.

While most applications will encrypt data in transit between systems, there are many more applications that were not designed to provide network encryption services themselves. DirectSecure provides both integrity and confidentiality for all communications between trusted systems.

The Heartland data breach was one of the largest data breaches of 2009 and even though they were recently certified as PCI-DSS compliant, the hacker was able to gain access to payment card data through malicious code that sniffs the internal network for the data. While requirement 4.1 does not specifically state that encryption is required on internal networks, these attacks are sophisticated in nature and follow the same attack model described earlier requiring strong host isolation and network encryption. There are several other reasons why encryption should be used for all PCI data transfers on both external and internal networks. For example, in retail environments the local store network typically provides both wired and wireless connections, which will require proper configuration to ensure that any data does not leak out of the wireless network connections.
Additionally, many retail environments that sell technology products are increasingly requiring Internet access in order to demonstrate those products, again making it difficult to separate the network and traffic based on the usage, PCI transactions or demonstrations. Again, the best way to address the need to secure PCI data in transit on these networks is to encrypt the data at the source host so that it will never travel over a network connection without being encrypted.
Organizations with wide area networks will find that a host-based solution to provide server isolation and encryption of data in transit will provide much more flexibility than a hardware-based solution, enabling them to easily group and isolate those servers supporting PCI functions regardless of their location on the WAN. Additional benefits of this host-based software solution include:

The strongest form of intrusion prevention is to ensure that all communications into and out of a sensitive system must be authenticated in order to effectively control access to the data held by that system.

As documented in the Payment Card Industry (PCI) Data Security Standard (DSS) "Requirements and Security Assessment Procedures version 1.2.1" document published in July 2009 (located here), the PCI DSS security requirements "apply to all system components." To the PCI DSS, "system components" are defined as "any network component, server, or application that is included in or connected to the cardholder data environment."
While "network segmentation" (i.e. "isolating" and/or "segmenting the network") is not a PCI DSS requirement per se, the document does in fact recommend it because it may reduce (and I quote):
And the document later states
"Without adequate network segmentation (sometimes called a "flat network") the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network. .... At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not."
So it is interesting that the document states that "Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of the corporate network is not a PCI DSS requirement", but it does highly recommend it to reduce scope/cost/etc. especially in light of Section 1.2 that is a requirement:
"1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage."
So PCI DSS is clear: you must block untrusted systems from talking to your systems holding card data and we really really really recommend you segment your network as it will help you avoid having untrusted systems talk to your cardholding systems.
This requirement (Section 1.2) and recommendation (network segmentation) are definitely right smack dab in the wheel house of DirectSecure. DirectSecure has the ability to prevent untrusted computers from communicating with trusted systems, and can further secure your trusted systems by delivering tiered network access and tighter control over who can access specific groups of systems.
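The scope argument quoted above, and the host-based isolation described earlier (only trusted systems may talk to the sensitive ones, everything else is dropped at the host), reduce to a connectivity question: which systems are "included in or connected to" the cardholder data environment under a given policy? The code below is an added worked example for this post, not Centrify's code; the host inventory, the two policies, and the directory server name "dc01" are constructed assumptions. It compares a flat network with a host-isolation policy and counts what each leaves in scope.

```python
"""PCI DSS scope as a connectivity question (added example, not from the post).

Models two points made above: on a flat network every component connected to
the cardholder data environment (CDE) is in scope, and a host-based policy
that lets only trusted peers talk to CDE hosts shrinks that set. The host
inventory, the policies and the directory-server name are constructed.
"""
from typing import Dict, Set, Tuple

Flow = Tuple[str, str]  # (source host, destination host)

# Constructed inventory: hostname -> True if it stores, processes or transmits CHD
HOSTS: Dict[str, bool] = {
    "pos01": True, "card-db": True, "pay-gw": True,
    "demo-kiosk": False, "hr-web": False, "print01": False, "dc01": False,
}
CDE: Set[str] = {h for h, chd in HOSTS.items() if chd}
# Hosts that CDE members are allowed to talk to (assumption: the CDE hosts
# themselves plus the directory server they authenticate against)
TRUSTED: Set[str] = CDE | {"dc01"}


def allowed_flows(policy: str) -> Set[Flow]:
    """Flows a policy permits.

    'flat':     any host may reach any other host.
    'isolated': traffic touching a CDE host is allowed only between trusted
                hosts (modelled on host-based isolation); everything else to
                or from a CDE host is dropped. Non-CDE hosts still talk freely.
    """
    flows: Set[Flow] = set()
    for src in HOSTS:
        for dst in HOSTS:
            if src == dst:
                continue
            touches_cde = src in CDE or dst in CDE
            if policy == "flat":
                flows.add((src, dst))
            elif policy == "isolated":
                if not touches_cde or (src in TRUSTED and dst in TRUSTED):
                    flows.add((src, dst))
            else:
                raise ValueError(f"unknown policy {policy!r}")
    return flows


def in_scope(flows: Set[Flow]) -> Set[str]:
    """CDE hosts plus every host with a permitted flow to or from one.

    'Included in or connected to' is read as one hop in either direction.
    """
    scope = set(CDE)
    for src, dst in flows:
        if src in CDE:
            scope.add(dst)
        if dst in CDE:
            scope.add(src)
    return scope


def scope_report() -> Dict[str, int]:
    """Number of in-scope components under each policy."""
    return {policy: len(in_scope(allowed_flows(policy)))
            for policy in ("flat", "isolated")}


if __name__ == "__main__":
    for policy in ("flat", "isolated"):
        print(f"{policy:9s} in scope: {sorted(in_scope(allowed_flows(policy)))}")
```

On the flat policy all seven constructed hosts end up in scope, including the demo kiosk and the print server; under host isolation only the three CDE hosts and the directory server remain, which is also a reminder that whatever the CDE authenticates against is itself a "connected to" component and must be treated as in scope.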
Given the breadth of our offering, it is no surprise that some of the world's largest retailers are using Centrify's solutions to address many of their PCI requirements. And the approach we utilize — leverage an existing technology they own (Microsoft Active Directory) — allows our solutions to be cost effectively deployed and implemented in a timely manner to address any remediation requirements.
For more information I encourage you to check out our May 20th webinar entitled "Solving the PCI Puzzle: Putting the Access Control, Privilege Management, and Server Protection Pieces Together". Visit /events/solving-the-pci-puzzle.asp to register or visit this page after May 20th to view the replay.
Tom Kemp is CEO of Centrify. You can follow him on his Centrify blog or his Secure Thinking blog on Forbes.com.