5/27/2016
How Vanguard Solves
Your PCI DSS Challenges
Peter Roberts
Sr. Consultant
AGENDA
1. About Vanguard/Introductions
2. What is PCI DSS
3. PCI DSS 3.1/3.2 Important Dates
4. PCI DSS Change Cycle
5. Top PCI challenges for z/OS®
6. How Vanguard Addresses PCI DSS Requirements
7. Q/A
What is PCI DSS?
What is PCI DSS - Payment Card Industry Data Security Standard?
Set of standards created by the PCI Security Standards Council
Enforced by contract with banks that provide payment card processing
Applicable to everyone who “stores, processes or transmits”
payment card data
PCI DSS Requirements
High-level overview of the 12 PCI DSS Requirements
• Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
• Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
PCI DSS 3.1 / 3.2 Important Dates
• Feb 13, 2015: PCI DSS 3.1 announced
• April 15, 2015: PCI DSS 3.1 published
• April 28, 2016: PCI DSS 3.2 announced and published
• Oct 31, 2016: PCI DSS 3.1 retired; assessments after this date are against 3.2
• Jan 31, 2018: the new 3.2 requirements change from best practice to mandatory
• June 30, 2018: SSL and early TLS may no longer be used as a security control; TLS 1.1 or later is required (TLS 1.2 or later is strongly encouraged)
PCI DSS 3.2 Highlights
• All entities
- Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication (8.3)
- Moved all notes and testing procedures regarding removal of SSL/early TLS to a new Appendix A2
- Version 3.1 expires on 31 October 2016 (3.2’s new additions are a best practice until 31 January 2018)
• Service Providers only:
- There are several new requirements that relate to Service Providers only, including:
  Maintain a documented description of the cryptographic architecture (3.5.1)
  Implement a process for the timely detection and reporting of failures of critical security control systems (10.8)
  If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods (11.3.4.1)
  And several more…
• Designated Entities Supplemental Validation (DESV)
- Applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements (Appendix A3)
PCI DSS Change Cycle
Common PCI Terms
1. CHD - Cardholder Data
2. SAD - Sensitive Authentication Data
3. PAN - Primary Account Number
TOP PCI CHALLENGES FOR z/OS
Interpretation of PCI requirements and applicability to z/OS
“Interpreting PCI DSS for z/OS”: What is a z/OS “System Component”?
Candidate system components, grouped by the role that typically owns them:
1st Systems Programmer: Master Catalog; APF Authorized Datasets; LINKLIB Datasets; User Catalogs; RACF Database; Parmlib Datasets; Multi-User Access Systems; z/OS Security Patches; System Proclibs; Started Tasks; SYS1.PARMLIB; SMF Log Files; System Exits; ICSF Encryption Keys
2nd Systems Programmer: SDSF; Session Managers; SYS1.UADS Dataset; WebSphere®; JES2 / JES3; OMEGAMON; WebSphere MQ®; DFSMS; SVCs; CICS® System Datasets; DB2® System Datasets; IBM Comm Server; Vendor Security Products; Magnetic Tape
RACF® Engineer: The RACF Database; Copies of the RACF database; SETROPTS Settings; RACF CDT; RACF Classes; General Resource Profiles; Encryption Keys; Group Membership; Privileged Userids; RACF Exits; RACF Tables; IRR-Prefixed Utilities; Logging Parameters
RACF Administrator: Dataset Profiles; General Resource Profiles; User ID Attributes; Group Connect Authorities; Role Based Access
Database Administrator: IMS™ Databases; DB2 Databases; DB2 Table Trace; Oracle Databases; RACF Classes for DB2; IDMS
QSA & Compliance Officers: ? (the slide leaves this list open-ended)
Interpreting PCI DSS for z/OS - Example: PCI 7.2.3 “Deny-all” Settings
Requirement 7: Restrict access to cardholder data by business need to know
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed. This access control system must include the following:
7.2.3 Default “deny-all” setting
PCI 7.2.3 Testing Procedure: Confirm that the access control systems have a default “deny-all” setting.
• The challenge for complying with PCI 7.2.3 is to determine the meaning of a default “deny-all” setting
• For a RACF system, SETROPTS PROTECTALL(FAILURES) would be the obvious default “deny-all” setting: with it active, a dataset that no profile covers cannot be accessed at all (users with the SPECIAL attribute excepted, and they get a warning)
• However, if you stop there, you would be mis-interpreting the requirement: PROTECTALL only guarantees that a profile exists, not that the profile itself denies by default
“Interpreting PCI DSS for z/OS”: “Deny-all” Settings
Some examples of RACF settings that undermine a default “deny-all” posture and must be checked on every profile that covers cardholder data:
- Profiles - Universal Access (UACC) other than NONE, which grants that access to every user not on the access list
- ID(*) on an access list with READ or higher, which grants that access to every RACF-defined user
- Profiles - WARNING mode, which logs a failed access check but lets the access proceed
- Global Access Table entries that cover cardholder datasets, which grant access before the profile is ever checked
- Inactive RACF Classes, for which no access checking is performed at all
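The five checks above can be automated against command output rather than eyeballed. The following is an added example, not code from the slides or from Vanguard: it parses a constructed listing in the layout of a LISTDSD ... ALL report (the layout, the global access table entries, the SETROPTS LIST line and the required-class set are all assumptions for the example), reports every setting that breaks deny-all, and includes a simplified translation of RACF generic profile syntax so that global access table entries such as PCI.** can be matched against a dataset name.

```python
import re

# Access levels in RACF order; anything at or above READ exposes data.
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

# Constructed sample in the layout of "LISTDSD DATASET('PCI.CREDIT.DATA') ALL" output.
# The layout is an assumption for this example, not captured from a real system.
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET PCI.CREDIT.DATA

LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    PCIADM          READ           YES      NO

   ID        ACCESS
   --------  -------
   PCIADM    ALTER
   *         READ
   PCIBATCH  UPDATE
"""

# Constructed global access table entries (profile, access), a constructed
# SETROPTS LIST line, and an assumed set of classes the CDE relies on.
SAMPLE_GAT = [("SYS1.BRODCAST", "READ"), ("PCI.**", "READ")]
SAMPLE_ACTIVE_CLASSES = "ACTIVE CLASSES = DATASET USER GROUP FACILITY OPERCMDS"
REQUIRED_CLASSES = {"DATASET", "FACILITY", "OPERCMDS", "SURROGAT"}

PROFILE_RE = re.compile(r"INFORMATION FOR DATASET (\S+)")
UACC_RE = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+(YES|NO)\s+(YES|NO)\s*$", re.M)
ACL_RE = re.compile(r"^ {3}(\S+) +(NONE|EXECUTE|READ|UPDATE|CONTROL|ALTER)\s*$", re.M)


def generic_to_regex(pattern: str) -> str:
    """Translate a RACF generic dataset profile into a regex (simplified rules):
    '**' matches zero or more qualifiers, '*' zero or more characters within
    one qualifier, '%' exactly one character."""
    quals = pattern.upper().split(".")
    out = ""
    for i, q in enumerate(quals):
        if q == "**":
            out += r"(?:[^.]+\.)*" if i == 0 else r"(?:\.[^.]+)*"
            continue
        sep = "" if i == 0 or (i == 1 and quals[0] == "**") else r"\."
        out += sep + re.escape(q).replace(r"\*", "[^.]*").replace("%", "[^.]")
    return "^" + out + "$"


def covers(pattern: str, dsname: str) -> bool:
    return re.match(generic_to_regex(pattern), dsname.upper()) is not None


def audit_dataset_profile(listing: str) -> list:
    """Return the deny-all findings for one LISTDSD listing."""
    findings = []
    profile = PROFILE_RE.search(listing).group(1)
    uacc, warning, _erase = UACC_RE.search(listing).groups()
    if ACCESS_RANK.get(uacc, 0) > 0:
        findings.append(f"{profile}: UACC({uacc}) grants {uacc} to every user not on the access list")
    if warning == "YES":
        findings.append(f"{profile}: WARNING mode lets failed access checks proceed")
    for ident, access in ACL_RE.findall(listing):
        if ident == "*" and ACCESS_RANK[access] >= ACCESS_RANK["READ"]:
            findings.append(f"{profile}: ID(*) ACCESS({access}) grants {access} to every defined user")
    return findings


def audit_global_access_table(gat, dsname: str) -> list:
    """Flag GAT entries that would grant access before the profile is checked."""
    return [f"{dsname}: global access table entry {p}/{a} bypasses the profile"
            for p, a in gat if covers(p, dsname) and ACCESS_RANK.get(a, 0) >= ACCESS_RANK["READ"]]


def inactive_required_classes(setropts_line: str, required) -> list:
    """Classes the CDE depends on that SETROPTS LIST does not show as active."""
    active = set(setropts_line.split("=", 1)[1].split())
    return sorted(required - active)


if __name__ == "__main__":
    for f in audit_dataset_profile(SAMPLE_LISTDSD):
        print(f)
    for f in audit_global_access_table(SAMPLE_GAT, "PCI.CREDIT.DATA"):
        print(f)
    print("inactive classes:", inactive_required_classes(SAMPLE_ACTIVE_CLASSES, REQUIRED_CLASSES))
```

Run against real output, the same functions give a QSA a reproducible answer to the 7.2.3 testing procedure for each profile in scope; the generic matcher deliberately ignores the less common RACF rules (for example enhanced generic naming), so treat a "covers" result as a lead to verify with RLIST or LISTDSD, not as proof.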
How does Vanguard Help Address PCI DSS?
Vanguard Product Suite
Vanguard Configuration Manager™
• What is Vanguard Configuration Manager™?
– Automates the process of testing mainframe security configuration controls to assess their compliance with the IBM® z/OS and RACF Configuration Checklist from the National Checklist Program (NCP) of the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS)
– Enhances z Systems® security by providing built-in configuration control details
– Automates testing of more than 350 z Systems configuration control checks
– Produces accurate compliance reports in minutes
How Does Vanguard Configuration Manager™ Address PCI DSS?
• Requirement 2 - Do not use vendor-supplied defaults for system
passwords and other security parameters
- Requirement 2.2 Develop configuration standards for all system
components. Assure that these standards address all known security
vulnerabilities and are consistent with industry-accepted system
hardening standards
Sources of industry-accepted system hardening standards may include but
are not limited to:
– Center for Internet Security (CIS)
– International Organization for Standardization (ISO)
– SysAdmin Audit Network Security (SANS) Institute
– National Institute of Standards and Technology (NIST).
• Requirement 3 - Protect stored cardholder data
- See ZICS Integrated Cryptographic Service Facility section
• Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
- Because malware on z/OS is mainly concerned with gaining access to APF-authorized libraries (programs loaded from them can obtain supervisor state), check ACP00060 validates that only appropriate users have access to them
• Requirement 7 - Restrict access to cardholder data by business need to know
- As well as specifying how Datasets and General Resources are to be
protected, Vanguard Configuration Manager™ also controls what Roles
are allowed to have access and what level of access
• Requirement 8 - Identify and authenticate access to system components
- Reporting
– See RACF - Security Server (RACF) Settings section
» Password Format
» Password Attempts
» Password Expiration
– See ZUSS – UNIX® System Services
– See AAMV - Inactivity Timers
• Requirement 10 – Track and monitor all access to network resources
and cardholder data
- Use Vanguard Configuration Manager™ to report on SMF
Includes checks in the AAMV, ACOM, ACP and RACF categories
Common PCI Requirements
NIST RACF Checklist
https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=55
Vanguard Configuration Manager™ screens (screenshots not reproduced):
• Choose which STIG level
• Specify or create baseline datasets
• Select a category
• Category report summary
Vanguard Policy Manager™
• What is Vanguard Policy Manager™?
– Prevents execution of z/OS Security Server commands that do not comply with organizational-defined policies
– Enables enterprises to precisely control which users can execute specific commands, parameters and sub-parameters. Noncompliant commands are modified to comply with policy or prevented from executing.
– Enhanced logging features are provided to log command events regardless of resource-level or system-level audit settings
“Staying Compliant”: Continuous Monitoring Tools - Intrusion Prevention
Vanguard Policy Manager™
1. User issues a supported RACF command
2. “Continuous Monitoring and Policy Enforcement” of RACF commands:
a) Validates that the command issuer is authorized to issue the command
b) Validates that the command is compliant with user-defined policies
c) Modifies commands to comply with written policies prior to execution
d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)
e) Logs all command activity to System Management Facility (SMF)
Maps to PCI DSS 10.2.2 (actions taken by users with administrative privileges), 10.2.7 (creation and deletion of system-level objects) and 7.2.3 (default deny-all)
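The five steps above describe a command gate. The following is an added example of that gate, written for this page and not Vanguard's implementation: a small evaluator that takes a RACF command as typed, checks the issuer against an assumed policy (profiles under the PCI. prefix are locked; only the hypothetical administrator PCIADM may change them; UACC must stay NONE; WARNING and ID(*) grants at READ or above are not permitted), rewrites what can be made compliant, fails what cannot, and appends a record for every decision to a list that stands in for the SMF records. The policy, user IDs and profile names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Policy (assumed for this example): profiles under the PCI. prefix are locked
# down; only PCIADM may change them; UACC must stay NONE; WARNING mode and
# ID(*) grants at READ or above are never allowed on them.
POLICY = {
    "locked_prefix": "PCI.",
    "authorized_issuers": {"PCIADM"},
}
ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

PROFILE_RE = re.compile(r"'([^']+)'")          # quoted dataset profile name
KEYWORD_RE = re.compile(r"\b([A-Z]+)\(([^)]*)\)")  # KEYWORD(value) operands

SMF_LOG = []  # stands in for the SMF records written for every decision


@dataclass
class Decision:
    action: str             # ALLOW, MODIFY or FAIL
    command: Optional[str]  # command as it would be passed to RACF (None if failed)
    reason: str


def _record(issuer: str, original: str, decision: Decision) -> Decision:
    # e) every command, allowed or not, is logged with the decision taken
    SMF_LOG.append({"issuer": issuer, "command": original,
                    "action": decision.action, "reason": decision.reason})
    return decision


def evaluate(issuer: str, command: str) -> Decision:
    """Gate one RACF command: authorize the issuer, then check and, where
    possible, rewrite the command so that it complies with the policy."""
    upper = command.upper()
    verb = upper.split()[0]
    m = PROFILE_RE.search(upper)
    profile = m.group(1) if m else None
    kws = dict(KEYWORD_RE.findall(upper))
    if profile is None or not profile.startswith(POLICY["locked_prefix"]):
        return _record(issuer, command, Decision("ALLOW", command, "outside PCI policy scope"))
    # a) issuer authorization: SPECIAL alone does not unlock PCI profiles
    if issuer.upper() not in POLICY["authorized_issuers"]:
        return _record(issuer, command,
                       Decision("FAIL", None, f"{issuer} is not authorized to alter {profile}"))
    # d) a grant to ID(*) at READ or above cannot be made compliant: fail it
    if (verb == "PERMIT" and kws.get("ID") == "*"
            and ACCESS_RANK.get(kws.get("ACCESS", "NONE"), 0) >= ACCESS_RANK["READ"]):
        return _record(issuer, command,
                       Decision("FAIL", None, "ID(*) with READ or higher violates deny-all"))
    # b) and c) check the remaining operands and rewrite what can be rewritten
    rewritten, changes = command, []
    if ACCESS_RANK.get(kws.get("UACC", "NONE"), 0) > 0:
        rewritten = re.sub(r"(?i)\bUACC\([^)]*\)", "UACC(NONE)", rewritten)
        changes.append("UACC forced to NONE")
    if re.search(r"\bWARNING\b", rewritten.upper()):   # does not match NOWARNING
        rewritten = re.sub(r"(?i)\bWARNING\b", "NOWARNING", rewritten)
        changes.append("WARNING replaced with NOWARNING")
    if changes:
        return _record(issuer, command, Decision("MODIFY", rewritten, "; ".join(changes)))
    return _record(issuer, command, Decision("ALLOW", command, "compliant"))


if __name__ == "__main__":
    for issuer, cmd in [
        ("JOE", "PERMIT 'PCI.CREDIT.DATA' ID(JOE) ACCESS(ALTER)"),
        ("PCIADM", "ALTDSD 'PCI.CREDIT.DATA' UACC(READ) WARNING"),
        ("PCIADM", "PERMIT 'PCI.CREDIT.DATA' ID(*) ACCESS(READ)"),
    ]:
        d = evaluate(issuer, cmd)
        print(f"{issuer:7} {d.action:6} {d.command!r} ({d.reason})")
```

The point of the MODIFY path is that an administrator who types UACC(READ) out of habit ends up with a profile that still denies by default, while the FAIL path covers the one change no rewrite can fix; both outcomes land in the log, which is what lets the 10.2.2 review later reconstruct who tried what.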
How Does Vanguard Policy Manager™ Address PCI DSS?
• Requirement 7 - Restrict access to cardholder data by business
need to know
- Can “Lock Down” PCI related RACF profiles once set up correctly
SETROPTS PROTECTALL settings
PCI related Dataset and General Resource profiles
• Requirement 8 - Identify and authenticate access to system
components
- Lock down SETROPTS for password
» Password Format
» Password Attempts
» Password Expiration
• Requirement 9 - Restrict physical access to cardholder data (9.8: destroy media when it is no longer needed)
- Lock down SETROPTS ERASE-ON-SCRATCH (ERASE(ALL) overwrites the space of every DASD dataset when it is scratched or released, so residual cardholder data cannot be read back)
- Lock down PCI related Dataset Profiles for ERASE-ON-SCRATCH
• Requirement 10 - Track and monitor all access to network
resources and cardholder data
- Lock down Audit Parms on PCI Dataset & General Resource Profiles
Vanguard Policy Manager™ screens (screenshots not reproduced):
• SETROPTS policy
• Not authorized to change SETROPTS
• Dataset policies
• Not authorized to alter PCI dataset profile
• The user had SYSTEM SPECIAL but was not authorized to the $VPM PCI profiles, so the command was NOT executed: SPECIAL alone does not bypass the policy
• The attempt is logged as a violation. It can be reported on using Vanguard Advisor™ (usually the next day), or Vanguard Active Alerts™ can send an immediate notification
Vanguard Policy Manager™ enhanced command logging (screenshot not reproduced)
Vanguard Enforcer™
• What is Vanguard Enforcer™
- Ability to notify and optionally Correct
- Manage the Security Implementation Baseline that Enforces Your Security Policies
- Continuous Scanning of RACF Security Profiles Looking for Deviations from the Baseline
- Logs all Scan Operations and Deviations Found
How Does Vanguard Enforcer™ Address PCI DSS?
• Requirement 7 - Restrict access to cardholder data by business
need to know
- Can ensure that if someone obtains access they are not supposed to have, you are either notified or the setting is changed back to the baseline automatically
• Requirement 10 - Track and monitor all access to network resources
and cardholder data
- 10.5.5 Use file-integrity monitoring or change-detection software on logs
to ensure that existing log data cannot be changed without generating
alerts
Make sure that the SMF parmlib member (SMFPRMxx) is not changed, since that could affect which record types are collected
Make sure that no new SMF exits (for example IEFU83/IEFU84) are implemented, since an exit can suppress records before they are written
• Requirement 11 - Regularly test security systems and processes
- 11.5 Deploy a change-detection mechanism (for example, file-integrity
monitoring tools) to alert personnel to unauthorized modification of
critical system files, configuration files or content files
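What 10.5.5 and 11.5 ask for on z/OS is a baseline of the members that govern logging and the ability to detect and, where wanted, undo drift from it. The following is an added example of that loop, written for this page rather than taken from Vanguard Enforcer: it hashes a constructed set of parmlib members (SMFPRM00 and IEASVC00 contents are assumed, not copied from a real system), reports modified, missing and unexpected members, calls out newly added SMF exits by name because that is the change most likely to silently drop records, and restores the baseline on request.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed parmlib members for the example; the contents are assumed, not
# taken from a real system.
BASELINE = {
    "SMFPRM00": "ACTIVE\nDSNAME(SYS1.MAN1,SYS1.MAN2)\nSYS(TYPE(30,80,81,83))\nEXITS(IEFU83,IEFU84)\n",
    "IEASVC00": "SVCPARM 255,REPLACE,TYPE(3),EPNAME(IGC0025E)\n",
}
EXITS_RE = re.compile(r"EXITS\(([^)]*)\)")


@dataclass(frozen=True)
class Deviation:
    member: str
    kind: str    # MODIFIED, MISSING or UNEXPECTED
    detail: str


def digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def snapshot(members: dict) -> dict:
    """Baseline: one SHA-256 per member, to be kept apart from the members."""
    return {name: digest(text) for name, text in members.items()}


def smf_exits(text: str) -> set:
    """Exit names declared in an SMFPRMxx EXITS(...) statement, if any."""
    m = EXITS_RE.search(text)
    return set(x.strip() for x in m.group(1).split(",") if x.strip()) if m else set()


def scan(baseline_hashes: dict, baseline_members: dict, current: dict) -> list:
    """Compare the live members against the baseline; return every deviation."""
    found = []
    for name, h in baseline_hashes.items():
        if name not in current:
            found.append(Deviation(name, "MISSING", "member deleted"))
        elif digest(current[name]) != h:
            new_exits = smf_exits(current[name]) - smf_exits(baseline_members[name])
            detail = "content changed" + (f"; new SMF exits {sorted(new_exits)}" if new_exits else "")
            found.append(Deviation(name, "MODIFIED", detail))
    for name in current:
        if name not in baseline_hashes:
            found.append(Deviation(name, "UNEXPECTED", "member not in baseline"))
    return found


def enforce(baseline_members: dict, current: dict, deviations: list) -> tuple:
    """Notify-and-correct: restore baseline content, drop unexpected members,
    and return the corrected set together with a log of what was done."""
    corrected, log = dict(current), []
    for d in deviations:
        if d.kind in ("MODIFIED", "MISSING"):
            corrected[d.member] = baseline_members[d.member]
            log.append(f"{d.member}: restored from baseline ({d.detail})")
        else:
            corrected.pop(d.member)
            log.append(f"{d.member}: removed ({d.detail})")
    return corrected, log


if __name__ == "__main__":
    hashes = snapshot(BASELINE)
    live = dict(BASELINE)
    live["SMFPRM00"] = live["SMFPRM00"].replace("IEFU84)", "IEFU84,IEFU85)")
    for d in scan(hashes, BASELINE, live):
        print(d)
    _, actions = enforce(BASELINE, live, scan(hashes, BASELINE, live))
    print(actions)
```

The hashes, not the members, are what must be stored out of reach of the people who can edit parmlib; otherwise an attacker who can add an exit can also re-baseline it. Whether to run the enforce step automatically is a policy decision: for SMFPRMxx a silent revert is usually right, for other members a notification with a human in the loop may be safer.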
Vanguard Enforcer™ screens (screenshots not reproduced), including a Vanguard Enforcer™ Sensor Notification Alert example
Vanguard Advisor™
• What is Vanguard Advisor™?
- Uses Live or Historical SMF Records and Log Stream Data
- Conduct a Wide Variety of Analyses from an Array of Packaged and Customizable Reports
- 100s of Pre-Built Commonly Used Reports
- Customized Reports without the need to Learn Complex Reporting Languages
- Deliver Violation Notices and Reports via Email
How Does Vanguard Advisor™ Address PCI DSS?
• Requirement 4 - Encrypt transmission of cardholder data across
open, public networks
- Can help prove that FTP transfers use TLS rather than plain FTP and negotiate a strong (secure) cipher suite
• Requirement 10 - Track and monitor all access to network resources
and cardholder data
- 10.6 Review logs and security events for all system components to
identify anomalies or suspicious activity
Vanguard Advisor™ screens (screenshots not reproduced), including the PCI Requirement 4 FTP Advisor report
Vanguard Multi-Factor Solutions
• What are the Vanguard Multi-Factor Solutions? Two-Factor (Multi-Factor) Authentication:
» Vanguard ez/PivCard Authenticator™
» Vanguard ez/Token™
» Vanguard Tokenless Authentication™
• How Do Vanguard Multi-Factor Solutions Address PCI DSS?
- Requirement 8: Identify and authenticate access to system
components
8.3 Secure all individual non-console administrative access* and all remote
access to the CDE using multi-factor authentication
– By employing at least two of the following methods to authenticate
users
» Something you know, such as a password or passphrase
» Something you have, such as a token device or smart card
» Something you are, such as a biometric
* New with PCI DSS 3.2
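To make the "at least two of the following methods" concrete, here is an added example (not Vanguard's code and not from the slides) of a password plus time-based one-time password check, the "something you know" and "something you have" combination a token device provides. The user record, salt and password are constructed; the token seed is the RFC 6238 test-vector secret so the generated codes can be checked against the RFC's published values. The verifier accepts one step of clock skew either way and refuses to accept the same step twice, which is the replay case an assessor will ask about.

```python
import hashlib
import hmac
import struct

# Constructed user record: password hash (something you know) and token seed
# (something you have). The seed is the RFC 6238 SHA-1 test-vector secret.
USERS = {
    "PCIADM": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"constructed-salt", 100_000),
        "totp_seed": b"12345678901234567890",
        "used_steps": set(),   # time steps already consumed, to block replay
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(user: dict, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and +/- window steps for clock skew; never
    accept the same step twice, so a captured code cannot be replayed."""
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter in user["used_steps"]:
            continue
        if hmac.compare_digest(hotp(user["totp_seed"], counter), code):
            user["used_steps"].add(counter)
            return True
    return False


def verify_password(user: dict, password: str) -> bool:
    h = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(h, user["pw_hash"])


def authenticate(userid: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must succeed. Both are always evaluated (the OTP step is
    consumed either way) so the response does not reveal which one failed."""
    user = USERS.get(userid)
    if user is None:
        return False
    pw_ok = verify_password(user, password)
    otp_ok = verify_totp(user, code, unix_time)
    return pw_ok and otp_ok


if __name__ == "__main__":
    seed = USERS["PCIADM"]["totp_seed"]
    print("code at T=59:", totp(seed, 59))                    # RFC 6238 vector: 287082
    print("login:", authenticate("PCIADM", "correct horse", totp(seed, 59), 59))
    print("replay:", authenticate("PCIADM", "correct horse", totp(seed, 59), 59))
```

A hardware token or smart card differs from this only in where the seed or private key lives; the server-side logic (skew window, replay set, both factors evaluated together) is the same, and it is that logic, not the device, that 8.3 testing procedures examine.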
Some Professional Services Solutions
Vanguard Professional Services also has additional offerings to help you get PCI DSS ready:
• Limit access to system components & CHD through Role Based Access (PCI DSS 7.1)
• Annual penetration testing including z/OS (PCI DSS 11.3)
• DB2 to RACF security migration assistance
The End
Thank You
Here are some helpful Websites:
Requirements and Security Assessment Procedures
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf
PCI SSC Data Security Standards
https://www.pcisecuritystandards.org/security_standards/index.php
NIST Checklist
https://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=55
Vanguard zSecurity University™
May 23 – May 26: Basics of RACF Administration, 24 CPE, 4 days, Online
June 1 – June 3: RACF Security for z/OS Applications – ALL MODULES, 18 CPE, 3 days, Online
June 1: RACF Security for z/OS Applications – MODULE 1 – RACF for DB2, 6 CPE, 1 day, Online
June 2 – June 3: RACF Security for z/OS Applications – MODULE 2 – RACF for CICS, 12 CPE, 2 days, Online
June 6 – June 9: Beyond RACF Basics, 24 CPE, 4 days, Online
June 13 – June 15: Auditing z/OS and RACF, 18 CPE, 3 days, Online
June 21 – June 24: Beyond RACF Basics, 24 CPE, 4 days, Jacksonville, FL
June 27 – June 30: Basics of RACF Administration, 24 CPE, 4 days, Online
Register to attend a course, or to get more information: http://www.go2vanguard.com/training
Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits.
Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees
To register for a webinar or training course: go2vanguard.com, select Training
Questions?
How to Contact Us Vanguard Integrity Professionals
6625 South Eastern Ave., Suite 100
Las Vegas, NV 89119-3930
Direct/International: (702) 794-0014
Toll Free: (877) 794-0014
Fax: (702) 794-0023
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to
view these materials for your organization’s internal purposes. Any unauthorized reproduction,
distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard SecurityCenter for DB2
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of International Business Machines Corporation: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product and service names may be trademarks or service marks of others.