Recent high profile data thefts, along with industry statistics, indicate significant work remains to be done in most organizations to implement PCI DSS. In its 2010 Data Breach Investigation Report of 141 global organizations that experienced breaches, Verizon's Business Risk Team found that 83% of records compromised involved payment card data. "While other types of data are sought by certain groups (i.e. competitors may target IP), the vast majority of cybercriminals are looking for a quick and easy payoff. Payment cards certainly fit the bill." Investigations also showed that 79% of the organizations attacked that were subject to PCI DSS were not compliant with the standard.
InfoSphere Guardium is designed to help you meet standard compliance requirements. It includes four compliance accelerators that you are entitled to use with your Activity Monitoring or Vulnerability Assessment license: Basel II, Data Privacy, PCI DSS, and Sarbanes-Oxley (SOX). They can be downloaded from Passport Advantage as part of the InfoSphere Guardium e-assembly. In this article, you will get an overview of the PCI accelerator, looking at each of its major components. You will learn how the accelerator helps you design the correct reports and policies for compliance, and how it is also structured as a checklist of sorts to make it easy to demonstrate to an external auditor how you are managing to PCI compliance standards using InfoSphere Guardium.
This article assumes some knowledge of InfoSphere Guardium to do the hands-on activities, but the main points of the article, in terms of benefits for compliance, should be clear, even without prior Guardium experience. Because the examples show populated reports, this article also assumes that you have already installed and configured InfoSphere Guardium and are collecting data activity from your database servers.
In this article, you will learn:
- How to install the accelerator and configure a PCI role that will see the GUI enhancements specifically for the PCI accelerator.
- The layout of the accelerator and the reports that are included to demonstrate compliance. You will learn how to add members to groups that will enable those reports to return the correct information. The article also briefly discusses security policies and rules.
- How to use audit processes to automate compliance workflow for reviews and sign-offs.
Recommendation: You can download the checklist, which helps you to gather the required information to populate the groups used in the PCI reports and policies.
Summary for advanced users
If you are familiar with InfoSphere Guardium and don't need step-by-step instructions, here is a summary of what you need to do.
- Download and install the PCI DSS accelerator from Passport Advantage, assigning the PCI role to a user, and resetting the GUI layout for that user. See Install the PCI DSS accelerator and configure the PCI role for more details.
- Using the Guardium API (see the appendix) or the Group Builder (see Populating groups), populate the groups that are used to generate the reports you need, as summarized here:
- PCI Admin Users
- PCI Authorized Client IPs
- PCI Authorized Server IPs
- PCI Authorized Source Programs
- PCI Cardholder DBs
- PCI Cardholder Sensitive objects
- PCI Limited Access Users
- Configure a security policy, optionally using one of the PCI policies as a template. (See Set up the security policy.)
- Use regularly scheduled security assessments to detect common vulnerabilities or usage of bad practices for security. (See Run regular security assessments.)
- Use audit processes to automate sign-offs and review (See Use audit processes to automate sign-offs and review.)
Install the PCI DSS accelerator and configure the PCI role
The PCI DSS accelerator, along with the accelerators for Sarbanes-Oxley, Data Privacy, and HIPAA, is part of your entitlement to InfoSphere Guardium. Use the following steps to obtain and install it.
- From an authorized Passport Advantage ID, download the Accelerator module for your release of InfoSphere Guardium and upload it to your file server.
- Log in to the Guardium appliance as CLI (or as an admin with CLI), run the following CLI command, and follow the prompted steps:
store system patch install sys
- After the installation is complete, use the following CLI command to confirm that the patch installed successfully:
show system patch installed
In the output of the command, you should see a line for the accelerator that shows a status of DONE: Patch Installation Succeeded, as shown in Figure 1.
Figure 1. Successful installation of the PCI accelerator
InfoSphere Guardium uses roles to segregate the components that a particular user has access to. The Guardium access manager is responsible for assigning users to roles. The PCI role enables the person responsible for configuring Guardium for PCI compliance to see the relevant information in the Guardium user interface.
In this section, learn how to configure an existing user to have the PCI role in Guardium and configure the layout for the PCI accelerator.
Recommendation: When you configure the layout, that user will lose any existing UI customization, so it is recommended that you create a different user for testing purposes.
- Log in to the Guardium web UI using the accessmgr user account. Select a user (in this case, user1), and click Roles.
Figure 2. Adding a role for a user
- In the User Role Form, check the box for PCI, and then click
Figure 3. Adding a role for a user
- Next, click Change Layout to configure the user interface to add the PCI-specific user interface components.
Figure 4. Change the layout to activate PCI components of the user interface
- A window opens asking for an optional description. You can add a description or not, then click Reset.
Figure 5. Reset will reset the layout for the user when they log on
Now user1 is ready to begin configuring Guardium for PCI monitoring.
First, as user1, log in to the Guardium web interface. Because of your PCI role, you see a customized layout for PCI. If not already highlighted, click on the PCI Accelerator tab and then the Overview subtab. On the left navigation pane, you have the option of viewing an overview of the PCI Standard (as shown in Figure 6) or an introduction to the Guardium PCI accelerator itself.
Figure 6. An overview of the PCI standard
- From the left menu pane, select the PCI Data Security Standard to open the Introduction page.
- From the left menu pane, select PCI Accelerator for Compliance to get the detailed introduction to the PCI accelerator.
Plan and organize
The accelerator can help you with planning and organizing for PCI compliance activities. This section includes reports that inventory your cardholder database servers, database users, authorized source programs, and more.
You can use Guardium API automation to keep these inventories updated as your environment changes, or you can update the inventory manually using the GUI.
Click on the Plan & Organize tab and then click on the Overview option from the left navigation menu to get to the introduction of how the report templates in this section can help you:
- Create an inventory map of cardholder information servers, clients, databases, and users.
- View information about the "who, what, when, and how" of cardholder information that has been touched.
- Verify that generic IDs and accounts are disabled or removed and that there are no shared IDs for system administration activities and other critical functions.
Figure 7. Plan and organize overview
In the left menu pane, you see the list of report templates that are provided to help you plan and stay organized.
Figure 8. Built-in reports to help you plan and organize
If you click on any of these reports, you will see that no data is found, because the reports rely on groups being populated with relevant members. InfoSphere Guardium uses groups to simplify the management of the system. So, for example, you might have a group of cardholder databases and a group of authorized programs. The reports use the appropriate populated groups as a runtime parameter to show you the relevant information.
This becomes clearer as you continue in this article. First, you'll get a description of the reports and the relevant groups, and then you'll see how to find for yourself which groups a report is using and how to populate a group.
Here is an overview of the reports in the Plan & Organize tab and the group or groups each relies on.
- Cardholder Server IPs List: This reports the cardholder information database server list. You will need to populate the PCI Authorized Server IPs group, which specifies the database server that stores cardholder information.
- Cardholders Databases: Cardholder information databases. You will need to populate the PCI Cardholder DBs group.
- Cardholder Objects: Cardholder information objects. This could be a table, view, or stored procedure that contains the sensitive information. You will need to populate the PCI Cardholder Sensitive objects group.
- DB Clients to Servers Map: This report is a client to server mapping of PCI Authorized Server IPs (the group that specifies the database servers storing cardholder information) to client IPs that are accessing that server. See Figure 14 for an example.
- Active DB Users: This reports on users (who are not administrators) who are accessing the cardholder database. This report uses the PCI Admin Users group.
- Authorized Source Programs: This reports on the authorized credit applications. This report relies on the PCI Authorized Server IPs and the PCI Authorized Source Programs groups.
- Unauthorized Application Access: This report lets you know if there is a program other than one of your authorized credit applications accessing the authorized database server. Again, this relies on the PCI Authorized Server IPs and PCI Authorized Source Programs groups. (At runtime, the report uses negation on the PCI Authorized Source Program group to identify the unauthorized applications.)
- 8.5.8 Shared Accounts: PCI requirement 8 is that each person who has computer access is assigned a unique ID. This report can help identify when the same user ID is used from multiple client IPs to connect to the same server, which could indicate that ID sharing is occurring.
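To make the group-driven logic of these reports concrete, here is an added example (not code from the accelerator or from IBM) that reproduces four of them over a constructed set of session records. It assumes a session is described by server IP, client IP, database user and source program, and that group members may carry the % wildcard seen in the appendix listing (e.g. %SQLPLUS%); the case-insensitive matching is an assumption of this example.

```python
"""Added example: the Plan & Organize report logic over constructed sessions.

Groups mirror the PCI groups named on this page; their contents and the
sessions below are constructed sample data, not real inventory.
"""
import re
from collections import defaultdict

PCI_AUTHORIZED_SERVER_IPS = {"10.10.9.56", "10.10.9.57"}
PCI_AUTHORIZED_SOURCE_PROGRAMS = {"%SQLPLUS%", "SAP", "Oracle EBS"}
PCI_ADMIN_USERS = {"SA", "System", "DB2inst2"}

# Constructed sessions: (server_ip, client_ip, db_user, source_program)
SESSIONS = [
    ("10.10.9.56", "10.10.9.251", "SA", "sqlplus.exe"),
    ("10.10.9.56", "10.10.9.250", "appuser", "Oracle EBS"),
    ("10.10.9.57", "10.10.9.249", "appuser", "toad.exe"),   # program not authorized
    ("10.10.9.57", "10.10.9.250", "appuser", "SAP"),
    ("10.10.9.57", "10.10.9.249", "appuser", "SAP"),       # same ID from a 2nd client
    ("10.10.9.99", "10.10.9.249", "harry", "toad.exe"),    # not a cardholder server
]


def matches(value, pattern):
    """Group-member match where '%' matches any run of characters.
    Case-insensitivity is an assumption made for this example."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def in_group(value, members):
    return any(matches(value, m) for m in members)


def client_server_map(sessions):
    """'DB Clients to Servers Map': clients seen per authorized server."""
    clients = defaultdict(set)
    for server, client, _user, _prog in sessions:
        if server in PCI_AUTHORIZED_SERVER_IPS:
            clients[server].add(client)
    return {s: sorted(c) for s, c in clients.items()}


def active_db_users(sessions):
    """'Active DB Users': non-admin users seen on cardholder servers
    (negation of the PCI Admin Users group)."""
    return sorted({user for server, _c, user, _p in sessions
                   if server in PCI_AUTHORIZED_SERVER_IPS
                   and not in_group(user, PCI_ADMIN_USERS)})


def unauthorized_application_access(sessions):
    """'Unauthorized Application Access': a program on an authorized server
    that is NOT in the authorized source programs group."""
    return sorted({(server, client, prog)
                   for server, client, _user, prog in sessions
                   if server in PCI_AUTHORIZED_SERVER_IPS
                   and not in_group(prog, PCI_AUTHORIZED_SOURCE_PROGRAMS)})


def shared_accounts(sessions):
    """'8.5.8 Shared Accounts': one user ID reaching the same server from
    more than one client IP, a possible sign of ID sharing."""
    clients = defaultdict(set)
    for server, client, user, _prog in sessions:
        if server in PCI_AUTHORIZED_SERVER_IPS:
            clients[(server, user)].add(client)
    return {key: sorted(ips) for key, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, fn in [("Clients to servers", client_server_map),
                     ("Active DB users", active_db_users),
                     ("Unauthorized application access", unauthorized_application_access),
                     ("Shared accounts", shared_accounts)]:
        print(f"{name}: {fn(SESSIONS)}")
```

The report in the accelerator applies exactly this kind of group filter and negation at query time; populating the groups is therefore what turns an empty report into a useful one.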
To see the magic behind the reports, you can go to any report and click on the pencil icon to see the query that is used to build the report.
Figure 9. Edit a report to see the query behind it
The Query Builder will include the names of relevant group or groups used when running the report.
Figure 10. Query conditions for a report may contain groups
Your task now is to populate the group, and you'll do that using the Group Builder.
You can access the Group Builder from many different places as groups are a critical component of reporting, security assessments, and policy rules. You navigate to the Group Builder from the Comply tab, which is a tab that appears when you are logged on in the user role. Click on the Comply tab, then select Group builder from the graphic, as shown in Figure 11.
Figure 11. Accessing the group builder tool
Highlight the group you want to modify, and then click Modify. In Figure 12, PCI Authorized Server IPs is selected.
Figure 12. Modify the built-in group
In the Manage Members for Selected Group portlet you can add authorized server IPs to the group. Enter each server IP, and then click Add to put the member in the Group Members window. When you are done, click Back.
Figure 13. Adding members to a group
You can also use the Guardium APIs to populate your groups. The appendix includes an example of how to do this.
As shown in Figure 13, the authorized server IP group is populated with the following IPs:
The client-to-server map report, shown in Figure 14, which uses that authorized server IP group for its query, shows the client accesses to just those two server IPs.
Figure 14. Client-to-server map report
Track and monitor (PCI requirement 10)
Now that you've populated your groups and are able to report on PCI assets and use patterns, you're ready to move on to the Track & Monitor tab. Requirement 10 of the standard states that you must track and monitor all access to network resources and cardholder data. This tab includes a combination of reports and information to help you reach compliance with this part of the standard. Let's take a look.
Figure 15. Reports and activities to comply with Requirement 10
- 10.2 and 10.3 Automation: This section explains the requirements for this part of the standard and how InfoSphere Guardium reports help you comply. Compliance automation enables you to schedule reports and send reports to the appropriate people for action, if required, and sign-off. For more information, see the online help section entitled Protect and Comply.
- 10.2.1 Data Access: This report documents access to cardholder data and relies on the PCI Authorized Server IPs and PCI Admin Users groups (negation on this group means that users who are not admin users are tracked).
- 10.2.2 Admin Activity: Similar to the Data Access report, except that it tracks admin user access to PCI data.
- 10.2.3 Audit Trail Access: This section explains that compliance to this part of the standard requires that the access to audit trails be logged to detect tampering by malicious users who may attempt to hide their tracks. InfoSphere Guardium is self-monitoring so that all actions on the appliance are monitored.
- 10.2.4 Invalid Access: This section contains two reports that can help you detect if someone is trying a brute force attack or if there is an unauthorized application accessing cardholder objects.
- 10.2.6 Initialization Log: PCI section 10.2.6 is concerned with initialization of assessment logs because loss of the log data means that evidence is completely destroyed. This section of the PCI accelerator explains how InfoSphere Guardium handles audit logs, which are encrypted and archived to secondary storage. The data can be restored to the Guardium appliance if required for incident investigation.
- 10.5 Secure audit trails: This section explains how Guardium helps you address this section of the compliance standard, including use of security roles for separation of duties, the use of a hardened, tamper-proof appliance to protect the audit repository, and the ability to automate the archive and purge processes.
- 10.6 Access Auditing: This section of the standard is concerned with frequency of log review, at least daily, to ensure that a breach is detected early. With InfoSphere Guardium, you can use the audit process workflow to automate review of audit reports and create an audit trail of review and sign-offs to validate that you have met the requirements of this part of the standard. See Using audit processes to automate compliance workflow for more information.
Run regular security assessments (PCI requirement 11)
Click on the Ongoing validation (PCI Req 11) tab. This section of the accelerator addresses the PCI requirement to "develop configuration standards for all system components" through its extensive library of assessment tests, which are built around the Center for Internet Security (CIS) benchmarks and the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG). For PCI Requirement 11.5, which requires regular monitoring of changes to critical system files, the assessment also includes configuration file "bad practices" tests as well as a configuration audit system that monitors any changes to those files after they have been locked down.
This section relies on capabilities found in the Vulnerability Assessment tools in InfoSphere Guardium.
From the PCI Req. 11 Ongoing Validation tab, click Overview to get the introduction about the importance of doing regular assessments of possible vulnerabilities.
- From the left menu pane, select Security Assessment.
- From the graphic on that pane, select Define what database you want assessed to open the Security Assessment builder.
Figure 16. Accessing security assessments
- Click New to create a new assessment.
Figure 17. Creating a new assessment
- Enter a description and time period for this assessment, and click Add Datasource to associate this assessment with a data
Figure 18. Add a datasource for the assessment
- Enter the name and type for the database as well as the user name and password. Enter the server IP, port, and service name (if needed for that database). Click Apply, and then click Back.
Figure 19. Datasource details
- Click Test Connection to make sure Guardium can connect to the data source with the provided information. If all is well, click Back.
- In the Datasource Finder, select the data source you just created, and then
Figure 20. Add the datasource to the new assessment
This adds this data source to the assessment you are building, as shown in Figure 21. Click Apply.
Figure 21. Datasource added to the assessment
Click Configure Tests…, which brings up the screen shown in Figure 22. From your database type tab, select and add tests, which are based on database security best practices, and test for common vulnerability exposures (CVEs). You may want to start by identifying only critical exposures and then add additional tests after you fix the critical vulnerabilities.
Figure 22. Guardium includes a wide variety of built-in assessment tests
- Click Run Once Now to run the assessment immediately. This may take a while if you have a lot of tests, which is why it is recommended to add these security tests to an audit process, which can be scheduled. (See Using audit processes to automate compliance workflow for more information.)
As shown in the excerpts in Figure 23, you get an assessment result that shows you which tests passed, which tests failed, and how you can fix the failures. There is also a graph that shows you results over time so that you can set goals and show progress.
Figure 23. Assessment test results
Again, it is recommended to add security assessment testing on a regular schedule by using the audit process to help you comply with the PCI requirements.
This section has only briefly touched on the topic of vulnerability assessments. Be sure to read the Assess and Harden online help book for more information.
Set up the security policy
Click on the PCI Policy Monitoring tab. This section of the accelerator is all about using policies, which are at the heart of how InfoSphere Guardium does its job. Click Overview to learn how InfoSphere Guardium policy-based monitoring and protection helps you comply with PCI mandates, including the ability to create a policy based on "normal" baseline activity so that deviations from that baseline can be logged as policy violations.
InfoSphere Guardium policies consist of an ordered set of rules that is applied to the observed traffic between the database clients and servers. The three main types of rules are:
- Access rules, which apply to traffic coming from the database client to the database server.
- Exception rules, which apply to any exceptions returned from the database server to the client.
- Extrusion rules, which apply to data results. This might include a policy rule to mask returned data, for example.
Although we describe how to find the currently installed policy and view its rules, the detailed information about how to create rules and their behavior is outside the scope of this article. If you are responsible for creating policies in your organization, you should definitely review some of the materials highlighted in Resources to learn more.
- From the left menu pane, click Policy Description to see the currently installed policy, which will look something like Figure 24.
Figure 24. Installed policy
- To edit or create a new policy, click on the Monitor/Audit tab. This takes you to the policy finder where you can find a list of predefined policies that you can modify. You can create your own policy by creating new rules or by cloning an existing policy and modifying the rules. Let's see how to do that.
- Click on the policy you want to modify, such as PCI, and click
Figure 25. Cloning an existing policy to modify its rules
- Give the policy a new name, and then click Save.
Figure 26. MYPCI new name
- Select your policy from the policy finder list, and then click Edit
Figure 27. Modifying rules of cloned policy
- As shown in Figure 28, you will see a collapsed list of all the policy rules in the PCI policy that you can modify for your environment. You'll see many different rules, including ones that detect and log violations for access to credit card magnetic stripe data and credit card number patterns, as well as ones that mask those numbers upon return to an unauthorized user.
To view a rule, you can click on the plus sign. To modify the rule, click on the pencil icon as shown in Figure 28, where you are modifying rule 6.
Figure 28. Click on pencil icon to modify a rule
- Figure 29 is policy rule 6 expanded. Here, you can see two groups, Cardholder DB Objects and DDL commands, that you need to add members to if you have not done so already. Remember how we said that Group Builder can be found in many places in Guardium? You can see it here in the Policy Builder.
Figure 29. Modify Cardholder Objects and DDL commands groups for this rule
- Click on the Group builder icon and enter members to the group, as described in Populating groups.
- Any time you change a policy, you must install the policy. It's a simple click of a button to install, but you will not do that here, because you are just looking at an existing PCI policy to see some of the rules that are there that you may want to use for your environment.
- Now navigate back to PCI Accelerator > PCI Policy Monitoring, and from the left menu pane select Policy Violations. This is where any policy rules that are triggered appear. You can define the severity of the rule as INFO, LOW, MEDIUM, or HIGH. Figure 30, for example, is an excerpt of Rule #4 of the built-in PCI policy, which has a medium level severity.
Figure 30. A medium severity alert for an exception violation
The violations will be color coded in the Policy Violations report according to severity.
Use audit processes to automate compliance
A key ingredient in the recipe to reduce the burden of PCI compliance and to maintain an audit trail of all reviews and approvals is to use an audit process, which lets you define:
- What activities, such as reports or security assessments.
- Who has to review or sign off.
- When the activities in this audit process run. For example, some activities must be run daily, others may be weekly, monthly, or even quarterly.
Figure 31 shows a sample audit process flow. In this example, the PCI owner must review and approve all new connections to the database. That gets passed on to the Information Security officer who must review, and finally to the Guardium administrator, who has a task to perform to ensure that the approved connection does not get reported as a violation in the future. The PCI owner and the Guardium administrator receive PDFs and CSVs of the report in their e-mail, while the information security office receives a link to the report.
Figure 31. Audit process workflows automate compliance processes
The audit process shown in Figure 31 can be run on a scheduled basis to ensure that new connections are being reviewed and acted upon in a timely fashion.
Figure 32 shows an example of the audit trail comments that are included with the report.
Figure 32. The comments are included with the report for auditing
Reports can be automatically fed to a content repository such as Microsoft™ SharePoint after all the previous receivers have reviewed and signed off. This makes it easy to retrieve all the information you need to satisfy an audit, including comments from the reviewers, without requiring retrieval of archived audit data.
In addition, by using the data-level security feature in InfoSphere Guardium, you can define a single report and still ensure that only those people who are associated with a particular database server see results for that server. For more information about using data-level security and audit processes, refer to the developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (see Resources).
By following the best practices outlined by the standards, you are taking a major leap forward in protecting your data assets from costly and embarrassing breaches.
InfoSphere Guardium standards accelerators are designed specifically to make it easy to demonstrate compliance to various standards such as PCI, Basel II, Sarbanes-Oxley, and data privacy. Not only are report and policy templates included for you, the accelerator itself helps you demonstrate to an auditor specifically which section of the compliance standard is being addressed and how. Automated workflow management helps you maintain compliance with a reduced total cost of ownership.
Appendix: Use InfoSphere Guardium API to populate groups
InfoSphere Guardium has a rich set of APIs to help you automate configuration and maintenance of groups. You can get more information in the Appendices help or from the command-line interface (CLI).
When logged in as CLI or as a user with a CLI role, to see a list of all grdapi commands, enter:
To see the parameters for a particular command, enter the command and
CLI> grdapi create_member_to_group_by_desc --help=true
Listing 1 shows an example of using the APIs to populate PCI groups and to list the members of those groups.
Listing 1. Using the Guardium APIs to populate groups for PCI compliance
-- Populate PCI groups
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="Joe"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="JDiPietro"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="SA"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="System"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="DB2inst2"
grdapi create_member_to_group_by_desc desc="PCI Admin Users" member="bill"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.251"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.57"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.250"
grdapi create_member_to_group_by_desc desc="PCI Authorized Client IPs" member="10.10.9.249"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.57"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.251"
grdapi create_member_to_group_by_desc desc="PCI Authorized Server IPs" member="10.10.9.250"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="%SQLPLUS%"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="SQLPLUS"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="SAP"
grdapi create_member_to_group_by_desc desc="PCI Authorized Source Programs" member="Oracle EBS"
grdapi create_member_to_group_by_desc desc="PCI Cardholder DBs" member="master"
grdapi create_member_to_group_by_desc desc="PCI Cardholder DBs" member="creditcard"
grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="creditcard"
grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="cc"
grdapi create_member_to_group_by_desc desc="PCI Cardholder Sensitive objects" member="patient"
grdapi create_member_to_group_by_desc desc="PCI Limited Access Users" member="harry"
-- Verify members added to group
grdapi list_group_members_by_desc desc="PCI Limited Access Users"
grdapi list_group_members_by_desc desc="PCI Cardholder Sensitive objects"
grdapi list_group_members_by_desc desc="PCI Cardholder DBs"
grdapi list_group_members_by_desc desc="PCI Authorized Source Programs"
grdapi list_group_members_by_desc desc="PCI Authorized Server IPs"
grdapi list_group_members_by_desc desc="PCI Authorized Client IPs"
grdapi list_group_members_by_desc desc="PCI Admin Users"
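Typing Listing 1 by hand does not scale, and a mistyped server IP silently narrows every report that filters on the PCI Authorized Server IPs group. The following added example (not part of the accelerator or of the Guardium API) generates the same grdapi command lines from a group-to-members mapping, such as the pre-audit checklist, validating IP-group members and rejecting members that cannot be double-quoted; it only uses the two commands and the desc=/member= parameters shown in Listing 1.

```python
"""Added example: generate Listing 1-style grdapi commands from a mapping.

The commands emitted are the ones shown on this page; the validation rules
(IPv4/IPv6 check for IP groups, no embedded double quotes) are assumptions
made for this example, not behaviour of grdapi itself.
"""
import ipaddress

# Groups whose members must be IP addresses (names from this article).
IP_GROUPS = {"PCI Authorized Client IPs", "PCI Authorized Server IPs"}


def check_member(group, member):
    """Return the member if it can be passed safely as member="..."."""
    if '"' in member or "\n" in member:
        raise ValueError(f"member {member!r} cannot be double-quoted for grdapi")
    if group in IP_GROUPS:
        ipaddress.ip_address(member)  # raises ValueError on a malformed address
    return member


def grdapi_script(groups):
    """Build the command lines: one create per member (duplicates dropped,
    order preserved), then one list command per group to verify the result."""
    lines = ["-- Populate PCI groups"]
    for group, members in groups.items():
        seen = set()
        for member in members:
            member = check_member(group, member)
            if member in seen:
                continue  # re-adding the same member is pointless noise
            seen.add(member)
            lines.append(
                f'grdapi create_member_to_group_by_desc desc="{group}" member="{member}"'
            )
    lines.append("-- Verify members added to group")
    for group in groups:
        lines.append(f'grdapi list_group_members_by_desc desc="{group}"')
    return lines


# Constructed checklist data, a subset of Listing 1 plus one duplicate.
CHECKLIST = {
    "PCI Authorized Server IPs": ["10.10.9.56", "10.10.9.57", "10.10.9.56"],
    "PCI Authorized Source Programs": ["%SQLPLUS%", "Oracle EBS"],
    "PCI Cardholder DBs": ["creditcard"],
}

if __name__ == "__main__":
    print("\n".join(grdapi_script(CHECKLIST)))
```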
Download: PCI pre-auditing checklist (PCIpre-audit.pdf, 143KB)
- The Getting started with PCI security standards website is a great introduction to the PCI DSS standard.
- This article cites the Verizon Data Breach Investigation Report 2010. Links to all reports can be found at the Verizon Enterprise website.
- The InfoSphere Guardium website includes links to white papers, demos, and more.
- The developerWorks article "Use data-level security for granular access control of auditing results in InfoSphere Guardium" (developerWorks, February 2013) includes step-by-step instructions for how to enable data-level security and how to incorporate it into an audit process workflow.
- A new developerWorks community for InfoSphere Guardium is evolving to include links to relevant technical content, industry-specific information, and FAQs. Join the community and help it grow.
- Visit the InfoSphere Guardium Tech Talk page to find links to recordings of previous tech talks and get information about upcoming talks.
- The InfoSphere Guardium Information Center includes many "how-tos" to help you make the most of the InfoSphere Guardium data activity monitoring solution. The topic of creating a visual access map is covered in this topic of the Information Center.
- Watch videos on the InfoSphere Guardium YouTube channel, including demos of support for SAP, DB2 for z/OS, and others.
- Stay current with information, events, and industry news related to data security and privacy by registering for the InfoSphere Guardium newsletter.
- Get involved in the Guardium users group on LinkedIn to ask questions and get advice from other users.