Hitachi


Previous PDF

swipe to navigate

The Payment Card Industry Data Security Standard (PCI-DSS) is a brief, pragmatic and very reasonable set of standards intended to guide financial institutions, retailers and other data processors in protecting data about credit cards and their owners.

It is organized into six logical categories:

  1. Build and Maintain a Secure Network.
  2. Protect Cardholder Data.
  3. Maintain a Vulnerability Management Program.
  4. Implement Strong Access Control Measures.
  5. Regularly Monitor and Test Networks.
  6. Maintain an Information Security Policy.

PCI-DSS is unique among major regulatory requirements for corporations and government agencies in that it specifically lays out what organizations must do and what they must not do to comply. This makes compliance much more straightforward than regulations such as SOX, HIPAA, etc. which are ambiguous in regards to information security.

To fulfill all of the requirements in PCI-DSS, organizations must deploy a combination of sound business practices and various security technologies, including firewalls, virus scanners, identity management systems and more.

The full text of the PCI DSS version 3.2 may be found here:

https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

This document outlines how components of the Hitachi ID Identity and Access Management Suite can assist organizations in compliance with PCI-DSS.

The Regulation in Detail

Hitachi ID Suite can help organizations to comply with PCI-DSS requirements and (wherever relevant) itself complies as follows:

Requirement

Details

Product

Feature
2.1

Always change vendor-supplied defaults before installing a system on the network -- for example, include passwords, simple network management protocol (SNMP) community strings and elimination of unnecessary accounts.

Hitachi ID Privileged Access Manager

Scrambles all sensitive passwords regularly, eliminating defaults.
2.1.1

For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords and SNMP community strings. Ensure wireless device security settings are enabled for strong encryption technology for authentication and transmission.

Privileged Access Manager

Can be used to house randomized encryption keys, SNMP community strings, etc.
2.3

Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.

Privileged Access Manager

Ensures that when administrators request administrative credentials, they do so only with strong authentication and over an encrypted UI (HTTPS).
3.4.1

If drive encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

Privileged Access Manager

Can be used to securely store encryption keys for storage volumes.
3.5

Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:

Privileged Access Manager

Can be used as a secure key repository.
3.6

Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

Privileged Access Manager

Can be used to generate, control disclosure of, periodically replace and securely store cryptographic keys (not just passwords). This makes it suitable as a cryptographic storage platform, not just a privileged password management system. The built-in workflow system can be used to support 3.6.6 -- Split knowledge and establishment of dual control of cryptographic keys.
6.3.6

Removal of custom application accounts, user IDs and passwords before applications become active or are released to customers

Privileged Access Manager

Can be used to eliminate hard-coded login IDs and passwords in applications. Instead, applications use an Privileged Access Manager API to fetch IDs and passwords to back-end systems.
6.4

Follow change control procedures for all changes to system components.

Privileged Access Manager

Can be used to enforce change control processes -- i.e., no approved change control means no password disclosure.
6.5

Develop all web applications (internal and external and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes, to include the following:

Various

See below..
6.5

OWASP: testing for vulnerable Pwd Reset... http://www.owasp.org/...

Hitachi ID Password Manager

Secure authentication prior to self-service password reset.
6.5

OWASP: Password length & complexity

Password Manager

Password complexity checking and secure random password generator.
6.5.1

Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

Hitachi ID Suite

Complies itself -- all inputs are filtered.
6.5.2

Buffer overflow

Hitachi ID Suite

Complies itself -- all inputs are checked for size and trimmed if required.
6.5.3

Insecure cryptographic storage

Hitachi ID Suite

Complies itself -- strong crypto is used to protect sensitive data such as passwords and security questions.
6.5.4

Insecure communications

Hitachi ID Suite

Complies itself -- inbound communications are HTTPS and outbound user a variety of protocols, depending on what the target system supports.
6.5.5

Improper error handling

Hitachi ID Suite

Complies itself -- Error handling is strictly local and does not leak credentials.
6.5.6

All -High vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).

Hitachi ID Suite

Complies itself -- all releases are tested for security vulnerabilities.
6.5.7

Cross-site scripting (XSS)

Hitachi ID Suite

Complies itself -- for example, by filtering out HTML content from input fields, which could otherwise be used to inject scripts from another site into a user's session.
6.5.8

Improper Access Control (such as insecure direct object references, failure to restrict URL access and directory traversal)

Hitachi ID Suite

Complies itself -- all inputs are filtered. Moreover, access to sensitive data within Hitachi ID Suite is subject to rigorous access controls, linked to both the identity of the requester and the data being accessed.
6.5.9

Cross-site request forgery (CSRF)

Hitachi ID Suite

Complies itself -- generally by avoiding use of cookies to track authentication state and limiting functionality available via HTTP GET.
7.1

Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the following:

Hitachi ID Identity Manager

Can assign application privileges based on user roles.
7.1.1

Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities

Privileged Access Manager

Access to privileged accounts can be controlled by user group (role). and authenticated personally.
7.1.2

Assignment of privileges is based on individual personnel job classification and function

Identity Manager

Used to assign privileges, including by role assignment.
7.1.3

Requirement for an authorization form signed by management that specifies required privileges

Identity Manager

Workflow approval can be required prior to role assignment.
7.1.4

Implementation of an automated access control system

Hitachi ID Suite

All products in the Hitachi ID Suite incorporate a flexible access control system internally. Moreover, Identity Manager is designed to configure access control on integrated systems and applications while Privileged Access Manager is designed to control access to privileged accounts across an IT environment.
7.2

Establish an access control system for systems components with multiple users that restricts access based on a user's need to know and is set to -- deny all unless specifically allowed. This access control system must include the following:

Identity Manager

Is used to manage user entitlements, which are typically assigned on a least privilege basis.
7.2.1

Coverage of all system components

Privileged Access Manager

Includes 130 connectors.
7.2.2

Assignment of privileges to individuals based on job classification and function

Identity Manager

Supports role-based access control (RBAC).
8.1

Assign all users a unique ID before allowing them to access system components or cardholder data.

Identity Manager

Supports assignment of globally unique IDs to all users and correlation of locally unique IDs to global profiles.
8.2

In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
  • Password.
  • Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)

Hitachi ID Suite

Supports management of all of these types of authentication factors. Authenticates users into its own portal with any combination of the above types of authentication factors.
8.3

Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

Hitachi ID Suite

Supports cost effective provisioning, support and deactivation of two-factor authentication factors, such as tokens and smart cards. Supports use of a cell phone plus password as an ad-hoc two-factor authentication method.
8.5

Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:

-

See details below.
8.5.1

Control addition, deletion and modification of user IDs, credentials, and other identifier objects.

Identity Manager

Streamlines the management of user IDs, credentials and entitlements.
8.5.2

Verify user identity before performing password resets.

Password Manager

Secures self-service and assisted-service password reset processes.
8.5.3

Set first-time passwords to a unique value for each user and change immediately after the first use.

Identity Manager

Allows organizations to control the issuance and expiration of initial passwords on accounts it creates.
8.5.4

Immediately revoke access for any terminated users.

Identity Manager

Automates termination with a data feed from a system of record (HR), plus allows authorized users to trigger immediate or scheduled deactivation through a web request form.
8.5.5

Remove inactive user accounts at least every 90 days.

Identity Manager

Tracks inactive accounts and automatically removes them after N days.
8.5.6

Enable accounts used by vendors for remote maintenance only during the time period needed.

Privileged Access Manager

Can assign temporary passwords for a short "password checkout" period. Also supports launching a remote control connection for vendors, etc. without disclosing the current password value.
8.5.7

Communicate password procedures and policies to all users who have access to cardholder data.

Password Manager

Can be used not only to enforce policies but also to communicate policies to end users and track acceptance of same.
8.5.8

Do not use group, shared, or generic accounts and passwords.

Privileged Access Manager

Enables organizations to randomize sensitive passwords daily, thereby eliminating the possibility that users share them or never change them.
8.5.9

Change user passwords at least every 90 days.

Password Manager

Can require users to change all passwords regularly, including on systems and applications with no native password expiration capability.
8.5.10

Require a minimum password length of at least seven characters.

Hitachi ID Suite

Identity Manager, Password Manager and Privileged Access Manager can all enforce complex password policies, including minimum length rules, for password creation, changes and randomization, respectively. Seven is a bit short, however...
8.5.11

Use passwords containing both numeric and alphabetic characters.

Hitachi ID Suite

All products can enforce a rich variety of password complexity rules.
8.5.12

Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

Password Manager

Can enforce "infinite" (i.e., open-ended) password history requirements, to eliminate password reuse entirely.
8.5.13

Limit repeated access attempts by locking out the user ID after not more than six attempts.

Hitachi ID Suite

All Hitachi ID Suite components include intruder lockout to prevent repeated login attempts with invalid credentials.
8.5.14

Set the lockout duration to 30 minutes or until administrator enables the user ID.

Hitachi ID Suite

All Hitachi ID Suite components can enforce this capability for login attempts into Hitachi ID Suite.
8.5.15

If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

Hitachi ID Suite

All Hitachi ID Suite components can enforce this capability for login attempts into Hitachi ID Suite.
8.5.16

Authenticate all access to any database containing cardholder data. This includes access by applications, administrators and all other users.

Privileged Access Manager

Can enforce this requirement even for applications that have no personal login IDs. In these cases, it randomizes system-level passwords daily and requires IT workers to self-authenticate when they need the current password value.
9.1

Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

Identity Manager

Can manage the assignment and activation of building access badges.
10.1 -- 10.3

Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.

Privileged Access Manager

Creates precisely this audit log. This even includes movies of administrator sessions.
12.1

Establish, publish, maintain and disseminate a security policy that accomplishes the following:

Hitachi ID Suite

Clearly, Hitachi ID Suite cannot develop policies for any Hitachi ID Systems customer -- it's just software. However, a variety of Hitachi ID Suite capabilities support the following policy requirements.
12.2

Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures and log review procedures).

Hitachi ID Suite

Supports standards and controls over user account maintenance and logging of administrative access.
12.3.1

Explicit approval by authorized parties

Hitachi ID Suite

Identity Manager and Privileged Access Manager in particular include a robust workflow engine used for change approvals. This applies to requests for access to systems in the former and requests for privileged access in the latter.
12.3.2

Authentication for use of the technology

Hitachi ID Suite

Password Manager supports strong authentication by helping users to manage their own credentials. Privileged Access Manager authenticates IT staff before granting privileged access.
12.3.3

A list of all such devices and personnel with access

Privileged Access Manager

Includes infrastructure auto-discovery and all other Hitachi ID Suite components include user ID auto-discovery.
12.3.8

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

Privileged Access Manager

Supports this for administrative sessions in particular.
12.3.9

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

Privileged Access Manager

Supports granting and terminating of temporary privileged access to users, including vendors and partners.
  Assign to an individual or team the following information security management responsibilities:

-

See below how Hitachi ID Suite can with some tasks.
12.5.4

Administer user accounts, including additions, deletions and modifications

Identity Manager

Automates the processes around user access setup/update/tear-down.
12.6.2

Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

Password Manager

Includes a mechanism to invite users to read and acknowledge policy documents.
12.7

Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history and reference checks.)

Identity Manager

Includes both task dependencies and implementer tasks. Together, these features are used to verify completion of such preliminary tasks before granting logical or physical access to a new user.

Previous PDF