I had the opportunity to read a great post on PCI-DSS! I want to follow up on this topic and focus on implementing and maintaining PCI-DSS with a Data Loss Prevention (DLP) solution.
PCI-DSS is not only a matter of defining controls to meet some requirements. It is really important to guarantee that all the effort spent to meet the requirements will not be undone a few months later because nobody is taking care of cardholder data, or because brand new, unprotected applications process this information. I will focus on 3 of the PCI-DSS requirements and on how a DLP solution can help during the cardholder data lifecycle:
- Requirement 3: Protect Stored Data
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 10: Track and Monitor all access to network resources and cardholder data
In order to meet these 3 requirements the first tasks to complete are to identify confidential data and to understand where they are stored and how they are used.
In the context of PCI-DSS the first item is probably the easiest: we are looking for cardholder data. We will define policies that look for credit card numbers and PANs (Primary Account Numbers) using regular expressions and ad hoc data identifiers.
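A regular expression alone produces many false positives (order ids, ticket numbers), so a data identifier normally combines it with a Luhn checksum and an issuer-prefix check. The following is an added example of such a PAN identifier, not code from the original post or from Symantec DLP; the brand prefix table and the sample text are assumptions constructed for the example, and the card numbers in it are the brands' published test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Issuer (IIN) checks for the major brands; an assumption of this example, not a
# complete industry table, but enough to cut regex-only false positives.
_IIN_RULES = (
    ("Visa", lambda n: n[0] == "4" and len(n) in (13, 16, 19)),
    ("MasterCard", lambda n: len(n) == 16
        and (51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720)),
    ("American Express", lambda n: len(n) == 15 and n[:2] in ("34", "37")),
    ("Discover", lambda n: len(n) == 16 and (n[:4] == "6011" or n[:2] == "65")),
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(digits: str):
    """Brand name for a Luhn-valid PAN with a known issuer prefix, else None."""
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        return None
    return next((brand for brand, rule in _IIN_RULES if rule(digits)), None)

def find_pans(text: str):
    """Scan free text; return (pan, brand) for each validated PAN found."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = classify(digits)
        if brand:
            hits.append((digits, brand))
    return hits

def mask(pan: str) -> str:
    """Display form that keeps only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample text. The card numbers are the brands' published test
# numbers, not real accounts; the first 16-digit run is an order id.
SAMPLE = """Order 1234567812345678 shipped to customer 4111-1111-1111-1111.
Refund to 3782 822463 10005; typo 4111 1111 1111 1112 was rejected.
Ticket id 98765432101."""
```

Running find_pans(SAMPLE) reports only the two valid PANs; the order id and the mistyped number fail the Luhn check, and mask() gives the form a reviewer should see in an incident report.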
While the first task can seem trivial, the second is one of the toughest. Companies believe they know where their confidential data are stored. Unfortunately this is not always true! In most cases they only know some of the places where data are stored: the legitimate (and sometimes protected) repositories. At the same time, during every business day data move to several other locations. IT staff are not always aware of this data movement because it involves unmanaged removable drives, cloud storage, employees' personal emails, etc. This is why identifying and protecting repositories is one of the hardest and most important tasks in confidential data protection projects.
Everyone responsible for confidential information should be able to understand where these data are. This requirement introduces the third item: how are data used? We already said that data are stored in a few known and protected locations and in several unknown and unprotected repositories. How does this happen? In most cases users copy data where they can easily access them. This is why we find confidential information on personal USB keys, personal emails, etc. In a smaller number of cases users move data to untrusted repositories because they behave as "malicious insiders": internal users that intentionally expose company information. In order to protect confidential information we must implement controls to educate users and enforce data protection.
After implementing these controls we put our infrastructure in a safe state from a PCI-DSS perspective: we identified where cardholder data are, we learnt how people use these data, and we enforced controls on the information. From now on, in order to maintain PCI-DSS compliance we must keep protecting our data. The following picture reports the required steps. As you can see these steps are cyclic and need to be run frequently. Let's go deeper into each of the steps:
- Define PCI compliant policies. This is done in the first step of the PCI-DSS program. Policies must be reviewed periodically because data management procedures change over time and information can be exposed to new and unexpected risks. At the same time policies must be reviewed and tuned using information from the reports described below.
- Remediation: this is one of the most important phases of the data protection process. During the remediation phase the reviewer will be able to understand what happened to the data and provide information on false positives and missed incidents. In some cases remediation can be automated in order to speed up the incident handling process and avoid interruption of business operations.
- Enforcement: after identifying where the data are stored and how they transit between systems it is important to enforce data protection. Sometimes this means encrypting data in transit or at rest. In other cases data will be moved to safer locations. Enforcement actions can be taken by the DLP solution or through integration with other applications.
- Reports: data protection cannot be considered complete without a measurement system that helps understand the status of the confidential information and provides inputs for tuning existing policies and creating new policies that address new requirements.
The periodic execution of these activities provides a dynamic view of confidential information and improves the results of a PCI-DSS program.
Now that we understand how a DLP solution helps achieve PCI-DSS compliance, we can come back to the requirements mentioned above and see how to address them with Symantec DLP.
Protection of stored data must be split in two parts. The first part is data discovery, which answers the question of where confidential data are. This activity must be run on storage repositories and endpoints with the following objectives:
- Detection of exposed PANs and magnetic stripes
- Scan for inappropriately stored cardholder data on laptops, desktops, and workstations
The second part of the protection is the remediation on incidents. This activity will focus on:
- Quarantine data at risk to secure locations
- Prevent users from inadvertently exposing credit card data
- Educate users about the risk of confidential data exposure
- Control data flows on network protocols
- Integrate with encryption software
In order to guarantee the need-to-know principle for confidential data, the DLP administrator will identify the authorized users that can access confidential information and create ad hoc policies. An example of a policy is "block access for all users except those belonging to AuthorizedGroup". This control will be implemented using the DLP endpoint agent.
The last requirement we are focusing on is "Track and Monitor all access to network resources and cardholder data". In order to satisfy this requirement we must control data on the network, in storage and on endpoints. Our objectives will be the following:
- Track confidential data network activity
- Content-aware coverage of all activity including USB, print, fax, email, web
- Continuous protection even when disconnected from the corporate network
- Monitor user activity on shares where cardholder data are stored
At the end of this process we should have satisfied three of the twelve requirements of PCI-DSS. There is still a long way to go to achieve and maintain PCI-DSS compliance. There are several technical and procedural aspects to cover. I will leave you with some questions:
- What are the tasks and tools to identify vulnerable systems?
- How to determine whether the systems that manage confidential information have the correct patching level?
- How to correlate information from the different protection systems?
- How to provide high level dashboards with the status of the infrastructure with respect to PCI-DSS?
- What about user awareness of security risks? How to educate them?