Security Policy Enforcement and PCI Compliance
New Boundary Technologies Cites Automating Security Configuration Management as Key to Protecting Cardholder Data
Identity theft and payment card fraud go hand in hand. Protecting cardholder information
is a critical step in preventing both—and the financial losses that come
with them. This is a primary premise behind the Payment Card Industry (PCI) Data
Security Standard developed by Visa, MasterCard and other payment card providers.
Security threats to cardholder information can come from either side of the firewall.
They can result from malicious attacks by hackers intent on criminal activity,
from insiders intent on defrauding the company, or simply from negligent end users
with no malicious intent at all. But regardless of the source and nature of the
threat, payment card issuers, processors, and retailers have a vested interest
in protecting cardholder information.
The PCI Data Security Standard is complex and exacting, with 12 top-level rules
and 200 additional requirements for protecting cardholder information. Penalties
for non-compliance include fines of up to $500,000 per security incident and
possible loss of payment card transaction privileges. And as retailers have
come to learn, PCI adds one more layer of complexity and cost to their overall
compliance efforts. One year after the June 2005 deadline for PCI compliance,
just 22 percent of large merchants were actually in compliance with the mandate.
Retailers cite complexity and cost as the main reasons. Compounding the problem
is a lack of guidance in the PCI Data Security Standard regarding what technologies,
methodologies, and processes constitute best practices for information security.
For many retail organizations, locking down PCs and servers via automated
configuration management is the key to dramatically reducing the complexity
and cost of PCI Data Security Standard compliance.
Configuration management is not a new discipline, but only recently with the
advent of products like New Boundary Technologies’ Policy Commander has
it become sufficiently automated to deliver a strong return on investment. Manual
configuration management is time and resource intensive, yet it is often unavoidable
because of the problems that misconfiguration can create. According
to an EMA analyst report, more than 60 percent of IT service impact is a direct
result of configuration problems. That is why adopting automated configuration
management technologies can drive significant benefits in the areas of IT security,
risk mitigation, and compliance.
Traditional Security Limitations
In the early days of the PC, security typically involved scanning floppy disks
for viruses, locking computer cases, and limiting access with login passwords.
As networks became the dominant paradigm, the spread of malicious code increased,
with the potential for damage increasing in direct proportion to the number
of computers on the network. But with the advent of the Internet, a Pandora’s
Box of access was opened that still has IT professionals struggling to cope.
The Internet introduced and popularized e-mail, chat, instant messaging, peer-to-peer
file sharing, desktop search, and other communication channels and applications
that expose networks to malicious threats like never before. Because the Internet
introduced so many new openings into networks, IT security over the past decade
or more has been focused primarily on creating a strong defense perimeter around
the network.
Perimeter defense remains an essential component of an overall IT security
strategy. It incorporates a variety of technologies and applications designed
to limit and control access to the network and the information it contains.
This can include hardware and software firewalls, anti-virus applications, identity
authentication, spam filtering, intrusion detection, file encryption, vulnerability
scanning, virtual private networks, and anti-spyware applications. Unfortunately,
perimeter security remains a delicate balancing act that must simultaneously
restrict and allow access to information, systems, and resources. An incorrect
balance can result in excessive exposure of cardholder information to security
threats, or in a backlash from end-users unable to access the IT resources they
need to remain productive.
As perimeter defense has matured, threats have not been eliminated. Rather,
the nature and the origin of the threats have evolved. As perimeter defense
technologies matured, so did the hacker tools and strategies used to circumvent
them. As anti-virus systems improved, virus writers became more creative in
disguising their malicious code. And perhaps more important, the motives of
those seeking to infiltrate networks have changed. Once the domain of misguided
enthusiasts seeking notoriety within their underground community, the world
of hackers is now dominated by increasingly organized cyber-criminal enterprises
with a powerful profit motive.
The Future of Information Security
After more than a decade of evolution, network perimeter defenses are greatly
improved, but far from foolproof. External threats are becoming more sophisticated,
well funded, and increasingly criminal in nature. And once inside the perimeter,
malicious threats quickly and easily exploit what has remained for many years
the soft, unprotected underbelly of the network – the vulnerable configuration
state of individual computers. In addition, perimeter defenses do almost nothing
to protect electronic information from users with legitimate network access.
In fact, according to a survey by the Ponemon Institute, nearly 70 percent of
the threats to network security and integrity come from malicious employee activity
or non-malicious employee errors.
Clearly, network defense perimeters alone are insufficient, and that has resulted
in a new emphasis on reducing the vulnerabilities of the systems inside the
perimeter. While perimeter defenses are essential to managing threats from outside
the network, the key to internal network security lies in the discipline of
security configuration management. Integrating these two disciplines is necessary
to maintain a network environment that is secure from both external and internal
exploits.
Security Configuration Challenges
By default, few if any computer systems, and especially workstations, are configured
for strong security in a network environment. Even when new computers are provisioned
with secure configurations, they are still dynamic systems subject to random
configuration changes that can quickly render them insecure.
To further complicate matters, simply determining the security configuration
of a single computer has always been a manual, resource-intensive process. Determining
the security configuration of multiple systems becomes a daunting project. In
addition, PCs and servers can have multiple roles and multiple users and administrators.
In fact, the traditional barriers to determining security configuration are
so significant they often prevent administrators from simply knowing the security
states of their computers.
Given the difficulties involved, there is little wonder that IT focused its
security initiatives on perimeter control rather than on configuration management.
But with the recent introduction of technology solutions that automate security
configuration management, especially those based on automated security policy
enforcement like Policy Commander, nearly all of the traditional challenges
have been eliminated.
Security Policy Management – A Key to Compliance
In very simple terms, computer security policies are rules that computers must
obey. More specifically, they are configuration and access controls that determine
who can do what on any given computer. Policies include configurations and procedures
for achieving defined security levels related to password management, group
rights, file access, server configuration and a host of other functions. It
is important to differentiate computer security policies, which are computer
files in digital format, from corporate security policies, which are written
documents detailing an organization’s security requirements and mandates.
Computer security policies can come from software vendors like New Boundary
Technologies or Microsoft, or from IT security organizations like the National
Security Agency (NSA), National Institute of Standards and Technology (NIST),
United States Computer Emergency Readiness Team (US-CERT), and the SANS Institute.
Security policies can range from very simple ones that control a single configuration
setting (such as disabling Windows Update), to complex ‘best practices’
policies (also known as security templates or lockdown guides) that affect dozens
or even hundreds of configuration settings. Because security policies help to
standardize system configurations, they provide an organized framework for managing
security configuration settings across a network. They provide the efficiency,
flexibility, and extensibility required to make security configuration management
not only possible, but cost effective as well. However, until recently, computer
security policies have had long-standing problems of their own.
While security policy management can dramatically improve the overall defense
posture of the network and lock down access to cardholder information, traditional
methods of implementing policies, such as Group Policy Objects, are inherently
complex, manual and require extensive IT expertise. In fact, many organizations
don’t leverage computer security policies at all, while others using traditional
methods struggle to manage them with limited IT resources and expertise. In
order for organizations to realize maximum benefit from security policies, they
need a way to quickly, easily and accurately deploy policies on all of the servers,
workstations and laptops accessing the network. Because computers are very dynamic
systems undergoing constant change, organizations also need to constantly monitor
them to determine their compliance with assigned policies, and to automatically
enforce policies on non-compliant computers. This requires a level of automation
that, until recently, simply didn’t exist.
With an automated security policy enforcement solution like Policy Commander,
IT professionals can secure workstations and servers quickly and easily. Policy
Commander leverages advanced Smart Update™ technology that precisely targets
security policies to the correct computers, saving considerable time and effort.
Once policies are assigned, Policy Commander continuously monitors computer
configurations, and automatically secures systems to their desired state in
the event of any configuration change. It allows IT professionals to create
a self-monitoring, self-healing security environment inside the firewall, dramatically
reducing the risk of security breaches and information theft from both external
and internal threats. And it demonstrates to auditors that real-time, continuous
monitoring and enforcement of secure computer configurations and cardholder
information are in place.
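The monitor-and-enforce loop described above, reduced to its core, as an added example that is not Policy Commander's code or New Boundary Technologies' own: a lockdown policy is a set of desired settings, an audit reports every control that has drifted, and enforcement restores the desired state while recording an audit trail. The setting names, the host state and the policy values are constructed for illustration; on a real Windows host they would map to registry keys, services and local security policy rather than an in-memory dictionary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Setting:
    """One configuration control a lockdown policy requires."""
    name: str        # hypothetical setting key, e.g. "min_password_length"
    desired: object  # value the policy mandates
    severity: str    # "high" or "medium", used to rank audit findings

# Constructed lockdown policy covering the areas the text names: accounts,
# unnecessary services, file permissions on cardholder data, password rules.
LOCKDOWN_POLICY = (
    Setting("min_password_length", 12, "high"),
    Setting("guest_account_enabled", False, "high"),
    Setting("telnet_service_enabled", False, "high"),
    Setting("cardholder_share_everyone_write", False, "high"),
    Setting("screen_lock_timeout_minutes", 15, "medium"),
)

def newly_provisioned_host():
    """Constructed sample state of a freshly imaged workstation (insecure defaults)."""
    return {"min_password_length": 8, "guest_account_enabled": True,
            "telnet_service_enabled": False,
            "cardholder_share_everyone_write": True,
            "screen_lock_timeout_minutes": 15}

def audit(host_state, policy=LOCKDOWN_POLICY):
    """Return (setting, actual_value) for each drifted control, high severity first."""
    drift = [(s, host_state.get(s.name)) for s in policy
             if host_state.get(s.name) != s.desired]
    return sorted(drift, key=lambda pair: pair[0].severity != "high")

def enforce(host_state, policy=LOCKDOWN_POLICY):
    """Self-heal: reset each drifted control and return an audit trail of what changed."""
    trail = []
    for setting, actual in audit(host_state, policy):
        host_state[setting.name] = setting.desired
        trail.append({"setting": setting.name, "from": actual,
                      "to": setting.desired, "severity": setting.severity})
    return trail

def compliance_ratio(host_state, policy=LOCKDOWN_POLICY):
    """Fraction of policy controls currently met (1.0 means fully compliant)."""
    return 1 - len(audit(host_state, policy)) / len(policy)

if __name__ == "__main__":
    host = newly_provisioned_host()
    print(enforce(host), compliance_ratio(host))
```

Running `audit` on a schedule and `enforce` on every finding is the continuous-monitoring behaviour the text describes; the returned trail is the evidence an auditor would ask for.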
Powered by Policy Commander, the PCI Compliance Solution offered by New Boundary
Technologies can virtually eliminate default computer vulnerabilities that represent
the largest risks to cardholder information. The solution includes the company’s
PCI Security Guide, which breaks down the PCI data security provisions and offers
best practices guidance on meeting them. It also delivers a library of computer
security policies based on National Security Agency (NSA) and National Institute
of Standards and Technology (NIST) recommendations that address specific cardholder
information security concerns.
Reaping the Benefits of Automated Security Policy Management
When an IT security configuration template (i.e. lockdown guide) is applied
to a system, a substantial reduction in vulnerability exposure can be achieved.
In fact, testing by the NSA and NIST has shown that they will reduce the vulnerabilities
on systems by 90% or more. That means that all of the perimeter security measures
employed by an IT department only address about 10% of the vulnerabilities potentially
exploited by malware and malicious activity.
This is where the proper application of computer security policies provides
a significant increase in network and information security. Viruses and spyware
exploit the software defects in applications and vulnerable configurations of
the operating system. While good anti-virus and anti-spyware tools are required
to detect and remove malware, those tools are not designed to correct problems
in configuration areas such as insecure accounts, unnecessary services, file
permissions, or registry settings. In addition, they are essentially reactive
measures rather than proactive ones.
Automated security policy management is a relatively new technology that delivers
significant value as a key component of an overall security strategy empowering
security compliance. As the level of threats to network security continues to
rise, prudent retail organizations are adopting appropriate technologies to
minimize the risks associated with vulnerability exploits. Just as firewalls
and anti-virus applications have become a mainstay of protecting organizational
information and computing assets, an automated security policy enforcement solution
that enables proactive security configuration management should be considered
an essential component of the overall security measures that organizations covered
by the PCI Data Security Standard employ.