Background
The Payment Card Industry (PCI) Data Security Standard (DSS) is a great measuring stick for the security posture of any organization. In fact, I love it because it's so clear.
Requirement 7, "Restrict access to cardholder data by business need to know", poses an interesting set of challenges because it requires enforcing the following principles:
- Least access: users shall only access the systems they need access to.
- Least privilege: once in those systems, they shall only do what they are supposed to do.
- Role-Based Access Control (RBAC): permissions are granted to roles, and users are granted roles.
- Enforcement across heterogeneous platforms (7.2.1).
- Ideally, the process is consistent, easy to document, and follows an approval workflow (7.1.4, 7.3).
- Closed systems: all systems default to deny-all, with access granted only where it is specifically allowed (7.2.3).
Challenge
- Implement the technical(1) controls of Requirement 7
- Multi-platform: Unix/Linux & Windows
- Implement it in 10 minutes or less
- Prove compliance in 5 minutes or less
The Environment:
- Active Directory 2012 Domain (based on the Microsoft Test Lab Guides)
- One Windows Server
- One RHEL 7
- Centrify software already installed on a management server (MMC snap-ins) and copied to the target systems.
Access Rules
The access rules have to be defined as per 7.1.1.
The cardholder data environment consists of one Windows Server 2012, one RHEL 7 and one Ubuntu 14.04 server. The work performed on Windows is database (SQL Server) and web (IIS) administration; the RHEL platform hosts an Apache/MySQL application. There are two roles in this environment:
- Sysadmin (cross-platform)
  - Sysadmins shall perform tasks as root on RHEL systems without knowing the root password. (7.1.2/7.1.3/7.2.2)
  - Sysadmins shall perform tasks as Administrator on Windows without being a permanent member of the local Administrators or Domain Admins group. (7.1.2/7.1.3/7.2.2)
- Developer (cross-platform)
  - Developers shall control the Apache and IIS services (service httpd start | stop | restart, and iisreset.exe) with no root or apache credentials and no local admin rights. (7.1.2/7.1.3/7.2.2)
  - Developers shall be able to elevate to the mysql service account, and to run the services.msc snap-in on Windows to stop/start/pause SQL Server, without the root or mysql credentials and without local Windows admin rights. (7.1.2/7.1.3/7.2.2)
Additional Guidelines
- Because these are PCI systems, no one other than members of the PCI Sysadmin and PCI Developer roles can log in to them. This includes otherwise trusted administrators such as Domain Admins. (7.2, deny-all)
- Access for both roles is restricted to remote terminal sessions (SSH on Linux, RDP on Windows); there is no console access.
- Adds, moves and changes shall be controlled through AD group membership. This lets upstream tools drive the workflow and approvals, which makes compliance with 7.1.4 (approvals) and 7.3 (documentation) much easier.
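As an added example, not part of the original post and not Centrify's mechanism, here is the Linux half of the rules above written out with the stock RHEL 7 tools (sudoers, pam_access and sshd), so the intent of each role and guideline can be checked line by line. The AD group names pci-sysadmins and pci-developers, the /sbin/service path and the mysql service account are assumptions; the Windows side (iisreset.exe, services.msc) is not covered here.

```shell
#!/usr/bin/env bash
# Added example (not Centrify, not from the original post): the two PCI roles and
# the deny-all / terminal-only guidelines expressed with stock Linux tools.
# Assumed AD group names: pci-sysadmins, pci-developers (resolved via nsswitch/SSSD).
# Assumed RHEL 7 paths: /sbin/service; assumed service account name: mysql.
set -eu

SYSADMIN_GROUP="pci-sysadmins"
DEVELOPER_GROUP="pci-developers"

# Least privilege (7.1.2/7.1.3/7.2.2): sysadmins get root with their own password,
# developers get exactly the Apache control verbs plus the mysql service account.
sudoers_fragment() {
  cat <<EOF
# PCI Sysadmin role: any command as root; the root password is never shared
%${SYSADMIN_GROUP} ALL=(root) ALL

# PCI Developer role: explicit verbs only, no wildcards, so nothing extra such as
# "service httpd stop; sh" or "service httpd --help" can be appended to the command
Cmnd_Alias HTTPD_CTL = /sbin/service httpd start, /sbin/service httpd stop, /sbin/service httpd restart
%${DEVELOPER_GROUP} ALL=(root) HTTPD_CTL

# PCI Developer role: commands (or a shell) as the mysql service account only
%${DEVELOPER_GROUP} ALL=(mysql) ALL
EOF
}

# Deny-all default and no console access (7.2 / 7.2.3): pam_access evaluates
# top-down and stops at the first match, so order matters.
access_fragment() {
  cat <<EOF
# /etc/security/access.conf (pam_access.so must be in the sshd and login PAM stacks)
# 1. nobody, whatever their role, may log in on the local console
#    (LOCAL matches any origin without a "." in it, i.e. a tty rather than a host)
- : ALL : LOCAL
# 2. only the two PCI roles may log in, from any network origin (SSH)
+ : (${SYSADMIN_GROUP}) (${DEVELOPER_GROUP}) : ALL
# 3. everyone else, Domain Admins included, is denied
- : ALL : ALL
EOF
}

# Least access (7.2.1): sshd admits only the two role groups at the protocol level,
# so the deny-all in pam_access is a second, independent gate.
sshd_fragment() {
  cat <<EOF
AllowGroups ${SYSADMIN_GROUP} ${DEVELOPER_GROUP}
PermitRootLogin no
UsePAM yes
EOF
}

# Write the three fragments into a directory and syntax-check the sudoers file with
# visudo when it is installed; visudo's verdict goes to stderr so stdout is the path.
install_policy() {
  local dir="$1"
  mkdir -p "$dir"
  sudoers_fragment > "$dir/sudoers.d-pci"
  access_fragment  > "$dir/access.conf"
  sshd_fragment    > "$dir/sshd_config.d-pci"
  chmod 0440 "$dir/sudoers.d-pci"   # sudo refuses fragments that are writable by others
  if command -v visudo >/dev/null 2>&1; then
    visudo -cf "$dir/sudoers.d-pci" >&2 || echo "visudo reported a problem; review before installing" >&2
  fi
  echo "$dir"
}

install_policy "${PCI_POLICY_DIR:-$(mktemp -d)}"
```

Run it as-is to get the three fragments in a temporary directory, or set PCI_POLICY_DIR to write them where you can review them; the sudoers fragment belongs in /etc/sudoers.d/ (as root, mode 0440), the other two in /etc/security/access.conf and /etc/ssh/sshd_config. A developer then runs `sudo /sbin/service httpd restart` or `sudo -u mysql /bin/bash` (the explicit shell path works even when the mysql account's login shell is nologin) and nothing else. Two caveats a reviewer will raise: the `- : ALL : LOCAL` line also locks root out of the console, so keep a documented break-glass path (for example a single-user boot or an out-of-band console that bypasses pam_access) before deploying it; and with `nodefgroup` absent from the pam_access line, a user named pci-sysadmins would match the group entry, which is why the names are wrapped in parentheses.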