Citrix Security Blog
Security news and insights from Citrix
16 May 2008 10:10 AM EDT
[ Tags: security,  compliance,  pci dss,  pci ]

Everybody has heard the stories and wants to believe - but there's no such thing as "PCI Compliant" products*.

People are constantly asking the question: Is "Product X" PCI compliant? The short answer is: No.

The long answer requires some careful explanation.

PCI sets forth 12 major requirements for an organization to meet, with the result of meeting these requirements culminating in an attestation of compliance. The PCI auditor verifies that the intent of PCI has been met, and compliance is granted. (OK, I know I just oversimplified a very complex set of processes - but the result is the same: the organization is deemed compliant or not.)

But, what about the products that are used to support organizational PCI compliance? Network firewalls, antivirus, IDS/IPS, and application firewalls are listed in the PCI specification as core products whose functionality is required to obtain PCI compliance. Don't these products have to be certified as compliant? No, there is no provision for product compliance in the PCI DSS v1.1 specification.

So, given that PCI doesn't directly certify products, what should an organization do to provide audit assurance that products can be used for the intended PCI purpose?

  1. Verify vendor claims - just because a salesperson says it, it doesn't make the statement true.
  2. Rely on trusted third-parties - organizations like ICSA Labs, NSS Labs, WASC and OWASP have detailed product capability matrixes, testing and certification criteria, and comparative data.
  3. Discuss concerns with your auditors - because PCI auditors make the final decision on compliance, they should be involved in key decisions leading up to the certification event.

There have been some wild claims with PCI - including the notion of "PCI certified products." When faced with conflicting information, work with trusted vendors and partners, press your auditor or PCI QSA for the documented facts, and escalate ambiguity as necessary through to the PCI Security Standards Council.

With factual information and proper actions, we can all help PCI reach its lofty goal: Increase trust in credit card usage by holding merchants to a high standard - the PCI DSS.

PCI Backgrounder

PCI DSS, the Payment Card Industry Data Security Standard (or simply PCI) specifies compliance standards for credit card usage. If your organization stores, processes, or transmits credit card data, PCI applies to you. The PCI Security Standards Council maintains and publishes the standard at www.pcisecuritystandards.org.

*Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.

15 May 2008 07:49 PM EDT
[ Tags: security,  rsa,  dlp,  virtualization ]

Looking back at the 2008 US RSA Security Conference, there was a tremendous amount of interaction, but not a readily apparent amount of innovation.

I spent the bulk of my time in meetings with customers, partners, press, and analysts. All seemed to echo the same sentiment - there's not any single "wow factor" at this year's RSA. But, that's not to say that there weren't hot topics, the two most obvious being DLP and Virtualization Security.

DLP

DLP, or Data Loss Prevention (also sometimes known as Data Leakage Prevention) is the capability to keep sensitive data from inadvertently leaving the organization. The concept and message around DLP is rather simple, but the architecture and management of DLP is where the difficulty comes into play.

When you consider all the sensitive data in most organizations, where it exists, and how it's used, you get a feel for just how big of a problem DLP needs to address. In most organizations, data isn't even regularly classified and labeled as public or non-public information. And, data has been over-distributed onto any media that can hold it (e.g. laptops, USB keys, iPods), often without any control. DLP technologies purport to get a handle around this problem and manage the access to and distribution of sensitive data.

On the surface, DLP seems like it's facing a really tough problem. And it is - if you're just trying to add controls to the existing model of data access and over-distribution. Looking at the problem with virtualization in your toolbox, though, can change our basic assumptions and bring us closer to the elusive goal of DLP.

Combining application virtualization and DLP allows authorized users to access a view of sensitive data, while providing additional context-sensitive controls around access to the data. As an example, a user in the office might be given the ability to use an application housing sensitive data on their corporate-managed device only after submitting strong credentials and passing the necessary security checks. Policy would then prohibit them from using the application in ways that violate policy, such as printing sensitive information. Because the DLP software is integrated with the application virtualization environment in the data center, the DLP software has full control over how the sensitive data is used, and the data never leaves the datacenter. DLP can be much more effective when managed from the datacenter and the management of sensitive data on endpoints is eliminated from the equation. The same concept holds true for both application virtualization and desktop virtualization.

Virtualization Security

As the above DLP example shows, virtualization is stimulating innovative thoughts and challenging the status quo. There were many questions posed at RSA about upcoming client and desktop virtualization opportunities, in addition to current server virtualization security challenges.

On the server front, most of the discussions were around how network-level security objectives can be achieved in a virtual server environment. Organizations that have implemented server virtualization have watched as the proliferation of these environments has reduced security visibility for legacy network controls. The network folks want to know how to "see" into the virtual server environment, and how to control VM-to-VM communications. This is being accomplished for the most part through "security virtual appliances" or "security virtual machines" that duplicate physical network controls in the virtual realm. There appeared to be many vendors touting capabilities for scanning, IDS/IPS, and virtual firewalls with techniques borrowed from the physical realm.

The real breakthroughs appear to be just in front of us and will involve how we utilize virtual applications and desktops. The capability to virtualize and abstract for security isolation, as well as for usability, appears to be driving real change. These changes promise to allow user functionality to follow users anywhere, without cumbersome user configuration and management. And, with security policies built in, maintained and verified, we should see the trust models change for the better. Microsoft introduced some very interesting concepts and considerations around End-to-End Trust at the beginning of the show that extend well into virtualized client capabilities.

As the security industry matures, we'll probably witness less of a "wow" factor with each conference. But we'll all sleep a little better knowing we're getting closer to the goals of true security.

23 Apr 2008 09:15 PM EDT

Autonomic security, AKA self-healing, self-defending, situation-aware security, or feedback-based security management, has long been a dream in distributed IT computing. It could be that the reason this dream was not realized is that it is too hard to do in distributed computing.

Enter virtualized computing, with centralization and much greater control over the [wily, careless, security-ignorant, only-cares-about-productivity] user. Now does that change the complexion of the problem?

The enemy is the usual: malware, such as worms, viruses and trojans, plus future attacks we don't even know about now. Malware designers unfortunately have the upper hand, with ever stealthier approaches to evil. Most security countermeasures are simply responses to known threats. Thus the bad guys are controlling the game.

With virtualized computing, IT asserts more control. Might it not be possible to realize autonomic security more effectively? One of the problems distributed computing has is relentless complexity and lack of control. With distributed computing, the end user is in the driver's seat! Maybe if all end users were very diligent about security this would be fine. This is sadly not the case.

Autonomic security affords the luxury of not relying on a human to notice things are stealthily going amok. It is possible to monitor what is going on in the network, applications, OSs, processors, and so on. With a virtualized environment, does this not become easier?

To be clear, it is possible that autonomic computing actually creates additional security challenges: doing things automatically, like changing system configurations, interconnections and so on, creates interesting entry points for malware designers.

I'd very much enjoy a dialog on the following thought: in a centrally controlled virtualized environment, is security innovation possible? Given that we can get better information about what is going on, for example anomalous behavior such as a processor being hit abnormally, or other anomalies such as buffer overflows or abnormal accesses or sensitive data being touched in any way, could we not modify the enterprise security policy on the fly? Could we have software look at the collective of information now at our fingertips and change security policy appropriately?

The model I have in mind is human behavior. If you are walking down the street and it's daytime, and it's a cheerful sunny day, and nothing suspicious is going on, you behave in a way that maximizes productivity and pleasure. In contrast, if you're walking down the street and it's dark and late, and there are strange-looking people about, and they are looking at you with too much interest, your security posture changes and security becomes more important than productivity and pleasure (until you get out of the situation).

So could we not use that model and have an adaptive security policy that intelligently changes, based on the information available? Not attacks per se, as there is software that does that already. What if we could look at the health of the network and applications, decide that the situation is not normal, and conclude that a more restrictive security policy is now required? Productivity and pleasure take a back seat when it's "code red".
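To make the feedback loop concrete, here is an added sketch (not Citrix code) of an adaptive posture engine: it scores the health signals the post mentions over a short window, escalates the posture immediately, and relaxes it only one step per quiet tick so a single calm observation does not drop straight back to "normal". The signal names, weights, thresholds and the control mapping are all constructed for the example.

```python
"""Adaptive security posture driven by health signals (illustrative, constructed)."""
from collections import deque

# Constructed weights: how strongly each observation suggests trouble.
WEIGHTS = {
    "cpu_abnormal": 1,
    "abnormal_access": 2,
    "sensitive_data_touched": 3,
    "buffer_overflow": 4,
}

# Postures in increasing restrictiveness; a posture is wanted once the
# windowed score reaches its (constructed) threshold.
POSTURES = ["normal", "cautious", "restricted", "code_red"]
ESCALATE_AT = {"cautious": 3, "restricted": 6, "code_red": 10}


class PostureEngine:
    def __init__(self, window=5):
        self.recent = deque(maxlen=window)   # scores of the last `window` ticks
        self.posture = "normal"

    def observe(self, signals):
        """Record one tick of signals and return the posture now in force."""
        score = sum(WEIGHTS.get(s, 0) for s in signals)
        self.recent.append(score)
        total = sum(self.recent)
        wanted = "normal"
        for level in POSTURES[1:]:
            if total >= ESCALATE_AT[level]:
                wanted = level
        cur, want = POSTURES.index(self.posture), POSTURES.index(wanted)
        if want > cur:
            self.posture = wanted                 # escalate at once
        elif want < cur and score == 0:
            self.posture = POSTURES[cur - 1]      # relax one step per quiet tick
        return self.posture


def controls_for(posture):
    """Constructed mapping from posture to the controls an admin might enforce."""
    return {
        "normal":     {"usb": True,  "print": True,  "step_up_auth": False},
        "cautious":   {"usb": False, "print": True,  "step_up_auth": False},
        "restricted": {"usb": False, "print": False, "step_up_auth": True},
        "code_red":   {"usb": False, "print": False, "step_up_auth": True,
                       "new_sessions": "deny"},
    }[posture]
```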

I'd like to hear from folks with thoughts in this area!

18 Mar 2008 06:01 PM EDT

Most people don't realize the value of the answers to their personal security questions (Citrix Password Manager calls this Question Based Authentication.)  As it turns out, those answers are more valuable than passwords.  If someone learns enough answers to your personal security questions, they very often can reset your password and have access to your accounts.  Yes, that includes your online bank account and it's a very real problem.  In fact, I have a friend so paranoid about this that he swears his favorite color is "three."

Some of the issues around personal security questions are kind of interesting. For example, I've dealt with customers where personal privacy of employees is a big consideration in selecting the questions. Let's call that one "sensitivity". Another issue is what I'll call "changeability" - your favorite movie may change from month to month. Then another issue is what I'll call "detectability" - my place of birth is public record, if somebody happens to know where I was born and what my maiden name was. Both of those are completely unguessable in my case so I am probably safe on that problem.

Then there is always my favorite, "guessability" - there are only so many colors, even if you count teal and puce.

We can't forget the punctuation marks either.  Tricky to remember whether I indicated a teacher's name as Mrs. Winters, Ms. Winters, Mrs Winters or Ms Winters when I signed up for a web account.  Have to be careful on that one.

We are finding that the more flexibility you can allow on these personal security questions for CPM, the better. Let companies write their own personal security questions that are more obscure than place of birth. Let people choose between a number of security questions that they find unique and easy to remember.
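The punctuation problem ("Mrs. Winters" versus "Ms Winters") and the guessability problem both have a defensive answer on the server side. The following added example (not Citrix Password Manager code) normalizes an answer before comparing it, rejects answers from a tiny constructed list of easily enumerated values, and stores only a salted, slow hash, since an answer is at least as valuable as a password. The honorific list, the guessable-word list and the iteration count are assumptions for the example.

```python
"""Enroll and verify personal security question answers (illustrative, constructed)."""
import hashlib
import hmac
import os
import re
import unicodedata

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}          # constructed list
TOO_GUESSABLE = {"red", "blue", "green", "teal", "puce",  # constructed; a real
                 "black", "white", "yellow"}               # list would be far larger
ITERATIONS = 200_000                                       # assumed PBKDF2 cost


def normalise(answer):
    """Case-fold, drop punctuation and honorifics, collapse whitespace.

    "Mrs. Winters", "Ms Winters" and "  mrs winters " all become "winters",
    so a user's choice of title or punctuation at enrollment no longer matters.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return " ".join(w for w in text.split() if w not in HONORIFICS)


def is_acceptable(answer):
    """Reject answers an attacker could enumerate in a handful of guesses."""
    norm = normalise(answer)
    return len(norm) >= 3 and norm not in TOO_GUESSABLE


def enroll(answer):
    """Return (salt, digest) for storage; the plaintext answer is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify(answer, salt, digest):
    """Constant-time comparison of the candidate answer against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```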

In fact, I'd love some comments on pet peeves and helpful suggestions on personal security questions!

14 Jan 2008 12:06 PM EST

There's recently been a fair amount of discussion on security and Presentation Server installation, with some insightful responses (see Brian Madden's blog entry). One point about the original posting: it was concerned with attacks from authenticated users only. An Internet attacker has to jump the authentication hurdle first. That's why strong authentication is so important for Internet-facing deployments.

The book Citrix Access Security for IT Administrators (ISBN-13: 978-0-07-148543-2) is a great resource for planning and securing your setup. Several Internet-facing configurations are described. It doesn't cover everything: we had to leave out Access Gateway because it didn't fit the editorial timetable; and those with specific regulatory requirements will also want to refer to the Common Criteria documentation, and the Security Standards and Deployment Scenarios documents, at https://www.citrix.com/security.

And yes, this edition of the book covers Presentation Server 4.0. We'd love to do a second edition for Presentation Server 4.5 and later. Getting into print is a lot of work, so we'd like to know first whether you like this kind of security material in book form, or delivered some other way. The Common Criteria documentation and the Security Standards and Deployment Scenarios document are already posted for Presentation Server 4.5. Let us know your thoughts.

Also, since this book was written, we launched the Citrix Ready program. Take a look at the Citrix Ready Products Guide for third-party information - there's a section for security products.

Finally, consider whether SmartAuditor is a good fit to your organization. It's a powerful tool for addressing the risks from authenticated users. At this time, it is a feature of the Platinum Edition of Presentation Server - see Citrix Presentation Server Editions.
