PCI DSS Compliance & Your Database

Theft and loss of personal login and credit card data seem to be an almost daily occurrence, even at large internet companies that have supposedly taken security measures. Whether it’s Target, eBay or even the Amazon cloud platform, we’re hearing more and more concern about data leaks.

This isn’t just a problem for IT professionals. CEOs have lost their jobs and companies have suffered huge hits to their reputations over the leakage of secure customer data. Failure to comply with PCI-DSS can result in the revocation of your company’s ability to take credit card transactions.

Achieving & Maintaining Database Compliance for PCI

Complying with PCI-DSS data requirements can be confusing, especially with so many products providing protection on only a portion of PCI-DSS regulations.

Database security provides protection on the actual data. With HexaTier, you can:

- Discover exactly where all of your PCI DSS data resides: in what databases, tables, and columns.
- Discover what individuals, servers, applications, and systems have access to every database.
- Restrict or eliminate the ability to destroy, copy, transmit, or tamper with financial data.
- Create rules to protect PCI DSS-sensitive data at the database, table, and column level.
- Create separation of duties schemes for different users.
- Mask PCI DSS sensitive data, including financial data, payment information, and personal identification.

This paper shows what parts of PCI-DSS you can comply with using HexaTier. You’ll see exactly how database protection works and get a specific breakdown of each of the database compliance PCI-DSS regulations that HexaTier helps you satisfy. These functions are provided out-of-the-box, with minimal installation time and absolutely no changes needed on your network, giving you the ability to answer the PCI-DSS auditor with minimal time and effort.

PCI DSS and Database Security

Among the different standards of data protection, PCI-DSS is the only one created by commercial entities, the credit card companies. As such, the concerns of PCI-DSS are the most closely aligned with commercial entities, in that they are designed to prevent leakage of customer information and protect companies from theft of data that can lead to credit card theft and identity theft.

For organizations that want to use a baseline for security, PCI-DSS is a great place to start, even if you aren’t yet taking credit cards.

Fundamentally, most data is stored in databases. Database security is all about protecting data where it resides, in the database. Unlike solutions that protect from infiltration or manipulation of the application, HexaTier provides protection as close as possible to the actual data, identifying and intercepting threats from any source.

What is HexaTier?

Features of the HexaTier Unified Database Security Solution

HexaTier, a Unified Database Security (UDS) system, handles multiple layers and issues in a single product. It is the first solution to supply out-of-the-box real-time regulatory compliance for databases, with over 28% of the HIPAA requirements met as soon as HexaTier is installed and configured.

The innovative, robust HexaTier UDS ensures the safe handling of all your sensitive information, including patient records, billing information, and credit cards.

The 4 main areas of the Unified Database Security solution are as follows:

Database Security

Stops SQL injection attacks and blocks unauthorized database access, providing full separation of duties (SOD).

Dynamic Data Masking

Allows Personally Identifiable Information (PII) to be hidden in real time from unauthorized users such as developers and CRM users.

Database Activity Monitoring

Monitors database access and activity and tracks before-and-after audit values. Real-time alerts help provide full compliance with regulatory requirements.

Compliance Reports

Ad-hoc and scheduled reports which provide compliance reports as required by PCI DSS. Give auditors exactly the reports they need right when they request them.

How does HexaTier work?

HexaTier is a software-based solution that analyzes and approves every request to a database server or cloud-based database server. In other words, every single request going to your database, no matter what the source, needs to pass through HexaTier’s software and be approved before it reaches the actual database. This provides complete coverage and real-time ability to stop unauthorized access of any sort or from any source.

As software, HexaTier can be deployed on premise or in cloud infrastructures. It sits inline, in front of the database. Because of its strategic location, as a shield to all of the database, HexaTier can perform a wide range of protective activities, from SQLi protection through data masking and separation of duties, as outlined in the next section.

What Does HexaTier Offer for PCI?

Identification of databases, roles and administrators

Upon installation, HexaTier scans to find out exactly what databases are accessible and by whom. You can see exactly how many people have admin privileges, what privileges they have, and when they are using their privileges. Most companies don’t even have an organized accounting of who can access the databases. Not only do individuals access databases, but other databases and processes may have direct access. All of this is visible through HexaTier’s scan.

Built-in rules for database protection from SQL injection attacks

HexaTier’s database firewall contains the fundamental requirements for immediately blocking SQLi attacks, right out of the box. Suspicious behavior is identified, blocked and reported instantly.

Restrictions on data tampering

You can implement rules that ensure that data cannot be tampered with or destroyed. HexaTier can ensure not only that certain users (or all users) are restricted from destroying, deleting, or tampering with data, but you can also have records of whenever anyone does tamper with data. Using HexaTier you can create an auditing track of any instance of deletion or alteration of financial data, and use recovery tools or your corporate backups to restore data.

[Figure: Application, HexaTier, Database Server]

Masking of PCI DSS sensitive information at granular level (per table, per column, per user, user group)

Data identified as sensitive can be masked specifically according to use. Using these rules, you can ensure that developers and testers can work on the system, without seeing the data. You can also create rules that allow financial managers to view only the data relevant to their specific department or role. You can ensure that specific data is accessed only by certain users, in certain geographies, or at certain times and dates.
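
The per-column, per-role masking described above can be sketched as follows. This is an added example, not HexaTier's rule syntax or code: the role names and the `pan`, `cardholder_name` and `notes` columns are hypothetical, and the sample row is constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(value: str) -> str:
    """Replace all but the last four digits with X, keeping separators so the
    masked value still has the shape applications and tests expect."""
    keep_from = sum(c.isdigit() for c in value) - 4
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)

def mask_all(value: str) -> str:
    return "****"

@dataclass(frozen=True)
class MaskRule:
    table: str
    column: str
    exempt_roles: FrozenSet[str]            # roles allowed to see the clear value
    mask: Callable[[str], str]

# Hypothetical rule set: table, column, who is exempt, how to mask.
RULES = [
    MaskRule("credit_cards", "pan", frozenset({"payments_ops"}), mask_pan),
    MaskRule("credit_cards", "cardholder_name",
             frozenset({"payments_ops", "finance"}), mask_all),
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def scrub_free_text(text: str) -> str:
    """Fallback for columns with no rule: mask any Luhn-valid PAN found in text."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(m.group()) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(repl, text)

def apply_masking(role: str, table: str, rows: list) -> list:
    """Return masked copies of result rows for the given role (input is not modified)."""
    rules = {r.column: r for r in RULES if r.table == table}
    result = []
    for row in rows:
        out = {}
        for col, val in row.items():
            rule = rules.get(col)
            if rule is not None:
                out[col] = val if role in rule.exempt_roles else rule.mask(str(val))
            elif isinstance(val, str):
                out[col] = scrub_free_text(val)   # unclassified text column
            else:
                out[col] = val
        result.append(out)
    return result

# Constructed sample row; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_ROWS = [{
    "id": 1,
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Sample",
    "notes": "card 4111111111111111 read over phone, order 1234567890123456",
}]

if __name__ == "__main__":
    for role in ("developer", "finance", "payments_ops"):
        print(role, apply_masking(role, "credit_cards", SAMPLE_ROWS)[0])
```

The free-text fallback matters in practice: card numbers pasted into an unclassified column such as a notes field are masked for every role, while the order number in the same field fails the Luhn check and is left alone.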

Hiding database existence and location

Because it works as a proxy, HexaTier allows you to have applications access the address of HexaTier, and mask the actual identity of the databases. This adds another layer of protection against malicious attacks.

Separation of duties

Every user can be granted only the permissions that are necessary for the particular role of that user. Separation of duties provides granular-level permissions, such that nobody has access to any part of the data that they do not need for their particular role.

Real-time alerts, reporting, and auditing capabilities

Real-time alerts provide the ability to intervene immediately with any suspicious or malicious behavior. Advanced reporting capabilities provide a variety of reports, described below, as well as customized reporting. A number of PCI DSS compliance requirements are based on reporting and auditing, and HexaTier provides a full suite of reporting capabilities for all activity on the organization’s databases.

PCI DSS Coverage by HexaTier

PCI DSS is broken down into processes and objectives. The items below are relevant to the HexaTier solution.

Processes:

- Security (Application and Network)
- Application Change Management

Objectives:

- Acquire and Maintain Application Software
- Manage Changes
- Ensure Systems Security
- Manage Data

PCI DSS Compliance Capabilities

HexaTier Unified Database Security (UDS) helps IT organizations address PCI-DSS requirements where they apply to databases. In particular, HexaTier provides administrative safeguards as outlined in the PCI-DSS requirements, as described below.

| PCI DSS | Requirement | HexaTier capability |
| --- | --- | --- |
| 1.1.4 | Define groups, roles and responsibilities for management of network components. | Identifies individuals, systems, and other databases with access to existing databases. Allows discovery of existing administrators and creation of rules for separation of duties. Alerts and reports of any changes in admin privileges on the database. |
| 1.2 | Firewall between untrusted networks and any system components in the cardholder data environment. | HexaTier serves as a firewall between every other system and the databases it protects. |
| 1.2.1 | Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. | Real-time interception of potential threats is implemented on all traffic. Data masking provides protection even from developers and testers who need to use the database for development purposes. |
| 1.2.3 | Protect cardholder data environment from wireless access except where necessary. | HexaTier identifies each and every command to the database, whether it is over wireless or any other type of communication. Using HexaTier you can create rules determining what parts of the data can be accessed from specific IP addresses, thus configuring wireless access permissions as needed. |
| 1.3 | Prohibit direct public access between the Internet and any system component in the cardholder data environment. | As a database firewall, HexaTier prohibits any direct access to the credit card data. Every single request must pass through HexaTier before reaching the cardholder data environment. |
| 1.3.1 | Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. | HexaTier stands between the database and any outside systems, performing as a virtual DMZ with a set of rules that ensure that only approved users, commands, and systems can reach the database. Any access from a non-authorized source is prevented and reports are triggered. |
| 1.3.2 | Limit inbound Internet traffic to IP addresses within the DMZ. | HexaTier provides tools for identifying precisely what IP addresses and systems can access the database. |

| PCI DSS | Requirement | HexaTier capability |
| --- | --- | --- |
| 2.2 | Develop configuration standards for all components according to industry standards. | HexaTier provides a variety of options for configuration, and comes with built-in firewall configuration in accordance with industry standards. |
| 2.2.2 | Configure system security parameters to prevent misuse. | Easy-to-implement configuration options allow for restriction of access to the database. HexaTier updates provide protection for new threats. |
| 2.2.3 | Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. | Through separation of duties, HexaTier security parameters ensure that authorized individuals have access only to those functions they need. Reporting of every action by every database user means that even when a user is authorized, they are fully monitored to identify misuse. |
| 2.2.4 | Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers. | HexaTier identifies all the administrators of the database, allowing you to restrict or delete access by systems that do not need access. Reports identify those with database access who are no longer using their privileges, allowing additional elimination of unnecessary functionality and database access. |
| 3.3 | Render PAN unreadable anywhere it is stored. | When any data from the database is accessed, HexaTier can ensure it is masked and therefore unreadable before any other system or user can access the data. |
| 3.4 | Render PAN unreadable anywhere it is stored. | When any data from the database is accessed, HexaTier can ensure it is masked and therefore unreadable before any other system or user can access the data. |
| 4.1 (partial) | Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over networks. | HexaTier allows only transmission of masked data to parties such as developers and testers who need to use the data or data formats for their roles, but who do not need to see the data in its entirety. HexaTier does not perform encryption. |
| 4.2 | Never send unprotected PANs by end-user messaging technologies. | HexaTier can ensure that certain types of apps never have access to the database. |
| 6.3 | Develop software applications in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. | HexaTier ensures that developers and testers are never exposed to private PCI-DSS data, and provides a layer of protection against SQLi. This provides an extra layer of protection on top of best practices in coding. |

| PCI DSS | Requirement | HexaTier capability |
| --- | --- | --- |
| 6.4 | Follow change control processes and procedures for all changes to system components. | Any and all changes to databases are recorded and any suspicious changes trigger alerts. Even authorized changes are recorded. Changes to users and privileges are also reported. Separation of duties capabilities are implemented as specified in 6.4.1. |
| 6.5.1 | Protect code against SQL injection. | HexaTier identifies and blocks suspicious cross-site scripting database requests. |
| 6.5.7 | Cross-site scripting (XSS) protection. | HexaTier identifies and blocks suspicious cross-site scripting database requests. |
| 7.1 | Limit access to system components and cardholder data to only those individuals whose job requires such access. | Separation of duties, data masking, and database firewall ensure that only authorized processes, users, and systems have access to PCI-DSS protected data. All database use is monitored and reported, so any suspicious access can be identified. |
| 7.1.1 | Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities. | HexaTier scans to identify all database users and their privileges, and provides configuration to ensure that every individual is limited to using only those capabilities necessary for their job. Changes to admin privileges are reported. |
| 7.1.2 | Assignment of privileges is based on individual personnel’s job classification and function. | HexaTier can assign database use privileges by group, or by individual. |
| 7.1.4 | Implementation of an automated access control system. | As a reverse proxy, HexaTier is an additional layer of access control for every aspect of database use. |
| 7.2.2 | Assignment of privileges to individuals based on job classification and function. | HexaTier can assign database use privileges by group, or by individual. |
| 7.2.3 | Develop software applications in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. | HexaTier ensures that developers and testers are never exposed to private PCI-DSS data, and provides a layer of protection against SQLi. This provides an extra layer of protection on top of best practices in coding. |
| 8.1 | Assign all users a unique ID before allowing them to access system components or cardholder data. | Only authorized users can make requests to the database. |
| 8.2 | Employ authentication methods | HexaTier can be set to require passwords and also identify that users are accessing the database only during appropriate times, from appropriate geographies, and from appropriate IP addresses. |

| PCI DSS | Requirement | HexaTier capability |
| --- | --- | --- |
| 8.5 | Ensure proper user identification and authentication management for nonconsumer users and administrators. | HexaTier identifies all administrators and systems with access to the database, and allows implementation of rules for access by these entities. |
| 8.5.1 | Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. | Full monitoring and alerts show when any users have been added to the system or when there have been changes to user privileges or IDs. Reporting shows all changes to admin privileges or users. |
| 8.5.5 | Remove/disable inactive user accounts at least every 90 days. | The system identifies users who have not been using their privileges for 90 days, allowing removal of non-active users. |
| 8.5.6 | Enable accounts used by vendors for remote access only during the time period needed. Monitor vendor remote access accounts when in use. | HexaTier can define rules for the period of time valid for any user’s access to the system. All activities performed on the database are monitored, and alerts of suspicious behavior can be triggered in real time. Full reporting provides information on all remote access. |
| 8.5.9 | Change user passwords at least every 90 days. | HexaTier reports show all users who have not changed passwords for the last 90 days. |
| 8.5.16 | Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators. | HexaTier provides full functionality to comply, including authentication of users, but also authentication every time any request is made to the database. |
| 10.1 | Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. | HexaTier is able to identify all users with admin and access privileges to databases. |
| 10.2 | Implement automated audit trails for all system components to reconstruct access to cardholder data, actions taken with root or admin privileges, access to audit trails, invalid access attempts, etc. | HexaTier has full audit trails of all access and attempted access to the database, and all actions taken on the database by any user. Audit information is stored on the HexaTier cloud and therefore is safe from tampering and has automated backups, even if any attempt was made to alter it. Auditing information stored on other databases can be protected by HexaTier, so that access to that data can also be tracked and audited. |

| PCI DSS | Requirement | HexaTier capability |
| --- | --- | --- |
| 10.3 | For every event, record user identification, type of event, date and time, success or fail, origin and affected data. | Full accounting of every action on the database is recorded. Because it works as a reverse proxy, HexaTier records every single event and all information related to the event. |
| 10.5 | Secure audit trails so they cannot be altered. | If audits are stored in a database, HexaTier can provide full protection, including prohibiting alteration of the records. HexaTier’s audit information is stored on the HexaTier cloud and is backed up for 12 months. |
| 10.7 | Retain audit trail for at least 1 year, with a minimum of 3 months immediately available. | HexaTier stores all audit information with full back up for 12 months or more according to your configuration. All data is immediately accessible through the reports engine. |
| 12.3.9 | Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use. | HexaTier implements rules for remote access only for authorized vendors, for specific time periods. |
| 12.3.10 | For personnel accessing cardholder data via remote-access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. | HexaTier can establish rules regarding under what circumstances data can be copied, to what kind of media, and by whom. |

HexaTier Compliance Reporting

The Inactive Database Users report shows all users who have not logged in for any length of time, letting you easily see which users are eligible for having their privileges revoked.

Relevant to PCI-DSS Requirement: 8.5.5, 12.5.4

The Database Users with Passwords that haven’t changed report shows users who have not changed their password in the past x number of days.

Relevant to PCI-DSS Requirement: 2.1, 8.5.9

Inactive Database Users

| Login Name | Login Create Date | Last Login |
| --- | --- | --- |
| Jesse | 01/04/11 | 1/4/2011 8:00 AM |
| KayKay | 12/04/11 | 1/3/2011 5:55 PM |
| Newton | 01/08/12 | 2/4/2013 5:07 PM |
| Amanda | 01/01/13 | 1/4/2013 10:22 AM |

Database Users with Passwords that never expire

| Login Name | Login Create Date | Last Password Update |
| --- | --- | --- |
| Daniel | 01/04/11 | 1/2/2014 8:00 AM |
| Danielle | 12/04/11 | 1/3/2014 5:55 PM |
| Ariel | 01/08/12 | 2/4/2014 5:07 PM |
| Yu | 05/12/12 | 9/4/2014 4:57 PM |
| Terry | 01/01/13 | 10/4/2014 10:22 AM |

Database Users with Passwords that haven’t changed in 90 Days

| Login Name | Login Create Date | Last Password Update |
| --- | --- | --- |
| Eli | 02/14/14 | 02/14/14 |
| Tim | 08/01/09 | 10/01/09 |
| Sue | 08/01/09 | 10/01/09 |

Changes in User Settings

Columns: Event Time, Username, Application Name, Action, Query, Affected User

Event Time: 5/22/2014 8:33 AM
Username: Amy
Action: GRANT Certificate Permissions (Transact-SQL)
Affected User: Ivan
Query: GRANT permission [ ,...n ] ON CERTIFICATE :: certificate_name TO principal [ ,...n ] [ WITH GRANT OPTION ] [ AS granting_principal ]

Event Time: 4/06/2014 7:21 PM
Username: Sven
Action: REVOKE Object Permissions (Transact-SQL)
Affected User: Nick
Query: REVOKE [ GRANT OPTION FOR ] <permission> [ ,...n ] ON [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ] { FROM | TO } <database_principal> [ ,...n ] [ CASCADE ] [ AS <database_principal> ]

Event Time: 2/28/2014 6:33 AM
Username: Brent
Action: DENY Schema Permissions (Transact-SQL)
Affected User: Joe
Query: DENY permission [ ,...n ] ON SCHEMA :: schema_name TO database_principal [ ,...n ] [ CASCADE ] [ AS denying_principal ]

Event Time: 5/19/2014 4:53 AM
Username: Amy
Action: REVOKE Certificate Permissions (Transact-SQL)
Affected User: Ivan
Query: REVOKE [ GRANT OPTION FOR ] permission [ ,...n ] ON CERTIFICATE :: certificate_name { TO | FROM } database_principal [ ,...n ] [ CASCADE ] [ AS revoking_principal ]

Application Name entries in this report: SAP, Dynamic CRM

Changes in User Settings displays all queries that attempted to create, modify or delete any user settings during a specific time period.

Relevant to PCI-DSS Requirement: 2.1, 8.5.1, 10.2

Changes in User Access rights displays all queries that attempted to create, modify or delete any user privileges during a specific time period. This report includes changes made by the user after his rights were changed.

Relevant to PCI-DSS Requirement: 2.1, 8.5.1, 10.2

Changes in User Access Rights (Part 1)

Columns: Event Time, Username, Application Name, Action, Query, Affected User, Queries Run after Changed Right

Event Time: 5/22/2014 8:33 AM
Username: Gary
Action: GRANT Certificate Permissions (Transact-SQL)
Affected User: Ned
Query: GRANT <permission> [ ,...n ] TO <database_principal> [ ,...n ] [ WITH GRANT OPTION ] [ AS <database_principal> ]

Event Time: 5/19/2014 4:53 AM
Username: Eric
Action: GRANT Certificate Permissions (Transact-SQL)
Affected User: Kim
Query: GRANT permission [ ,...n ] ON SCHEMA :: schema_name TO database_principal [ ,...n ] [ WITH GRANT OPTION ] [ AS granting_principal ]

Event Time: 4/06/2014 7:21 PM
Username: Gary
Action: DENY Full-Text Permissions (Transact-SQL)
Affected User: Lou
Query: DENY permission [ ,...n ] ON FULLTEXT { CATALOG :: full-text_catalog_name | STOPLIST :: full-text_stoplist_name } TO database_principal [ ,...n ] [ CASCADE ] [ AS denying_principal ]

Event Time: 2/28/2014 6:33 AM
Username: Joe
Action: REVOKE Object Permissions (Transact-SQL)
Affected User: Dave
Query: REVOKE [ GRANT OPTION FOR ] <permission> [ ,...n ] ON [ OBJECT :: ][ schema_name ]. object_name [ ( column [ ,...n ] ) ] { FROM | TO } <database_principal> [ ,...n ] [ CASCADE ] [ AS <database_principal> ]

Changes in User Access Rights (Part 2: Queries run after changes to User Access Rights)

| Login Name | Query Run | Date of Query |
| --- | --- | --- |
| Ava | SELECT * from credit_cards WHERE (concat(year,'-', month, '-01') < CURDATE()) | 4/23/2014 |
| Tom | select patient_id,max(month(RECEIVED_DATE)) AS Mnth, max(year(RECEIVED_DATE)) AS Yr, ACCESSION_DAILY_KEY | 4/05/2014 |
| Ava | SELECT * FROM credit_cards WHERE month = MONTH(CURDATE()) AND year = YEAR(CURDATE()) | 4/23/2014 |

Database Users with Administration Privileges

| Login Name | Login Create Date | System Administrator |
| --- | --- | --- |
| Eli | 05/14/14 | YES |
| Tim | 05/08/14 | YES |
| Sue | 04/27/14 | YES |
| Mia | 04/27/14 | NO |

This report displays all queries made by the user after his rights were changed.

Relevant to PCI-DSS Requirement: 2.1, 8.5.1, 10.2

Database Users with Administration Privileges provides a complete list of all database users with administrative privileges.

Relevant to PCI-DSS Requirement: 1.1.4, 7.1, 7.1.1, 7.1.2, 7.1.4, 7.2.2, 8.1, 8.2, 8.5, 8.5.1, 8.5.6

The Latest Database Administrator Logins report displays all the administrative logins that occurred in the past 7 days.

Relevant to PCI-DSS Requirement: 8.5

The Latest Database Administrator Actions report displays all administrative actions that occurred in the last seven days.

Relevant to PCI-DSS Requirement: 1.2.3, 6.4, 8.51, 8.5.6, 10.1, 10.2, 10.3, 10.7, 12.3.10

Latest Database Administrator Logins

| Login Name | Login Date & Time | Originating IP | Application Name |
| --- | --- | --- | --- |
| Sue | 5/19/2014 11:53 AM | 206.196.115.38 | SAP |
| Tim | 5/12/2014 4:01 AM | 41.206.12.7 | |
| Tim | 5/11/2014 2:37 AM | 41.206.1.1 | Dynamic CRM |

Latest Database Administrator Actions

| Login Name | Login Date & Time | Originating IP | Application Name | Database Name | Action (query) |
| --- | --- | --- | --- | --- | --- |
| Jim | 5/19/2014 11:53 AM | 216.27.61.137 | | Northwind | SELECT EMP_ID, LAST_NAME FROM EMPLOYEE_TBL WHERE EMP_ID = '333333333' |
| Amy | 5/11/2014 2:37 AM | 255.255.0.0 | | Northwind | SELECT * FROM shop WHERE price IN (SELECT MAX(price) FROM shop GROUP BY article); |
| Alex | 5/10/2014 8:37 PM | 122.140.201.66 | | Northwind | SELECT * FROM PRODUCTS ORDER BY PRICE DESC LIMIT 0,1 |
| Mia | 5/12/2014 4:01 AM | 172.16.81.100 | | | select name from ids left join tokens on ids.eid = tokens.eid |

Conclusions

When it comes to protecting patient records, the closer you get to the record itself, the better your protection is. Database protection like HexaTier doesn’t just protect the access to data; it protects the data itself. Each and every database request needs to go through HexaTier before it touches your database. This methodology provides the closest protection possible, in real-time.

This paper gives a specific breakdown of each of the PCI-DSS regulations where HexaTier is relevant for your organization, so you know exactly what coverage you get, and you can show an auditor the specifics of your PCI-DSS compliance. Best of all, these functions are provided out-of-the-box, with minimal installation time and absolutely no changes needed on your network.

HexaTier UDS provides 4 lines of coverage:

- Database Firewall using a reverse proxy that intercepts each and every command and access to the database, analyzing the specific commands and making sure every single command is valid, issued by the proper user and permissible. Separation of duties is available, to define different levels of access for different individuals and groups. The granular definitions allow assigning permissions at the level of specific tables and columns.
- Auditing is available in real-time as well as in retrospect. Not only can you know exactly who has accessed the databases and in what capacity, you can receive alerts of any suspicious behavior in real-time and prevent unauthorized access. In cases of suspicious behavior, you will know immediately instead of at the time of a scheduled audit.
- Data masking means that developers, contractors and testers can use a fully-functioning production database, without actually seeing the real data. Masked data performs as real data without any of the exposure risks of real data. Masking makes it possible to grant full access to DBAs without compromising privacy.
- Reports provide accounting of security threats that were prevented and insight into the activity on your databases. A flexible reports generator allows you to offer your staff, auditors and administrators exactly the reports needed. Built-in reports are appropriate for HIPAA and other types of auditors.
