GateKeeper for PCI

The PCI Kit

  • Reymann Group: PCI Self-Certifications Just Got Easier!
  • Forrester: The Top 10 Things You Should Know About PCI Compliance
  • Aberdeen: Protecting Card Holder Data
  • Xceedium: PCI Compliance - Technical Note

The Xceedium GateKeeper solution automates key requirements for PCI and provides a cost-effective way for companies to implement a PCI compliance strategy that works with new or legacy infrastructure. The Xceedium GateKeeper enforces and automates compliance controls by: providing authentication of privileged users accessing systems containing card data; controlling and encrypting access to systems containing card data; enabling user containment and risk prevention; tracking and monitoring privileged user activity; delivering centralized reporting to validate compliance; and alerting for security violations. The appliance works with new and legacy point of sale systems to encrypt the entire infrastructure, including clear text protocols.

Snapshot: Xceedium Solves PCI DSS

Each of the PCI DSS's 12 main requirements has several sub-conditions that further set the parameters for meeting that requirement. The Xceedium GateKeeper fully, partially or indirectly supports a significant portion of seven of these 12 Requirements.

The Xceedium GateKeeper Offers a Comprehensive Solution for Addressing the Top Technology Challenges for Achieving PCI Compliance, Including:

Requirements 2 and 8
Providing privileged user accountability for all access to systems that store and process/transmit card data

  • Local strong passwords on the GateKeeper
  • GateKeeper adds a layer of authentication
  • Adds accountability and unique IDs to user access for shared accounts
  • Supports Active Directory, OpenLDAP, Radius and PKI/CAC

The Xceedium GateKeeper adds accountability and unique login IDs for access to systems that may otherwise rely on shared administrative accounts or login IDs. It also brings access accountability, unique login IDs and encryption to all interactive connections, including serial and KVM console connections. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Xceedium GateKeeper also integrates with existing identity management (IM) solutions such as Active Directory, OpenLDAP, Radius and PKI/CAC, and with endpoint security solutions.

Requirement 4
Encrypting transmitted card data for legacy systems

  • Dual layer encryption (legacy clear text protocol conversion)
  • Centralized SSL encryption for all access methods
  • Integrated Java access applets

Using a reverse port forwarding access methodology, the Xceedium GateKeeper enables granular compartmentalization for each user at the device, system, port and application level, as well as centralized SSL encryption for all access methods. The Xceedium GateKeeper provides dual layer encryption, a simple and unobtrusive way to phase out unencrypted client-side access to legacy systems (e.g. legacy POS systems). It can also provide clear text protocol conversion if required by the customer (e.g. SSH-to-Telnet).

Requirement 6
Provide separation of duties for privileged user infrastructure access

  • Application isolation
  • Separation of system and infrastructure environments
  • Containment to specific environments and applications

The Xceedium GateKeeper provides separation of duties and protects critical systems from unauthorized access because users have no visibility of systems or environments they are not authorized for. Additionally, its patent-pending LeapFrog Prevention technology prevents privileged and external users who have been contained to one of these duties from using their higher authorization levels to move into environments outside their assigned areas.

Requirement 7
Controlling logical access to systems containing card data

  • Access control using Deny All Permit Exception (DAPE) access provisioning
  • Containment (LeapFrog Prevention™, Application isolation)

The Xceedium GateKeeper addresses Requirement 7 through its Deny All Permit Exception (DAPE) or whitelisting security model. This allows customers to provision and authorize system access for technical users based on the principle of least privilege. The DAPE model is essentially the reverse of the access provisioning model commonly found in standard VPN solutions, in which the default is to permit all and deny based on exceptions.

With a VPN solution, regardless of whether it is a SSL or IPSec protocol, this access model typically has a predefined encrypted domain and a default access policy that gives a VPN user full accessibility to all the resources inside that encrypted domain. In order to restrict a particular VPN user to reduce his or her authorized resources, exceptions in the form of rules or nested access policies must be created to block that user from all unauthorized resources within the encrypted domain.

Conversely, in the DAPE model, each user or group account starts with no access or visibility to the entire infrastructure. In order for a user to have access to specific resources on the network, an exception is created to give highly granular resource access permission to an individual user or group of users with visibility to only that explicit resource.
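As an added illustration, not code from the original page or from Xceedium, the two provisioning models compared above evaluated side by side in Python. Users, groups, hosts and the rule shapes are constructed for the example; the product's own rule syntax is not shown on this page. The same intent (the POS technician must not reach the card-data database) is written once as a VPN-style deny exception inside a permit-all domain and once as DAPE permit exceptions, and the example then asks what else each user can reach and what happens when a host nobody has written a rule for is added.

```python
"""Permit-all-deny-exception (VPN style) versus deny-all-permit-exception (DAPE).

Constructed example: users, groups, hosts and rule shapes are hypothetical and
do not reproduce any vendor's configuration format.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    host: str
    port: int
    protocol: str


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


@dataclass
class PermitAllPolicy:
    """VPN model: everything inside the encrypted domain is reachable unless a
    deny rule for this user or one of their groups matches the host."""
    domain_prefix: str                               # e.g. "10.20." (constructed)
    deny_rules: list = field(default_factory=list)   # (principal, host)

    def allowed(self, user: User, res: Resource) -> bool:
        if not res.host.startswith(self.domain_prefix):
            return False
        principals = {user.name, *user.groups}
        return not any(p in principals and h == res.host for p, h in self.deny_rules)


@dataclass
class DapePolicy:
    """DAPE model: nothing is reachable unless an exception names this user or
    group together with the exact host, port and protocol."""
    exceptions: list = field(default_factory=list)   # (principal, host, port, protocol)

    def allowed(self, user: User, res: Resource) -> bool:
        principals = {user.name, *user.groups}
        return any(
            p in principals and h == res.host and port == res.port and proto == res.protocol
            for p, h, port, proto in self.exceptions
        )


# Constructed inventory: two card-data systems and one unrelated server.
INVENTORY = [
    Resource("10.20.1.10", 22, "ssh"),      # card-data database host
    Resource("10.20.1.20", 23, "telnet"),   # legacy POS controller
    Resource("10.20.2.5", 3389, "rdp"),     # file server, no card data
]
DBA = User("alice", frozenset({"dba"}))
POS_TECH = User("bob", frozenset({"pos-support"}))

# The same intent expressed both ways: the POS technician must not reach the database.
VPN_POLICY = PermitAllPolicy(domain_prefix="10.20.", deny_rules=[("pos-support", "10.20.1.10")])
DAPE_POLICY = DapePolicy(exceptions=[
    ("dba", "10.20.1.10", 22, "ssh"),
    ("pos-support", "10.20.1.20", 23, "telnet"),
])


def reachable(policy, user: User, inventory=INVENTORY):
    """Sorted 'host:port' strings the user can reach under the policy."""
    return sorted(f"{r.host}:{r.port}" for r in inventory if policy.allowed(user, r))


def exposure_of_new_host(policy, user: User, new_host: Resource) -> bool:
    """Whether a host nobody has written a rule for is reachable: the practical
    difference between the two models when the cardholder environment grows."""
    return policy.allowed(user, new_host)


if __name__ == "__main__":
    for label, policy in (("permit-all", VPN_POLICY), ("DAPE", DAPE_POLICY)):
        for u in (DBA, POS_TECH):
            print(f"{label:10} {u.name:6} -> {reachable(policy, u)}")
    unplanned = Resource("10.20.1.30", 22, "ssh")   # new card-data host, no rule yet
    print("new host reachable by bob: permit-all =",
          exposure_of_new_host(VPN_POLICY, POS_TECH, unplanned),
          "DAPE =", exposure_of_new_host(DAPE_POLICY, POS_TECH, unplanned))
```

Under the permit-all policy the single deny rule does its job, but the technician still reaches the file server and the DBA still reaches the POS controller, and the unplanned host is reachable by everyone until someone remembers to write a deny rule for it. Under DAPE each user sees only the one resource named in their exception, and the new host is invisible until an exception is deliberately created.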

Xceedium's patent-pending LeapFrog Prevention technology detects and prevents violations of the access security policy with a violations model that lets administrators define commands and keywords that are prohibited from use (as a white list or a black list). If a particular action is a violation, Xceedium GateKeeper prevents it from being completed and issues real-time alerts. Additionally, LeapFrog Prevention socket filter technology enables the Xceedium GateKeeper to monitor and enforce policy at the socket layer, as well as prevent and track all user violations. When a user attempts to open a socket to another device or server on the network using interactive protocols or commands, GateKeeper blocks use of the protocol to prevent "leap-frogging" to other devices. LeapFrog Prevention technology is available for Windows, Linux, Solaris, AIX and all network devices/appliances.
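The following is an added example, not Xceedium's code and not the product's rule syntax, showing the shape of the two controls just described as they would be applied to a proxied interactive session: a prohibited-command check that can run in white-list or black-list mode, and a leap-frog check that blocks commands opening a new interactive connection to a host outside the user's assigned area, emitting a syslog-style alert line for each block. Users, host names, the list of interactive tools and the session lines are all constructed for the example.

```python
"""Containment policy check for a proxied interactive session (constructed example).

Models two controls: prohibited commands/keywords (white-list or black-list mode)
and blocking of new interactive connections to hosts outside the user's assigned
area ("leap-frogging").  Users, hosts, tool lists and session lines are
constructed; no vendor rule format is reproduced.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Tools that open an interactive socket to another host (constructed, partial list).
INTERACTIVE_TOOLS = {"ssh", "telnet", "rlogin", "nc", "ncat"}
# Options of those tools that consume the following argument (constructed, partial).
OPTIONS_WITH_VALUE = {"-p", "-l", "-i", "-o", "-e"}


@dataclass(frozen=True)
class Decision:
    line: str
    action: str    # "allow" or "block"
    reason: str


@dataclass(frozen=True)
class ContainmentPolicy:
    user: str
    assigned_hosts: frozenset                    # hosts reachable from this session
    blocked_keywords: frozenset = frozenset()    # black-list mode
    allowed_commands: Optional[frozenset] = None  # white-list mode when set

    def evaluate(self, line: str) -> Decision:
        try:
            argv = shlex.split(line)
        except ValueError:
            # Unbalanced quotes etc.: fail closed rather than guess at intent.
            return Decision(line, "block", "unparseable command line")
        if not argv:
            return Decision(line, "allow", "empty line")
        cmd = argv[0].rsplit("/", 1)[-1]         # "/usr/bin/ssh" -> "ssh"
        if self.allowed_commands is not None and cmd not in self.allowed_commands:
            return Decision(line, "block", f"'{cmd}' is not on the white list")
        hit = next((kw for kw in sorted(self.blocked_keywords) if kw in argv), None)
        if hit:
            return Decision(line, "block", f"prohibited keyword '{hit}'")
        if cmd in INTERACTIVE_TOOLS:
            target = _target_host(argv[1:])
            if target and target not in self.assigned_hosts:
                return Decision(line, "block",
                                f"leap-frog attempt from contained session to {target}")
        return Decision(line, "allow", "within policy")


def _target_host(args) -> Optional[str]:
    """First positional argument of a connection tool, with any user@ prefix removed."""
    skip = False
    for arg in args:
        if skip:
            skip = False
            continue
        if arg in OPTIONS_WITH_VALUE:
            skip = True
            continue
        if arg.startswith("-"):
            continue
        return arg.rsplit("@", 1)[-1]
    return None


def audit_session(policy: ContainmentPolicy, lines):
    """Evaluate each keystroke line; return the decisions and syslog-style alert strings."""
    decisions = [policy.evaluate(line) for line in lines]
    alerts = [
        f'gatekeeper-policy: user={policy.user} action=block reason="{d.reason}" cmd="{d.line}"'
        for d in decisions if d.action == "block"
    ]
    return decisions, alerts


# Constructed session of a POS support technician contained to one controller.
POLICY = ContainmentPolicy(
    user="bob",
    assigned_hosts=frozenset({"pos-ctrl-01"}),
    blocked_keywords=frozenset({"rm", "shutdown"}),
)
SESSION = [
    "tail -n 50 /var/log/pos/transactions.log",
    "ssh admin@pos-ctrl-01",          # within the assigned area: allowed
    "ssh -p 2222 admin@card-db-01",   # hop outside the assigned area: blocked
    "telnet card-db-01 23",           # same, over a clear text protocol
    "sudo rm -rf /var/log/pos",       # prohibited keyword
]

if __name__ == "__main__":
    decisions, alerts = audit_session(POLICY, SESSION)
    for d in decisions:
        print(f"{d.action:5} | {d.line:40} | {d.reason}")
    print("\n".join(alerts))
```

The keyword check matches whole argv tokens rather than substrings, so a black-listed `rm` does not fire on a file name such as `transactions.log`; the leap-frog check keys on the tool name and its first positional argument, which is why a real socket-layer filter, as the page describes, is the stronger control: it catches connections opened by tools that are not on any list.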

Requirement 10
Tracking and monitoring privileged user access to network devices and systems with cardholder data

  • Provide complete logging and tracking of privileged users – ingress/egress command filtering
  • Provide full session recording
  • Real-time monitoring, alerting/remediation – ingress/egress command filtering
  • Comprehensive centralized reporting

To meet the PCI monitoring requirements, Xceedium GateKeeper provides an end-to-end view of privileged user activity at all levels, including the command line, and a complete audit trail that spans the many components, systems and artificial boundaries established in the enterprise. The Xceedium GateKeeper also delivers real-time alerting and remediation. Keystroke logging and full CLI session recording ensure that all user activity is tracked, including the date and time the user logged into a specific device and the access method used. The duration and content of each session are logged and recorded for both in-band and out-of-band sessions. Xceedium GateKeeper supports Syslog and full file playback for session recording data storage.

Finally (and perhaps, most critically) Xceedium provides easy-to-produce reports that assist companies in validating that they have met PCI compliance requirements. These centralized reports deliver information on individuals, groups, devices, protocols, violations, etc. and are combined with flexible filtering to make it possible to easily produce the comprehensive audit reports needed to satisfy PCI compliance requirements.

Requirement 12
Maintain a policy that addresses information security for employees and contractors

  • Enforcement of access security policy for the entire infrastructure
  • Automated testing of access controls
  • Real time alerting/remediation

The GateKeeper addresses the above items within Requirement 12 by providing active security policy enforcement and authorization. Through its containment (LeapFrog Prevention™) and application isolation technology, the Xceedium GateKeeper acts as a central point of access policy creation and enforcement for all technical users. It also provides centralized, comprehensive compliance reporting to validate security controls.
