#9: Set up strong user authentication and password controls
Establishing strong user authentication and password management controls is a critical aspect of any security program and a major requirement for meeting PCI DSS compliance. Safeguard provides the core functionality necessary to do this, and additional tools are available for extended capabilities and advanced requirements.
Requirement 8 of PCI DSS deals with user identification and password management and is a useful guide even if you’re not subject to PCI compliance—let’s use it as a framework for discussion.
PCI DSS 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data.
Providing each user with a unique userid establishes individual accountability within the system. While Safeguard provides the ability to add new users with unique userids, it also has certain privileged userids (e.g., SUPER.SUPER) that by default allow shared access (i.e., no individual accountability). To fully meet this PCI requirement and ensure individual accountability for all users, consider an add-on security solution. For example, XYGATE Access Control (XAC) can be deployed to grant users role-based access via their own, unique userids while granting and auditing privileged access. Furthermore, XAC can be used to allow an individual user to perform only a restricted subset of what SUPER.SUPER is allowed to do.
PCI DSS 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
Passwords are the most common method for authenticating a user, and Safeguard has standard support for them and also has password management controls (more on that later). To simplify user management or improve user experience, many companies choose to integrate aspects of NonStop user authentication with an enterprise service such as Active Directory. One way to do this is through XYGATE User Authentication (XUA), which has an LDAP interface for the NonStop. XUA enables companies to use enterprise services, reduce password management overhead and improve users’ experience.
PCI DSS 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
It is widely accepted that usernames and passwords alone do not provide sufficiently strong authentication—and this is particularly true when it comes to authenticating users from outside the network. To address this security concern, two-factor (a.k.a., multi-factor) authentication has been developed and is required by PCI for remote access.
A common approach for second-factor authentication is the use of a token device, like RSA SecurID. Support for this capability is available through add-on solutions such as XUA. XUA provides additional logon controls beyond what is available through Safeguard, and supports authentication using RSA SecurID.
PCI DSS 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
Protecting passwords during transmission is accomplished by using the secure communications capabilities that are part of the NonStop operating system (SSL or SSH).
To protect stored passwords, Safeguard should be configured to encrypt passwords using the most secure algorithm:
- PASSWORD-ENCRYPT = ON
- PASSWORD-ALGORITHM = HMAC256
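As an added example (not code from the original post, and not a XYPRO or HPE tool), here is a small Python check that scans a captured SAFECOM attribute listing for the two settings above and reports any deviation. The sample text is constructed; the exact layout of real `INFO SAFEGUARD` output and the weak value `DES` in the sample are assumptions, so adjust the regex if your capture looks different.

```python
import re

# Constructed samples in the "NAME = VALUE" style SAFECOM uses for attribute
# listings (layout and weak values assumed for illustration).
SAMPLE_WEAK = """\
PASSWORD-ENCRYPT = OFF        PASSWORD-ALGORITHM = DES
PASSWORD-MINIMUM-LENGTH = 0
"""

SAMPLE_STRONG = """\
PASSWORD-ENCRYPT = ON         PASSWORD-ALGORITHM = HMAC256
PASSWORD-MINIMUM-LENGTH = 7
"""

# The settings PCI DSS 8.4 needs for passwords stored by Safeguard.
REQUIRED = {
    "PASSWORD-ENCRYPT": "ON",
    "PASSWORD-ALGORITHM": "HMAC256",
}

# Attribute names are upper-case with hyphens; several pairs may share a line.
ATTR_RE = re.compile(r"([A-Z][A-Z0-9-]+)\s*=\s*(\S+)")


def parse_attributes(text):
    """Return {NAME: VALUE} for every NAME = VALUE pair found in the text."""
    attrs = {}
    for line in text.splitlines():
        for name, value in ATTR_RE.findall(line):
            attrs[name] = value.upper()
    return attrs


def check_password_storage(text):
    """Return a list of findings; an empty list means both settings are correct."""
    attrs = parse_attributes(text)
    findings = []
    for name, expected in REQUIRED.items():
        actual = attrs.get(name)
        if actual is None:
            findings.append(f"{name} not present in output; expected {expected}")
        elif actual != expected:
            findings.append(f"{name} = {actual}; expected {expected}")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, check_password_storage(sample) or "OK")
```

A missing attribute is reported as a finding rather than silently passing, so a truncated capture cannot look compliant.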
PCI DSS 8.5: Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows: (subparts 8.5.1 – 8.5.16)
Requirement 8.5 actually has 16 sub-parts relating to different aspects of user identification, authentication and password management. Generally, Safeguard provides the necessary tools to control userids and manage passwords, but there are a couple of key gaps that need to be addressed.
Firstly, the password reset process must be strengthened. While Safeguard allows the reset of user passwords (or this might be done through an enterprise service), PCI 8.5.2 requires that a user’s identity be verified before the reset. To meet this requirement, a company must implement some process or mechanism to confirm identity when a reset is requested. One way to achieve this verification is through XYPRO solutions, which can present a user-specific challenge question to the Help Desk along with the expected answer that the user requesting the reset should provide. Furthermore, Safeguard password changes are always local. To do network password changes, NonStop customers will need an add-on product like XYGATE Password Quality (XPQ).
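The identity check described above, as an added Python example (not XYPRO's or Safeguard's code): a variant of the challenge-question flow in which the Help Desk agent types the caller's response into the tool and the tool compares it against a stored hash, so the expected answer is never displayed to the agent. The question text, answer, and three-attempt limit are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

MAX_ATTEMPTS = 3          # constructed limit before the record refuses further checks
PBKDF2_ROUNDS = 100_000   # keeps a leaked answer hash slow to brute-force


def normalize(answer):
    """Case-fold and collapse whitespace so 'Fluffy ' and 'fluffy' compare equal."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(question, answer):
    """Store the question and a salted hash of the answer; the answer itself is not kept."""
    salt = os.urandom(16)
    return {"question": question, "salt": salt, "digest": _digest(answer, salt), "attempts": 0}


def verify_identity(record, given_answer):
    """True only if the caller's answer matches; counts and caps failed attempts."""
    if record["attempts"] >= MAX_ATTEMPTS:
        return False                      # too many failures: escalate out of band
    record["attempts"] += 1
    ok = hmac.compare_digest(_digest(given_answer, record["salt"]), record["digest"])
    if ok:
        record["attempts"] = 0
    return ok


def issue_reset_ticket(record, given_answer):
    """Help Desk entry point: returns a one-time ticket on success, None otherwise."""
    if not verify_identity(record, given_answer):
        return None
    return secrets.token_urlsafe(24)      # hypothetical ticket consumed by the reset step


if __name__ == "__main__":
    rec = enroll("Name of your first pet?", "Fluffy")   # constructed enrolment
    print(rec["question"])
    print("ticket:", issue_reset_ticket(rec, " fluffy "))
    print("ticket:", issue_reset_ticket(rec, "Rex"))
```

The agent sees only the question; the attempt counter and the constant-time comparison prevent an attacker on the phone from guessing freely or learning anything from timing.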
Secondly, the session timeout process must be hardened. PCI 8.5.15 requires re-authentication if a session has been idle for more than 15 minutes. However, NonStop’s native timeout mechanism (TACL configuration) can only timeout a session if the user is at a TACL prompt and users can easily bypass this. XYPRO’s XAC solution solves this problem by forcing timeout of XAC-controlled sessions whether at a TACL prompt or within a utility.
Lastly, many of the aspects of PCI DSS 8.5 fall into the general area of user and password administration—ensuring a strong password format, enforcing password changes, removing inactive/terminated users, failed attempt lockout and duration, etc.—and Safeguard has the ability to do this. However, depending on the number of users, the management overhead for this administration may be high and tools have been developed to assist. For example, XPQ provides password management capabilities which strengthen security while easing administrative effort.
So that’s #9 on our list—set up strong user authentication and password controls. Do you agree/disagree? Let us know what you think.
In our next post, we’ll discuss NonStop Security Fundamental #8.
For more information or help: More in-depth information and guidance on these security subjects are available in XYPRO’s NonStop security handbooks: HPE NonStop Server Security: A Practical Handbook and Securing HPE NonStop Servers in an Open Systems World: TCP/IP, OSS and SQL. PCI information can be found at: https://www.pcisecuritystandards.org/index.php
You may also contact XYPRO for assistance. For over 30 years, XYPRO has provided NonStop security solutions and services that help companies protect their NonStop systems and comply with industry regulations (such as PCI DSS, HIPAA, and SOX).