PCI
Consumers, trading partners, regulators, legislators and shareholders are all demanding that any organization which accepts credit card payments comply with the credit card industry’s PCI DSS (Payment Card Industry Data Security Standard). Companies that fail to protect consumer data stand to lose millions of dollars in fines, lost sales, reduced shareholder value and squandered customer confidence.
While most organizations realize PCI is a business requirement, few realize that the key to compliance lies in doing a good job of everyday systems management. That is because compliance is not an event but a process, one that requires gathering, tracking and analyzing a vast amount of information that changes frequently. If a company does a good job of automating, standardizing and monitoring systems configuration, change management and access control, it can comply not only with the PCI data security requirements but with other critical regulations – and do a more cost-effective job of meeting its service-level agreements for application performance and reliability.
How BladeLogic Helps Organizations Meet Key PCI Requirements
BladeLogic Operations Manager enables system administrators charged with PCI compliance to automatically make the system-level and system-wide configuration changes the standard requires, to audit systems so they do not drift out of compliance, and to automatically (wherever possible) remediate unauthorized or non-compliant changes. Specifically, BladeLogic Operations Manager allows IT organizations to meet key PCI requirements, such as:
Build and Maintain a Secure Network
• BladeLogic Operations Manager supports Network Address Translation, which meets PCI DSS requirements that internal IP (Internet Protocol) addresses be changed so they are not visible to potential hackers on the Internet.
• The PCI DSS requires that organizations change the vendor-supplied defaults for system passwords and other security parameters. BladeLogic Operations Manager can be used to automate account creation, including password randomization, and to require that passwords be changed when a user first logs in.
• BladeLogic Operations Manager scans systems to ensure they meet the PCI DSS requirement that only one primary function (such as Web or database service) be implemented on each server. It also checks servers to ensure that unnecessary and insecure services, scripts, drivers, features and protocols are disabled, and generates reports on the number and type of services and other processes running on each server. It also ships with templates for standard security baselines, such as those from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), which can be used as is or customized.
• Per PCI DSS requirements, BladeLogic Operations Manager audits all administrative functions such as SSH/Telnet/Term Services to ensure they are encrypted, and generates reports listing all servers running non-encrypted protocols.
Maintain a Vulnerability Management Program
• The PCI DSS requires that organizations use and regularly update antivirus software. BladeLogic Operations Manager can be used to package and deploy antivirus software, to detect and remediate servers whose antivirus protection is not current, and to generate reports on which servers are out of compliance with antivirus policies.
• The PCI DSS also requires companies processing credit card transactions to develop and maintain secure systems and applications. BladeLogic Operations Manager can scan all of an organization’s systems against a vendor-supplied or custom list of patches; automatically download, deploy and verify the deployment of those patches; and generate reports on adherence to patch policies.
• BladeLogic’s patented packaging technology is an XML-based set of instructions that can be used to easily roll back software or packages that have been deployed into production and later found to be vulnerable. It can also generate reports that help ensure only secure applications are in production, and help identify and remove vulnerable applications.
• BladeLogic Operations Manager’s role-based access control also helps enforce the separation of duties between development/test and production environments by controlling which administrators can make changes on which systems. It can also be used to meet other PCI DSS requirements such as the removal of test data and accounts before applications go into production, and in some cases to find custom accounts, user names and passwords which PCI DSS requires be removed from applications before they go active.
Restrict Access to Data on the Basis of a Business Need-to-Know
• With the extremely granular role-based access control provided by BladeLogic Operations Manager, administrators can access or configure only the systems to which they require access. It can also provide detailed reports on which personnel had access to computing resources and cardholder information.
• BladeLogic Operations Manager can simultaneously remove account access on all managed systems, detect and disable or remove inactive accounts, and automatically grant and revoke access for outsiders (such as contractors) at scheduled times.
Assign a Unique ID To Each Person Who Has Computer Access
• BladeLogic Operations Manager can be used to automate account creation, including password randomization, and to require that passwords be changed when a user first logs in. Its audit capability can monitor, enforce and report on PCI DSS requirements that passwords be changed at least every 90 days, as well as requirements that passwords be made up of both numeric and alphabetic characters.
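The two password rules this item cites (rotation at least every 90 days, both numeric and alphabetic characters) are simple enough to audit from a server’s own account database. The following is an added example, not BladeLogic code: it reads constructed /etc/shadow-style records, skips locked or password-less accounts, treats a last-change value of 0 as a pending forced change rather than a stale password, and reports per-user findings.

```python
"""Audit UNIX shadow records against the PCI DSS password-aging rule (90 days)."""
from dataclasses import dataclass

MAX_PASSWORD_AGE_DAYS = 90  # PCI DSS: passwords must change at least every 90 days


@dataclass
class ShadowEntry:
    user: str
    lastchg: int  # days since 1970-01-01 of the last password change (0 = change at next login)
    maxdays: int  # system-enforced maximum age; 99999 or empty means aging is disabled


def parse_shadow(text: str) -> list[ShadowEntry]:
    """Parse name:hash:lastchg:min:max:warn:inactive:expire:flag lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 5 or f[1] in ("", "*", "!", "!!"):
            continue  # locked or password-less account: not an interactive login
        entries.append(ShadowEntry(f[0], int(f[2] or 0), int(f[4] or 99999)))
    return entries


def audit_password_aging(entries: list[ShadowEntry], today_days: int) -> dict[str, list[str]]:
    """Return findings keyed by user name; an empty dict means every account complies."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        f = []
        if e.maxdays > MAX_PASSWORD_AGE_DAYS:
            f.append(f"system max age {e.maxdays}d exceeds {MAX_PASSWORD_AGE_DAYS}d")
        # lastchg == 0 forces a change at next login, so the password is not stale
        if e.lastchg and today_days - e.lastchg > MAX_PASSWORD_AGE_DAYS:
            f.append(f"password last changed {today_days - e.lastchg}d ago")
        if f:
            findings[e.user] = f
    return findings


def meets_composition(password: str) -> bool:
    """Composition rule cited above: at least one digit and one letter."""
    return any(c.isdigit() for c in password) and any(c.isalpha() for c in password)


# Constructed sample records (hashes abbreviated); "today" is day 19800 since the epoch.
SAMPLE_SHADOW = """\
root:$6$abc:19700:0:99999:7:::
dba:$6$def:19600:0:90:7:::
webadm:$6$ghi:19750:0:60:7:::
svc:$6$jkl:0:0:90:7:::
daemon:*:19000:0:99999:7:::
"""
SAMPLE_TODAY = 19800
```

Running `audit_password_aging(parse_shadow(SAMPLE_SHADOW), SAMPLE_TODAY)` flags root (aging disabled and stale) and dba (stale), and leaves webadm and the force-change svc account clean.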
Regularly Monitor and Test Networks
• BladeLogic Operations Manager can generate comprehensive reports of system access by individual users, showing which specific changes each user made. It can also track, per user and administrator, attempts to access data, change system configurations, create or delete system-level objects, view audit trails or log in to the system. These capabilities rest on its configuration object dictionary, which provides a common vocabulary for configuration items and so allows real-time, granular management of configurations across platforms.
Maintain an Information Security Policy
• BladeLogic Operations Manager enables the creation of system build policies that comply with best practices, and audits that report on compliance with defined system build and security policies. It can also be used to audit and enforce system and software policies covering the logging of user identification, events, dates and times, success or failure, origination of event and affected resource.