PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS) VERSION 3.1 COMPLIANCE

Author: Estella Carr

Bomgar offers secure remote support solutions that enable organizations to be compliant with PCI DSS requirements.

INTRODUCTION

This document examines how the Bomgar Remote Support Solution aligns with the requirements outlined in the Payment Card Industry Data Security Standard (PCI DSS) version 3.1. This document should be used as a guide and not a validation of the Bomgar solution with the PCI DSS standard. No single software product can ensure or implement “PCI compliance” for any enterprise. Nor is any software product in itself “PCI compliant.” Compliance to the PCI Data Security Standard (DSS) requires a combination of business practices, personnel management, physical restrictions, and software tools. Nevertheless, specific provisions contained in the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures Version 3.1 document of the PCI Security Standards Council LLC, https://www.pcisecuritystandards.org/document_library, reference features and configuration options offered by Bomgar. This paper provides responses to those specific PCI requirements relevant to a Bomgar remote support on-premise implementation based on Bomgar software version 15.2.2.

Note: In addition to Bomgar’s proprietary remote support protocol, Bomgar can also support the use of additional protocols for Intel vPro, SSH, Telnet, and RDP. The use of these additional protocols for remote connectivity requires administrative configuration and special privilege authorization for service technicians. The responses below relate to the native Bomgar remote support protocol, not the optional additional protocols. Although the responses below reflect utilization of the Bomgar protocol, the use of these additional protocols may also be implemented without compromising PCI compliance; however, their use in a PCI environment is unlikely.

BOMGAR AND PCI DSS VERSION 3.1 COMPLIANCE

Bomgar is the leader in enterprise remote support solutions for easily and securely supporting computing systems and mobile devices. The company’s products help organizations improve tech support efficiency and performance by enabling them to securely support nearly any device or system, anywhere in the world — including Windows, Mac, Linux, iOS, Android, BlackBerry and more. Bomgar’s solutions are not directly subject to the PCI DSS requirements. If Bomgar is used by an organization that is subject to the PCI DSS, it is up to a PCI Qualified Security Assessor (QSA) and the organization to determine the scope for their compliance assessment. The table on the following page highlights a subset of applicable PCI DSS requirements and how they are addressed by features within Bomgar. This is not an exhaustive list, but includes the most relevant features for supporting PCI DSS compliance. For more information about Bomgar’s full set of security features, please visit www.bomgar.com/products/security.

[email protected] I 866.205.3650 (U.S.) I +44 (0) 1 628.480.210 (U.K./EMEA) I BOMGAR.COM I ©2016 Bomgar, Inc. All rights reserved worldwide.

PCI DSS REQUIREMENTS

BOMGAR RESPONSE

Requirement 1: Build and Maintain a Secure Network and Systems

1.1.6

Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

All requests for support, Click-to-Chat interactions, and remote control sessions originate as inbound TCP/IP communications to the Bomgar appliance. Such inbound requests are generally transparent to intervening firewalls and allow customers to be supported both on-network and off-network with the same measure of security. Bomgar appliance-hosted web portal pages may accept port 80 connections, or administrators may restrict portal page access to port 443 (HTTPS). In any event, the Click-to-Chat and remote support connections utilize port 443 TLS 1.2 connections using a Bomgar proprietary application layer protocol. Outbound connectivity from the appliance may optionally be permitted for DNS lookups, enterprise directory authentication, NTP time service synchronization, ITSM ticketing system integration, and a small number of other functions. Details on port utilization are documented in The Bomgar Appliance in the Network: www.bomgar.com/docs/content/documents/bomgarapplianceinnetwork.pdf

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

2.1

Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

The two administrative interfaces are supplied with initial default credentials at the time of system installation. Upon first use, Bomgar forces a change of password before any administrative features can be accessed. It is not possible to implement Bomgar without changing the initial default passwords.

2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

See responses to 2.2.1-2.2.4 below

2.2.1

Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

Bomgar is an appliance-based product and its only function is to provide secure remote support.


2.2.2

Enable only necessary services, protocols, daemons, etc., as required for the function of the system.

As an appliance-based product, Bomgar has eliminated all superfluous services, protocols, and operating system daemons. Only services and protocols required by the Bomgar application are present on the Bomgar appliance.

2.2.4

Configure system security parameters to prevent misuse.

Bomgar offers a number of security parameter options that should be reviewed and assigned as appropriate for the system use case. For example, administrators may enable or disable a range of cipher suites used for HTTPS portal page communications. In controlled environments, a restricted set of high strength cipher suites may be suitable. Alternatively, for customers supporting the public with a wide range of browsers and browser versions needing to access a web portal, a wider collection of cipher suites might be enabled. The main point is to not merely accept the default configuration options. All options should be evaluated and assigned appropriately.

2.3

Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Administrative access is provided via a browser-based interface using TLS 1.2 encryption. Administrative access may be further restricted to only designated network segments. Direct access to the physical Bomgar appliance console is not available.

2.6

Shared hosting providers must protect each entity’s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Nothing in PCI DSS Appendix A is applicable to Bomgar on-premises appliance deployments.

Requirement 3: Protect stored cardholder data

3.1

Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage: • Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements • Processes for secure deletion of data when no longer needed • Specific retention requirements for cardholder data • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

Bomgar provides an administrative option to capture video of remote desktops during remote support sessions. The only way that the Bomgar system could contain cardholder data is if that data is displayed on a remote desktop during a support session and when video recording is enabled. Since video recording of remote support sessions is not a PCI DSS requirement, Bomgar recommends that the administrative video option not be enabled.


3.2

Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Although item 3.2 seems to apply to cardholder authentication, it is worth noting that service technician authentication data is not retained after authentication when service technician authentication is provided by an enterprise directory (such as Microsoft Active Directory) or via multi-factor authentication (MFA) using a RADIUS interface. Authentication via an enterprise directory or MFA is recommended. An administrative option can disallow service technicians from locally saving their Bomgar login credentials.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

4.1

Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks…

The remote support connections use 256-bit encryption within a TLS 1.2 tunnel. An attempt to perform early TLS termination is detected by Bomgar and is not permitted. If cardholder data is visible on a remote screen during a support session, that data is communicated within the encrypted tunnel from the originating remote device all the way through to the service technician’s Bomgar Representative Console application.

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

5.1

Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

No mechanism exists for either a service technician or a remote computing device (the customer) to place a file on the Bomgar appliance during a support session. The Bomgar appliance does not make available NFS or CIFS shares. The Bomgar remote support session is a client-server application conducted via a Bomgar proprietary application level protocol. That protocol does not make available any capability for files to be stored on the appliance or executed by the Bomgar appliance processor during a support session.

5.1.2

For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

Bomgar conducts its own vulnerability scans of each software release, engages with an independent 3rd party for penetration testing, performs static analysis of certain aspects of the product, and welcomes security evaluations conducted by our customers.


Requirement 6: Develop and maintain secure systems and applications

6.2

Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

In addition to feature upgrades, Bomgar releases an appropriate number of security patch and bug-fix software releases each year. In the event of a high-severity incident, a security patch will be released as quickly as possible. Registered system administrators are notified via email whenever Bomgar has prepared a software update for their Bomgar system. It is important to ensure that Bomgar always has up-to-date contact information for system administrators.

Requirement 7: Restrict access to cardholder data by business need to know

7.1

Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

7.1.3

Assign access based on individual personnel’s job classification and function.

7.2

Establish an access control system for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed.

Bomgar offers highly granular control over service technician access and privileges. Care should be taken to construct Bomgar Group Policies to provision privileges appropriately. Bomgar allows for varying levels of access for reporting, remote support, and administrative functions.

Requirement 8: Identify and authenticate access to system components

8.1

Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:

See responses to 8.1.1-8.1.8 below

8.1.1

Assign all users a unique ID before allowing them to access system components or cardholder data.

Bomgar highly recommends that service technician authentication be performed via an enterprise directory (such as Microsoft Active Directory, OpenLDAP, etc.) or via RADIUS and multi-factor. With Bomgar’s concurrent licensing model, there is no need or incentive to ever share a Bomgar service technician credential. This licensing model preserves accountability.

8.1.2

Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials.


8.1.3

Immediately revoke access for any terminated users.

When any service technician credential is disabled in the enterprise directory or RADIUS directory, that technician immediately loses the ability to authenticate to Bomgar.

8.1.4

Remove/disable inactive user accounts at least every 90 days.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials. Inactivity expiration is provided by the enterprise directory.

8.1.5

Manage IDs used by vendors to access, support, or maintain system components via remote access…

Bomgar provides an “Embassy” feature to facilitate the access & management of vendor personnel. These Embassy service technician credentials may be managed via an enterprise directory, RADIUS, or via credentials locally defined within Bomgar. Vendor access may be circumscribed appropriately according to job function and can, for example, be limited to certain days & hours of permitted access.

8.1.6

Limit repeated access attempts by locking out the user ID after not more than six attempts.

Bomgar provides an administrative option to lock out a credential after any specified number of failed logon attempts for locally defined accounts. Furthermore, when Bomgar is integrated with an enterprise directory system such as Active Directory (recommended), the Domain Account Lockout Policy is honored for Bomgar login attempts.

8.1.7

Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Once a service technician local credential has been locked out due to exceeding the failed logon attempt threshold, the account is locked until reset by an authorized administrator.

8.1.8

If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Bomgar offers an idle session timeout administrative setting that can range from 5 minutes to a maximum of 24 hours.

8.2

In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:

• Something you know, such as a password or passphrase
• Something you have, such as a token device or smart card
• Something you are, such as a biometric.

Bomgar implements multi-factor authentication (MFA) via a RADIUS interface. In addition, Bomgar is certified for the following smart cards and smart card readers for authenticating service technicians on remotely managed computer systems that require smart card authentication:

• Readers
  o SCM SCR3310 v2 USB Smart Card Reader
  o Broadcom usbccid smartcard reader
• Smart Cards
  o Oberthur 72k (V5.2.d) (Dual-Interface) PIV End-point
  o Oberthur ID One 128 v5.5d (Dual-Interface) PIV End-point
  o Gemalto GCX4 72KDI (Dual-Interface) PIV End-point
  o Gemalto TOP DL GX4 144KDI (Dual-Interface) PIV End-point


8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/ phrases) unreadable during transmission and storage on all system components.

When authenticating, service technician credentials travel via TLS 1.2 encryption from their workstation or computing device to the Bomgar appliance. When integrated with an enterprise directory, those credentials are then conveyed to an appropriate controller (such as a Microsoft Active Directory Domain Controller or Global Catalog server) via encryption provided by the controller. In a Microsoft Active Directory installation it is strongly recommended that the encrypted port (typically port 636) interface be used for the LDAPS Read/Only authentication queries.

8.2.3

Passwords/phrases must meet the following:

• Require a minimum length of at least seven characters.
• Contain both numeric and alphabetic characters.

8.2.4

Change user passwords/passphrases at least every 90 days.

8.2.5

Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

8.2.6

Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

When integrated with an enterprise directory or RADIUS interface, the Bomgar system does not manage service technician credentials or policies.

8.3

Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).

Bomgar supports concurrent integration with multiple directories. Therefore, MFA may be mandated for certain classes of service technicians (such as vendors) and system administrators. Bomgar suggests that MFA be employed for all service technician authentication both on network and off network.

8.5

Do not use group, shared, or generic IDs, passwords, or other authentication methods…

With Bomgar’s concurrent licensing model for service technicians, there is no need or incentive to ever share a Bomgar service technician credential.


Requirement 10: Track and monitor all access to network resources and cardholder data

10.1

Implement audit trails to link all access to system components to each individual user.

Bomgar provides a support session report for every Click-to-Chat or remote control session as well as a syslog record for administrative changes to the Bomgar system itself.

10.2

Implement automated audit trails for all system components to reconstruct the following events:

10.2.2

All actions taken by any individual with root or administrative privileges

10.2.3

Access to all audit trails

10.2.4

Invalid logical access attempts

10.2.5

Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges

10.2.6

Initialization, stopping, or pausing of the audit logs

All administrative activities stipulated in item 10.2 are logged via outbound syslog records from the Bomgar appliance. The details of the messages and formats may be found in the Syslog Message Guide, Remote Support 15.2: https://www.bomgar.com/docs/content/documents/15.2/bomgarsupport-15-2-syslog.pdf

If an authorized administrator disables the syslog logging, a record of that action is logged prior to its being disabled. Additionally, changing the destination address of the Syslog Server will send an alert email to the Admin Contact email address as set on the Email Configuration page within the Bomgar administrative interface. Alteration of the email address contact itself will log a record. The session reports are separate from the administrative syslog records. Logging of support sessions may not be stopped or paused.
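The three audit-control changes described above (syslog logging disabled, syslog destination changed, admin contact email changed) are exactly the records a central log server should alert on, since each one can weaken the trail before anything else happens. The following Python is an added example and is not from the Bomgar document or product: the key=value record layout, the host name, the approved-server list and the sample lines are all constructed for illustration and do not reflect Bomgar's real syslog format, which is defined in the Syslog Message Guide linked above.

```python
"""Flag audit-control changes (PCI DSS 10.2.6 / 10.5) in a central syslog feed.

The record layout below is a constructed, hypothetical key=value format used
only for this example; it is NOT the appliance's real syslog format.
"""
import re
from dataclasses import dataclass

# Constructed sample feed, as a central log server might store the records.
SAMPLE_LOG = """\
<134>Mar 14 09:02:11 appliance01 bomgar: event=login user=alice result=success src=10.0.5.21
<134>Mar 14 09:05:40 appliance01 bomgar: event=config_change user=alice setting=idle_timeout old=15 new=30
<134>Mar 14 09:07:02 appliance01 bomgar: event=config_change user=bob setting=syslog_server old=10.0.9.5 new=203.0.113.7
<134>Mar 14 09:07:30 appliance01 bomgar: event=config_change user=bob setting=admin_contact_email old=secops@example.com new=bob@example.net
<134>Mar 14 09:08:01 appliance01 bomgar: event=config_change user=bob setting=syslog_enabled old=true new=false
"""

# Hypothetical allowlist of the organisation's own log collectors.
APPROVED_SYSLOG_SERVERS = {"10.0.9.5"}

# Settings whose change undermines the audit trail itself.
AUDIT_CONTROL_SETTINGS = {
    "syslog_enabled": "audit logging switched off",
    "syslog_server": "syslog destination changed",
    "admin_contact_email": "alert recipient changed",
}

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) bomgar: (?P<body>.*)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    setting: str
    old: str
    new: str
    reason: str
    severity: str


def parse_line(line):
    """Return a dict of fields for one record, or None if the line is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
    fields.update(ts=m["ts"], host=m["host"])
    return fields


def audit_control_alerts(log_text):
    """Scan a feed and return one Alert per audit-control change, in order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("event") != "config_change":
            continue
        setting = rec.get("setting", "")
        if setting not in AUDIT_CONTROL_SETTINGS:
            continue
        new = rec.get("new", "")
        if setting == "syslog_enabled":
            if new == "true":
                continue  # logging turned back on is not an alert
            severity = "high"
        elif setting == "syslog_server":
            # Redirecting logs to an unknown collector is worse than a move
            # between approved ones.
            severity = "high" if new not in APPROVED_SYSLOG_SERVERS else "medium"
        else:
            severity = "medium"
        alerts.append(Alert(rec["ts"], rec["host"], rec.get("user", "?"),
                            setting, rec.get("old", ""), new,
                            AUDIT_CONTROL_SETTINGS[setting], severity))
    return alerts


if __name__ == "__main__":
    for a in audit_control_alerts(SAMPLE_LOG):
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.user}: "
              f"{a.reason} ({a.setting}: {a.old} -> {a.new})")
```

Because the appliance does not retain syslog records itself, this check only works on the collector side, which is also why the destination change is treated as high severity when the new target is not an approved collector.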

10.3

Record at least the following audit trail entries for all system components for each event:

The Bomgar records capture all details specified in items 10.3.1 through 10.3.6.

10.3.1

User identification

10.3.2

Type of event

10.3.3

Date and time


10.3.4

Success or failure indication

10.3.5

Origination of event

10.3.6

Identity or name of affected data, system component, or resource.

10.4

Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

10.4.1

Critical systems have the correct and consistent time.

10.4.2

Time data is protected.

10.4.3

Time settings are received from industry-accepted time sources.

The ONLY method to establish time of day on the Bomgar appliance is via an NTP source specified through an administrative interface.

10.5

Secure audit trails so they cannot be altered.

10.5.1

Limit viewing of audit trails to those with a job-related need.

10.5.2

Protect audit trail files from unauthorized modifications.

10.5.3

Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

10.5.4

Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

10.5.5

Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Support session reports (i.e., remote control sessions) stored on the appliance may not be altered by anyone, even the most highly privileged administrators. Administrative actions logged via syslog are sent to the syslog server IP as specified in the Bomgar administrative interface, and these logs are not retained on the appliance. Support session reports may be retained on the appliance for a maximum of 90 days. These report files may be offloaded programmatically (for example, when integrated with an ITSM application they would be copied immediately upon session end) or through the use of a Bomgar-supplied utility to offload on an administrator-defined schedule. When offloaded either programmatically or via the utility, the reports are not deleted from the appliance until the retention period has elapsed. Once session reports are offloaded from the Bomgar appliance, it is a customer responsibility to manage the data according to the PCI DSS requirements.


10.7

Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

Since the maximum retention for support session reports on the Bomgar appliance is 90 days, the session reports must be offloaded for longer-term retention. Bomgar provides a utility program to perform scheduled report transfer. The retention on the Bomgar appliance should be set at 90 days to allow easy access for authorized personnel and to permit the use of filters to quickly and easily locate specific reports of interest using a variety of filter criteria.

Requirement 11: Regularly test security systems and processes

11.2.1

Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.

11.2.2

Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.

11.2.3

Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.

Bomgar welcomes customers to perform independent vulnerability scans. Detected anomalies should be immediately reported to Bomgar Support. Occasionally, scanning products will produce a false positive, usually based on the assumed availability of a service or interface that is not actually present or enabled on the Bomgar appliance (see item 2.2.2, above). Bomgar Support will be able to advise if a reported vulnerability is a false positive.

11.3

Implement a methodology for penetration testing…

11.3.1

Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

11.3.2

Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

Same as 11.2, above.


Requirement 12: Maintain a policy that addresses information security for all personnel.

12.3.8

Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

Bomgar offers an idle session timeout administrative setting that can range from 5 minutes to a maximum of 24 hours.

12.3.9

Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

Vendor credentials may be defined in an enterprise directory (which may provide the ability to enable/disable on demand) or defined locally within Bomgar (which also provides the ability for authorized administrators to enable/disable upon demand). Additionally, Bomgar provides the ability for authorized service technicians to extend an ad hoc External Rep Invite to provide temporary supervised collaboration in a support session.

12.3.10

For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

All file transfer capabilities by service technicians are discrete privileges governed by Bomgar Group Policies. If file transfer is permitted, service technicians may be limited to only specific directories or folder locations for uploads and downloads. Also, the ability for a service technician to take a screen shot of the remote computing device through the Bomgar Representative Console application is determined by an administrative policy option. Similarly, clipboard synchronization is governed by an administrative option that can be restricted.

Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers

A.1

Shared hosting providers must protect the cardholder data environment

Because Bomgar is an on-premises solution, nothing in PCI DSS Appendix A is applicable.
