Sunday, October 09, 2016

NonStop File Integrity: Check It! Protect It!

File Integrity Monitoring on NonStop


File Integrity Monitoring (FIM) is an important requirement of the PCI data security standard for maintaining confidential (e.g. cardholder) information, and is considered a crucial part of protecting business assets.

NonStop systems are now being used in far more dynamic situations and have more external connections than ever before. The ubiquity of payment cards for personal electronic transactions has changed the security equation in a fundamental way.

Any compromise in security is likely to have far reaching consequences, both for the immediate damage that may be done in terms of financial loss, and for the wider damage done to a merchant’s reputation. The security of personal cardholder information has become paramount.

In this context, FIM should be considered an important security necessity, not just for PCI systems, but for all NonStop systems.

FIM and PCI DSS


PCI DSS Requirement 11.5 stipulates that covered entities must “Deploy a change-detection mechanism (for example file-integrity monitoring tools) to alert personnel of unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform the critical file comparisons at least weekly.”

In version 2.0 of the security standard, in a clarification to Requirement 11.5.b, it was further specified that it is an audit requirement to “Verify that tools are configured to alert personnel to unauthorized modification of critical files.”

Version 3.1 of PCI DSS further clarifies Requirement 11.5 by stating that unauthorized modifications include changes, additions and deletions of critical system files. It is clear from these excerpts that FIM is a key requirement of PCI DSS, and therefore a FIM solution must be implemented on any system that handles cardholder information.


What is FIM?



FIM includes any technology that monitors files for changes. Assuming that at least some file change is expected on a system, then FIM’s primary purpose should be to identify possible “bad” changes so that they can be rolled back or remediated in some way.  A “bad change” is any change that is undesirable. This is not the same as an unplanned, unauthorized or suspect change.

An unplanned change is not necessarily a “bad” change. Most system administrators have found it necessary to intervene on occasion to remedy a problem. Their actions might include changing a configuration parameter, or perhaps changing the security of a file due to an oversight.

In both cases, the change is both unplanned and unauthorized. Regardless, the change must be appropriately recorded and reported, then reviewed and either made permanent or modified.

Of course other changes that may be unplanned and unauthorized can be part of an active security threat, in which case FIM may provide the first notice that the system has been compromised.

Accidental change represents no less of an issue and is probably the most likely source of unplanned and unauthorized change. FIM can also be used as part of a change control regime, whereby planned changes are detected and recorded as having occurred as expected.

Components of FIM

Basic FIM functionality should allow the administrator to:

1. Create and store a baseline for specified files and their attributes of interest
2. Update the baseline to take into account planned or allowable change
3. Run periodic checks and report the results
4. Store the results of each check
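The four functions above, worked through as an added example (not CSP FIC, not HPE code, and not taken from this page): a minimal Python checker that baselines the content hash and security attributes of every regular file under a directory, reports additions, deletions and modifications, appends each check to a history file, and lets a reviewer accept specific changes into the baseline. It goes slightly beyond the list by attaching a simple risk rating to each change (content replaced or permissions loosened rank high, an mtime-only change low). The file names, the risk rules and the scenario in demo() are constructed for illustration.

```python
# Added example (not CSP FIC or HPE code): the four FIM building blocks.
# Paths, risk rules and the demo scenario below are constructed.
import hashlib
import json
import os
import stat
import tempfile
import time


def file_record(path):
    """Attributes of interest for one file: content hash plus security metadata."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root):
    """1. Create a baseline: every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):  # skip symlinks, sockets, etc.
                baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline


def classify(old, new):
    """Risk rating for a modified file (this example's own rules, not a standard)."""
    if old["sha256"] != new["sha256"]:
        return "high"  # content replaced
    if old["mode"] != new["mode"]:
        # newly granted group/world write bits are worse than tightened permissions
        return "high" if new["mode"] & ~old["mode"] & 0o022 else "medium"
    if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
        return "medium"
    return "low"  # only mtime differs; content and security bits are unchanged


def compare(baseline, current):
    """3. Run a check: additions, deletions and modifications, each with a risk level."""
    report = {"added": [], "deleted": [], "modified": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append({"path": path, "risk": "high"})
        elif path not in current:
            report["deleted"].append({"path": path, "risk": "high"})
        elif baseline[path] != current[path]:
            changed = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
            report["modified"].append(
                {"path": path, "risk": classify(baseline[path], current[path]), "changed": changed})
    return report


def record_result(history_path, report):
    """4. Store each check as one JSON line so the change history can be audited later."""
    entry = {"checked_at": int(time.time()), **report}
    with open(history_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def accept_changes(baseline, current, paths):
    """2. Update the baseline for reviewed (planned or allowable) changes only."""
    updated = dict(baseline)
    for path in paths:
        if path in current:
            updated[path] = current[path]
        else:
            updated.pop(path, None)  # an accepted deletion
    return updated


def demo():
    """Constructed scenario: baseline, then a config edit, a chmod and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        cfg, lib = os.path.join(root, "tacl.cfg"), os.path.join(root, "applib")
        for path, data in ((cfg, b"PORT 1234\n"), (lib, b"library stub\n")):
            with open(path, "wb") as f:
                f.write(data)
        os.chmod(cfg, 0o640)
        os.chmod(lib, 0o750)
        baseline = build_baseline(root)

        with open(cfg, "wb") as f:  # unplanned configuration edit
            f.write(b"PORT 4321\n")
        os.chmod(lib, 0o777)  # security loosened: now world-writable
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"unexpected")  # a file that was never in the baseline
        current = build_baseline(root)

        report = compare(baseline, current)
        record_result(os.path.join(root, "fim-history.jsonl"), report)
        # A reviewer accepts the config edit as permanent; the other two stay open.
        remaining = compare(accept_changes(baseline, current, ["tacl.cfg"]), current)
        return report, remaining
```

In a real deployment the baseline and history would be written somewhere the monitored system's administrators cannot silently rewrite, and the weekly (or more frequent) compare() run would feed its high-risk entries to the event-management system rather than only to a local file.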

Conclusion


FIM is a critical requirement for security, and key to PCI DSS compliance.

However, the detection of any particular change is just the start of the process. To be effective, FIM solutions must differentiate low-risk from high-risk change; integrate with other security solutions for log and security event management (including real-time alerts) and support a fully-managed history database of changes.

CSP’s File Integrity Checker (FIC) is widely used by financial institutions to deliver FIM in NonStop Guardian and OSS environments, and is tightly integrated with CSP’s other solutions for audit, compliance and Safeguard, EMS and Base24 OMF real-time event monitoring. FIC’s new “Guardian Fileset Compare” feature permits the attributes of any two file sets on any two systems to be compared against each other.

New solutions on NonStop to protect your sensitive data - HPE SecureData Enterprise

For the past few decades, HPE Integrity NonStop systems have been the preferred mission-critical computing platform in industries such as financial payments. The key reason is the set of mission-critical computing features that NonStop systems offer, which very few other platforms can match.

With a Massively Parallel Processing (MPP) architecture that provides
- unmatched scalability, and
- an integrated software stack that builds high availability right up to the application layer,

NonStop offers unique benefits that have made it a platform of choice for the industry.

The IT systems supporting enterprises in industries such as payments, retail and healthcare contain and manage very sensitive information such as customers’ credit card numbers and personal information such as medical history.

A database containing millions of these customer records is an attractive target for malicious hackers, who try every possible means to steal the data and monetize it in various (and often creative) ways. Their success comes at an enormous cost to the target organization, which ends up paying dearly in terms of regulatory fines, lost business, loss of reputation, customer compensation and so forth.

Various industry and government regulations have been in place and new ones are in the works which aim at protecting consumers from such breaches and guiding the industry towards implementing solutions and practices which mitigate these risks.

The Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) are examples, but there are many others in different geographies and industries. The regulations are fairly comprehensive and cover all aspects of protecting sensitive data. It is rather difficult to explain these regulations in a few lines, but the overall philosophy is to:

• Protect the computing environment from external and internal attacks
• Protect the data throughout its life (at creation, as it traverses from one node to another, as it’s processed, and on media - whether live or archived)
• Implement strong authentication and access control measures
• Ensure adequate logging mechanisms to enable forensic analysis in case of a breach
• Document and enforce practices and policies; educate employees

Given the importance of data protection, NonStop has been offering security solutions for many years in order to enable you to meet these stringent security requirements using standards-based cryptography.

Beginning in early 2016, the HPE NonStop Enterprise Division (NED) launched several new products with an aim to provide additional modern, data protection solutions to NonStop customers. These are essentially two product suites:

• HPE SecureData Enterprise
• HPE SecureData companion products for NonStop

HPE SecureData Enterprise

HPE SecureData Enterprise is a unique, end-to-end data protection platform used by enterprises in a variety of environments. This product is offered by the HPE Software group’s Data Security business unit, formed by the merger of the erstwhile Atalla products group and Voltage Security, which was acquired by HP in early 2015.

The NonStop Enterprise Division (NED) and the HPE Data Security group have teamed up to offer HPE SecureData Enterprise to NonStop customers. In traditional data protection methods, customers employ different techniques for the different environments that the data passes through.

Examples are user access control, file encryption, TLS or SSH protocols for data in transit, disk/volume encryption for secondary storage etc.

Each of these may involve separate cryptography, handshakes, key protection and so on, and the data may be in the clear between the stages. Overall, this is a piecemeal approach and not the best protection for your data.

HPE SecureData Enterprise approaches this topic from the perspective of data-centric security that comprehensively protects the sensitive data in an enterprise. Using a data-centric approach to security, the sensitive data is protected right where it is created, as it traverses through the network, while it’s processed/stored in different nodes, used in analytics and when it is archived. At all stages, the data is in encrypted or tokenized form such that, even if there is a successful breach, the data is unusable by the cyberattacker.

Figure 1 below compares the data-centric security offered by HPE SecureData to the traditional methods of data protection.


Three key technology elements are at the core of this solution:
  1. HPE Format Preserving Encryption (FPE),
  2. HPE Secure Stateless Tokenization (SST), and
  3. HPE Secure Stateless Key Management.

1) HPE FPE is a technology used to encrypt data without changing its original format. While it provides the same encryption strength as traditional encryption technologies, the key advantage of FPE is that, because it preserves the data format through the encryption process,

- the database that stores the data and
- the applications that process it do not need to be modified, and
- the majority of applications and processes operate on the data in its protected form, with no decryption necessary for use.

This drastically brings down the cost and complexity of transforming an  existing solution from an unprotected to the protected form, and reduces the exposure of sensitive data to attack.
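To make the "format is preserved" property concrete, here is an added example that is not HPE FPE, not NIST FF1 and not code from this page: a small Feistel-network cipher over decimal strings, using HMAC-SHA256 as the keyed round function and the FF1-style alternating half split so that odd lengths work too. A 16-digit PAN encrypts to a different 16-digit string that still fits a CHAR(16) column or a numeric field, and decrypts back exactly. The key, tweak and PAN are constructed test values, and the construction is for illustration only, not for production use.

```python
# Added example (not HPE FPE / NIST FF1): Feistel FPE over decimal strings with
# HMAC-SHA256 as the round function. Key, tweak and PAN are constructed values.
import hashlib
import hmac

ROUNDS = 10  # even, so the final halves line up with the input split
EXAMPLE_KEY = b"example-key-not-for-production"  # constructed test key


def _round(key, tweak, i, half, m):
    """Keyed round function: PRF(tweak, round index, half) reduced to m decimal digits."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** m)


def _split(digits):
    """Validate the input and split it into a left half of u digits and a right half of v."""
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("expected a string of at least two decimal digits")
    u = len(digits) // 2
    return u, len(digits) - u, digits[:u], digits[u:]


def fpe_encrypt(key, tweak, digits):
    """Encrypt a digit string to a digit string of the same length."""
    u, v, a, b = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # the half being rewritten alternates in width
        c = (int(a) + _round(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key, tweak, digits):
    """Invert fpe_encrypt by running the same rounds backwards."""
    u, v, a, b = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def demo(pan="4111111111111111"):
    """Protect a constructed PAN and recover it; both values are 16 digits."""
    tweak = b"card-pan"  # a tweak binds the ciphertext to a field or column
    protected = fpe_encrypt(EXAMPLE_KEY, tweak, pan)
    return protected, fpe_decrypt(EXAMPLE_KEY, tweak, protected)
```

Two practical notes: the protected value looks like a PAN but will not in general pass a Luhn check, so any downstream validation that insists on a valid check digit has to be accounted for; and the security of a real FPE scheme rests on a standardized construction and proper key management, which is exactly what the next two elements address.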

2) HPE SST is a related technology available in HPE SecureData, and is used to protect sensitive data elements in a file or a database by replacing them with tokens.

- HPE SST is recommended for use with Primary Account Numbers (PANs) used in payment cards.

In this solution, a static, pre-generated token table of random numbers, created using a FIPS-validated random number generator, resides on the platform.

A PAN, the data to be tokenized, maps uniquely to a token in that table but has no mathematical relationship to it. That token is stored in the system (in files and databases) in place of the PAN (the plain data), which is now said to be "tokenized".

Only trusted applications are allowed to detokenize and derive the original PAN. In contrast to traditional tokenization technologies, where a separate "token vault" is maintained, the HPE SecureData solution has no token vault, and hence no cost or management complexity associated with one and no vault database to be targeted by an attacker. Because a system that holds only tokens stores no plaintext PAN in any form, it can be taken out of PCI DSS audit scope (subject to the assessor's scoping decision), greatly reducing the cost of PCI compliance. Moreover, token vaults grow with the amount of customer data maintained in them, which adds management complexity and challenges for scaling and application performance. An SST-based solution has none of these challenges and is therefore highly scalable, typically yielding a strong ROI.

3) HPE Secure Stateless Key Management simplifies the key management needs of the HPE FPE solution through another landmark innovation. It securely derives keys on the fly, thereby greatly reducing the cost and complexity of key management. It can authenticate key requests using industry-standard identity and access management infrastructure such as LDAP or Active Directory.

HPE SecureData Enterprise provides a comprehensive data security solution across a cross-section of computing platforms commonly used in the industry. It is supported on traditional *NIX environments, IBM mainframe, HPE NonStop, open systems, cloud, mobile and Big Data environments such as Vertica, Hadoop and Teradata. This breadth of support enables you to standardize on a single solution to address the data protection needs across your enterprise, which may use one or more of these platforms. Apart from protecting the data, HPE SecureData gives you immense benefits in terms of managing the cost and complexity of the solution and eliminating security weaknesses in the enterprise.