AIX Solutions For Security and Compliance
The Payment Card Industry Data Security Standard is a guide to effective security policy
The Payment Card Industry Data Security Standard (PCI DSS) describes proper IT security for businesses handling credit-card transactions and other sensitive data. It’s a security compliance requirement for some companies and an excellent guide to effective security policy and configuration. The AIX OS provides many security products that can help your organization achieve this level of security and compliance.
The PCI DSS standard is organized into six topics and 12 categories, which this article presents in turn.
1. Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
For more than a decade, the AIX OS has shipped a firewall as part of the base OS. In addition to basic packet filtering, it provides port-scan protection and full IP Security (IPsec) and VPN functionality. The AIX Security Expert feature is free and part of the standard base AIX offering; it automatically enables many security features and benefits, including automated configuration. AIX Security Expert exposes more than 300 security settings with a couple of mouse clicks or via the aixpert command, with the security expertise built into the product. A system administrator can use AIX Security Expert to create a single security policy for all systems, so they are configured securely and consistently.
Requirement 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.
In addition to the straightforward high, medium and low settings, AIX Security Expert provides an option called the SOX/COBIT Best Practices Security option. This option sets the password parameters to values consistent with the PCI and COBIT compliance standards.
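The following POSIX shell script is an added example, not code from the article or from AIX Security Expert: it audits the password attributes that live in the AIX stanza file /etc/security/user (minlen, maxage, histsize, loginretries) against assumed minimums, so an administrator can confirm that vendor-default values of 0 are gone after applying a policy. The thresholds, the sample stanza file and the stanza names are constructed assumptions for illustration, not the values the SOX/COBIT option actually sets.

```shell
#!/bin/sh
# Added example, not from the article: audit password attributes in an AIX-style
# /etc/security/user stanza file. Thresholds are assumptions, not aixpert's values.
# Print "attribute value" pairs from one stanza of a stanza file.
stanza_attrs() {                          # $1 = file, $2 = stanza name
    awk -v want="$2" '
        /^[A-Za-z0-9_.]+:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == want && /=/ { val = $0; sub(/^[^=]*=[ \t]*/, "", val); print $1, val }
    ' "$1"
}

# Value of one attribute for a stanza, falling back to the default stanza.
attr_value() {                            # $1 = file, $2 = stanza, $3 = attribute
    v=$(stanza_attrs "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }')
    [ -n "$v" ] || v=$(stanza_attrs "$1" default | awk -v k="$3" '$1 == k { print $2; exit }')
    printf '%s\n' "$v"
}

# Print one line per attribute outside its assumed range; return the count.
check_password_policy() {                 # $1 = file, $2 = user stanza
    file=$1; user=$2; findings=0
    # rule = "attribute min max" ("-" = no max). On AIX maxage is in weeks and
    # 0 means never expires; loginretries 0 means unlimited attempts.
    for rule in "minlen 7 -" "maxage 1 13" "histsize 4 -" "loginretries 1 6"; do
        set -- $rule
        val=$(attr_value "$file" "$user" "$1")
        case $val in *[!0-9]*|'') val=0 ;; esac     # unset or non-numeric: AIX default 0
        if [ "$val" -lt "$2" ] || { [ "$3" != - ] && [ "$val" -gt "$3" ]; }; then
            printf '%s: %s=%s (expected %s..%s)\n' "$user" "$1" "$val" "$2" "$3"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# Constructed sample standing in for /etc/security/user (not a real system file).
SAMPLE=${TMPDIR:-/tmp}/user.stanza.$$
cat > "$SAMPLE" <<'EOF'
default:
        admin = false
        maxage = 0
pcihost:
        minlen = 8
        maxage = 12
        histsize = 5
        loginretries = 5
legacyapp:
        minlen = 4
EOF
for u in pcihost legacyapp; do check_password_policy "$SAMPLE" "$u" || echo "$u: $? finding(s)"; done
```

On a real system the file argument would be /etc/security/user, and the unset-attribute fallback to 0 mirrors how AIX treats attributes absent from both the user and default stanzas.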
2. Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Once upon a time, computer attacks were mainly performed by amateurs for fun. This has changed to well-planned, organized attacks mainly motivated by financial gain. Accordingly, the major attacks aim to gain access to critical information such as credit-card numbers and Social Security numbers. The PCI standard rightfully requires that this type of critical information be encrypted at rest (when stored on media such as disk).
The AIX OS provides excellent support for customers to implement these controls without purchasing any additional software. It supports the Encrypted File System (EFS), which can be used to store data at rest in encrypted form. Some of the EFS features include:
- Strong user-level encryption using the RSA (1024/2048/4096 bits) and AES (128/256 bits) algorithms.
- Minimal setup: applications need no changes to use EFS underneath.
- The capability to encrypt individual files, files in a directory or files in a file system.
- Per-user keystores that hold the private keys used by EFS.
- Encryption at the group level, giving all users in a group access to a set of files.
- Support for admin and root-guard modes. In admin mode, root has access to every user’s files (for retrieving files when a user leaves the organization or forgets the keystore password, etc.). In root-guard mode, root can’t access an individual user’s encrypted files (root can still back up the files in encrypted form).
- Support in the AIX backup/restore and management tools for encrypted files.
Ravi Shankar is an architect for AIX and PowerHA. He joined IBM 14 years ago and has specialized in a wide set of technologies, from reliability, availability and serviceability to AIX security and business resiliency. With more than 19 years of experience in IT, he’s an expert in real-time systems, OS internals and overall system architecture.