One of the key requirements for compliance with PCI DSS (the Payment Card Industry Data Security Standard) is that organisations block all non-approved channels of communication, screen all traffic and prohibit direct routes for inbound and outbound internet traffic. The trouble is many organisations forget about the communication traffic they cannot see, ones that use highly evasive techniques and are easily able to circumvent traditional security methods used to control the network.
Today’s workforce expects instant messaging and other real-time communications tools including web conferencing, Voice over IP, and social networking to be ‘always on’, just as their predecessors viewed email.
The problem is Web 2.0 applications like IM, Skype and the chat functions within Facebook can easily traverse the network without being seen, potentially allowing credit card information to leave the organisation unauthorised. If they cannot be seen then they cannot be managed or secured, resulting in a significant risk of violating PCI compliance.
In a recent study of data collected from sixty FaceTime customers there were over 51,000 individual requests for Facebook – 30% of these were for Facebook chat. With 95% of all access requests for social networking sites being allowed by policy it is a sobering thought to those with the responsibility of compliance.
Real-time communications is big business and companies such as Yahoo!, AOL and Skype develop their applications to get as many users as possible signed up to their network, rigorously testing client applications against standard enterprise security infrastructures to ensure their application can tunnel through. Many applications use encrypted protocols, making it impossible for an Intrusion Protection System to detect or to control them.
In addition, they use peer-to-peer connections. Skype, for instance, uses a peer-to-peer connection and is encrypted end-to-end, often even tunnelling through HTTP if that is the only port that it finds open on the firewall, negating the use of a URL filtering solution to control it. Consequently, many organisations do not even realise that their users have installed real-time communications applications.
Should companies look to ban such technologies? The general consensus is no, though the jury is out on Skype (but that’s another story). Industry analysts such as Gartner say that companies should look to embrace such tools along with enterprise versions such as Microsoft OCS and Lotus Sametime. Not just for their telephony savings, but for their recognised benefit of increasing productivity and collaboration within the work place.
However, even companies implementing Unified Communications (UC) should be aware that though some management and control is provided with enterprise-grade solutions, it doesn’t natively provide everything required to comply with many regulatory standards such as the Data Protection Act, let alone compliance with PCI DSS.
In addition, a lack of standards may still see employees trying to install other client software so that they can communicate with friends not using that UC tool, often exacerbating the problem.
Fully blocking rogue communication applications requires more than a traditional firewall. The first step to take is to understand the status quo, getting a thorough understanding of what employees are currently doing on the internet. There are free tools available that provide a deep look at exactly what is traversing the enterprise network, and the results are almost always surprising. Organisations that believe they have these applications locked down tend to be amazed when they discover the actual instances of unauthorised traffic on their network. Blocking ports on the firewall and disallowing access to specific URLs doesn’t cut it anymore.
Once companies have visibility of all traffic on their networks, it is then possible to apply policies to allow or block users and for those applications such as IM that are allowed, to enforce hygiene, content filtering and compliance logging. Only then will businesses be certain that they have covered some of the basics of PCI DSS compliance.