How Backup Exec complies with the Payment Card Industry Data Security Standard (PCI DSS) requirements
Description
Introduction
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes.
Weak security controls allow consumer financial information from payment card transactions and processing systems to be stolen and misused. Many customers use Backup Exec to protect the cardholder database, and the backups of that database contain the same cardholder data.
Compliance with the PCI DSS helps to mitigate these risks and protect cardholder data.
What does the PCI DSS 3.1 standard contain?
PCI DSS 3.1 specifies several requirements such as:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
These are just a few requirements from a long list of detailed requirements. For more details, refer to: PCI DSS Quick Reference Guide.
How does it affect Backup Exec?
Among the requirements for PCI DSS 3.1 compliance, requirement 4.1 mandates the use of strong cryptography and security protocols such as TLS 1.2, and requires that SSL and early TLS (versions 1.0 and 1.1) be eliminated. This affects the way Backup Exec communicates with the SQL Server that hosts its own database (BEDB), as well as with production SQL servers during a SQL backup. Older versions of Backup Exec (16.x or earlier) installed in an environment where both TLS 1.0 and 1.1 are disabled cannot communicate with the SQL Server (BEDB), and the Backup Exec services will not start as a result.
What does "Support for PCI DSS environments in Backup Exec" mean?
Backup Exec build 20.x and later adds support for PCI DSS 3.1 compliant environments: it addresses the issues of working in a 'TLS 1.2 only' environment, specifically connecting to SQL Server in such an environment.
What is TLS?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice-over-IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.
Requirements and Prerequisites
Prerequisites for supported applications
Before using Backup Exec to protect servers in the environment, the customer must ensure that these servers and the applications running on them have the required configuration enabled, as recommended by the PCI standard. For example, for a SQL, SharePoint, or Exchange server, depending on the version of the application, you may need to install the necessary Windows updates or patches so that TLS 1.2 communication to and from these applications works correctly. For more information on these configuration requirements, refer to the documentation of the respective product.
For SQL Server, refer to the following tech note: TLS 1.2 support for Microsoft SQL Server
For SharePoint Server, refer to the following blog post: Announcing TLS 1.2 support in SharePoint 2013 and SharePoint 2010
For Exchange Server, refer to the following blog post: Exchange TLS & SSL Best Practices
Ensure that the necessary recommendations are followed as per product-specific guidelines.
Enabling TLS 1.2 and disabling TLS 1.0 and 1.1 on such servers without the necessary product updates or patches may cause these applications to stop working. It may also cause other applications that do not support TLS 1.2 to stop working.
Prerequisites for Backup Exec
For a fresh installation of Backup Exec (build 20.x or later)
- If the Backup Exec database is to be hosted on a remote SQL server:
  - Install .NET 4.6 on the Backup Exec server
  - Install Microsoft SQL Server 2012 Native Client on the Backup Exec server. Download the version which has TLS 1.2 support, as given in this tech note.
  - Ensure that the SQL server has the necessary updates installed, as pointed out in this tech note.
- If the Backup Exec database is to be hosted locally on the Backup Exec server itself:
  - Install .NET 4.6 or a higher version on the Backup Exec server
Older versions of Backup Exec do not function in a PCI DSS 3.1 compliant environment. When upgrading from an older version of Backup Exec, be aware of the following:
- If you have Backup Exec 16.x or older and plan to enable TLS 1.2 in your environment, upgrade to the current version of Backup Exec (build 20.x or later) before implementing PCI DSS 3.1 compliance to avoid disruptions. Note: There are no plans to support disabling TLS 1.0 and 1.1 for any older versions of Backup Exec.
- If you have an older Backup Exec version and have already enabled TLS 1.2 and disabled TLS 1.0 and 1.1, you need to first disable TLS 1.2 and re-enable TLS 1.0 and 1.1 so that you can upgrade to the current version of Backup Exec. Once the upgrade is done, enable TLS 1.2 and disable TLS 1.0 and 1.1 again.
- In both cases, before you upgrade Backup Exec and implement PCI DSS 3.1 compliance in your environment, ensure that the following requirements are met:
  - If the Backup Exec database is to be hosted on a remote SQL server:
    - Install .NET 4.6 on the Backup Exec server
    - Install Microsoft SQL Server 2012 Native Client on the Backup Exec server. Download the version which has TLS 1.2 support, as given in this tech note.
  - If the Backup Exec database is to be hosted locally on the Backup Exec server itself:
    - Install .NET 4.6 or a higher version on the Backup Exec server
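To check a server's Schannel protocol state, confirm the .NET and SQL Native Client prerequisites listed above, and carry out the temporary TLS 1.0/1.1 re-enable during an upgrade, the following PowerShell is an added example; it is not code from the Backup Exec article or from Veritas. It assumes Windows PowerShell 5.1 on the Backup Exec server, running elevated for the Set- function. The registry locations (the SCHANNEL\Protocols keys with their Enabled and DisabledByDefault values, the NDP\v4\Full Release value, the Uninstall keys) and the minimum .NET 4.6 Release value 393295 are Microsoft's documented ones; the function and variable names are the example's own.

```powershell
# Added example (not from the Backup Exec article or from Veritas).
# Audits Schannel protocol state and the Backup Exec TLS 1.2 prerequisites,
# and provides a helper to flip TLS 1.0/1.1/1.2 on or off for the upgrade window.
# Assumes Windows PowerShell 5.1; Set-SchannelProtocol needs an elevated session.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Roles        = 'Client', 'Server'

function Get-SchannelProtocolState {
    # One object per protocol/role. A missing key means "OS default", which differs
    # between Windows versions, so it is reported as $null rather than guessed.
    foreach ($p in $Protocols) {
        foreach ($r in $Roles) {
            $key = Join-Path $SchannelRoot "$p\$r"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled            # $null = not configured
                DisabledByDefault = $disabledByDefault  # $null = not configured
            }
        }
    }
}

function Test-Tls12Only {
    # $true only when TLS 1.2 is explicitly enabled and TLS 1.0/1.1 are explicitly
    # disabled for both Client and Server. An unconfigured key is treated as "not proven".
    $ok = $true
    foreach ($s in (Get-SchannelProtocolState)) {
        $want = if ($s.Protocol -eq 'TLS 1.2') { 1 } else { 0 }
        if ($s.Enabled -ne $want) { $ok = $false }
    }
    return $ok
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    # Writes both the Client and Server subkeys. Enabled=0 together with
    # DisabledByDefault=1 is the documented combination for a hard disable.
    foreach ($r in $Roles) {
        $key = Join-Path $SchannelRoot "$Protocol\$r"
        if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$([int]$Enable)")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
        }
    }
}

function Test-DotNet46Present {
    # .NET Framework 4.6 or later records Release >= 393295 under the v4\Full key.
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $ndp)) { return $false }
    return ((Get-ItemProperty -Path $ndp).Release -ge 393295)
}

function Get-SqlNativeClient2012Version {
    # Finds the installed "Microsoft SQL Server 2012 Native Client" package. Compare the
    # returned DisplayVersion with the TLS 1.2-capable build linked from the tech note;
    # the exact build number is deliberately not hardcoded here.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft SQL Server 2012 Native Client*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# Report only; nothing is written unless Set-SchannelProtocol is called explicitly.
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Output "TLS 1.2-only state (article's target):   $(Test-Tls12Only)"
Write-Output ".NET 4.6 or later present:               $(Test-DotNet46Present)"
Write-Output "SQL Server 2012 Native Client version:   $(Get-SqlNativeClient2012Version)"

# The article's upgrade sequence for a host already in the TLS 1.2-only state
# (run elevated, restart after each change so Schannel picks it up):
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $false   # step 1: disable TLS 1.2
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $true    # step 1: re-enable TLS 1.0
#   Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true    # step 1: re-enable TLS 1.1
#   ... upgrade Backup Exec to build 20.x or later ...
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true    # step 2: back to TLS 1.2 only
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
#   Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $false
```

Run the script as-is to get a report; only Set-SchannelProtocol touches the registry, and it honours -WhatIf so the intended writes can be previewed first. Schannel reads these keys at boot, so a restart is needed after each change, and the window in which TLS 1.0/1.1 are re-enabled for the upgrade should be kept as short as possible, with Test-Tls12Only confirming the return to the TLS 1.2-only state afterwards.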