How to Implement Secure, PCI-Compliant Access Controls

By Dave Olander  |  Posted 2010-02-18
Business trends such as outsourcing, teleworking, cloud computing, and the need to comply with the Payment Card Industry Data Security Standard and other corporate, government and industry regulations have redefined the traditional "moat and castle" notion of the network perimeter. The problem businesses face today is not how to keep people out, but how to safely let them in. Here, Knowledge Center contributor Dave Olander explains how to implement secure, PCI-compliant access controls without introducing additional risk or jeopardizing IT's security or compliance posture.

Many legacy systems are simply not aligned with current business needs. Many offer limited value in today's dynamic business and regulatory environment. Next-generation access solutions evolved from the need to manage a smaller group of high-performing or trusted users such as database administrators, users accessing credit card data, external auditors working remotely, and outsourced or other business partners.

Focused on the "control" piece of access control, next-generation systems are lightweight, agile and plug into existing network infrastructure. As a result, they are becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that deliver the security and compliance benefits required for today's business landscape.

For instance, Section 7 of the Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data be restricted by business "need-to-know." This means that access rights are granted only to the least amount of data and the fewest privileges needed to perform a job. Section 7.1 of the PCI DSS limits access to system components and cardholder data to only those individuals whose job requires such access.

Section 7.2 of the PCI DSS requires merchants to "establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to 'deny all' unless specifically allowed." Section 8 of the PCI DSS requires a unique ID for each person with computer access to ensure that actions taken on critical data and systems are performed by and can be traced to known and authorized users.

In order to meet both the letter and the spirit of the PCI DSS, next-generation access control systems should have the following six attributes:

Attribute No. 1: Right-size permissions based on a zero trust model

At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are rethinking their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI DSS requirement 7.2: deny all unless specifically allowed. They're also taking it further to make sure that those who are allowed are closely monitored. This "zero trust" access model allows organizations to adhere to PCI mandates, even when dealing with users (such as vendors, outsourced personnel and other third parties) who access systems from unmanaged endpoints.
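To make the "deny all unless specifically allowed" rule (PCI DSS 7.2) and the unique-user-ID requirement (PCI DSS 8) concrete, here is an added example of a minimal default-deny policy evaluator. It is not code from the article or from any Xceedium product; the user IDs, roles and resource names are constructed sample data, and the audit record format is an assumption.

```python
# Added example: default-deny access decisions with per-user audit trail.
# Sample users, roles and resources are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """An explicit allow. There is deliberately no 'deny' rule type:
    anything not matched by an allow rule is denied (PCI DSS 7.2)."""
    role: str
    resource: str
    actions: FrozenSet[str]


@dataclass
class AccessPolicy:
    user_roles: Dict[str, Set[str]]            # unique user ID -> roles (PCI DSS 8)
    rules: List[Rule] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, user_id: str, resource: str, action: str) -> Tuple[bool, str]:
        """Return (allowed, reason) and record the decision against the user ID,
        so every action on a critical system is traceable to one known person."""
        allowed, reason = False, "default deny: no matching allow rule"
        roles = self.user_roles.get(user_id)
        if roles is None:
            reason = "default deny: unknown user ID"       # no shared/anonymous access
        else:
            for r in self.rules:
                if r.role in roles and r.resource == resource and action in r.actions:
                    allowed = True
                    reason = f"allowed by rule ({r.role}, {r.resource}, {action})"
                    break
        self.audit_log.append({"user": user_id, "resource": resource,
                               "action": action, "allowed": allowed, "reason": reason})
        return allowed, reason


def build_sample_policy() -> AccessPolicy:
    """Constructed sample: a DBA, an external auditor and a vendor account.
    Only roles whose job requires cardholder data get an allow rule (PCI DSS 7.1)."""
    policy = AccessPolicy(user_roles={"dba-jsmith": {"dba"},
                                      "auditor-rlee": {"auditor"},
                                      "vendor-acme-01": {"vendor"}})
    policy.rules.append(Rule("dba", "cardholder_db", frozenset({"read", "schema_change"})))
    policy.rules.append(Rule("auditor", "cardholder_db", frozenset({"read"})))
    # No rule grants "vendor" anything on cardholder_db: the vendor is denied by default.
    return policy
```

Every call to `decide` appends an audit record keyed by the individual user ID, which is what lets an assessor trace an action on cardholder data back to a specific person rather than a shared account.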
Dave Olander is President and CEO at Xceedium. Dave assumed the President and CEO position in January 2010. Prior to that, Dave served as senior vice president of engineering. A seasoned executive, Dave joined Xceedium from netForensics where he was vice president of engineering. At netForensics, Dave led strategic development of their security information management product family. Prior to netForensics, Dave was at Raritan where he instituted new engineering processes to accelerate delivery of Raritan's second-generation digital KVM switch. Dave has over 25 years of senior leadership experience and product engineering management with HP, AT&T Bell Laboratories, BEA, Novell, UNIX System Laboratories and Improv Technologies. Dave's product experiences span UNIX operating systems, middleware platforms, out-of-band access solutions, and security software. Dave holds a Master's degree in Computer, Information and Control Engineering from the University of Michigan, and a Bachelor's degree in Computer Science from Clarkson University. He can be reached at dolander@xceedium.com.