Implement Fine-Grained Enforcement

By Dave Olander  |  Posted 2010-02-18

Attribute No. 2: Implement fine-grained enforcement

Because next-generation access control solutions address the need to monitor the activities of smaller sets of privileged users, they should not only monitor but also enforce and remediate in real time if they are to add any significant value. An analogy can be drawn to intrusion detection systems (IDS) and intrusion prevention systems (IPS): the risk that an IPS false positive disrupts the business is a significant barrier to its prevention capabilities ever being turned on. However, access control without the ability to control user activities on the network is not access control; it is access management, and the two are different things.

Attribute No. 3: Integrate audit capabilities to validate controls

Section 8 of the PCI DSS states that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Because of these added security, operational and internal/external compliance requirements, access control solutions must provide robust reporting and auditing capabilities. Next-generation access solutions record every session and offer TiVo-like search and replay capabilities. That kind of functionality provides an indisputable audit trail that can be used for PCI DSS compliance. And from an e-discovery and security operations perspective, it eliminates any doubt about what occurred at any given point in time.

Attribute No. 4: Automate all the requirements from access to audit

Automation enables processes to scale. Because employees, business partners and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach. Introducing automation eliminates manual error or intervention and dramatically streamlines management.

Attribute No. 5: Deploy an identity-aware infrastructure

Sections 7 and 8 of the PCI DSS require that access to cardholder data be determined by an individual's need to know. In other words, only authorized personnel should have access. What this means in practical terms is that you must limit access to computing resources and cardholder data to only those people whose jobs necessitate it, and the limit applies to the person, not the device. Binding credentials to the identity of the individual and fully integrating them with existing authentication and directory systems allows granular and explicit access policies to be created and managed.
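A compact illustration of how attributes 2, 3 and 5 fit together, added here as an example and not drawn from the article or from Xceedium's product: a small gateway that keys every decision to the authenticated individual looked up in a directory (not the device the request arrives from), enforces the decision in real time (including ending a session after repeated out-of-policy attempts), and writes every decision, allowed or denied, to an audit trail that can be replayed per user. The directory entries, roles, resource names and the scripted session are all constructed sample data, and the threshold of three consecutive denials before remediation is an assumed tuning knob.

```python
"""Identity-aware enforcement gateway with a built-in audit trail.

Added example, not code from the article or from Xceedium. The directory, the
need-to-know policy, the device names and the scripted session are constructed
sample data. The gateway:
  - decides each privileged action on the individual's identity, never the device
    (a second person on the same machine gets a different answer);
  - enforces the decision in real time and remediates by ending a session after
    repeated out-of-policy attempts, rather than only logging them;
  - records every decision, allowed or denied, so a per-user replay is available.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory: authenticated individual -> job role and employee id.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"role": "dba", "employee_id": "E1001"},
    "bob": {"role": "netops", "employee_id": "E1002"},
}

# Constructed need-to-know policy: role -> the (resource, action) pairs the job requires.
POLICY: Dict[str, Set[Tuple[str, str]]] = {
    "dba": {("cardholder-db", "query"), ("cardholder-db", "backup")},
    "netops": {("core-router", "show"), ("core-router", "config")},
}


@dataclass
class AuditRecord:
    timestamp: str
    user: str
    employee_id: Optional[str]
    device: str
    resource: str
    action: str
    decision: str  # "allow", "deny" or "terminate"
    reason: str


@dataclass
class Gateway:
    max_denials: int = 3  # assumed: consecutive out-of-policy attempts before the session ends
    audit_log: List[AuditRecord] = field(default_factory=list)
    denials: Dict[str, int] = field(default_factory=dict)

    def _record(self, **fields: object) -> AuditRecord:
        """Every decision, good or bad, lands in the audit log before it is returned."""
        rec = AuditRecord(timestamp=datetime.now(timezone.utc).isoformat(), **fields)
        self.audit_log.append(rec)
        return rec

    def request(self, user: str, device: str, resource: str, action: str) -> AuditRecord:
        """Evaluate one privileged action and return the enforced decision."""
        entry = DIRECTORY.get(user)
        common = dict(user=user, device=device, resource=resource, action=action)
        if entry is None:
            # Unknown or shared identity: denied no matter which device it came from.
            return self._record(employee_id=None, decision="deny",
                                reason="identity not in directory", **common)
        role = entry["role"]
        if (resource, action) in POLICY.get(role, set()):
            self.denials[user] = 0
            return self._record(employee_id=entry["employee_id"], decision="allow",
                                reason=f"role {role} requires {action} on {resource}", **common)
        self.denials[user] = self.denials.get(user, 0) + 1
        if self.denials[user] >= self.max_denials:
            # Real-time remediation: repeated out-of-policy actions end the session.
            self.denials[user] = 0
            return self._record(employee_id=entry["employee_id"], decision="terminate",
                                reason="session terminated after repeated out-of-policy actions",
                                **common)
        return self._record(employee_id=entry["employee_id"], decision="deny",
                            reason=f"role {role} has no need to know for {action} on {resource}",
                            **common)

    def replay(self, user: str) -> List[Tuple[str, str, str]]:
        """Audit trail for one individual: (resource, action, decision), in order."""
        return [(r.resource, r.action, r.decision) for r in self.audit_log if r.user == user]


def scripted_session() -> Gateway:
    """Constructed session: two people share one device; a shared account also tries."""
    gw = Gateway()
    gw.request("alice", "jump-host-1", "cardholder-db", "query")        # allow
    gw.request("bob", "jump-host-1", "cardholder-db", "query")          # deny: same device, other person
    gw.request("shared-admin", "jump-host-1", "cardholder-db", "query") # deny: not an individual
    for _ in range(3):                                                  # deny, deny, terminate
        gw.request("alice", "jump-host-1", "core-router", "config")
    return gw


if __name__ == "__main__":
    for rec in scripted_session().audit_log:
        print(rec.timestamp, rec.user, rec.device, rec.resource, rec.action, rec.decision, "-", rec.reason)
```

The device name appears in every record but never in the decision: bob is refused on the same jump host where alice was allowed, and the shared account is refused because it maps to no individual. Running the module prints the full trail; `replay()` filters it to one person, which is the per-user view an auditor or e-discovery request would ask for.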

Dave Olander is President and CEO at Xceedium. Dave assumed the President and CEO position in January 2010. Prior to that, Dave served as senior vice president of engineering. A seasoned executive, Dave joined Xceedium from netForensics where he was vice president of engineering. At netForensics, Dave led strategic development of their security information management product family. Prior to netForensics, Dave was at Raritan where he instituted new engineering processes to accelerate delivery of Raritan's second-generation digital KVM switch. Dave has over 25 years of senior leadership experience and product engineering management with HP, AT&T Bell Laboratories, BEA, Novell, UNIX System Laboratories and Improv Technologies. Dave's product experiences span UNIX operating systems, middleware platforms, out-of-band access solutions, and security software. Dave holds a Master's degree in Computer, Information and Control Engineering from the University of Michigan, and a Bachelor's degree in Computer Science from Clarkson University. He can be reached at
