Implement Fine-Grained Enforcement
Attribute No. 2: Implement fine-grained enforcement
Because next-generation access control solutions address the need to monitor the activities of smaller sets of privileged users, they should not only monitor but also enforce and remediate in real time if they are to add any significant value. An analogy can be drawn to an intrusion detection system (IDS) versus an intrusion prevention system (IPS): the risk that a false positive from an IPS disrupts the business is a significant barrier to its prevention capabilities ever being turned on. However, access control without the ability to control user activities on the network is not access control; it is access management, and the two are different things.
Attribute No. 3: Integrate audit capabilities to validate controls
Section 8 of the PCI DSS requires that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Because of these added security, operational and internal/external compliance requirements, access control solutions must provide robust reporting and auditing capabilities. Next-generation access solutions record every session and offer TiVo-like search and replay capabilities. That kind of functionality provides an indisputable audit trail that can be used for PCI DSS compliance. And from an e-discovery and security operations perspective, it eliminates any doubt about what occurred at any given point in time.
Attribute No. 4: Automate all the requirements from access to audit
Automation enables processes to scale. Because employees, business partners and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach. Introducing automation eliminates manual error or intervention and dramatically streamlines management.
Attribute No. 5: Deploy an identity-aware infrastructure
Sections 7 and 8 of the PCI DSS require that access to cardholder data be determined by an individual's need to know. In other words, only authorized personnel should have access. What this means in practical terms is that you must limit access to computing resources and cardholder data to only those people whose jobs necessitate it: the person, not the device, is the subject of the policy. When credentials are bound to the identity of the individual and fully integrated with existing authentication and directory systems, granular and explicit access policies can be created and managed.
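The following is an added example, not code from the original article or from any product it describes, showing how Attributes 2, 3, 4 and 5 fit together in one enforcement point: decisions are made per person (not per device) against an explicit need-to-know policy with default deny, every decision is written to an audit trail traceable to a known user, and a single automated directory change (deprovisioning a leaver) revokes all of that person's access. The directory, the resource names, the roles and the users are constructed sample data; a real deployment would read identities from its directory service.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass
class Identity:
    """A person from the directory (constructed stand-in for an AD/LDAP record)."""
    user_id: str
    roles: FrozenSet[str]
    active: bool = True  # leavers are deactivated automatically, never left stale


@dataclass
class AuditEvent:
    """One audit trail entry: who, what, which resource, the decision and why."""
    timestamp: str
    user_id: str
    resource: str
    action: str
    decision: str  # "allow" or "deny"
    reason: str


# Explicit need-to-know policy: resource -> action -> roles whose jobs require it.
# Anything not listed here is denied (default deny). Constructed sample policy.
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "cardholder-db": {
        "read": frozenset({"fraud-analyst", "dba"}),
        "write": frozenset({"dba"}),
    },
    "payment-gateway-config": {
        "read": frozenset({"payments-ops"}),
        "write": frozenset({"payments-ops"}),
    },
}


class AccessControl:
    """Identity-aware enforcement point: decides per person and records every decision."""

    def __init__(self, directory: Dict[str, Identity]) -> None:
        self.directory = directory
        self.audit: List[AuditEvent] = []

    def _record(self, user_id: str, resource: str, action: str,
                decision: str, reason: str) -> bool:
        """Append the decision to the audit trail and return it as a boolean."""
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEvent(stamp, user_id, resource, action, decision, reason))
        return decision == "allow"

    def evaluate(self, user_id: str, resource: str, action: str) -> bool:
        """Allow only an active identity whose role has need-to-know for this action."""
        identity = self.directory.get(user_id)
        if identity is None:
            return self._record(user_id, resource, action, "deny", "unknown identity")
        if not identity.active:
            return self._record(user_id, resource, action, "deny", "identity deactivated")
        allowed_roles = POLICY.get(resource, {}).get(action)
        if allowed_roles is None:
            return self._record(user_id, resource, action, "deny", "no policy grants this action")
        if identity.roles & allowed_roles:
            return self._record(user_id, resource, action, "allow", "role has need-to-know")
        return self._record(user_id, resource, action, "deny", "role lacks need-to-know")

    def deprovision(self, user_id: str) -> None:
        """Automated leaver handling: one directory change revokes all access at once."""
        if user_id in self.directory:
            self.directory[user_id].active = False

    def trace(self, resource: str) -> List[AuditEvent]:
        """Audit query: every recorded action against a resource, tied to a user."""
        return [e for e in self.audit if e.resource == resource]


def build_directory() -> Dict[str, Identity]:
    """Constructed sample directory with three people in three different jobs."""
    return {
        "alice": Identity("alice", frozenset({"fraud-analyst"})),
        "bob": Identity("bob", frozenset({"dba"})),
        "carol": Identity("carol", frozenset({"payments-ops"})),
    }


def demo() -> List[str]:
    """Run a sequence of requests and return the decisions for inspection."""
    ac = AccessControl(build_directory())
    results = [
        ac.evaluate("alice", "cardholder-db", "read"),    # allow: her job needs it
        ac.evaluate("alice", "cardholder-db", "write"),   # deny: read-only need-to-know
        ac.evaluate("carol", "cardholder-db", "read"),    # deny: different job
        ac.evaluate("mallory", "cardholder-db", "read"),  # deny: not in the directory
    ]
    ac.deprovision("bob")                                 # bob leaves the company
    results.append(ac.evaluate("bob", "cardholder-db", "write"))  # deny: deactivated
    return ["allow" if r else "deny" for r in results]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The enforcement point only ever sees a user identifier, so a device that is not tied to an active person in the directory gets nothing; and because every branch goes through `_record`, the audit trail contains denials as well as grants, which is what makes the trail useful for tracing who attempted what against cardholder data.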