    How to Implement Secure, PCI-Compliant Access Controls

    By Dave Olander - February 18, 2010

      Many legacy access systems are simply not aligned with current business needs and offer limited value in today’s dynamic business and regulatory environment. Next-generation access solutions evolved from the need to manage a smaller group of high-powered or highly trusted users: database administrators, users who handle credit card data, external auditors working remotely, and outsourced staff or other business partners.

      Focused on the “control” piece of access control, next-generation systems are lightweight, agile and plug into existing network infrastructure. As a result, they are becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that deliver the security and compliance benefits required for today’s business landscape.

      For instance, Requirement 7 of the Payment Card Industry Data Security Standard (PCI DSS) requires that access to cardholder data be restricted by business need to know. This means that access rights are granted only to the least amount of data and the fewest privileges needed to perform a job. Requirement 7.1 limits access to system components and cardholder data to only those individuals whose job requires such access.

      Requirement 7.2 of the PCI DSS requires merchants to “establish an access control system for systems components with multiple users that restricts access based on a user’s need to know, and is set to ‘deny all’ unless specifically allowed.” Requirement 8 of the PCI DSS requires a unique ID for each person with computer access, so that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

      In order to meet both the letter and the spirit of the PCI DSS, next-generation access control systems should have the following six attributes:

      Attribute No. 1: Right-size permissions based on a zero trust model

      At the start of any technology deployment, common sense dictates an audit of current access policies to see whether they are aligned with the needs of the business. In response to a host of factors, many organizations are rethinking their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and the spirit of PCI DSS Requirement 7.2: deny all unless specifically allowed. They are also taking it further, making sure that those who are allowed are closely monitored. This “zero trust” access model lets organizations adhere to PCI mandates even when dealing with users (such as vendors, outsourced personnel and other third parties) who reach systems from unmanaged endpoints.
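      The following is an added example, not code from the article or from any vendor product, showing what “deny all unless specifically allowed” looks like as an access decision, together with the policy review step the paragraph recommends. The rule layout, the role and resource names, and the constructed sample policy are assumptions made for illustration: every grant is explicit, an unknown person or an unlisted action is denied, and wildcard grants are surfaced for removal.

```python
"""Default-deny ("zero trust") access decisions with a policy review step.

Added example; not code from the article or from any vendor product.
The role names, resource names and the constructed sample policy below are
assumptions made up for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit grant: a role may perform these actions on this resource."""
    role: str
    resource: str             # "*" matches every resource (a legacy-style broad grant)
    actions: FrozenSet[str]   # "*" in the set matches every action

    def matches(self, resource: str, action: str) -> bool:
        return (self.resource in ("*", resource)
                and ("*" in self.actions or action in self.actions))


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    # Person -> roles. The key is an individual's unique ID, never a shared
    # account, so every decision is traceable to one person.
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def decide(self, user: str, resource: str, action: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        user_roles = self.roles.get(user, set())
        if not user_roles:
            return False, f"deny: {user!r} is not a known identity"
        for rule in self.rules:
            if rule.role in user_roles and rule.matches(resource, action):
                return True, f"allow: {user!r} via role {rule.role!r} on {rule.resource!r}"
        return False, f"deny: no rule grants {action!r} on {resource!r} to {user!r}"

    def overbroad_rules(self) -> List[Rule]:
        """Grants wider than one named resource or action set; review these first."""
        return [r for r in self.rules if r.resource == "*" or "*" in r.actions]

    def without(self, rule: Rule) -> "Policy":
        """A copy of the policy with one rule removed (recalibrating to need to know)."""
        return Policy([r for r in self.rules if r != rule], dict(self.roles))


def sample_policy() -> Policy:
    """Constructed sample policy: two right-sized grants plus one legacy wildcard."""
    return Policy(
        rules=[
            Rule("dba", "cardholder-db", frozenset({"read", "write"})),
            Rule("auditor", "audit-log", frozenset({"read"})),
            Rule("contractor", "*", frozenset({"*"})),  # the kind of grant a policy audit should find
        ],
        roles={"alice": {"dba"}, "bob": {"auditor"}, "carol": {"contractor"}},
    )


if __name__ == "__main__":
    policy = sample_policy()
    for who, what, how in [("alice", "cardholder-db", "read"),
                           ("alice", "cardholder-db", "drop"),
                           ("bob", "cardholder-db", "read"),
                           ("dave", "audit-log", "read"),
                           ("carol", "cardholder-db", "write")]:
        print(policy.decide(who, what, how)[1])
    for rule in policy.overbroad_rules():
        print("review:", rule)
        policy = policy.without(rule)
    print(policy.decide("carol", "cardholder-db", "write")[1])
```

      The point of the review step is that the wildcard grant to the contractor role is what makes carol’s write to the cardholder database succeed; once that rule is gone, the same request falls through to the default deny with nothing else to change.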


      Attribute No. 2: Implement fine-grained enforcement

      Because next-generation access control solutions exist to watch the activities of a smaller set of privileged users, they must not only monitor but also enforce and remediate in real time if they are to add significant value. The analogy is an intrusion detection system (IDS) versus an intrusion prevention system (IPS): the risk that a false positive will disrupt business is a significant barrier to turning an IPS’s prevention capabilities on, and the same hesitation applies here. But access control without the ability to control user activity on the network is not access control; it is access management, and the two are different things.

      Attribute No. 3: Integrate audit capabilities to validate controls

      Requirement 8 of the PCI DSS states that actions taken on critical data and systems must be performed by, and traceable to, known and authorized users. Because of these added security, operational and internal/external compliance requirements, access control solutions must provide robust reporting and auditing capabilities. Next-generation access solutions record every session and offer TiVo-like search and replay. Provided the recordings are themselves protected from alteration and retained, that kind of functionality provides a detailed, person-attributable audit trail that can be used for PCI DSS compliance. And from an e-discovery and security operations perspective, it leaves little doubt about what occurred at any given point in time.
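      The following is an added example, not code from the article or from any vendor product, showing the two properties that make a session record usable as evidence: every event is attributed to one named person (a shared login is refused), and each record is chained to the previous one with a keyed MAC so that editing, reordering or removing a record is detected on verification. The record layout, the demonstration key, the list of generic account names and the sample events are assumptions made for illustration; a real deployment would hold the key somewhere other than the host being audited.

```python
"""Tamper-evident, per-user audit trail with search and replay.

Added example; not code from the article or from any vendor product. The
record layout, the demo key, the generic-account list and the sample events
are assumptions made up for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64                                     # "previous MAC" of the first record
DEMO_KEY = b"constructed-demo-key-not-for-real-use"    # assumed; keep a real key off the audited host
SHARED_ACCOUNTS = {"root", "admin", "sa", "oracle"}    # assumed list of generic logins


def _mac(key: bytes, record: Dict) -> str:
    """HMAC over everything in the record except its own mac field."""
    unsigned = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(chain: List[Dict], key: bytes, user: str, event: Dict) -> Dict:
    """Append one event attributed to a named individual, chained to the previous record."""
    if not user or user in SHARED_ACCOUNTS:
        raise ValueError(f"{user!r} is not a unique personal ID; the action would be untraceable")
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"seq": len(chain), "user": user, "event": event, "prev": prev}
    record["mac"] = _mac(key, record)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (ok, index): index of the first bad record, or the chain length if intact."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["seq"] != i or record["prev"] != prev:
            return False, i                  # reordered, removed or inserted record
        if not hmac.compare_digest(record["mac"], _mac(key, record)):
            return False, i                  # contents changed after the fact, or wrong key
        prev = record["mac"]
    return True, len(chain)


def replay(chain: List[Dict], user: Optional[str] = None) -> List[Dict]:
    """Search-and-replay view: events in order, optionally filtered to one person."""
    return [r["event"] for r in chain if user is None or r["user"] == user]


def sample_chain(key: bytes) -> List[Dict]:
    """Constructed sample session events, not real data."""
    chain: List[Dict] = []
    append_event(chain, key, "alice", {"action": "login", "target": "cardholder-db"})
    append_event(chain, key, "alice", {"action": "query", "target": "cardholder-db",
                                       "detail": "SELECT COUNT(*) FROM cards"})
    append_event(chain, key, "bob", {"action": "read", "target": "audit-log"})
    return chain


if __name__ == "__main__":
    chain = sample_chain(DEMO_KEY)
    print("intact:", verify_chain(chain, DEMO_KEY))
    print("alice did:", replay(chain, "alice"))
    chain[1]["event"]["detail"] = "SELECT pan FROM cards"   # someone edits history
    print("after edit:", verify_chain(chain, DEMO_KEY))
```

      One limit worth knowing: a chain like this detects edits, insertions and deletions in the middle, but not truncation of the most recent records, because the shortened chain still verifies. The usual fix is to export the head MAC (or a count) to a separate system on a schedule so the tail can be checked against it.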

      Attribute No. 4: Automate all the requirements from access to audit

      Automation enables processes to scale. Because employees, business partners and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach. Introducing automation removes manual error and intervention and dramatically streamlines management.

      Attribute No. 5: Deploy an identity-aware infrastructure

      Requirements 7 and 8 of the PCI DSS require that access to cardholder data be determined by an individual’s need to know. In other words, only authorized personnel should have access. In practical terms, you must limit access to computing resources and cardholder data to only those people whose jobs necessitate it: not the device, but the person. When credentials are bound to the identity of the individual and fully integrated with existing authentication and directory systems, granular and explicit access policies can be created and managed.


      Attribute No. 6: Create backward and forward compatibility

      Interoperability with the relevant set of related systems should be a given with any emerging technology. In the case of access control, and to meet PCI requirements, the baseline integration points are LDAP, Active Directory, remote and network authentication systems (TACACS and RADIUS), configuration and change management systems, encryption applications, and security information management (SIM) systems.

      From an architectural perspective, many large companies keep PCI data on mainframe systems which, despite any potential interoperability issues, are still critical systems. As companies embrace virtualization as a way to maximize resources while minimizing costs, all potential support and interoperability issues specific to virtual environments must be considered as well.

      As the first mandate developed specifically to enforce a defined set of information security best practices, the PCI DSS has been instrumental in aligning security operations with business processes. With other mandates and laws such as the Health Insurance Portability and Accountability Act (HIPAA) undergoing refinements to make their security controls more clear-cut and effective, the vendor community has stepped up and made compliance management a reality, enabling security managers to automate critical aspects of compliance-driven audit preparation and reporting.

      As security teams have learned time and time again, when you automate highly manual, error-prone processes, the result is almost always an improved security profile. In an industry not known for good news, it is worth acknowledging the progress that IT security professionals, lawmakers, vendors and other members of the information security ecosystem have made in aligning security and compliance objectives.

      Dave Olander is President and CEO at Xceedium. Dave assumed the President and CEO position in January 2010. Prior to that, Dave served as senior vice president of engineering. A seasoned executive, Dave joined Xceedium from netForensics, where he was vice president of engineering. At netForensics, Dave led strategic development of their security information management product family. Prior to netForensics, Dave was at Raritan, where he instituted new engineering processes to accelerate delivery of Raritan’s second-generation digital KVM switch.

      Dave has over 25 years of senior leadership experience and product engineering management with HP, AT&T Bell Laboratories, BEA, Novell, UNIX System Laboratories and Improv Technologies. Dave’s product experiences span UNIX operating systems, middleware platforms, out-of-band access solutions, and security software. Dave holds a Master’s degree in Computer, Information and Control Engineering from the University of Michigan, and a Bachelor’s degree in Computer Science from Clarkson University. He can be reached at [email protected].
