

How to Implement Secure, PCI Compliant Access Controls

By David Olander

Business trends such as outsourcing, the rise of cloud computing, teleworking and of course, the need to demonstrate compliance with a wide variety of corporate, government, and vertical industry regulations have redefined the traditional, “moat and castle” notion of the network perimeter.  The problem organizations face today is not how to keep people out, but how to let them in - and how to control them once they are in - without introducing additional risk, and without jeopardizing IT’s security or compliance posture. 

Many legacy systems are simply not aligned with current business needs and at the end of the day offer limited value in today’s dynamic business and regulatory environment. Next generation access solutions evolved from the need to manage a smaller group of high performing or trusted users, such as database administrators, users accessing credit card data, external auditors working remotely, and outsourcing or other business partners. 

Focused on the “control” piece of access control, next generation systems are lightweight, agile and plug into existing network infrastructure.   As a result, they are becoming widely recognized as an efficient, cost effective way to integrate strong network controls that deliver the security and compliance benefits required for today’s business landscape. 

For instance, PCI DSS section 7 requires that access to cardholder data be restricted by business "need-to-know", meaning access rights are granted only to the least amount of data and the fewest privileges needed to perform a job. Section 7.1 limits access to system components and cardholder data to only those individuals whose job requires such access.

Section 7.2 requires merchants to "establish an access control system for systems components with multiple users that restricts access based on a user's need-to-know, and is set to 'deny all' unless specifically allowed."

Section 8 requires a unique ID for each person with computer access to ensure that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.   In order to meet both the letter and the spirit of PCI DSS, next generation access control systems should have the following attributes:

1) Right-size permissions based on a zero trust model: At the start of any technology deployment, common sense dictates an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are re-evaluating their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI requirement 7.2, deny all unless specifically allowed, and taking it further to make sure that those who are allowed are closely monitored. This "zero trust" access model allows organizations to adhere to PCI mandates even when dealing with users who access systems from unmanaged endpoints, such as vendors, outsourced personnel and other third parties.

2) Implement fine-grained enforcement: Because next generation access control solutions address the need to monitor the activities of smaller sets of privileged users, they should not only monitor but also enforce and remediate in real time if they are to offer any significant added value. An analogy can be drawn to IDS/IPS systems: the risk that an IPS false positive would disrupt business was a significant barrier to turning on their prevention capabilities at all. However, access control without the ability to control user activities on the network is not access control, it is access management, and the two are different things.

3) Integrate audit capabilities to validate controls: Section 8 of PCI clearly states that actions taken on critical data and systems must be performed by, and be traceable to, known and authorized users. Add security, operational, and internal or external compliance requirements, and access control solutions must provide robust reporting and auditing capabilities. Next generation access solutions record every session and offer TiVo-like search and replay capabilities. That kind of functionality provides an indisputable audit trail that can be used for PCI DSS compliance and, from an e-discovery and security operations perspective, eliminates any doubt about what occurred at any given point in time.

4) Automate all the requirements from access to audit:  Automation enables processes to scale.  As employees, business partners, and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach.  Introducing automation eliminates manual error or intervention and dramatically streamlines management.

5) Deploy an "Identity Aware" infrastructure: Sections 7 and 8 of the PCI Standard require that access to cardholder data be determined by an individual's need-to-know. In other words, only authorized personnel should have access. What this means in practical terms is that you must limit access to computing resources and cardholder data to those people whose jobs necessitate it: not the device, but the person. When credentials are bound to the identity of the individual and fully integrated with existing authentication and directory systems, granular and explicit access policies can be created and managed.

6) Create backward and forward compatibility: interoperability with the relevant set of related systems should be a given with any emerging technology. In the case of access control, and to meet PCI requirements, the baseline integration points are LDAP, Active Directory, remote and network authentication systems (TACACS, RADIUS), configuration and change management systems, encryption applications and even Security Information Management systems. From an architectural perspective, many large companies keep PCI data on mainframe systems, which despite any potential interoperability issues are still critical systems. As companies embrace virtualization as a way to maximize resources while minimizing costs, all potential support and interoperability issues specific to virtual environments must be considered as well.
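To make points 1, 3 and 5 concrete, here is an added example (not from the article, and not Xceedium's product) of a default-deny authorizer keyed to each person's unique ID that records every decision so actions can be traced back to an individual. The policy table, user IDs, resource names and the list of shared account names are all constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample policy (not from the article): explicit allow entries keyed by
# each person's unique ID (PCI DSS 8), scoped to the least data and privilege the
# job needs (7.1). Any (user, resource, action) not listed is denied (7.2).
POLICY = {
    "jdoe":        {"cardholder_db": {"read"}},
    "dba01":       {"cardholder_db": {"read", "write"}, "app_server": {"admin"}},
    "auditor_ext": {"audit_logs": {"read"}},
}
# Generic or shared logins can never satisfy "traceable to a known individual".
SHARED_IDS = {"admin", "root", "sa", "guest"}


class AccessController:
    """Default-deny authorizer that records every decision for later audit."""

    def __init__(self, policy):
        self.policy = policy
        self.audit_log = []   # one dict per decision, allow and deny alike

    def authorize(self, user_id, resource, action):
        if user_id in SHARED_IDS:
            decision, reason = "deny", "shared or generic account"
        elif action in self.policy.get(user_id, {}).get(resource, set()):
            decision, reason = "allow", "explicit policy entry"
        else:
            decision, reason = "deny", "no matching allow rule (deny all)"
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(), "user": user_id,
            "resource": resource, "action": action, "decision": decision, "reason": reason})
        return decision == "allow"

    def who_touched(self, resource):
        """Trace allowed actions on a resource back to individual IDs (PCI DSS 8)."""
        return sorted({r["user"] for r in self.audit_log
                       if r["resource"] == resource and r["decision"] == "allow"})

    def denials(self):
        """Denied attempts are the events a monitoring team wants to review."""
        return [r for r in self.audit_log if r["decision"] == "deny"]


if __name__ == "__main__":
    ac = AccessController(POLICY)
    for uid, res, act in [("jdoe", "cardholder_db", "read"), ("jdoe", "cardholder_db", "write"),
                          ("admin", "cardholder_db", "read"), ("dba01", "cardholder_db", "write")]:
        print(f"{uid} {act} {res} -> {'allow' if ac.authorize(uid, res, act) else 'deny'}")
    print("touched cardholder_db:", ac.who_touched("cardholder_db"))
    print("denied attempts:", len(ac.denials()))
```

Note that an unknown user and a known user asking for an action outside their role both fall through to the same deny branch; only explicit entries ever produce an allow.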

As the first mandate developed specifically to ensure a defined set of information security best practices, the PCI DSS standard has been instrumental in aligning security operations to business processes. With other mandates and laws, such as the Health Insurance Portability and Accountability Act (HIPAA), undergoing refinements to make security controls more clear-cut and effective, the vendor community has stepped up and made compliance management a reality, enabling security managers to automate critical aspects of compliance-driven audit preparation and reporting.

Security teams have learned time and time again that when you automate highly manual, error-prone processes, the result is almost always an improved security profile. In an industry not known for good news, it is worth acknowledging the progress IT security professionals, lawmakers, vendors, and other members of the information security ecosystem have made in aligning security and compliance objectives.

David Olander
President and Chief Executive Officer

Dave assumed the President and CEO position at Xceedium in January 2010. Prior to that he served as Senior Vice President, Engineering, where he oversaw the evolution of the Xceedium GateKeeper and his team delivered key functional and quality improvements.
A seasoned executive, Dave joined Xceedium from netForensics, where he was Vice President of Engineering. At netForensics Dave led strategic development of their Security Information Management product family. Prior to netForensics, Dave was at Raritan, where he instituted new engineering processes to accelerate delivery of Raritan's 2nd generation digital KVM switch. Dave has over 25 years of senior leadership and product engineering management experience with HP, AT&T Bell Laboratories, BEA, Novell, UNIX System Laboratories and Improv Technologies. His product experience spans UNIX operating systems, middleware platforms, out-of-band access solutions and security software.
Dave holds an MS in Computer, Information and Control Engineering from the University of Michigan, and a BS in Computer Science from Clarkson University.

© 2019 Simplex Knowledge Company. All Rights Reserved.