Access control strategies for PCI and other security operations

Extraordinary data protection is important during the holiday shopping season

IT Best Practices Alert By Linda Musthaler, Network World
November 20, 2009 12:07 AM ET

It's late November, and the holiday shopping season is well underway. That means it's also the season for increased hacking and data theft. So many shoppers making electronic payments with their credit and debit cards is too tempting a target for digital thieves to ignore. Attacks have become systematized and aggressive enough that every organization handling cardholder information must take extraordinary care to protect that data from theft.


With the release of the Payment Card Industry Data Security Standard (PCI DSS), first published in late 2004 and at version 1.2 as of this writing, merchants were given very explicit guidance on how to safeguard the sensitive cardholder data in their possession. Requirements 7 and 8 of PCI DSS address who may touch that data: Requirement 7 restricts access to cardholder data to those with a business need to know, and Requirement 8 requires that every person with computer access have a unique ID, so that each action can be traced to an individual. These rules apply to every user, but the highest-risk population includes partners, contractors, vendors and trusted insiders. Insiders may be database analysts, developers, system administrators, and perhaps even remote store managers.

One area of IT that's experiencing rapid innovation -- in great part to meet Requirements 7 and 8 of PCI DSS -- is the access control industry. While legacy access systems have focused on granting access, next-generation systems focus on the "control" component of access control: what an authenticated user may actually do once connected. Next-generation access control solutions are designed to manage the business issues facing today's organizations more effectively.

According to security expert Joel Dubin in an October 2009 searchsecurity.com article, "access control is strictly concerned with providing authentication credentials, such as user IDs and passwords or smart cards. The point is to provide users access, not prove their identity. This narrow focus, according to identity management experts, leads to cases of mistaken identity." Identity is one of several critical concerns that legacy access control systems do not adequately address. Other key areas are entitlement (management of credentials and the privileges attached to them), user monitoring, and auditing.

Legacy access control systems are simply not aligned with current business needs and are not designed to protect the organization against users gaining unauthorized access to systems and data. The consequences of that -- be it a breach or a compliance violation -- can be significant.

Next-generation access solutions evolved from the need to manage a smaller group of privileged or trusted users, such as users accessing cardholder data, external auditors working remotely, or outsourcing and other business partners. These systems are now becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that offer significant security and compliance benefits.

I recently talked with Cheryl Traverse, president and CEO of Xceedium, maker of a next-generation access control appliance. Traverse offered up her perspective on the functions that are top priority for a next-generation access control solution, specifically as it pertains to PCI compliance and audit:

* PCI DSS Requirement 7 requires that access to cardholder data be restricted by business need-to-know, with "need-to-know" meaning access rights are granted only to the least amount of data and the fewest privileges needed to perform a job.
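To make the need-to-know rule concrete, here is a small default-deny entitlement check written for this edit. It is an added example, not code from the article or from any vendor's product; the roles, user IDs, field names and record fields are all constructed for illustration. The idea it demonstrates: access is decided per field and per operation, anything not explicitly granted is denied, shared or generic IDs are refused outright (Requirement 8), and every decision is written to an audit trail keyed by the individual's user ID.

```python
"""Default-deny, field-level need-to-know check for cardholder data.

Added example for this edit; not from the original article or any product.
Roles, users, fields and the request below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Fields of a (constructed) cardholder record that this policy knows about.
# A request for any other field is denied, since it cannot be "need-to-know".
CARDHOLDER_FIELDS: FrozenSet[str] = frozenset({"pan", "expiry", "name", "order_id", "last4"})

# Generic accounts that cannot be tied to one person; always refused.
SHARED_IDS: FrozenSet[str] = frozenset({"admin", "root", "shared", "service"})

# Entitlements: role -> allowed (operation, field) pairs.  Nothing else is
# permitted.  A store manager gets order lookups and the last four digits;
# the settlement batch job is the only role that may read the full PAN;
# a DBA may run backups ("*" = any field) but is granted no read on PAN.
ENTITLEMENTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "store_manager": frozenset({("read", "order_id"), ("read", "last4"), ("read", "name")}),
    "chargeback_analyst": frozenset({("read", "order_id"), ("read", "last4"),
                                     ("read", "expiry"), ("read", "name")}),
    "settlement_batch": frozenset({("read", "pan"), ("read", "expiry")}),
    "dba": frozenset({("backup", "*")}),
}


@dataclass(frozen=True)
class User:
    user_id: str              # must identify one person (Requirement 8)
    roles: FrozenSet[str]


@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)


def is_permitted(user: User, operation: str, fld: str) -> bool:
    """Default deny: true only if some role explicitly grants (operation, field)."""
    if fld not in CARDHOLDER_FIELDS:
        return False
    for role in user.roles:
        for op, f in ENTITLEMENTS.get(role, frozenset()):
            if op == operation and f in (fld, "*"):
                return True
    return False


def check_access(user: User, operation: str, fields: Sequence[str],
                 log: AuditLog) -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """Evaluate a request field by field and audit every decision.

    Returns (granted_fields, denied_fields), preserving request order.
    """
    if not user.user_id or user.user_id in SHARED_IDS:
        # Refuse anything not traceable to an individual, and record it.
        log.entries.append({"user_id": user.user_id or "<empty>", "op": operation,
                            "field": "*", "result": "deny", "reason": "shared-id"})
        return (), tuple(fields)

    granted: List[str] = []
    denied: List[str] = []
    for fld in fields:
        ok = is_permitted(user, operation, fld)
        (granted if ok else denied).append(fld)
        log.entries.append({"user_id": user.user_id, "op": operation,
                            "field": fld, "result": "allow" if ok else "deny"})
    return tuple(granted), tuple(denied)


def demo() -> Tuple[Tuple[str, ...], Tuple[str, ...]]:
    """A constructed request: a store manager asks for three fields."""
    log = AuditLog()
    manager = User("jdoe", frozenset({"store_manager"}))
    result = check_access(manager, "read", ["order_id", "last4", "pan"], log)
    for entry in log.entries:
        print(entry)
    return result


if __name__ == "__main__":
    print(demo())   # granted order_id and last4; pan denied
```

The point worth noticing is that the policy never has to say "deny PAN to store managers": PAN simply is not in that role's grant list, so the default handles it. Adding a new field or operation therefore cannot silently widen access, and the audit trail shows, per individual ID, exactly which fields were released.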

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
