Access control strategies for PCI and other security operations

Extraordinary data protection is important during the holiday shopping season

Innovations in the access control solutions market have made it easier to align security and compliance objectives with business imperatives. Industry expert Cheryl Traverse talks about how next-generation access control solutions address very explicit requirements in the PCI DSS.

It's late November, and the holiday shopping season is well underway. That means it's also the season for increased hacking and data theft. So many shoppers making electronic payments with their credit and debit cards is too tempting a situation for digital thieves to ignore. Attacks have become systematized, and are so aggressive that every organization that handles cardholder information must take extraordinary care to protect that data from theft.


With the release of the Payment Card Industry Data Security Standard (PCI DSS) in 2007, merchants were given some very explicit guidance on how to safeguard the sensitive cardholder data in their possession. Sections 7 and 8 of PCI DSS require that access to data by high-risk users be strictly controlled. This includes partners, contractors, vendors and trusted insiders. Insiders may be database analysts, developers, system administrators, and perhaps even remote store managers.

One area of IT that's experiencing rapid innovation -- in large part to meet sections 7 and 8 of PCI DSS -- is the access control industry. While legacy access systems have focused on granting access, next-generation systems focus on the "control" component of access control. Next-generation access control solutions are designed to manage the current business issues facing today's organizations more effectively.

According to security expert Joel Dubin in an October 2009 article, "access control is strictly concerned with providing authentication credentials, such as user IDs and passwords or smart cards. The point is to provide users access, not prove their identity. This narrow focus, according to identity management experts, leads to cases of mistaken identity." Identity is one of several critical concerns legacy access control systems do not adequately address. Other key areas include entitlement, or credential management, user monitoring and auditing.

Legacy access control systems are simply not aligned with current business needs and are not designed to protect the organization against users gaining unauthorized access to systems and data. The consequences of that -- be it a breach or a compliance violation -- can be significant.

Next-generation access solutions evolved from the need to manage a smaller group of high-performing or trusted users, such as users accessing cardholder data; external auditors working remotely; or outsourcing or other business partners. These systems are now becoming widely recognized as an efficient, cost-effective way to integrate strong network controls that offer significant security and compliance benefits.

I recently talked with Cheryl Traverse, president and CEO of Xceedium, maker of a next-generation access control appliance. Traverse offered up her perspective on the functions that are top priority for a next-generation access control solution, specifically as it pertains to PCI compliance and audit:

* PCI DSS section 7 requires that access to cardholder data be restricted by business need-to-know, with "need-to-know" meaning access rights are granted to only the least amount of data and privileges needed to perform a job.

Section 7.1 limits access to system components and cardholder data to only those individuals whose job requires such access. Section 7.2 requires merchants to establish an access control system for system components with multiple users that restricts access based on a user's need-to-know and is set to "deny all" unless specifically allowed.

Section 8 requires a unique ID be assigned to each person with computer access to ensure that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. In order to meet both the letter and the spirit of PCI DSS, next-generation access control systems should have the following attributes:

* Right-size permissions based on a zero trust model. At the start of any technology deployment, common sense calls for an audit of current access policies to see if they are aligned with the needs of the business. In response to a host of factors, many organizations are reevaluating their access policies and finding that they are far more open than the needs of the business dictate. As a result, they are recalibrating to both the letter and spirit of PCI requirement 7.2 to "deny all" unless specifically allowed, and taking it further to make sure that those who are allowed are closely monitored. This "zero trust" access model allows organizations to adhere to PCI mandates even when dealing with users such as vendors, outsourced personnel and other third parties who access systems from unmanaged endpoints.

* Implement fine-grained enforcement. Because next-generation access control solutions address the need to monitor the activities of smaller sets of high-risk users, a solution should not only monitor but also enforce and remediate in real time if it is to offer any significant value-add. Access control without the ability to control user activities on the network is not access control, it's access management -- two different things.

* Integrate audit capabilities to validate controls. Section 8 of PCI clearly states that actions taken on critical data and systems must be performed by, and can be traced to, known and authorized users. When you also consider security, operational and internal or external compliance requirements, it's critical that access control solutions provide robust reporting and auditing capabilities. On the top end, there are solutions that record every session and offer TiVo-like search and replay capabilities. That kind of functionality provides an indisputable audit trail that can be used for PCI DSS compliance, and from an e-discovery and security operations perspective, eliminates any doubt of what occurred at any given point in time.

* Automate all the requirements from access to audit. Automation enables processes to scale. As employees, business partners, and others come and go, relying on manual upkeep of access policies is an open invitation to a security breach. Introducing automation eliminates manual error or intervention and dramatically streamlines management.

* Identity Aware. Sections 7 and 8 of the PCI Standard require that access to cardholder data be determined by an individual's need-to-know. In other words, only authorized personnel should have access. What this means in practical terms is that you must limit access to computing resources and cardholder data to those people whose jobs necessitate it. When credentials are bound to the identity of the individual and completely integrated with existing authentication and directory systems, it allows for the creation and management of granular and explicit access policies.

* Interoperability with the relevant set of related systems. In the case of access control, and to meet PCI requirements, the baseline integration points are with LDAP, Active Directory, remote and network authentication systems (TACACS, RADIUS), configuration and change management systems, encryption applications and even Security Information Management systems. From an architecture perspective, many large companies keep PCI data on mainframe systems, which, despite any potential interoperability issues, are still critical systems. As companies embrace virtualization as a way to maximize resources while minimizing costs, all potential support and interoperability issues specific to virtual environments must be considered as well.
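To make the "deny all unless specifically allowed" model, the unique-ID requirement and the audit trail from the points above concrete, here is a small policy evaluator. It is an added example written for this page, not code from the article, Network World or Xceedium, and every user ID, resource and request in it is constructed sample data. It places the legacy allow-by-default model beside a default-deny model, logs each decision against a unique user ID, and uses that log to flag granted-but-never-used permissions, the kind of right-sizing review the first point describes.

```python
"""Default-deny access control with a per-user audit trail, illustrating
PCI DSS requirement 7.2 (deny all unless specifically allowed) and
requirement 8 (a unique ID per person). Added example; not code from the
article or any vendor. All users, resources and requests are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user_id: str        # one ID per person, never a shared account
    resource: str       # e.g. a database holding cardholder data
    actions: frozenset  # actions explicitly allowed on that resource


class LegacyAllowByDefault:
    """The weak model: everyone is allowed unless placed on a deny list.
    A new vendor account or a forgotten account is open by default."""

    def __init__(self, denied_users=()):
        self.denied_users = set(denied_users)

    def check(self, user_id, resource, action):
        return user_id not in self.denied_users


class DefaultDenyAccessControl:
    """The PCI 7.2 model: a request passes only when an explicit grant matches
    the user, the resource and the action. Every decision is logged."""

    def __init__(self):
        self.grants = []
        self.audit_log = []

    def allow(self, user_id, resource, *actions):
        self.grants.append(Grant(user_id, resource, frozenset(actions)))

    def check(self, user_id, resource, action):
        permitted = any(
            g.user_id == user_id and g.resource == resource and action in g.actions
            for g in self.grants
        )
        # Audit trail keyed by the unique user ID, so each action is traceable
        self.audit_log.append({"user": user_id, "resource": resource,
                               "action": action,
                               "decision": "ALLOW" if permitted else "DENY"})
        return permitted

    def unused_grants(self):
        """Right-sizing review: grants that no logged ALLOW ever exercised are
        candidates for removal. Returns (user, resource, action) tuples."""
        used = defaultdict(set)
        for entry in self.audit_log:
            if entry["decision"] == "ALLOW":
                used[(entry["user"], entry["resource"])].add(entry["action"])
        return [(g.user_id, g.resource, a)
                for g in self.grants
                for a in sorted(g.actions)
                if a not in used[(g.user_id, g.resource)]]


def build_sample_policy():
    """Constructed policy: a DBA may read and back up the card database;
    a remote store manager may only read sales reports."""
    acl = DefaultDenyAccessControl()
    acl.allow("dba-jsmith", "cardholder-db", "read", "backup")
    acl.allow("mgr-store42", "sales-reports", "read")
    return acl


# Constructed requests: one legitimate, then three that should be denied
SAMPLE_REQUESTS = [
    ("dba-jsmith", "cardholder-db", "read"),
    ("dba-jsmith", "cardholder-db", "export"),  # action never granted
    ("mgr-store42", "cardholder-db", "read"),   # wrong resource for this role
    ("vendor-new", "cardholder-db", "read"),    # account with no grants at all
]


def evaluate(acl, requests):
    """Run each (user, resource, action) request through a policy object."""
    return {req: acl.check(*req) for req in requests}


if __name__ == "__main__":
    legacy = LegacyAllowByDefault(denied_users={"ex-contractor"})
    acl = build_sample_policy()
    for req in SAMPLE_REQUESTS:
        print(req, "legacy:", legacy.check(*req), "default-deny:", acl.check(*req))
    print("unused grants to review:", acl.unused_grants())
```

Under the legacy model the unknown "vendor-new" account reads the card database because nobody thought to deny it; under default deny it is refused, as are the DBA's ungranted "export" and the store manager's attempt on the wrong resource. The review at the end reports the DBA's "backup" right and the manager's report access as granted but never exercised, which is exactly the list an access policy audit would hand back for confirmation or removal.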

Innovations in the access control sector have made it easier to align security and compliance objectives with business imperatives. If you haven't looked at the next-generation access control solutions lately, perhaps it's time to do so.


Copyright © 2009 IDG Communications, Inc.
