Version 3.1 of the Payment Card Industry Data Security Standard (PCI DSS) expired on October 31, 2016. While companies are advised to adopt Version 3.2 as soon as possible, they technically have until Feb. 1, 2018 to implement the changes. Smart companies will take this time to get in front of new PCI regulations by deploying unified identity management across Windows, Linux, and Unix systems.
The PCI DSS 3.2 consists of 12 requirements spread across six domains. Since the standard is primarily concerned with protecting cardholder data, these requirements focus on user access to the servers that host this data or through which PCI data passes. Fortunately, a robust unified identity management solution can help organizations meet most of the requirements. Such a solution not only provides security controls to manage and constrain privileged user access to PCI DSS systems and data, but also helps reduce PCI scope and bolster mechanisms in anticipation of future PCI DSS changes.
PCI DSS Requirement 1.2 requires firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. A unified identity management solution can help organizations meet this requirement through Group Policy-based enforcement of an iptables-based firewall. By using this policy, administrators can restrict inbound traffic to specific ports from specific IP addresses.
But it doesn’t stop there. Organizations can apply additional protections for the server by deploying a solution that also requires authentication before any communication. This can be applied to both inbound and outbound communications to ensure that PCI systems are only able to communicate with other PCI systems. This not only reduces the potential scope of compliance but also adds a layer of protection that the PCI Security Standards Council could later require.
Let’s look at another example. Requirement 2.3 requires organizations to encrypt all non-console administrative access using strong cryptography. Telnet is still used on many systems, but it isn’t secure and should be replaced with SSH. Newer versions of OpenSSH support Kerberos for user authentication. When organizations combine OpenSSH with a unified identity management solution, they eliminate the need to manage static SSH keys. This not only reduces operational overhead but also reduces the risk of user error. Furthermore, some identity management vendors provide a compiled and easy-to-install version of the latest OpenSSH, ensuring consistency across all systems as well as the highest levels of security.
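Added example, not from the page or any identity management vendor: a POSIX sh audit helper that checks an sshd_config against the Requirement 2.3 points above (no SSH protocol 1, Kerberos/GSSAPI logins enabled, no weak ciphers). It assumes the plain `Keyword value` syntax with no Match blocks, the weak-cipher list is the helper's own, and the sample config is constructed.

```shell
# Added audit helper (not from the page or any vendor): checks an sshd_config
# against the Requirement 2.3 points above. Assumes "Keyword value" syntax, no Match blocks.
WEAK_CIPHERS='arcfour arcfour128 arcfour256 3des-cbc blowfish-cbc cast128-cbc'

# Effective value of a keyword: sshd honours the first occurrence, keywords
# are case-insensitive, comment lines are ignored.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report findings on stderr; print the finding count on stdout.
audit_sshd_config() {
    cfg=$1; findings=0
    # SSH protocol 1 has no strong cryptography and must not be offered.
    proto=$(sshd_get "$cfg" Protocol)
    case ",$proto," in
        *,1,*) echo "FAIL Protocol: SSH-1 enabled ($proto)" >&2
               findings=$((findings + 1)) ;;
    esac
    # Kerberos (GSSAPI) logins replace static keys, as the text recommends.
    gss=$(sshd_get "$cfg" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    if [ "$gss" != "yes" ]; then
        echo "FAIL GSSAPIAuthentication: expected yes, got '${gss:-unset}'" >&2
        findings=$((findings + 1))
    fi
    # Every cipher offered must be absent from the weak list (RC4, DES, legacy CBC).
    for c in $(sshd_get "$cfg" Ciphers | tr ',' ' '); do
        case " $WEAK_CIPHERS " in
            *" $c "*) echo "FAIL Ciphers: weak cipher $c offered" >&2
                      findings=$((findings + 1)) ;;
        esac
    done
    echo "$findings"
}

# Constructed sample: a legacy configuration that trips all three checks.
SAMPLE_CFG='Protocol 2,1
GSSAPIAuthentication no
Ciphers aes256-ctr,arcfour'

if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
else
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_CFG" > "$tmp"
    audit_sshd_config "$tmp"; rm -f "$tmp"
fi
```

Run it with the path to a real sshd_config as the single argument; with no argument it audits the embedded sample.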
Finally, a unified identity management solution can enable secure remote access without a VPN. While VPN traffic can be secure, it introduces other risks by allowing remote users broader access beyond the server they need to log in to. By selectively establishing a remote session with a discrete resource, organizations reduce the scope of PCI compliance and improve on the PCI DSS’s baseline requirement.
These are only a few examples of how a unified identity management approach can help organizations get ahead of PCI DSS compliance. To learn more, download the white paper, Becoming PCI DSS Compliant.