Friday, April 9, 2010

Real-world PCI-DSS: identity is key

March 3, 2010 - 10:08 A.M.

Amir Lev
Security Levity


In this week's Security Levity, I'm interviewing Abhilash V. Sonwane, vice president of product management at Cyberoam. Abhilash has extensive experience building credit card data loss-prevention solutions that help organizations achieve regulatory compliance. I'm sure you'll agree that in this interview, he brings some thoughtful insights into real-world Payment Card Industry Data Security Standard (PCI-DSS) compliance and the importance of user identity.


Abhilash, give us a quick backgrounder on PCI, as a starting point...

Here's how we describe it ... our elevator pitch, if you will.

PCI-DSS aims to give cardholders the assurance that their card details are safe and secure when their debit or credit card is offered at the point-of-sale. To be compliant with the standards, merchants and other service providers holding cardholder data need to do 12 things:

1. use a firewall,

2. change default passwords and other vendor-supplied security parameters,

3. protect stored cardholder data,

4. encrypt data in transmission,

5. use anti-virus software and keep it updated,

6. develop and maintain secure systems and applications,

7. keep access to cardholder data on a need-to-know basis,

8. assign a unique ID to each internal user,

9. restrict physical access to the data,

10. track and monitor all access,

11. regularly test security systems and processes,

12. maintain an information security policy.


Those seem like sensible precautions.


[Laughs] You'd be surprised how many merchants weren't implementing some of those best practices, or were implementing them in a half-hearted way. That's why the industry got together to form the PCI Security Standards Council.


OK, so any thoughts on which of those requirements are most important?

From the perspective of actual compliance with the regulations, they're all important. But it's too easy to forget the need to link true user identity to network security. It's a fundamental part of PCI compliance, but too often overlooked.

You really need complete visibility into who is doing what in the network, as well as access controls based on the user’s work profile. Identity becomes particularly significant in dynamic environments like retail stores, e-stores, hospitality, banking and other service provider industries -- anywhere that multiple users and customer service executives work in shifts over shared machines.


What does that mean for technologies that help enterprises comply with PCI?

A chosen technology should allow user-identity-based access policies. Based, for example, on work profile, department and individual user. It shouldn't depend on IP addresses to identify internal users. The point is that you need to have protection even in often-changing environments that incorporate DHCP, Wi-Fi and shared machines.

In other words, you need to bind user identity to security features.


OK, that sounds reasonable, but can you tell us why you think user identity is so important?

It allows granular policy creation in enterprises. You're able to create schedule-based or temporary web access policies, or policies allowing certain people access to applications like IM and P2P but which restrict file transfer over these functions to ensure data security.

You also need to be able to easily make dynamic changes to security policies -- while accounting for user movement in the network -- and maintain visibility into network access by individual users. This enables enterprises to modify the user access policies for tighter security controls and to prevent probable security breaches.


But this all sounds like a lot of extra work for IT administrators. How can they be expected to track users' movements?

In the real world, identity isn't an island. You need to integrate with Active Directory, LDAP, RADIUS or an enterprise's custom internal database.

Centralized authentication, authorization and single sign-on maximizes security, employee productivity and convenience -- particularly in shared workstation spaces.


So, in summary, focusing on user identity is a Good Idea, especially in enterprises where multiple users share the same machine.


In fact, identifying users and taking proactive action isn't just a good idea -- it's a key part of PCI-DSS compliance.
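
The shared-workstation problem raised in the interview, as an added example that is not part of the original column and not Cyberoam's code: a small policy engine that evaluates the same access request two ways, keyed on the source IP and keyed on the user authenticated behind that IP. The users (alice, bob), the terminal address, the resources, the schedule window and the login/logout events are all constructed for illustration; in a real deployment the session table would be fed by the directory (AD, LDAP or RADIUS) login events the interview mentions. The point it shows is that an IP-keyed rule silently follows the machine from one shift to the next, while an identity-keyed rule follows the person, and that the audit line can name the user (requirement 10) only if identity was bound in the first place.

```python
"""Identity-bound vs IP-bound access policy on a shared, DHCP-addressed terminal.

Added example; the users, address, resources and login events are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One allow rule. subject is a user name, or 'ip:<addr>' for an IP-keyed rule."""
    subject: str
    resource: str
    window: Optional[Tuple[time, time]] = None  # (start, end) of day; None = always

    def matches(self, subject: str, resource: str, at: datetime) -> bool:
        if self.subject != subject or self.resource != resource:
            return False
        if self.window is None:
            return True
        start, end = self.window
        return start <= at.time() < end


@dataclass
class PolicyEngine:
    rules: List[Rule]
    # source IP -> authenticated user; in practice populated from directory
    # (AD/LDAP/RADIUS) login and logout events, here driven by hand
    sessions: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def login(self, user: str, ip: str) -> None:
        self.sessions[ip] = user

    def logout(self, ip: str) -> None:
        self.sessions.pop(ip, None)

    def decide(self, ip: str, resource: str, at: datetime, bind_identity: bool = True) -> bool:
        user = self.sessions.get(ip)
        if bind_identity:
            # No authenticated session behind this address: deny rather than guess.
            allowed = user is not None and any(r.matches(user, resource, at) for r in self.rules)
        else:
            allowed = any(r.matches(f"ip:{ip}", resource, at) for r in self.rules)
        # Every attempt is logged against a named user, not only an address.
        self.audit.append(
            f"{at.isoformat()} ip={ip} user={user or 'unknown'} resource={resource} "
            f"{'ALLOW' if allowed else 'DENY'}"
        )
        return allowed


def run_shift_scenario() -> Tuple[Dict[str, bool], List[str]]:
    """Two staff share one POS terminal across shifts; returns (decisions, audit lines)."""
    terminal = "10.0.1.20"  # constructed address, reused by DHCP across both shifts
    rules = [
        Rule("alice", "cardholder-db"),                    # supervisor, any time
        Rule("bob", "web-im", (time(9, 0), time(17, 0))),  # cashier, business hours only
        Rule(f"ip:{terminal}", "cardholder-db"),           # legacy IP-keyed rule "because alice sits there"
    ]
    engine = PolicyEngine(rules)
    results: Dict[str, bool] = {}

    # Morning shift: alice authenticates on the terminal.
    engine.login("alice", terminal)
    morning = datetime(2010, 3, 3, 10, 8)
    results["alice_db_by_ip"] = engine.decide(terminal, "cardholder-db", morning, bind_identity=False)
    results["alice_db_by_identity"] = engine.decide(terminal, "cardholder-db", morning)

    # Afternoon shift: alice logs out, bob logs in on the same machine with the same lease.
    engine.logout(terminal)
    engine.login("bob", terminal)
    afternoon = datetime(2010, 3, 3, 14, 30)
    results["bob_db_by_ip"] = engine.decide(terminal, "cardholder-db", afternoon, bind_identity=False)
    results["bob_db_by_identity"] = engine.decide(terminal, "cardholder-db", afternoon)
    results["bob_im_in_hours"] = engine.decide(terminal, "web-im", afternoon)
    results["bob_im_after_hours"] = engine.decide(terminal, "web-im", datetime(2010, 3, 3, 20, 0))

    # Unattended terminal after logout: nobody is authenticated behind the address.
    engine.logout(terminal)
    results["nobody_db_by_identity"] = engine.decide(terminal, "cardholder-db", datetime(2010, 3, 3, 21, 0))
    return results, engine.audit


if __name__ == "__main__":
    decisions, trail = run_shift_scenario()
    for name, allowed in decisions.items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
    print("\n".join(trail))
```

Running it shows the IP-keyed rule still granting bob the cardholder database in the afternoon (`bob_db_by_ip` is ALLOW) while the identity-keyed evaluation denies him, permits his IM access only inside the schedule window, and denies the unattended terminal outright. The audit trail carries `user=bob` on the afternoon entries and `user=unknown` on the last one, which is the visibility the interview is asking for.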


I want to make this an interactive place: where I can answer questions and cover topics that you suggest. Feel free to add comments and ask Amir!


When he's not interviewing PCI-DSS experts, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.


Disclosure: Cyberoam, a division of Elitecore Technologies, has been a partner of Commtouch since 2007, when the company licensed the Commtouch RPD anti-spam engine as part of its identity-based UTM appliance. However, no consideration has been exchanged in respect of this interview, and Amir Lev retained full editorial control.
