IT Operations Challenges
Implementing and Validating Controls for Privileged and External Users
Related resources:
- Reymann Group: PCI Self-Certifications Just Got Easier!
- Forrester: The Top 10 Things You Should Know About PCI Compliance
- Aberdeen: Protecting Card Holder Data
- Xceedium: PCI Compliance - Technical Note
- GateKeeper PCI Brochure
- LeapFrog Prevention Whitepaper
Eighty-six percent of all internal attacks come from current or former technical employees (CERT/FBI). Additionally, 60% of all companies outsource, and most of this work is done by highly technical application developers or IT operations personnel. This means that companies are now bringing in a whole new group of third-party users who have privileged access to the company's broad, heterogeneous infrastructure.
Privileged and external users are those who need access to your network to perform their jobs and who have powerful access tools within reach that, if abused, can harm your organization: exposure of private data in a breach, failed audits and potential fraud. These highly skilled, well-equipped users include outsourced database administrators (DBAs), hardware and software vendors, off-shore application developers, outsourced IT operations, internal IT staff and managed service providers (MSPs) who work within your mission-critical systems. The characteristics of this user group make delivering a compliance footprint extremely difficult.
Further complicating compliance is that the infrastructure itself is likely to contain legacy systems, such as point-of-sale systems, whose "back doors" must be locked down and whose legacy cleartext protocols must be wrapped in encryption, since left as-is they fail the data-in-transit requirements.
Although there are many solutions on the market that handle PCI compliance for application users, existing solutions do not ensure PCI compliance and security policy enforcement for the privileged user.
How does a company satisfy PCI compliance in a cost-effective and unobtrusive manner for the privileged and external user group? How can they...
- easily encrypt user connectivity to a heterogeneous environment without replacing legacy systems?
- grant access to a user (remote or local) and guarantee they only access the approved systems?
- provide separation of duties and containment for this user group?
- monitor privileged users directly accessing systems and databases?
- collect evidence for testing and forensics analysis?
- easily deliver reports for continuous testing of controls?
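As an added illustration of three of the controls asked for above (approved-system allow-listing per user, a separation-of-duties rule, and tamper-evident evidence for forensics), the following Python sketch is example code written for this page; it is not Xceedium or GateKeeper code. All users, roles, hostnames and ports are hypothetical, constructed for the example.

```python
"""Illustrative privileged-access gateway policy (constructed example, not
product code): per-role allow-list of target systems, a separation-of-duties
rule, and a hash-chained audit trail that detects after-the-fact tampering."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical policy data: which roles may reach which (host, port, protocol).
# The legacy POS telnet target is listed because the gateway, not the POS box,
# would terminate the encrypted session and forward cleartext on the inside.
ROLE_TARGETS = {
    "outsourced_dba": {("db01.internal", 1521, "sqlnet"), ("db02.internal", 1521, "sqlnet")},
    "pos_vendor": {("pos-gw.internal", 23, "telnet")},
    "internal_ops": {("app01.internal", 22, "ssh"), ("db01.internal", 22, "ssh")},
}
USER_ROLES = {
    "alice": {"outsourced_dba"},
    "bob": {"pos_vendor"},
    "carol": {"internal_ops"},
    "dave": {"outsourced_dba", "internal_ops"},   # deliberately violates SoD
}

# Separation of duties: no single user may hold both roles of any pair below.
SOD_CONFLICTS = {frozenset({"outsourced_dba", "internal_ops"})}


@dataclass
class Decision:
    allowed: bool
    reason: str


def check_sod(user):
    """True when the user's role set contains no conflicting pair."""
    roles = USER_ROLES.get(user, set())
    return not any(pair <= roles for pair in SOD_CONFLICTS)


def authorize(user, host, port, protocol):
    """Deny by default; allow only targets on the user's role allow-lists."""
    roles = USER_ROLES.get(user)
    if not roles:
        return Decision(False, "unknown user")
    if not check_sod(user):
        return Decision(False, "separation-of-duties violation")
    for role in sorted(roles):
        if (host, port, protocol) in ROLE_TARGETS.get(role, set()):
            return Decision(True, f"role {role} permits target")
    return Decision(False, "target not on approved list")


class AuditTrail:
    """Append-only evidence log; each record carries the SHA-256 of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, host, port, protocol, decision, when=None):
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user,
            "target": f"{host}:{port}/{protocol}",
            "allowed": decision.allowed,
            "reason": decision.reason,
            "prev": self._prev,
        }
        entry["hash"] = self._digest(entry)
        self.records.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain; any edited, reordered or deleted record breaks it."""
        prev = self.GENESIS
        for e in self.records:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def gateway_session(trail, user, host, port, protocol):
    """What the gateway does per connection attempt: decide, then record evidence."""
    decision = authorize(user, host, port, protocol)
    trail.record(user, host, port, protocol, decision)
    return decision


if __name__ == "__main__":
    trail = AuditTrail()
    for args in [("alice", "db01.internal", 1521, "sqlnet"),
                 ("alice", "app01.internal", 22, "ssh"),
                 ("dave", "db01.internal", 1521, "sqlnet")]:
        d = gateway_session(trail, *args)
        print(args, "->", d.allowed, d.reason)
    print("trail intact:", trail.verify())
```

Denied attempts are recorded alongside allowed ones, because a failed audit usually turns on proving that out-of-scope access was blocked, not just that approved access occurred; the hash chain lets the reviewer show the evidence was not edited after the fact.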