Guest post by Simon Parker, Minerva
Building a Case for Next-Generation Access Control
Identities are stolen more during the holidays than any other time of the year. That’s because this is the season in which shoppers use their credit and debit cards the most. And unfortunately, the stores at which they shop have a lot to do with these losses.
You see, as technology advances, shoppers become easy targets for thieves who are becoming more and more systematic in their attacks. So if retailers want to protect their customers from data theft, they should take special care when processing card payments. And many say that part of the answer lies in next-generation access control.
Let’s take a moment to discuss the goals of next-generation access solutions as well as the ideal characteristics of next-generation access control systems. But first, let’s start by talking about access control as it relates to the PCI DSS.
Access Control and the PCI DSS
When PCI DSS was first introduced in 2007, retailers were given strict guidelines on how to protect cardholder data. Requirements 7 and 8 stress that all access is to be controlled, especially in the case of high-risk users such as contractors, partners and vendors. Even trusted insiders have a certain protocol to uphold.
All of these changes and protocols mean that IT has seen a significant amount of innovation. Today that innovation is no longer focused simply on granting access; it is now more concerned with controlling that access. Next-generation access systems therefore aim for solutions which exceed the requirements of sections 7 and 8.
It is important not just to confirm the identity of a user, but to actually examine their credentials and entitlements. By putting emphasis on identity alone, you are weakening your security posture: a confirmed identity says nothing about what that user should be allowed to do. It is much more practical and effective to take entitlement into consideration as well as to monitor and audit the user's behavior. This can stop unauthorized access, thereby better protecting the company's data and IP assets.
The Goal of Next-Generation Access Solutions
The goal of next-generation access solutions is to offer security and compliance benefits that are both inexpensive and effective. These solutions seek to give companies the ability to manage smaller groups of trusted users. Whether users are external auditors, outsourced employees or third-party partners, you can be assured that with these systems you will have more control.
There are a few functions of access control systems that should be emphasized when it comes to PCI compliance. For instance, the user should only be given access on a need-to-know basis, seeing no more than they need to in order to complete their job function. This access would be specific to that user, and all others would be expressly denied.
The Ideal Characteristics Of Next-Generation Access Control Systems
PCI DSS requirement 8 addresses the need for unique user identification. In this way, the company can easily track the actions of each user. In the ideal scenario, a next-generation access control system should govern itself according to a "zero trust" policy: the user is not allowed access unless they have been given express permission. This reduces the potential threat when working with third parties in uncontrolled environments.
After the system has been put into place, the company should monitor the users and enforce the rules should they be breached. There is hardly any value in a controlled system unless real-time monitoring is present. User activities must be controlled.
It's important that companies do more than monitor the system; they should perform regular audits. This ensures that you will always be able to trace the actions of the users and can make changes in your security operations if needed. When done correctly, an audit leaves a very visible trail of each and every user session.
Systems should be managed with explicit access policies. No user should be able to access a cardholder's information unless it fits within their job description. As discussed earlier, credentials are an essential part of next-generation systems. And by ensuring that the user is working on a "need to know" basis, the company can ensure that only authorized personnel are granted certain permissions.
Finally, the system should be interoperable. It is understood that most companies do possess certain mainframe systems that users have access to, but they should also consider adding a few solutions which allow for interoperability. When it comes to virtual environments, it's best to ensure that all systems are connected in some way.
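The points above (unique user IDs, explicit need-to-know entitlements, deny by default, and a traceable record of every decision) can be shown in a small authorization check. This is an added example, not code from the post or from Minerva; the users, roles, resources and the "suspended" flag set by monitoring are all constructed sample data.

```python
# Added example: default-deny, entitlement-based authorization with an
# audit trail, in the spirit of PCI DSS requirements 7 and 8.
# All users, roles and resources below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Entitlement policy: role -> set of (resource, action) pairs that are
# explicitly permitted. Anything not listed here is denied ("zero trust").
POLICY = {
    "cashier": {("pos_terminal", "charge")},
    "pci_auditor": {("access_log", "read")},
    "dba_contractor": {("cardholder_db", "read")},
}

# Unique identities (req. 8): each user ID maps to exactly one person and
# role, so every audit entry can be traced back to an individual.
USERS = {
    "u1001": {"name": "Alice", "role": "cashier"},
    # "suspended" models a flag set by monitoring when an account is
    # believed compromised; the policy engine then refuses all access.
    "u2002": {"name": "Bob", "role": "dba_contractor", "suspended": True},
    "u3003": {"name": "Carol", "role": "pci_auditor"},
}


@dataclass
class AuditTrail:
    """Append-only record of every authorization decision (allow or deny)."""
    entries: list = field(default_factory=list)

    def record(self, user_id, resource, action, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "resource": resource, "action": action,
            "allowed": allowed, "reason": reason,
        })


def authorize(user_id, resource, action, trail):
    """Return True only if the user's role is explicitly entitled to perform
    `action` on `resource`. Every decision, including denials, is logged."""
    user = USERS.get(user_id)
    if user is None:
        trail.record(user_id, resource, action, False, "unknown user id")
        return False
    if user.get("suspended"):
        trail.record(user_id, resource, action, False, "account suspended")
        return False
    if (resource, action) not in POLICY.get(user["role"], set()):
        trail.record(user_id, resource, action, False, "not entitled")
        return False
    trail.record(user_id, resource, action, True, "entitled via role " + user["role"])
    return True
```

Note that a cashier asking to read the cardholder database is denied and logged even though the user is fully authenticated; identity alone never grants access.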
If you are a business owner who is interested in both compliance as well as security, then it’s important that you have the right access control system in place. Next-generation access control solutions will certainly take your organization’s security posture to the next level.
Simon Parker is Director of UK-Based Security Industry for Minerva Integrated Security Services Ltd., which provides a wide range of access control systems trusted by some of the biggest companies in industries including healthcare, finance and government. Learn more here: http://minerva-security.co.uk/services/physical-access-control-systems/.