TOM KEMP'S CENTRIFY BLOG

PCI-A-Go-Go

Friday, April 6, 2007

OK, I admit it, I like the Payment Card Industry ("PCI") compliance standard. Now when I say the word "audit" or "compliance" and the expression "I like" I know a whole host of reactions will emanate from IT personnel, most of which are probably negative. So before I tell you why I like PCI, I am going to step back and give you my thoughts on the pros and cons of compliance in general.

On the positive side, compliance has done the following:

  • Created more transparency in public companies and is hopefully reducing the impulse by executives to resort to "sleight of hand" when things are heading in the wrong direction. It is also putting pressure on private companies to make sure they run a cleaner ship if they ever want to go public themselves or even get acquired by a public company. So investors in both public and private companies benefit.
  • Helped to protect customers and consumers, because bars are now being set on protection of financial information as well as privacy data including healthcare-related information.
  • Given the impetus to IT organizations to make themselves more efficient and agile to the needs of the business. As Michael Dortsch from the Robert Frances Group says in this Centrify-sponsored whitepaper on addressing SOX in a cross-platform environment, "Compliance efforts can significantly accelerate and expand the development and deployment of best practices for effective, business-centric policies, for IT and information security management. These practices and policies, in turn, will result in closer IT-business alignment, greater competitive elasticity and agility, and higher ROI from IT …. These benefits can help to transform the perception of IT as a cost center or simple source of cost savings to an enabler of immediate and sustained business benefits."
  • Created new market opportunities for startup vendors such as Centrify to emerge to address compliance in a cost-effective and standards-based manner, thereby sparking innovation in the identity and access management market that has historically been made up of vendors who offered expensive and proprietary solutions that were difficult to deploy.

On the less-than-positive side, here are some of the problems with compliance:

  • A lot of compliance-related requirements are vague and open to interpretation. As this article in Network Computing states: "The problem is that the SOX regulations don't specify the exact requirements of IT systems and data, so companies must rely on independent auditors to advise them on what must be done to comply. The auditors don't know IT well enough to define what will be required, and the IT people don't know what the auditors will ask them to do. Hence, no one knows what SOX compliance will cost from company to company, or whether there are standard steps to reach that goal."
  • The cost associated with getting compliant can be significant. I have seen studies stating that public companies with less than $1 billion in annual revenue are spending at least $1 to $2 million per year on compliance. These are resources and money that are potentially being taken away from R&D and moving the business forward. Likewise, this cost is impacting the desire of some private companies to go public and making M&A a more attractive exit (thereby potentially stifling industry innovation as fewer vendors exist to compete for business).

Having been an officer at a public company, I have seen the drag compliance can put on a company in terms of diversion of resources and time, but as an investor and consumer I do appreciate the added regulations to protect me, and of course I like how compliance is a key driver for my company's business.

With all the pros and cons of compliance, there is one industry compliance standard that does get a big thumbs up from me — the Payment Card Industry Data Security Standard (PCI DSS). Here's why I like PCI DSS:

  • It is being driven by an industry consensus that the industry has to do better, versus being mandated by different government bodies (i.e., local, state, national) that may have conflicting requirements. Since the majority of commercial transactions between businesses and individuals are increasingly being performed using some form of electronic payment involving a payment card instead of cash, there is an increased need to protect card holder data to prevent fraud and identity theft. The Payment Card Industry Security Standards Council was formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International with the mission to enhance payment account data security by creating the Data Security Standard, which describes a common set of best practices that must be enforced on all systems that are involved in payment card processing.
  • The requirements are clear and explicit versus vague and open to interpretation as you see with, say, Sarbanes-Oxley. In other words, unlike the Federal SOX legislation, which lays out a general principle regarding data security and auditing, PCI is a detailed, multi-point standard with unambiguous guidelines. Here are some examples taken from this document:
    8.5.8 Do not use group, shared, or generic accounts/passwords.
    8.5.9 Change user passwords at least every 90 days.
    8.5.10 Require a minimum password length of at least seven characters.
    8.5.11 Use passwords containing both numeric and alphabetic characters.
    8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
    8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
    8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID.
    8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
    And:
    10.2 Implement automated audit trails to reconstruct the following events, for all system components:
    10.2.1 All individual user accesses to cardholder data
    10.2.2 All actions taken by any individual with root or administrative privileges

So you can see they are nice and specific, so an auditor can tell whether you have these controls "in place" or "not in place"!
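Because the 8.5.x requirements above are numeric, the "in place / not in place" test can be automated. The following is an added example (not from the original post or from Centrify's products) that parses a constructed snapshot of a Linux host's /etc/login.defs, PAM lines (pam_cracklib, pam_unix, pam_tally2) and shell TMOUT setting, and reports every control that misses the quoted threshold; the sample values are hypothetical.

```python
import re

# Thresholds from the PCI DSS requirements quoted above (8.5.9 to 8.5.15).
PCI = {"max_days": 90, "min_len": 7, "history": 4, "deny": 6, "unlock_secs": 1800, "idle_secs": 900}

# Constructed snapshot of one Linux host (hypothetical values, not a real system):
# /etc/login.defs, the relevant PAM lines and a login profile that sets TMOUT.
LOGIN_DEFS = "PASS_MAX_DAYS\t180\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\n"
PAM_LINES = [
    "password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 lcredit=-1",
    "password sufficient pam_unix.so sha512 shadow use_authtok remember=2",
    "auth required pam_tally2.so deny=10 unlock_time=600",
]
PROFILE = "export TMOUT=3600\n"

def kv(text):
    """Collect numeric `key=value` (PAM, shell) and `KEY value` (login.defs) pairs."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"(\w+)[=\s]+(-?\d+)", text)}

def pci_findings(login_defs=LOGIN_DEFS, pam_lines=PAM_LINES, profile=PROFILE):
    """Return (requirement, observed, expected) for every control that is 'not in place'."""
    defs, sh, pam = kv(login_defs), kv(profile), {}
    for line in pam_lines:
        pam.update(kv(line))
    # pam_cracklib's minlen overrides PASS_MIN_LEN when it is configured
    min_len = pam.get("minlen", defs.get("PASS_MIN_LEN", 0))
    # a credit of -1 (or lower) means at least one character of that class is required
    needs_digit = pam.get("dcredit", 0) <= -1
    needs_alpha = pam.get("lcredit", 0) <= -1 or pam.get("ucredit", 0) <= -1
    checks = [
        ("8.5.9 maximum password age (days)", defs.get("PASS_MAX_DAYS", 99999),
         "<= 90", lambda o: o <= PCI["max_days"]),
        ("8.5.10 minimum password length", min_len, ">= 7", lambda o: o >= PCI["min_len"]),
        ("8.5.11 numeric and alphabetic characters", needs_digit and needs_alpha, "True", lambda o: o),
        ("8.5.12 password history (remember=)", pam.get("remember", 0),
         ">= 4", lambda o: o >= PCI["history"]),
        ("8.5.13 lockout threshold (deny=)", pam.get("deny", 0),
         "1..6", lambda o: 1 <= o <= PCI["deny"]),
        # no unlock_time means locked until an administrator intervenes, which also satisfies 8.5.14
        ("8.5.14 lockout duration (unlock_time=)", pam.get("unlock_time"),
         ">= 1800 or absent", lambda o: o is None or o >= PCI["unlock_secs"]),
        ("8.5.15 idle timeout (TMOUT=)", sh.get("TMOUT", 0),
         "1..900", lambda o: 1 <= o <= PCI["idle_secs"]),
    ]
    return [(req, seen, want) for req, seen, want, ok in checks if not ok(seen)]

if __name__ == "__main__":
    for req, seen, want in pci_findings():
        print(f"NOT IN PLACE  {req}: observed {seen}, expected {want}")
```

Run against the constructed snapshot it flags five of the seven controls; the same parser works on a real host by feeding it the actual file contents.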

  • It is democratic in terms of who it applies to. All merchants, payment processors, point-of-sale vendors, and financial institutions must comply with it in order to retain their right to use the payment system. So there are no loopholes on who it applies to.
  • It has some teeth behind it if you don't comply with it. Members such as Visa have defined stiff penalties, starting with fines and ultimately resulting in the loss of the right to use payment cards, as incentives to comply with these security standards. These penalties are designed to ensure that all merchants and service providers work to maintain consumer trust, since the loss of the ability to use payment cards would drastically impact their ability to do business with consumers.
  • It clearly documents who is certified to do PCI audits, which means the bar is set in terms of who is qualified to actually do the audit, and there is one "white pages" for finding an assessor.
  • It helps protect billions of people, including me. Many regulations apply only to specific vertical industries that have little direct impact on consumers. But PCI impacts everyone who has a credit card, and does so to protect against breaches of confidential financial information. I want to know that whoever I am giving my credit card to does in fact have a firewall in place, is auditing all actions being taken by administrators on those systems holding credit card information, etc.
  • Finally, it is something that Centrify has done a great job of helping customers address and make their environment more secure. Through many months of working with analysts, auditors, customers, and partners, Centrify has gained expertise in identifying issues that spell trouble for customers addressing PCI. For example, some of the largest retail organizations in the world use our software to meet many sections of the PCI requirements.

So thumbs up from me as it relates to PCI. At a high level, here's how Centrify solutions can help you address your PCI audit:

  • Our DirectControl solution allows IT to extend the infrastructure investment it has already deployed - Microsoft Active Directory - to address the management and administration of its non-Windows systems and applications. In addition, Centrify DirectControl's patent-pending Zone technology is an innovative, next-generation solution for delivering the type of fine-grained access control and delegated administration that IT managers need to comply with PCI requirements and manage a diverse and distributed server environment. Beyond authentication and authorization policy enforcement, DirectControl also provides for the enforcement of Active Directory Group Policies to ensure that non-Windows systems are configured to comply with the desired security policy and stay that way. These Group Policies are leveraged in combination with the sudo command to control privileged access to non-Windows systems by enforcing the appropriate policy for sudo on each system.
  • Our DirectAudit solution goes further by providing detailed auditing, logging and reporting on user activity within your UNIX or Linux environment in an easy-to-use, secure and reliable manner. DirectAudit helps you detect suspicious activity and lets you granularly track activity down to which users accessed what systems, what commands were executed, and what changes were made to key files and data. This enables the auditor to see not only actions taken by a specific user, but also the actions, and the responses to those actions, taken by a user while their privileges were elevated due to running su or sudo. The combination of DirectAudit, for logging all user actions, and DirectControl, which associates those UNIX users with a specific person, will provide the auditor with the information required to meet the requirements set forth by the PCI Data Security Standard.

If you want more information on how Centrify can help you address your PCI requirements, definitely check out this whitepaper.

