PCI compliance matters when managing identity and access for remote third-party service providers.
This is the third article in an ongoing series on PCI DSS Requirement 8 compliance. In a nutshell, PCI Requirement 8 is about identifying and authenticating all users to protect data and systems. When you can identify every user, you can control access and hold them accountable for their actions.
Many companies rely on outsourced technology service providers for network operations, database management, and application development. These service providers remotely manage IT infrastructure in which PCI data traverses networks and is stored within databases. Companies may also outsource business processes, such as customer service, help desk, or loan origination services for a bank.
These service providers may have access to business-critical systems, corporate data and customer records. To provide a highly trusted and secure environment for all users, it is incumbent upon the enterprise to protect and control the who, what, and how of information access.
For years, we have witnessed a constant flow of news reports on cybersecurity breaches. In fact, Target recently suffered a security breach that came from a cybercriminal who gained access to their network from one of the company’s third-party service providers. It resulted in the data breach of millions of debit and credit cards, and a significant hit to Target’s brand reputation.
Trusted and secure access management for remote third-parties
PCI Requirement 8 applies to all users: internal employees, third-party service providers, IT administrators, etc. However, PCI Requirement 8.3.2 specifically requires multi-factor authentication for all remote network access originating from outside the entity’s network. And PCI Requirement 8.5.1 stipulates that service providers with remote access to customer premises must use a unique authentication credential for each customer.
Complying with PCI Requirement 8 is critical for managing these remote third-party service providers. Accomplishing this requires technology, documented policies, and processes that ensure the appropriate people are aware of the policies. This holds true for systems located within a corporate data center and in the cloud. The challenge and responsibility in upholding proper governance and administration for remote user access and authorization applies across the board – no matter where your systems and data reside.
Many organizations have multiple entry points to access systems and data. For example, one point of entry is through the application itself, where a customer service representative might need to access customer data. Another point of entry is the database, where an administrator other than the “super-user” might have root access. Identifying and authenticating every user at each point of entry provides greater protection of systems and data.
At the point of entry into a system, assigning each user a unique identification lets you pinpoint that individual’s actions. By authenticating each user, you can confirm who is accessing your system and substantiate that they are who they claim to be.
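The three controls described above (a unique ID per user, multi-factor authentication for remote access under 8.3.2, and a distinct credential per customer for service providers under 8.5.1) can be checked mechanically against an account inventory. The following is an added example written for this article, not Simeio’s code or any PCI SSC tool; the account records are constructed, and the field names are an assumption about how an IAM export might look.

```python
"""Audit an account inventory for three PCI DSS Requirement 8 conditions:
  - an account ID used by more than one person (actions cannot be attributed),
  - remote access without multi-factor authentication (Requirement 8.3.2),
  - a service provider reusing one credential across customers (Requirement 8.5.1).
Added example with constructed data; field names are assumed, not from any real IAM product."""
from collections import defaultdict

# Constructed inventory: one row per (account, person, customer) mapping.
ACCOUNTS = [
    {"account_id": "dba-acme-001", "provider": "AcmeDBA", "customer": "RetailCo",
     "person": "j.doe", "remote": True, "mfa": True},
    # Same provider credential used for a second customer -> 8.5.1 finding.
    {"account_id": "dba-acme-001", "provider": "AcmeDBA", "customer": "BankCo",
     "person": "j.doe", "remote": True, "mfa": True},
    # Remote account with no MFA -> 8.3.2 finding.
    {"account_id": "helpdesk-shared", "provider": "HelpDeskInc", "customer": "RetailCo",
     "person": "a.lee", "remote": True, "mfa": False},
    # Second person on the same account ID -> shared-ID finding.
    {"account_id": "helpdesk-shared", "provider": "HelpDeskInc", "customer": "RetailCo",
     "person": "b.kim", "remote": True, "mfa": False},
    # On-site account: 8.3.2 does not apply, and the ID is unique.
    {"account_id": "netops-007", "provider": "NetOpsLtd", "customer": "RetailCo",
     "person": "c.ng", "remote": False, "mfa": False},
]


def find_shared_ids(accounts):
    """Account IDs mapped to more than one person."""
    people = defaultdict(set)
    for a in accounts:
        people[a["account_id"]].add(a["person"])
    return sorted(acct for acct, who in people.items() if len(who) > 1)


def find_remote_without_mfa(accounts):
    """Accounts that reach the environment remotely but lack MFA (8.3.2)."""
    return sorted({a["account_id"] for a in accounts if a["remote"] and not a["mfa"]})


def find_credential_reuse_across_customers(accounts):
    """(provider, account_id) pairs that serve more than one customer (8.5.1)."""
    customers = defaultdict(set)
    for a in accounts:
        customers[(a["provider"], a["account_id"])].add(a["customer"])
    return sorted(key for key, cs in customers.items() if len(cs) > 1)


def audit(accounts):
    """Run all three checks and return the findings keyed by control."""
    return {
        "shared_ids": find_shared_ids(accounts),
        "remote_without_mfa": find_remote_without_mfa(accounts),
        "credential_reuse_across_customers": find_credential_reuse_across_customers(accounts),
    }


if __name__ == "__main__":
    for control, items in audit(ACCOUNTS).items():
        print(f"{control}: {items if items else 'no findings'}")
```

Run against the constructed inventory, the audit flags `helpdesk-shared` twice (shared between two people and used remotely without MFA) and flags `AcmeDBA`’s `dba-acme-001` credential for serving two customers, while the on-site `netops-007` account produces no finding. In practice the input would come from the IAM or PAM platform’s export rather than an inline list, and the findings would feed the governance review the article calls for.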
Simeio Identity Orchestrator elevates trust and protection for third-party access
Simeio’s Identity Orchestrator delivers unparalleled flexibility, portability, reliability, and security. Simeio’s single platform manages identities, simplifies the operation of complex functions, and supports:
- Multi-vendor identity and access management (IAM)
- Platforms for privileged access management (PAM)
- Federated identity management (FIM)
- Identity governance and administration (IGA)
Third-party relationships present a significant threat, even as we rely upon them to simplify technology and business operations, lower costs, and help us stay competitive. Without a robust identity and authentication solution to securely manage the widespread use of diverse third-party service providers, the success of your company, your name, and your reputation are on the line every day. The Simeio Orchestrator supports PCI Requirement 8 for all environments and users, including remote third-party service providers with access to on-premises and cloud applications.
I encourage you to follow this series as I address more sub-requirements of PCI Requirement 8 and explain how IDaaS addresses them to help you protect your business and comply with the standard’s mandates.
Shawn Keve is responsible for sales, business development, channel partners and marketing at Simeio. He played a key role in growing the business 20 times, making Simeio one of the fastest growing companies in North America.
Previously, Shawn was Consulting Director at Oracle and Director of Professional and Managed Services for Sun Microsystems (prior to Oracle’s acquisition of Sun), where he was responsible for the sales and delivery of a $100M portfolio of IT services. Before joining Sun, he held leadership roles at Netscape (acquired by AOL), KPMG Consulting, and MIT Lincoln Laboratory.
Shawn has over 22 years of experience servicing clients in the strategy, architecture, design and implementation of enterprise solutions across several industries, including financial services, healthcare, life sciences, manufacturing, media & entertainment, telecommunications and retail. He holds a Bachelor of Science degree in Business Administration (Management Information Systems) from Northeastern University.