Protecting privileged accounts
Organizations are facing escalating complexity in every aspect of their IT operations, including the datacenter, identity and access management infrastructure, cross-platform systems and staffing. Establishing and maintaining a security and compliance posture, in what is often a disparate and dynamically changing environment, is regularly cited as the top concern of IT leaders who are responsible for mitigating risk and protecting the information assets of their enterprises.
On top of that, the myriad of compliance regulations create ongoing challenges for enterprises in every industry and many companies that must meet multiple requirements for internal controls (Sarbanes-Oxley Act or SOX); payments data security (Payment Card Industry Data Security Standards or PCI DSS); patient health information (Health Insurance Portability and Accountability Act or HIPAA); and other industry-specific requirements, including the Graham-Leach-Bliley Act, and the Federal Information Security Management Act (National Institute of Standards and Technology SB 800-52).
Common to every major compliance regulation and industry mandate are requirements to ensure users authenticate with a unique identity; privileges are limited to only ones needed to perform job functions; and user activity is audited with enough detail to determine what events occurred, who performed them, and to what outcome.
User activity auditing can create the accountability required for security and compliance, including:
- Captures and search historical user activity so that suspicious actions can be examined to determine if an attack is occurring – before the damage is done
- Change privileged user behavior through deterrents, ensuring that trustworthy employees are not taking shortcuts and disgruntled employees know any malicious actions will be recorded
- Establish a clear, unambiguous record for evidence in legal proceedings and dispute resolution
The financial services, health care and other industries that accept payments using credit and debit cards are governed by the PCI DSS regulations created by the card-issuing industry. The stiff penalties defined by PCI members are designed to ensure that all merchants and service providers work to maintain consumer trust of payment cards, since loss of that trust could negatively impact revenue.
The PCI DSS 3.2, due to go into effect Oct. 1, 2016, consists of 12 requirements spread across six domains. Since the core concern of PCI is the protection of cardholder data, these requirements focus on user access to the servers that host this data, or through which such data passes.
Server Suite (Standard, Enterprise, and Platinum Editions) and Privilege Service, which are called out specifically in the revised standard, contribute to your PCI DSS compliance posture in a number of different areas. They provide security controls to manage and constrain privileged user access to PCI DSS systems and data. They can also help reduce PCI scope by isolating PCI resources, controlling user access, server-to-server communication (i.e., their communication to untrusted servers), and the encryption of data between them.
One of the realities of Windows domain administration is that virtually every organization of any size can run afoul of the principle of separation of duties (also called segregation of duties). This principle manifests in multiple ways. For example, it could mean that an employee who can create an invoice in a billing system should never have the ability to audit the creation of said invoice. Or, in what is probably the single most common violation of this principle in Windows domain administration today, it could mean that a very high percentage of your domain admins who have zero business justification for access to sensitive and regulated data do, in fact, have access to your sensitive and regulated data.
This is a near-perfect example of why the “least access” privilege model is required by regulatory compliance acts designed to protect consumers and businesses from exposing sensitive information, such as credit card data, health care records or financial data.
While passing compliance audits are an essential part of business, remember that compliance does not guarantee security and security does not guarantee passing compliance audits. However, for compliance or security reasons, you must ensure your privileged accounts are protected.
To learn more about becoming PCI DSS compliant, download Centrify's whitepaper.