
PCI DSS Compliance

Meeting PCI DSS for IT

Any organization that accepts, stores, processes or transmits payment card data has likely heard of the PCI DSS compliance requirements. Created by the PCI Security Standards Council, which the major card brands (Visa, MasterCard and American Express, among others) founded, and enforced through those brands' agreements with merchants and acquirers, the standard establishes 12 high-level requirements broken into roughly 200 sub-requirements to protect against payment card fraud.

Given that nearly all cardholder data is now stored and processed digitally, most of the compliance burden falls on IT departments, which must ensure that networks are protected and that employees follow network and password security policies.

Impact of PCI DSS on your network

The main goal of the PCI DSS requirements is to secure the storage, processing and transmission of cardholder data, and they apply to every system that stores, processes or transmits it or is connected to one that does (the cardholder data environment). Primarily, this means setting up a network that:

  1. Includes defensive measures, like firewalls, encryption, anti-virus software, and regular testing.
  2. Is able to track user activity and know who is doing what and when, especially for privileged access to servers and network devices.
  3. Can limit or restrict user access to what each role needs.
  4. Enforces policies for password security.

From this list, the first item covers a host of solutions that corporations already use regularly. Items two through four, however, are trickier, and the way they are implemented differs between IT staff and end-user employees.

Managing your privileged IT accounts

IT accounts, such as IT admin accounts or application/service accounts, each grant a specific level of access on the network. Typically IT teams share these credentials amongst themselves to gain access to equipment as needed. This makes it very difficult to know who exactly is accessing which device and to restrict access amongst IT staff.

The second security issue is the potential for hundreds, if not thousands, of accounts, each with its own password. To improve security posture, each password should be long, composed of random characters, and changed regularly. For many organizations this means serious man-hours wasted by highly paid IT professionals manually changing passwords on these accounts.

Key solutions for IT teams

Thycotic developed Secret Server Password Management Software specifically to address compliance for IT departments. The tool provides a centralized, encrypted vault for credentials, role-based restrictions on who can retrieve them, full auditing of credential use, and automatic password changing.

Add your security policy to Secret Server to automatically change passwords at required times, enforce password length and complexity requirements, and ensure sensitive systems maintain a high level of access control and oversight over privileged accounts.

  • Key compliance features

    • Full audit reports for users and system usage.
    • Role-based access and permission controls.
    • Session Recording.
    • Service account management.
    • One-time password configuration.
    • Request access.
    • Customizable auditor role for streamlining audit process.

Improving security for end-user accounts

Securing end-user accounts is very important for overall network security, especially because of their susceptibility to malware and employees’ penchant for using weak passwords. To fortify a network, these accounts must have strong, regularly rotated passwords. Often the number one problem with a strong end-user password policy is the more complex an employee’s password is, or the more often they’re required to change it, the more likely they are to forget it!

Key solutions for end-user password resets

Security rules for end-user passwords, such as length, complexity and rotation requirements add protection to the network, but can quickly increase help desk cost when employees forget their login credentials. Added costs can include expanding help desk staff to field high-volume password reset calls, or missed deadlines when employees cannot log in to the network.

Password Reset Server eliminates the need for employees to call the help desk to reset their AD password. Now, they can simply answer security questions through Password Reset Server and automatically reset their password any time of the day, from any location. IT security teams can also configure Password Reset Server to enforce password length and complexity requirements, ensuring password compliance is met by all employees.

  • Key compliance features

    • End-users perform their own password resets and eliminate unnecessary help desk calls.
    • Self-service can be a faster option than phone calls and support tickets, minimizing employee downtime and frustration.
    • The solution is available 24×7, reducing off-hours burden on the help desk.
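Both the privileged-account section above and the end-user section here come down to the same native control: a password policy that sets length, complexity, rotation and lockout, with a stricter tier for admin and service accounts than for ordinary employees. The following is an added example written for this page, not code from Thycotic or from Secret Server or Password Reset Server. It enforces those rules with Active Directory fine-grained password policies (which require a 2008 or later domain functional level) and then reports the policy that actually applies to each privileged account. The group names `PCI-End-Users` and `PCI-Privileged-Accounts`, the policy names, and the function `Get-EffectivePasswordPolicy` are hypothetical; the 90-day rotation, 6-attempt lockout and 30-minute lockout duration follow PCI DSS 3.x requirements 8.2.4, 8.1.6 and 8.1.7, and the length minimums are stricter than the standard's 7 characters.

```powershell
Import-Module ActiveDirectory

# Added example, not Thycotic's code. Group names are hypothetical; create
# them first with New-ADGroup or substitute your own global security groups.
$endUserGroup    = "PCI-End-Users"
$privilegedGroup = "PCI-Privileged-Accounts"

# Baseline for end-user accounts in the cardholder data environment.
New-ADFineGrainedPasswordPolicy -Name "PCI-EndUser-Policy" `
    -Precedence 100 `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "90.00:00:00" `
    -LockoutThreshold 6 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Stricter tier for admin and service accounts: long random passwords,
# rotated monthly. The lower Precedence value wins if an account is a
# member of both groups.
New-ADFineGrainedPasswordPolicy -Name "PCI-Privileged-Policy" `
    -Precedence 10 `
    -MinPasswordLength 25 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge "1.00:00:00" `
    -MaxPasswordAge "30.00:00:00" `
    -LockoutThreshold 6 `
    -LockoutDuration "00:30:00" `
    -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false

# Bind each policy to its group. FGPP subjects must be users or global
# security groups; an OU cannot be a subject.
Add-ADFineGrainedPasswordPolicySubject -Identity "PCI-EndUser-Policy"    -Subjects $endUserGroup
Add-ADFineGrainedPasswordPolicySubject -Identity "PCI-Privileged-Policy" -Subjects $privilegedGroup

# Verification: show the policy that actually applies to an account.
# An account with no FGPP silently falls back to the Default Domain
# Policy, which is the gap an assessor will look for.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($null -eq $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        Account      = $SamAccountName
        Policy       = if ($policy.Name) { $policy.Name } else { "Default Domain Policy" }
        MinLength    = $policy.MinPasswordLength
        MaxAgeDays   = $policy.MaxPasswordAge.Days
        LockoutAfter = $policy.LockoutThreshold
    }
}

# Report on every privileged account; any row showing "Default Domain
# Policy" is an account that escaped the stricter tier.
Get-ADGroupMember -Identity $privilegedGroup |
    ForEach-Object { Get-EffectivePasswordPolicy -SamAccountName $_.SamAccountName } |
    Format-Table -AutoSize
```

Run this once from a workstation with the RSAT Active Directory module as a user who can create objects in the Password Settings Container. Note that fine-grained policies apply by group membership, not by OU, so a service account created outside the privileged group gets the end-user or default policy until someone adds it; the report at the end is the check that catches that.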

Controlling Active Directory group management

In addition to controlling account credentials and enforcing stronger password practices, it is important for organizations to limit risk from internal threats, such as disgruntled employees. One key solution is locking down access to company resources. For example, making sure employees in the marketing department only have access to marketing files and cannot access payroll files. This can be done by adjusting permissions in Active Directory (AD). Typically, the IT department will make AD changes, but from a security standpoint, this adds potential for error since the IT administrator is not always familiar with the complexities of each department’s AD groups and may inadvertently assign an employee to the wrong group.

Key solutions for AD group management

Active Directory (AD) group management may not be the first topic that comes to mind when creating a security policy. However, it is an important example of how system design can produce errors ripe for exploitation later on. Delegating one point of contact in IT to make AD group changes is a typical practice in most organizations. That person is responsible for adding newly hired employees to the appropriate AD group. For example, a new marketing associate would be given access to marketing files and email distribution lists. But without being privy to each department's workflows, the IT admin might mistakenly grant the new employee the wrong access. This problem typically gets worse as employees change teams, roles and responsibilities within the organization.

Auditing and restricting access not only applies to critical systems and servers, but controlling security within AD group management as well. These controls can easily be added through Group Management Server, a tool that enables non-IT team leaders to make AD group changes for their department. With Group Management Server, the marketing manager can add new employees to the marketing AD group, or make changes within that group. For security, all changes are audited and each manager’s ability to make changes is restricted to their direct AD groups.

  • Key compliance features

    • Reduce time spent by the help desk and expensive AD administrators.
    • Provide a faster resolution to the manager or employee’s request through self-service.
    • Reduce errors by keeping responsibility with the manager, who best understands their team’s access needs.
    • Maintain a full audit log of changes to easily find and correct mistakes.
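The two controls this section describes, a manager who can change membership of only their own group and an audit trail of every change, can be expressed directly in Active Directory. The following is an added example written for this page, not code from Thycotic or from Group Management Server. It grants one manager write access to the `member` attribute of a single group (so they can add and remove members but cannot rename the group, change its scope, or touch any other group), checks the resulting ACE, turns on Security Group Management auditing, and pulls the "member added/removed" events into a who-changed-what report. The group `Marketing-Files`, the account `mkt.manager`, and the function `Get-GroupMembershipChanges` are hypothetical; the `member` attribute's schema GUID is the well-known value bf9679c0-0de6-11d0-a285-00aa003049e2, and the event property positions follow the schema for event IDs 4728/4732/4756 and 4729/4733/4757 (check them against an event's XML view on your domain controller before relying on the report).

```powershell
Import-Module ActiveDirectory

# Added example, not Thycotic's code. Group and account names are hypothetical.
$groupName   = "Marketing-Files"
$managerName = "mkt.manager"

$group   = Get-ADGroup -Identity $groupName
$manager = Get-ADUser  -Identity $managerName

# Delegate the right to change membership of this one group only.
# Scoping the ACE to the schema GUID of the "member" attribute means the
# manager can edit members but nothing else about the group, and the ACE
# lives on this group object alone, so no other group is affected.
$memberAttrGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid
)

$adPath = "AD:\$($group.DistinguishedName)"
$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($ace)
Set-Acl -Path $adPath -AclObject $acl

# Check: the manager should appear with WriteProperty on exactly this object,
# with ObjectType equal to the member attribute GUID.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$managerName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Turn on auditing of group membership changes. Run on each domain controller,
# or set the same subcategory in the Default Domain Controllers Policy.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Review: who added or removed whom from which group. 4728/4732/4756 are
# "member added" for global, domain-local and universal security groups;
# 4729/4733/4757 are the matching removals. Run on a domain controller.
function Get-GroupMembershipChanges {
    param([int]$Days = 7)
    $addedIds = @(4728, 4732, 4756)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756, 4729, 4733, 4757
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Property order is shared by these six event IDs (assumed; verify
        # against the XML view of a real event on your DC).
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = if ($_.Id -in $addedIds) { 'Added' } else { 'Removed' }
            Member    = $_.Properties[0].Value   # MemberName: DN of the account
            Group     = $_.Properties[2].Value   # TargetUserName: group name
            ChangedBy = $_.Properties[6].Value   # SubjectUserName: who did it
        }
    }
}

Get-GroupMembershipChanges -Days 7 | Format-Table -AutoSize
```

Two caveats worth knowing before delegating this way: the right to write `member` lets the manager add any account, including their own or a nested group, so the audit report (or a periodic diff of group membership) is what keeps the delegation honest; and Set-Acl against the AD: drive needs an account that can modify the group's security descriptor, typically a domain admin or an account that has itself been delegated Modify Permissions on the OU.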