The Fire is Almost Out …PCI #5

Problem to Solve: How can we use our APM/NPM solution to meet the Network Authentication, Database Access, and Video requirements of PCI compliance?

Contributing Author – Robert Wright, Network Engineer with 15+ years experience

This article will cover PCI requirements 7, 8, and 9, all of which have the high-level subject of access control. Access control must not be limited to the raw content; it must also cover the systems which have access to cardholder data. For example, APM/NPM instrumentation and aggregation switching should have appropriate access controls applied.

Requirement 7

“Limit access to system components and cardholder data to only those individuals whose job requires such access” PCI DSS 3.0 Requirement 7.1

This horse has been rather beaten in this blog… When deploying an APM/NPM solution, be sure to review the various authentication types which are supported. Common authentication types are as follows:


But don’t forget to also configure these protocols and servers as a service in your APM/NPM suite. These protocols can be considered service enablers, and their failure or increased latency can directly impact numerous areas of your organization.

But simply focusing on authentication isn’t enough! You must spend time on developing your plans for authorization. Determining which teams will have what specific access is easier said than done. These types of questions should be considered:

  • Should everyone have access to all packets?
  • Can all users perform decryption of secure protocols?
  • Should they be permitted to do these tasks?

If your APM/NPM solution supports “group” security functionality, it is always best to utilize it to better organize access and reduce administrative tasks. Remember as well that requirements 8.1.1 and 8.5 require every user to have a unique username. No team-based accounts!

Requirement 8

The very first few rule sets (8.1; 8.1.1) start defining the need for a solid user identification system. Arguably the most prevalent solution today is Microsoft’s Active Directory. This requirement now places a higher level of importance on the successful implementation of this application and its primary protocol, which is LDAP.

Requirement 8.3 requires the use of two-factor authentication for remote access which originates from outside the network. The most common two-factor authentication methodology that comes to my mind is an RSA token.

Given the wide breadth of technologies and connections between the user’s home network and the VPN termination point, the likelihood of something going wrong is much higher. Further, many users are “less forgiving” when they are asked to perform additional steps to log in, no matter how small. Ensuring that your APM/NPM solution has visibility into this authentication traffic provides the ability to troubleshoot it when an issue arises. From a workflow perspective, if your solution supports the ability to isolate users by their originating networks, or streams by errors, this will further reduce the mean time to repair (MTTR).

The ability to support these client/server groups has additional benefits for those looking to achieve PCI compliance. Requirement 8.7 dictates that databases which contain cardholder data can only be accessed through programmatic methods. Only administrators should have access to query the database directly. Many times in a multi-tiered application design, this means we should only see access from application servers to the database servers. These groups provide an easy, “at a glance” ability to validate that this requirement is being enforced.
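The group check described above for Requirement 8.7 can be sketched against exported flow records. This is an added example, not code from the original article or from any APM/NPM product; the subnets, the DBA host, the port list and the flow records are all constructed assumptions.

```python
import ipaddress

# Hypothetical client/server groups, as an APM/NPM group definition might hold them.
APP_SERVERS = [ipaddress.ip_network("10.10.20.0/28")]
DBA_HOSTS = [ipaddress.ip_network("10.10.99.5/32")]
DB_SERVERS = [ipaddress.ip_network("10.10.30.0/28")]
# Default listener ports: SQL Server, Oracle, MySQL, PostgreSQL.
DB_PORTS = {1433, 1521, 3306, 5432}

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.20.4", "10.10.30.2", 1433),   # app tier to database: expected
    ("10.10.99.5", "10.10.30.2", 1433),   # DBA workstation: permitted administrator
    ("10.10.50.17", "10.10.30.2", 1433),  # user desktop to database: needs review
    ("10.10.50.17", "10.10.20.4", 443),   # user to app server: not database traffic
    ("10.10.20.9", "10.10.30.3", 22),     # database host, but not a database port
]

def in_group(ip, group):
    """True if the address falls inside any network of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)

def classify(src, dst, dport):
    """Label one flow: 'not-db', 'app', 'dba' or 'violation'."""
    if not (in_group(dst, DB_SERVERS) and dport in DB_PORTS):
        return "not-db"
    if in_group(src, APP_SERVERS):
        return "app"
    if in_group(src, DBA_HOSTS):
        return "dba"
    return "violation"

def audit(flows):
    """Return per-label counts and the flows that break the expected pattern."""
    counts = {"app": 0, "dba": 0, "violation": 0, "not-db": 0}
    violations = []
    for flow in flows:
        verdict = classify(*flow)
        counts[verdict] += 1
        if verdict == "violation":
            violations.append(flow)
    return counts, violations

if __name__ == "__main__":
    counts, violations = audit(SAMPLE_FLOWS)
    print(counts)
    for src, dst, dport in violations:
        print(f"8.7 review: {src} -> {dst}:{dport} is not an app server or DBA host")
```

A flow labelled `violation` is a prompt to review, since databases listening on non-default ports would need to be added to the port list before the result is trusted.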

Requirement 9

PCI not only addresses the digital threat but also the physical. Requirement 9.1.1 requires that video be taken of sensitive areas and that it be stored for at least 3 months. As with other technologies, surveillance camera equipment has moved to IP protocols for its transport. If we utilize an APM/NPM solution platform which has support to monitor video traffic, we can meet the 3 month requirement.

Requirement 9.1.1.c states that the video cameras are being monitored, which obviously means that we have actual “eyes on the video stream”, and not just on the IP layer of this communication. However, what happens if the video stops working and no one notices? Why not have a second set of eyes (your APM/NPM solution) monitoring such things as packet loss and jitter?

To be PCI 3.0 compliant, access to physical network jacks is to be limited per requirement 9.1.2. Often this is done by physical controls such as card/key access, or more simply, by leaving the jacks uncabled. However, depending on your situation, this may drive you to wireless 802.1x projects. This again places RADIUS/TACACS front stage as a critical service. No RADIUS? No pingy pingy!

One more section to go to complete the PCI DSS 3.0 compliance series. The final article will address PCI requirements 10 and 11.