Compliance mandates used to annoy IT. Following sets of rules established by a bunch of bureaucrats wasn’t a priority, unless management handed down instructions. But today, IT recognizes the importance of data security (a key component of most compliance mandates) and how compliance standards provide a framework around which to establish proper security.
Most IT organizations focus efforts on establishing and maintaining levels of security – a necessary step, of course. But, in trying to continually verify whether an environment remains compliant, the answer isn’t to keep checking whether the walls are still standing. You need to see how the environment is being used, and determine whether that usage falls outside the limits.
So, the question becomes: just how far down the usage “rabbit hole” do you go to determine if you’re compliant or not? Of course, you don’t want to wait until a breach happens to realize you’re not compliant. You need a way to test out compliance much earlier in the usage process.
Fortunately, one such compliance test exists – the logon.
Logons aren’t just a matter of security protocol to keep unwanted eyes out. The logon is the pivotal point at which a specific user identifies themselves.
Enable MFA to verify user identity
Exactly how the user identifies themselves is critical. Because credentials are so frequently compromised, best practice calls for at least a second factor of authentication to prove that the user is who they say they are. Multi-factor authentication (MFA) provides an additional layer of security to ensure that the right person is indeed using the right ID and password.
Go beyond protecting ID and password
But the importance of the logon also goes beyond the ID and password – when you dig a bit deeper, there is so much more. Details, such as the day and time of logon, the IP address and workstation logged on from, even the frequency of logon all play a role in identifying whether an environment is compliant.
Take the following example:
A user with access to data subject to a compliance mandate logs on after hours several times in succession from a remote computer.
There are three red flags here:
- The time of day
- The number of logons
- The location from which the logon occurred
The bad news is the logon doesn’t tell you flat out you’re in breach of compliance, but it does provide you with leading indicators there may be a problem well before any access (read: compliance breach) occurs.
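To make the three red flags above concrete, here is an added example of detection logic (not code from the original article or from any product it describes) run over a handful of constructed logon events. The policy values (business hours, the internal network range, the burst threshold) and the event format are assumptions for illustration; a real deployment would take them from its own mandate and network plan.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample logon events (not real logs). Timestamps are local time.
SAMPLE_EVENTS = [
    {"user": "jsmith", "time": "2023-03-07T09:12:00", "ip": "10.20.5.17",   "host": "WS-ACCT-04"},
    {"user": "jsmith", "time": "2023-03-07T22:41:00", "ip": "203.0.113.45", "host": "LAPTOP-RMT"},
    {"user": "jsmith", "time": "2023-03-07T22:43:00", "ip": "203.0.113.45", "host": "LAPTOP-RMT"},
    {"user": "jsmith", "time": "2023-03-07T22:46:00", "ip": "203.0.113.45", "host": "LAPTOP-RMT"},
    {"user": "mlee",   "time": "2023-03-07T14:05:00", "ip": "10.20.5.21",   "host": "WS-ACCT-09"},
]

# Hypothetical policy values (assumptions, not taken from any standard or product).
REGULATED_USERS = {"jsmith", "mlee"}                 # accounts with access to regulated data
BUSINESS_HOURS = (8, 18)                             # logons expected 08:00-17:59, Monday-Friday
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # anything else counts as remote
BURST_COUNT = 3                                      # this many logons ...
BURST_WINDOW = timedelta(minutes=10)                 # ... inside this window is a burst


def is_after_hours(ts: datetime) -> bool:
    """True outside Mon-Fri business hours (weekday() 5 and 6 are Sat/Sun)."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_remote(ip: str) -> bool:
    """True when the source address lies outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_logons(events):
    """Return the red-flagged logons of regulated users as
    {'user', 'time', 'host', 'flags'} records, ordered by time."""
    per_user = {}
    for ev in events:
        if ev["user"] in REGULATED_USERS:
            per_user.setdefault(ev["user"], []).append(
                (datetime.fromisoformat(ev["time"]), ev))

    findings = []
    for user, items in per_user.items():
        items.sort(key=lambda x: x[0])
        times = [t for t, _ in items]
        for i, (ts, ev) in enumerate(items):
            flags = []
            if is_after_hours(ts):
                flags.append("after_hours")
            if is_remote(ev["ip"]):
                flags.append("remote_source")
            # Count this user's logons in the trailing window that ends at this event,
            # so the flag lands on the logon that completes the burst.
            recent = sum(1 for t in times[: i + 1] if ts - t <= BURST_WINDOW)
            if recent >= BURST_COUNT:
                flags.append("logon_burst")
            if flags:
                findings.append({"user": user, "time": ev["time"],
                                 "host": ev["host"], "flags": flags})

    findings.sort(key=lambda f: f["time"])
    return findings


if __name__ == "__main__":
    for f in flag_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']:8} {f['host']:12} {', '.join(f['flags'])}")
```

Run against the sample, the daytime logons from internal workstations produce nothing, while the three evening logons from the external address are each flagged as after-hours and remote, and the third one additionally as a burst. None of these flags proves a breach on its own; the point is that they surface at the logon, before any data is read.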
Many compliance standards and regulations are keenly aware of the importance of the logon and successive actions. Take the example of one of the most detailed standards today, the PCI Data Security Standard (PCI DSS), to see how logons play a role in compliance.
The goal of the PCI DSS is to protect cardholder data from any unauthorized access. Take the following precautionary measures found in the current PCI standard:
- Requirement 7: Restrict access to cardholder data by business need to know
- Requirement 8: Identify users and authenticate access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
Each of these requirements is necessary to ensure cardholder data is secure. But each depends on one key word found in every one of them: access.
This single word represents the process of an account being used to actively connect to a system and open, read, copy or download cardholder data, an action that begins with the logon.
The authors of PCI get it: Requirement 8 (Identify and authenticate access to system components) exists to establish individual access and usage of the environment. This requirement exists to ensure there is a way (in requirement 10) to audit each user’s interaction with the network and, eventually, cardholder data.
Start Compliance with the Logon
While implementing compliance controls requires efforts on many fronts (depending on each mandate), the actual monitoring to ensure an organization remains compliant is really about whether you’ve had inappropriate access to sensitive data or not. And, because organizations cannot afford to wait until that inappropriate access occurs, it becomes necessary (and just plain smart) to leverage any and all authentication opportunities and leading indicators.
The logon is the most compelling point at which to both monitor compliance, as well as (providing you have the proper security solution in place) implement MFA to stop potentially inappropriate access (again, read: compliance breach) from ever happening. By taking advantage of this necessary step in the access process, you simplify where IT needs to monitor in order to ensure compliance is maintained.