Why Compliance Starts with the Logon

Compliance mandates used to be an annoyance to IT: sets of rules established by bureaucrats who know next to nothing about IT weren’t a primary focus, unless management said otherwise. But today, IT recognizes the importance of data security (a key component of most compliance mandates) and how compliance standards provide a framework around which to establish proper security.

Most IT organizations focus efforts on establishing and maintaining levels of security – a necessary step, of course. But, in trying to continually verify an environment remains compliant, the answer isn’t to keep checking whether the walls are still standing; you need to see how the environment is being used, and determine whether that usage falls outside the acceptable.

So, the question becomes just how far down the usage “rabbit hole” do you go before determining if you’re compliant or not? Surely, you don’t want to wait until a breach happens to realize you’re not compliant. You need a way to test out compliance much earlier in the usage process.

Fortunately, one such compliance test exists – the logon.

Logons aren’t just a matter of security protocol to keep unwanted eyes out; the logon is a pivotal point at which a specific user identifies themselves. And not just with an ID and password; there is much more detail available at logon when you dig a bit deeper. Other details, such as the day and time of logon, the IP address and workstation logged on from, even the frequency of logon, all play a role in identifying whether an environment may fall outside compliance.

Take the following example:

A user with access to data subject to a compliance mandate logs on after hours several times in succession from a remote computer.

There are three red flags here –

  • the time of day
  • the number of logons
  • the location from which the logon occurred

The bad news is the logon doesn’t tell you flat out you’re in breach of compliance, but it does provide you with leading indicators there may be a problem well before any access (read: compliance breach) occurs.
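As an added example (not the article's own code), the three red flags above expressed as detection logic over constructed logon events: the business-hours window, the corporate network range and the burst threshold are assumed policy values, not figures from the article.

```python
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (not from the article): business hours, the corporate
# address range, and what counts as "several logons in succession".
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
CORPORATE_NET = ip_network("10.0.0.0/8")
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 3

# Constructed logon events; a real feed would be Windows 4624 events or a
# VPN/IdP log. Times are local to the monitored site.
LOGONS = [
    {"user": "asmith", "time": "2024-03-04T10:05:00", "ip": "10.20.1.30", "host": "WS-FIN-02"},
    {"user": "jdoe", "time": "2024-03-04T09:12:00", "ip": "10.20.1.15", "host": "WS-FIN-07"},
    {"user": "jdoe", "time": "2024-03-04T22:41:00", "ip": "198.51.100.23", "host": "LAPTOP-X"},
    {"user": "jdoe", "time": "2024-03-04T22:44:00", "ip": "198.51.100.23", "host": "LAPTOP-X"},
    {"user": "jdoe", "time": "2024-03-04T22:47:00", "ip": "198.51.100.23", "host": "LAPTOP-X"},
]

def red_flags(events, business=(BUSINESS_START, BUSINESS_END)):
    """Return {user: set_of_flags} for the three indicators the article names:
    time of day, number of logons in succession, and source location."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(
            {**e, "ts": datetime.fromisoformat(e["time"])})
    flags = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        found = set()
        for i, e in enumerate(evs):
            if not (business[0] <= e["ts"].time() < business[1]):
                found.add("after_hours")
            if ip_address(e["ip"]) not in CORPORATE_NET:
                found.add("remote_source")
            # Sliding window: BURST_COUNT logons within BURST_WINDOW of each other.
            j = i + BURST_COUNT - 1
            if j < len(evs) and evs[j]["ts"] - e["ts"] <= BURST_WINDOW:
                found.add("burst_logons")
        if found:
            flags[user] = found
    return flags

if __name__ == "__main__":
    for user, f in red_flags(LOGONS).items():
        print(f"{user}: {', '.join(sorted(f))}")
```

Each flag is only a leading indicator; the point is to surface the combination early, before the access itself is examined.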

Many standards are keenly aware of the importance of the logon and successive actions. Take the example of one of the most detailed standards today – PCI DSS – to see how logons play a role in compliance.

The goal of the PCI Data Security Standard is to protect cardholder data from any unauthorized access. Take the following precautionary measures found in the current PCI standard:

  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data

Each of these requirements is necessary to ensure cardholder data is secure. But each depends on one key word found in all of them: access.

This single word represents the process of an account being used to actively connect to a system and open/read/copy/download cardholder data – an action that begins with the account holder logging on.

Even the authors of PCI get it: Requirement 8 (Identify and authenticate access to system components) exists to establish individual access and usage of the environment. This requirement exists to ensure there is a way (in requirement 10) to audit each user’s interaction with the network and, eventually, cardholder data.

Start Compliance with the Logon

While implementing compliance controls requires efforts on many fronts (depending on each mandate), the actual monitoring to ensure an organization remains compliant is really about whether or not inappropriate access to sensitive data has occurred. And because the organization cannot afford to wait until that inappropriate access occurs, it becomes necessary (and just plain smart) to leverage any and all leading indicators.

The logon is the most compelling point both to monitor compliance and (providing you have the proper security solution in place) to stop potentially inappropriate access (again, read: compliance breach) from ever happening. By taking advantage of this necessary step in the access process, you simplify where IT needs to monitor in order to ensure compliance is maintained.