PCI-DSS Requirement 10: Configuration Port Security
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate a broad adoption of consistent data security measures globally. PCI-DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It is a comprehensive standard that is intended to help organizations proactively protect customer account data.
PCI-DSS Version 2.0, Requirement 10 covers tracking and monitoring of all access to network resources and cardholder data. The intent of this requirement is that logging mechanisms and the ability to track privileged user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. This includes all actions, taken by any individual with root or administrative privileges to configuration ports.
My IT operations customers often struggle with the intent of this requirement as it relates to providing highly privileged access utilizing configuration ports. Since configuration ports are, by default, the emergency access point for every IT device, they are critical for improving mean time to repair (MTTR). Common vendor names for these type of ports are iLO2 (HP), DRAC (Dell), ALOM, ILOM (Sun/Oracle) and CIMC (Cisco).
For a discussion on privileged access to configuration ports, the significant threat they pose as it relates to the intent of PCI-DSS Version 2.0, Requirement 10, see our whitepaper on this subject at: /whitepaper-pci-requirement-10-configuration-ports
ConsoleWorks provides a comprehensive solution for tracking, monitoring, analyzing and alerting on actions taken by privileged individuals with administrative privileges as required by PCI-DSS V2.0, Requirement 10.