Are you ready for PCI DSS 3.2 and multi-factor authentication?

Brian Bowden
November 10, 2017


The PCI DSS 3.2 framework multi-factor authentication (MFA) deadline is rapidly approaching and, not surprisingly, many organizations have been asking how SecureAuth can help them meet the new MFA requirements.

PCI requirement 8.3.1 states that organizations must incorporate multi-factor authentication for all non-console access into the cardholder data environment (CDE) for personnel with administrative access by January of 2018. Before getting into how SecureAuth can help maintain PCI compliance, let's take a summarized look at the PCI guidance around this new MFA requirement:

  • MFA requires at least two of the three methods described in requirement 8.2: something you know, something you have, something you are
  • Authentication methods should be independent of one another (i.e., compromising one authenticator should not give access to the second authenticator)
  • Authenticators should be conveyed through different network channels (i.e., out-of-band authentication)
  • All factors in MFA are verified prior to the authentication mechanism granting access or providing knowledge of the success or failure of any one authenticator

In addition to the information provided by the PCI council, the advice many customers are getting from their QSAs (Qualified Security Assessors) is to ensure that PCI network servers, routers, and firewalls are protected with MFA per the PCI requirements mentioned above. This helps to better define the scope of where these authentication changes need to take place. Although these requirements appear straightforward, determining how to apply them within your environment may not be.

So how can SecureAuth help? The solution may differ from one environment to the next, but let's take a look at a couple of examples.

MFA for Admin Access to Servers

Example 1: Utilize SecureAuth Login for Windows on admin jump boxes: In this example, SecureAuth Login for Windows (formerly SecureAuth Windows Credential Provider) is deployed to the jump box servers to enforce multi-factor authentication at the Windows login. Once logged in, the administrator can then gain remote access to the PCI systems. SecureAuth could also protect a VDI environment utilized for admin jump boxes.

Example 2: Utilize SecureAuth in combination with a privileged session management solution: In this example, SecureAuth can be integrated with a Privileged Session Management solution such as CyberArk or BeyondTrust. The Privileged Session Management solution has access to the PCI servers, but admins must authenticate through SecureAuth's adaptive multi-factor authentication first, thus satisfying the PCI MFA requirements outlined above.

MFA for Admin Access to Firewalls and Routers

Example 3: Utilize the SecureAuth RADIUS server to integrate with network appliances: This one is a little tricky, since many devices like firewalls may have been built with MFA in mind for end users (for external VPN, etc.) but not necessarily for admin access from the trusted network; however, most enterprise network appliances do support RADIUS authentication for remote console access. SecureAuth offers a robust RADIUS server which can be leveraged to enforce MFA even when the RADIUS client does not support Access-Challenge (the part of the RADIUS protocol that allows the RADIUS server to prompt the RADIUS client for additional information, commonly used in MFA scenarios).
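The following is an added, constructed simulation (not SecureAuth's code or its RADIUS implementation) that ties together the 8.3.1 guidance listed earlier and the Access-Challenge flow from Example 3. It models both legs of a RADIUS MFA exchange (Access-Request, Access-Challenge carrying an opaque State attribute, then a second Access-Request echoing State plus the one-time passcode) and shows the point from the bullet list that is easy to get wrong: the server records the password result but always issues the challenge, so the client learns nothing about the first factor until both have been evaluated and a single verdict is returned. For RADIUS clients that cannot process Access-Challenge, the block assumes a common fallback (password and OTP concatenated in one User-Password field); the page does not say how SecureAuth handles that case, and the per-NAS table, user store, HOTP counter hook and all sample values are constructed for the example.

```python
"""Constructed RADIUS-style MFA verifier (added example, not SecureAuth code).
Attribute names (User-Name, User-Password, State, Reply-Message, NAS-IP-Address)
are real RADIUS attributes; packets are modelled as plain dicts, not wire format.
"""
import hashlib
import hmac
import secrets
import struct

OTP_DIGITS = 6

# Constructed user store: SHA-256 of the password plus a shared HOTP secret.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "otp_secret": b"12345678901234567890",  # RFC 4226 test-vector secret
    },
}

# Constructed per-NAS setting: does this client handle Access-Challenge?
NAS_SUPPORTS_CHALLENGE = {"10.0.0.1": True, "10.0.0.2": False}


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaRadiusServer:
    def __init__(self, users, nas_config, counter_source):
        self.users = users
        self.nas_config = nas_config
        self.counter = counter_source   # hypothetical hook returning the current HOTP counter
        self.sessions = {}              # State -> (user, password_ok)

    # Factor checks: constant-time compares, and the compare runs even for
    # unknown users so the response timing does not reveal valid usernames.
    def _password_ok(self, user, password):
        rec = self.users.get(user, {"pw_hash": "0" * 64})
        match = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), rec["pw_hash"])
        return user in self.users and match

    def _otp_ok(self, user, otp):
        rec = self.users.get(user, {"otp_secret": b"\x00" * 20})
        match = hmac.compare_digest(hotp(rec["otp_secret"], self.counter()), otp)
        return user in self.users and match

    def access_request(self, attrs: dict) -> dict:
        user = attrs.get("User-Name", "")
        secret_field = attrs.get("User-Password", "")
        if attrs.get("State") is not None:
            return self._challenge_leg2(user, attrs["State"], secret_field)
        if self.nas_config.get(attrs.get("NAS-IP-Address", ""), False):
            return self._challenge_leg1(user, secret_field)
        return self._single_request(user, secret_field)

    def _challenge_leg1(self, user, password):
        # Record the password result but ALWAYS challenge: the client must not
        # learn whether factor 1 succeeded before factor 2 is evaluated (8.3.1).
        state = secrets.token_hex(16)
        self.sessions[state] = (user, self._password_ok(user, password))
        return {"Code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter one-time passcode"}

    def _challenge_leg2(self, user, state, otp):
        session = self.sessions.pop(state, None)   # one-shot State: blocks replay
        if session is None or session[0] != user:
            return {"Code": "Access-Reject"}
        pw_ok = session[1]
        otp_ok = self._otp_ok(user, otp)           # checked even if pw_ok is False
        return {"Code": "Access-Accept" if (pw_ok and otp_ok) else "Access-Reject"}

    def _single_request(self, user, combined):
        # Assumed fallback for non-challenge clients: OTP appended to the password.
        password, otp = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
        pw_ok = self._password_ok(user, password)
        otp_ok = self._otp_ok(user, otp)
        return {"Code": "Access-Accept" if (pw_ok and otp_ok) else "Access-Reject"}


def demo():
    """Walk both client types through a successful login; returns the three codes."""
    server = MfaRadiusServer(USERS, NAS_SUPPORTS_CHALLENGE, lambda: 0)
    code = hotp(USERS["alice"]["otp_secret"], 0)
    chal = server.access_request({"User-Name": "alice", "User-Password": "correct horse",
                                  "NAS-IP-Address": "10.0.0.1"})
    final = server.access_request({"User-Name": "alice", "User-Password": code,
                                   "State": chal["State"], "NAS-IP-Address": "10.0.0.1"})
    one_shot = server.access_request({"User-Name": "alice", "User-Password": "correct horse" + code,
                                      "NAS-IP-Address": "10.0.0.2"})
    return chal["Code"], final["Code"], one_shot["Code"]


if __name__ == "__main__":
    print(demo())   # ('Access-Challenge', 'Access-Accept', 'Access-Accept')
```

The design choice worth noting is in `_challenge_leg1`: a server that only challenges after a correct password turns the Access-Challenge itself into an oracle for the first factor, which is exactly what the last bullet in the guidance above forbids. Deferring the combined decision to the second leg, and consuming the State value on first use, keeps the exchange both compliant and replay-resistant; the concatenated-OTP fallback reaches the same verdict in one round trip for clients that cannot handle a challenge.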

The example use cases above represent just a few of the ways SecureAuth can help organizations comply with PCI MFA requirements. SecureAuth has several capabilities that go beyond what is required for PCI to provide organizations with the best authentication security, such as adaptive threat protection, geo-velocity, identity governance integration, and many others.

Contact us to find out how SecureAuth can help solve your unique PCI use cases.
