PCI Series: Requirement 7 - Restrict Access to Cardholder Data by Business Need to Know

This is my sixth post dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS).  This specific post is related to requirement seven (i.e. the requirement to restrict access to cardholder data by business need to know).  The outline and mapping of individual articles to the requirements can be found in the overarching post that started the series.

Section 7 of the PCI DSS standard talks about access control and limiting the privileges of administrative accounts.  IdM can play a big role in addressing these requirements.  IdM provides several key features that are related to access control and privileged account management.  The first one is

host-based-access-control (HBAC).  With HBAC, one can centrally define which groups of users can access which groups of systems using which login services.  Another feature is an ability to centrally define sudo rules that control which users can run which commands on which systems as other users (usually as root).  Yet another capability worth mentioning is the ability to define how user account are mapped to the SELinux user.  Using this feature one can, for example, prevent developer accounts from touching executables on production machines while still enabling them read access to some of the parts of the application data and log(s) for better troubleshooting of potential bugs or misconfigurations.

Questions about how Identity Management relates to requirement seven? Reach out using the comments section (below).