PCI Series: Requirement 8 - Identify and Authenticate Access to System Components

This post continues my series dedicated to the use of Identity Management (IdM) and related technologies to address the Payment Card Industry Data Security Standard (PCI DSS).  This specific post is related to requirement eight (i.e. the requirement to identify and authenticate access to system components). The outline and mapping of individual articles to requirements can be found in the overarching post that started the series.

Requirement eight is directly related to IdM. IdM can be used to address most of the requirements in this section. IdM stores user accounts, provides user account life-cycle management

(from creation to termination), and controls the different types of credentials that users can use to authenticate (e.g. passwords, certificates, and one-time-password tokens); it also defines policies related to a number of associated credentials (e.g. password complexity, strength, and expiration policies or account lockout and retry policies). The details about these capabilities can be found in different chapters of the Linux Domain Identity, Authentication, and Policy Guide.

Requirement 8.3 explicitly calls for multi-factor authentication. IdM has an integrated support for open standard OTP tokens (e.g. Yubikey, FreeOTP, and Google Authenticator) and can also leverage existing authentication systems like, for example, RSA Authentication Manager. IdM can even be used as a back-end for RADIUS/TACACS or for a VPN server - allowing 2FA for remote access into a given network.

Questions about how Identity Management relates to requirement eight? Reach out using the comments section (below).