Meeting the requirements of PCI DSS 3.2 standard to user authentication

Transcription

1 Meeting the requirements of PCI DSS 3.2 standard to user authentication Using the Indeed Identity products for authentication In April 2016, the new PCI DSS 3.2 version was adopted. Some of this version s innovations become effective at February 1st, These are changes in user authentication upon access to cardholder data environment (CDE). In particular, starting from February 1st, 2018, multi-factor authentication becomes mandatory for a number of access scenarios. The PCI DSS defines the following factors or methods of user authentication: Something you know; Something you have; Something you are. Here are some examples of the mentioned factors, that are the most frequently used in practice of multi-factor authentication. Something you know USB token or smart card PIN code. PIN is stored in device memory only and is used to access the protected data area of a smart card or USB token to perform various cryptographic operations, including the authentication ones. Answers to security questions. As a rule, this method is used as backup authentication for access recovery. For security reasons, it is recommended to require correct answers for several questions. Classic conventionally static password. Something you have USB token or smart card. Such devices have private key stored on them to perform asymmetric cryptographic operations, and also other key data. 1

2 OTP-token - one-time password (OTP) generator. This is OTP hardware generation device. The most commonly used standard of one-time password generation are OATH TOTP and HOTP algorithms. There are also proprietary OTP generation algorithms (RSA, for example). User smartphone. A user smartphone can be used as: (a) mobile application for OTP generation; (b) device to receive OTP via SMS; (c) mobile application for out of band authentication using push notifications. Proximity card (RFID). Such cards can be used both for logical access to information systems and for physical access to company premises. Something you are This category holds all the technologies based on the biometric data. Currently, the most widely spread biometric authentication method is fingerprint verification. Today, this technology has one of the best quality-price balance among the biometric technologies. Vein pattern. This technology uses hand or finger vein pattern to create a biometric template. The advantages of the technology are high recognition accuracy and hygienic cleanness, as vein pattern recognition is performed at distance, with no direct contact between palm or finger and scanner. Photo (2D face image). This technology is one of the cheapest biometric authentication methods, as it does not require usage of special devices. A disadvantage of the technology is that recognition accuracy is dependent on the room illumination. 3D face image. For authentication with 3D face image, Intel RealSense technology is used. This allows for obtaining of highly accurate face image (in IR band as well) and thus for higher authentication accuracy. Voice biometrics. As photo image, voice biometrics is one of the cheapest authentication methods. The technology advantage is the opportunity to use phone calls for authentication. The drawbacks are relatively low recognition accuracy and limited number of usage scenarios. It should be noted that the standard requires combined use of at least two different authentication factors. In other words, use of two passwords or two fingerprints is not multi-factor authentication. The most frequent practical combinations of various authentication factors are listed below: Smart card (with private key and certificate) + PIN code Static password + one-time password Proximity card + static password Proximity card + fingerprint verification Fingerprint verification + static password Smartphone application (push notification) + static password Smartphone application (push notification) + fingerprint verification 2

3 The Indeed Identity products allow for deployment of all the mentioned authentication factor combinations and also support the implementation of additional scenario upon request. The following is the list of Indeed Identity software, that can be used to build the multi-factor authentication system to meet the PCI DSS requirements. Indeed Card Management Indeed AirKey Enterprise Centralized lifecycle management system of key media (smart cards and USB tokens) and digital certificates. Indeed Card Management (Indeed CM) makes it possible to reduce the PKI infrastructure usage expenses and increase its efficiency by applying a centralized smart card and certificate usage policies, routine automation and user self-service. A virtual smart card (software implementation of a hardware smart card). This makes it possible to use Indeed AirKey Enterprise (Indeed AKE) in any scenarios available for classic smart cards. And the organization does not bear the costs of hardware. Virtual card infrastructure is controlled centrally by the administrator, including the remote delivery of a card to the user PC and card cancellation procedures. Indeed Enterprise Authentication Indeed Enterprise Authentication (Indeed EA) is the universal authentication system, designed to implement the strong and/or multi-factor authentication in any enterprise systems: OS, web- and mobile applications, VPN, VDI, SAML-compatible applications etc. Enterprise Single Sign-On technology is also supported. The following are comments on implementation of certain requirements of PCI DSS 3.2 to authentication using the Indeed Identity software. PCI DSS 3.2 requirement Immediately revoke access for any terminated users b Verify all physical authentication methods such as, smart cards, tokens, etc. have been returned or deactivated Limit repeated access attempts by locking out the user ID after not more than six attempts a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts. Comments The Indeed Card Management contains the service for monitoring of account statuses of smart card and certificate users. When an account is disabled, the service automatically revokes the user s digital certificates. This allows for timely prevention of dismissed employee s card and certificate usage. The Indeed CM also stores the information about the cards and USB tokens assigned to the user to control the devices application. The Indeed CM uses centralized management of PIN code policies. This allows for unified settings to be applied for all smart cards, including the number of logon attempts until smart card is locked. The Indeed Enterprise Authentication also allows for centralized definition of authentication method locking upon exceeding the defined number of 3

4 logon attempts. 8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: Something that you know, such as a password or passphrase Something that you have, such as a token device or smart card Something that you are, such as a biometric Verify user identity before modifying any authentication credential for example, performing password resets, provisioning new tokens, or generating new keys Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above Change user passwords/passphrases at least once every 90 days Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. Indeed Card Management and Indeed Enterprise Authentication allow to use all the mentioned authentication methods. At that, depending on the environment, different authentication variants may be available to employee (for example, smart card + PIN code for OS logon and password + OTP for VPN access). The Indeed СМ supports the backup authentication technology that uses security questions to perform smart card unlocking operations. This allows to meet the requirement when performing operations with smart card PIN code. the requirements to PIN code complexity. the requirements to PIN code validity terms. the requirements to PIN code history. the requirements to generation of random PIN codes and mandatory change of PIN code upon the first logon. The requirement can be met either using PKI (public key infrastructure) or without it. Combination of technologies is also possible. For example: 4

5 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity s network. - Smart cards and digital certificates are used for authentication in local operation mode (OS and applications); - One-time passwords are used for remote access (e.g., for VPN authentication). The choice of technologies usually depends on hardware and software used. Moreover, the choice of technology can be dependent of the user role and privileges (e.g., employees can use certificates, and third parties - SMS only). The Indeed CM and Indeed EA software allow for implementation of any authentication scenario, not dependent on certain technologies. How to contact us inbox@indeed-id.com +7 (495) [Moscow] +7 (812) [St.Petersburg] Our Internet resources Web: indeed-id.com Linkedin: Video: youtube.com/user/indeedid 5