Control Objective 4: Implement Strong Access Control Measures
This objective ensures that access to cardholder data is restricted to authorized users with a legitimate need. Access is to be controlled by business need-to-know, and each person with computer access is assigned a unique identifier (ID). Access to all system components is to be authenticated, ensuring individual accountability. By regulating who has access to certain systems, networks, or files, organizations can reduce the risk of unauthorized actions, data breaches, or fraud. This control objective covers the following PCI DSS requirements:
Requirement 7: Restrict access to system components and cardholder data by business need-to-know.
Requirement 8: Identify users and authenticate access to system components.
Requirement 9: Restrict physical access to cardholder data.
**Note on Requirement 9:** This requirement is related to the controls around physical access to cardholder data or to systems that store, process, or transmit cardholder data. While this requirement is not supported by Tenable directly, the recommended practice is to restrict data and access to authorized individuals only and to remove systems or hard copies containing this data.
PCI Requirements Under This Objective Supported by Tenable
Requirement 7: Restrict access to system components and cardholder data by business need-to-know
Controlling and restricting access to sensitive systems and devices is important for many reasons, especially in protecting cardholder data. Strong access control maintains the confidentiality and integrity of systems, and ensures that only authorized users can access sensitive data, such as financial records, personal information, and proprietary business information. By controlling who can perform certain actions within a system, strong access control prevents unauthorized modifications, deletions, or additions to data, maintaining the integrity and reliability of the systems and information. PCI DSS requires that access levels must be “need to know” and “least privilege”, providing the least amount of access, with minimum privileges to perform a job. These requirements apply to all service and user accounts for employees, contractors, consultants, and internal or external vendors and other third parties.
Requirement 8: Identify users and authenticate access to system components
PCI DSS states two additional fundamental principles of identifying and authenticating users: 1) establish the identity of an individual or process on a computer system, and 2) prove or verify the user associated with that identity. The identity aspect is the account identifier, such as a user, system, or application ID. The element that proves or verifies the identity is the authentication factor. Authentication factors are something you know, such as a password; something you have, such as a token or smart card; and something you are, such as a biometric element. These elements are based on industry standards and best practices. NIST 800-63, Digital Identity Guidelines, provides additional information.
Tenable Identity Exposure helps organizations validate Active Directory and Entra ID environments for weaknesses, misconfigurations, and activity that can lead to damaging attacks. Examples include removing inactive accounts not used for 90 days, verifying session timeouts or idle time limits, and enforcing Multi-Factor Authentication (MFA).
For more information on getting started with AD Security, and Tenable Identity Management, reference this Identity and Access Control guide.
The Implement Strong Access Control Measures widget covers topics within PCI requirements 7 and 8.
Audit items checked and validated include, but are not limited to: ensuring accounts are secured, root accounts are secured, permissions on files related to authentication are correct, SELinux policies are configured (if appropriate for the system in question), and more.
Both of these requirements cover the need to restrict access to cardholder data by business need-to-know, identify and authenticate access to system components, and restrict physical access to cardholder data. This widget provides details on each of the compliance controls for the compliance family group being referenced. The compliance control reference number is followed by a count and the compliance result for that control. The specific controls being referenced are: 8.3.1 | 8.2.2 | 7.2.1 | 8.2.3 | 7.2.2 | 8.4.3 | 8.2.1 | 8.3.4 | 8.2.8 | 8.2.6 | 8.4.1
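The following is an added example, not Tenable audit content or a script from this guide: a small POSIX shell script that performs host-level spot checks of the kind the audit items above describe (authentication file permissions and ownership, root account hygiene, disabled generic accounts, SELinux mode) on a Linux host. The file paths, the allowed permission lists, and the generic account names (guest, admin, service) are assumptions to adapt to the host being assessed; each check prints a PASS/FAIL/N/A line and returns 0, 1 or 2 so it can be wired into a larger audit.

```shell
#!/bin/sh
# Added example (not Tenable audit content): stand-alone spot checks modelled on
# the audit items listed above. File locations, allowed-mode lists and the
# generic account names are assumptions; adjust them to the host being assessed.

# check_mode FILE "MODE MODE ..." : pass when FILE's octal mode is in the list.
check_mode() {
    cm_file=$1; cm_allowed=$2
    [ -e "$cm_file" ] || { echo "MISSING $cm_file"; return 2; }
    cm_mode=$(stat -c '%a' "$cm_file")
    for cm_ok in $cm_allowed; do
        if [ "$cm_mode" = "$cm_ok" ]; then
            echo "PASS $cm_file mode $cm_mode"; return 0
        fi
    done
    echo "FAIL $cm_file mode $cm_mode not in [$cm_allowed]"; return 1
}

# check_owner FILE USER : pass when FILE is owned by USER (root for auth files).
check_owner() {
    co_file=$1; co_user=$2
    [ -e "$co_file" ] || { echo "MISSING $co_file"; return 2; }
    co_owner=$(stat -c '%U' "$co_file")
    if [ "$co_owner" = "$co_user" ]; then
        echo "PASS $co_file owned by $co_owner"; return 0
    fi
    echo "FAIL $co_file owned by $co_owner, expected $co_user"; return 1
}

# account_locked SHADOW_FILE NAME : pass when NAME's password field is locked
# ('!' or '*' prefix). An empty field means password-less login and fails.
# Returns 2 when the account is not present (or the file is unreadable).
account_locked() {
    al_file=$1; al_name=$2
    al_line=$(awk -F: -v u="$al_name" '$1 == u { print; exit }' "$al_file" 2>/dev/null)
    [ -n "$al_line" ] || { echo "N/A $al_name not present in $al_file"; return 2; }
    al_hash=${al_line#*:}; al_hash=${al_hash%%:*}
    case $al_hash in
        '!'*|'*'*) echo "PASS $al_name is locked"; return 0 ;;
        '')        echo "FAIL $al_name has an empty password field"; return 1 ;;
        *)         echo "FAIL $al_name has a usable password hash"; return 1 ;;
    esac
}

# single_uid0 PASSWD_FILE : pass when only 'root' has UID 0 (no hidden root aliases).
single_uid0() {
    su_file=$1
    su_extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$su_file")
    if [ -z "$su_extra" ]; then
        echo "PASS only root has UID 0 in $su_file"; return 0
    fi
    echo "FAIL additional UID 0 accounts in $su_file:" $su_extra; return 1
}

# selinux_enforcing : pass when SELinux is enforcing; N/A where SELinux is absent.
selinux_enforcing() {
    command -v getenforce >/dev/null 2>&1 || { echo "N/A getenforce not present"; return 2; }
    se_mode=$(getenforce)
    if [ "$se_mode" = "Enforcing" ]; then echo "PASS SELinux $se_mode"; return 0; fi
    echo "FAIL SELinux $se_mode"; return 1
}

# run_audit : apply the checks to the live host (reading /etc/shadow needs root).
# The generic account names below are placeholders for this example.
run_audit() {
    check_mode  /etc/passwd "644"
    check_mode  /etc/shadow "0 400 600 640"
    check_owner /etc/shadow root
    single_uid0 /etc/passwd
    for acct in guest admin service; do account_locked /etc/shadow "$acct"; done
    selinux_enforcing
}

# Only touch the live host when explicitly asked:  sh pci_access_checks.sh --run
if [ "${1:-}" = "--run" ]; then run_audit; fi
```

Each function can also be pointed at copies of passwd/shadow collected from another host, which is how the checks are exercised against constructed files without touching a live system.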
Tenable Identity Exposure measures the security maturity of the AD infrastructure through Indicators of Exposure, assigning severity levels to the flow of events being monitored and analyzed. Alerts are triggered when security regressions are detected. To view these indicators, select the Indicators of Exposure icon from the navigation pane. All Indicators of Exposure can be displayed by toggling Show all indicators to Yes, or a keyword can be typed into the search pane. In the following example, indicators matching the keyword “password” are displayed.
Selecting a result presents a series of details allowing the analyst to view:
- Information - Provides an executive summary, including known attack tools, affected domains, and relevant documentation.
- Vulnerability Details - More in-depth information about the misconfiguration.
- Deviant Objects - Highlights misconfigurations in AD that may contribute to broader attacks.
- Recommendations - Provides guidance on effective configuration strategies to minimize the attack surface.