"Remote Access" in PCI DSS 3.2
Here are the PCI DSS 3.2 requirements that involve the notion of remote access:
8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: Enabled only during the time period needed, disabled when not in use and monitored when in use.
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
This requirement is intended to apply to all personnel--including general users, administrators, and vendors (for support or maintenance) with remote access to the network--where that remote access could lead to access to the CDE. If remote access is to an entity’s network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity’s networks.
8.5.1 Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.
How to define "Remote Access"?
Examples of definitions of "Remote Access" found on the Internet:
- Remote access is the ability to get access to a computer or a network from a remote distance.
- Remote access provides end users with the ability to access resources on the corporate network from a distant location.
- Ability to log on to a network, or to another computer over a network.
- Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company’s own network or from a remote location outside the company’s network. An example of technology for remote access is VPN. This last definition is the one given in the PCI DSS Glossary v3.2.
Obviously the term "remote access" carries a notion of distance. This raises another question in my wicked mind: how far must one be from the target server to count as remote? ... I leave that with you.
The term "remote access" dates from a time when administration was performed directly on the system console. Nowadays most access could be considered remote, so in my humble opinion the term no longer carries much meaning and should be replaced by something more appropriate, such as "multi-security-level access", that reflects the difference in security level between the source and the destination. In that context the CISSP definition seems the best fit:
Remote access = access for authorized users external to an enclave established through a controlled access point at the enclave boundary.
Applied to PCI, the definition becomes: access for authorized users external to the CDE established through a controlled access point at the CDE boundary. In other words, access from a system located outside the CDE to the CDE itself, or to a network segment or server connected to the CDE.
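One way to make this CDE-boundary definition operational is to classify each observed flow by the zone of its source and destination, and then ask whether 8.3 or 8.3.2 attaches an MFA obligation to it. The Python below is an added example written for this page, not code from the original post or from the PCI SSC; the address plan, the sample flow records and the mapping of 8.3/8.3.2 onto the returned verdicts are assumptions made for illustration (a real assessment would take the zones from the entity's network diagram and scoping documentation).

```python
"""Classify flows against the CDE-boundary definition of "remote access".

Added illustration (not from the original post): the address plan and the
flow records are constructed, and the mapping of PCI DSS 8.3 / 8.3.2 onto
the verdicts is an interpretation, not the standard's own wording.
"""
import ipaddress
from dataclasses import dataclass

# Constructed (hypothetical) address plan.
CDE = [ipaddress.ip_network("10.10.0.0/24")]               # cardholder data environment
CONNECTED_TO_CDE = [ipaddress.ip_network("10.20.0.0/24")]  # segments that can reach the CDE (e.g. admin jump hosts)
ENTITY_NETWORK = [ipaddress.ip_network("10.0.0.0/8")]      # everything the entity owns; checked last


def zone(ip: str) -> str:
    """Return the most specific zone: cde > connected > internal > external."""
    addr = ipaddress.ip_address(ip)
    for name, nets in (("cde", CDE), ("connected", CONNECTED_TO_CDE), ("internal", ENTITY_NETWORK)):
        if any(addr in net for net in nets):
            return name
    return "external"


@dataclass(frozen=True)
class Verdict:
    remote_access: bool  # source outside the CDE, destination in or connected to the CDE
    mfa_required: bool   # where 8.3 / 8.3.2 require MFA under this interpretation
    reason: str


def classify(src: str, dst: str) -> Verdict:
    """Apply the CDE-boundary definition to one (src, dst) flow."""
    s, d = zone(src), zone(dst)
    if s == "cde":
        return Verdict(False, False, "source already inside the CDE; not remote access under this definition")
    if d not in ("cde", "connected"):
        # 8.3.2 guidance: a properly segmented network that cannot reach the CDE
        # does not need MFA for remote access (it remains recommended).
        return Verdict(False, False, f"destination zone '{d}' cannot reach the CDE; out of scope")
    # From here on the source is outside the CDE and the destination can reach it.
    if s == "external":
        return Verdict(True, True, "originates outside the entity's network into a CDE-reaching zone (8.3.2)")
    if d == "cde":
        return Verdict(True, True, "internal access crossing the CDE boundary (8.3)")
    return Verdict(True, False, "internal access to a CDE-connected segment; 8.3.2 does not apply, MFA recommended")


# Constructed sample flows (src, dst), as one might pull them from a firewall log.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.10.0.5"),  # internet -> CDE
    ("203.0.113.7", "10.20.0.9"),  # internet -> jump segment
    ("203.0.113.7", "10.30.0.3"),  # internet -> segmented office network
    ("10.30.0.3", "10.10.0.5"),    # office -> CDE
    ("10.30.0.3", "10.20.0.9"),    # office -> jump segment
    ("10.10.0.5", "10.10.0.6"),    # CDE -> CDE
]


def report(flows=SAMPLE_FLOWS) -> dict:
    """Map 'src->dst' to its verdict for a batch of flows."""
    return {f"{s}->{d}": classify(s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, v in report().items():
        print(f"{flow:26} remote={v.remote_access!s:5} mfa={v.mfa_required!s:5} {v.reason}")
```

The zone lookup is ordered from most to least specific on purpose: the CDE prefix also falls inside the entity's 10.0.0.0/8, so checking the broad range first would misclassify every CDE host as merely "internal". Note that the internal-to-connected-segment case is where the two definitions diverge: the PCI glossary would not call it remote access at all, while the CDE-boundary reading does, which is exactly the scoping discussion the post is pointing at.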