PCI Newsletter #47 - Defining Remote Access in the context of PCI

6/9/2016

The term "remote access" is one of those popular terms whose meaning is so "obvious" that nobody dares to question it.

However, since it appears several times in PCI DSS 3.2 (see the requirements quoted below), its meaning had better be crystal clear for all of us.

"Remote Access" in PCI DSS 3.2

Here is the list of requirements of PCI DSS 3.2 associated with the notion of Remote Access:

8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.

8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.

8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network. 

Guidance note: This requirement is intended to apply to all personnel, including general users, administrators, and vendors (for support or maintenance) with remote access to the network, where that remote access could lead to access to the CDE. If remote access is to an entity's network that has appropriate segmentation, such that remote users cannot access or impact the cardholder data environment, multi-factor authentication for remote access to that network would not be required. However, multi-factor authentication is required for any remote access to networks with access to the cardholder data environment, and is recommended for all remote access to the entity's networks.

8.5.1 Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity.

How to define "Remote Access"?

Examples of definitions of "remote access" found on the Internet:
  • Remote access is the ability to get access to a computer or a network from a remote distance.
  • Remote access provides end users with the ability to access resources on the corporate network from a distant location.
  • Ability to log on to a network, or to another computer over a network.
  • Access to computer networks from a location outside of that network. Remote access connections can originate either from inside the company's own network or from a remote location outside the company's network. An example of technology for remote access is VPN.

This last definition is the one given by the PCI DSS v3.2 glossary.

Obviously the term "remote access" is associated with the notion of distance, which raises another question in my wicked mind: how far from the target server must one be to be considered remote? I leave that one with you.

The term "remote access" dates from a time when administration was performed directly on the system console. Nowadays the majority of accesses could be considered remote, so in my humble opinion the term "remote access" no longer makes sense on its own and should be replaced by something more appropriate, such as "multi-security-level access", which reflects the different security levels of the source and the destination. In this context the CISSP definition seems to be the best fit:

Remote access = access for authorized users external to an enclave established through a controlled access point at the enclave boundary.

Applied to PCI, the definition becomes: access for authorized users external to the CDE, established through a controlled access point at the CDE boundary. In other words: access from a computer located outside the CDE to the CDE, or to a network segment or server connected to the CDE. Under this reading, what makes an access "remote" is not the distance but the fact that it crosses the CDE boundary from a less trusted zone.
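To make the boundary-based definition above concrete, here is an added example (not code from the original newsletter or from the PCI SSC) that classifies connection records against a constructed address plan and lists which of the requirements quoted in this post then apply. The CDE, "connected to the CDE" and entity-wide ranges, the Access records and the mapping of each rule to a requirement number are all assumptions made for illustration; the mapping follows the quoted text (8.3, 8.3.2 and its guidance note, 8.1.5, 12.3.8) and is not a QSA determination for any real environment.

```python
"""Classify accesses as "remote" under the CDE-boundary definition and list
the PCI DSS 3.2 requirements quoted in this post that then apply.
All network ranges and connection records below are constructed examples."""
import ipaddress
from dataclasses import dataclass

# Constructed (hypothetical) address plan; replace with the real network diagram.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]        # the cardholder data environment
CONNECTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # segments that can reach the CDE (admin VLAN, jump hosts)
ENTITY_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # the entity's whole network; anything else is "outside"


def zone(ip: str) -> str:
    """Map an address to cde / connected / entity / external, most specific range first."""
    addr = ipaddress.ip_address(ip)
    for name, nets in (("cde", CDE_NETS), ("connected", CONNECTED_NETS), ("entity", ENTITY_NETS)):
        if any(addr in net for net in nets):
            return name
    return "external"


@dataclass
class Access:
    src: str                   # address the session originates from
    dst: str                   # address being accessed
    admin: bool = False        # administrative (privileged) session
    console: bool = False      # physical/local console session rather than over the network
    third_party: bool = False  # vendor or service-provider account


def classify(a: Access) -> dict:
    """Apply the post's definition: remote = source outside the CDE reaching the CDE
    or a segment connected to it. Then list the quoted requirements that apply."""
    s, d = zone(a.src), zone(a.dst)
    remote = s != "cde" and d in ("cde", "connected")
    reqs = []
    # 8.3: MFA for all remote access to the CDE and for all non-console admin access to it,
    # so an administrator working from inside the CDE over the network still needs MFA.
    if d == "cde" and (remote or (a.admin and not a.console)):
        reqs.append("8.3")
    # 8.3.2: MFA for remote network access originating outside the entity's network
    # where it could lead to the CDE; only recommended if segmentation keeps it away from the CDE.
    if s == "external":
        if d in ("cde", "connected"):
            reqs.append("8.3.2")
        elif d == "entity":
            reqs.append("8.3.2 (recommended)")
    # 8.1.5: third-party IDs used for remote access are enabled only when needed and monitored.
    if remote and a.third_party:
        reqs.append("8.1.5")
    # 12.3.8: remote-access technologies must disconnect idle sessions.
    if remote:
        reqs.append("12.3.8")
    return {"src_zone": s, "dst_zone": d, "remote": remote, "requirements": reqs}


# Constructed sample accesses, one per interesting case.
SAMPLES = [
    Access("10.10.0.5", "10.10.0.9", admin=True),            # admin inside the CDE, over the network
    Access("10.5.1.1", "10.10.0.9"),                          # corporate LAN user reaching the CDE
    Access("203.0.113.9", "10.20.0.7", third_party=True),     # vendor from the Internet to the admin VLAN
    Access("203.0.113.9", "10.5.1.1"),                        # Internet user to a segmented corporate host
    Access("10.10.0.5", "10.20.0.7"),                         # CDE host talking to a connected segment
]

if __name__ == "__main__":
    for a in SAMPLES:
        r = classify(a)
        print(f"{a.src:>14} -> {a.dst:<12} remote={r['remote']!s:5} {r['requirements']}")
```

The sample set is deliberately chosen to show the two edge cases the definition settles: a corporate user on the entity's own LAN is "remote" to the CDE and needs MFA under 8.3 even though 8.3.2 does not apply, while an Internet user who can only reach a properly segmented part of the network gets 8.3.2 as a recommendation rather than a requirement.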

Resources

  • NEW - PCI DSS V3.2 Compliance Dashboard
  • NEW - List of documents required for PCI DSS V3.2 Compliance
  • PCI Calendar App - Never miss a milestone again
  • Ready to use PCI Procedures & Templates
  • EBook: PCI, That's the Way It Is.
  • PCI Newsletter #46 - PCI - The State of Compliance
Provided by DGOZONE SPRL.