The Role of the Dedicated OS in Enforcing PCI DSS Privileged Access Requirements
If your business handles credit cards, you know that malicious actors are gunning for the cardholder data your systems process. Perhaps no other digital asset is as frequently and intensely attacked as the data infrastructure that handles payment card information. For this reason, the Payment Card Industry (PCI) has mandated that any organization handling branded credit cards, like Mastercard and Visa, must comply with its Data Security Standard (DSS). The PCI DSS standard is designed to enforce security controls affecting the cardholder data environment (CDE). The purpose of PCI compliance is to reduce fraud and cyber risk affecting cardholders and companies that accept credit cards.
PCI DSS Requirements
The standards are set by the PCI Security Standards Council. Compliance with PCI DSS is validated through an audit conducted by either an external Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The auditor looks at how well the organization complies with the PCI DSS requirements. Highlights of the requirements include:
- Install and maintain a firewall configuration to protect cardholder data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
Controlling Privileged Access, a Critical PCI DSS Requirement
These PCI DSS requirements each address a different aspect of protecting cardholder data. However, they all have something in common: They rely on securing privileged access in order to function properly. The concept of privileged access relates to what are known as “privileged accounts.” These specialized user accounts allow a “privileged user” to enter the administrative back-end of a system, such as a database containing cardholder information.
Privileged accounts—as well as privileged user credentials—are prime targets for hackers. After all, a hacker who can gain access to a privileged account could steal or manipulate an entire credit card database along with transactional data. To mitigate such risks and become compliant with PCI DSS, many organizations secure privileged access by implementing controls including:
- Who can access the account – controlling which privileged users have access to which accounts
- What users are allowed to access the account – implementing least privilege
- Where users can access privileged accounts from – requiring dedicated privileged access workstations in order to access any privileged assets
- When users can access accounts – applying behavioral analytics to monitor the usage of privileged accounts
- How users access accounts – managing privileged credentials in a secure vault and allowing users to only login to accounts directly from the vault
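As an added illustration of the “where” control and the track-and-monitor requirement above (example code written for this page, not Hysolate’s or the PCI SSC’s), the script below parses a handful of constructed privileged-login records and flags every successful privileged login that did not originate from a designated privileged access workstation. The log format, host names, user names and the 10.20.0.0/24 PAW range are all assumptions made for the example.

```python
"""Flag privileged logins that bypass the privileged access workstation (PAW) control.

Added example: the log format and the PAW subnet below are assumptions, not
anything defined by PCI DSS or by a particular product.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample records (key=value syslog style); not real data.
SAMPLE_LOG = """\
2024-05-01T08:01:12Z host=cde-db01 user=dba_alice src=10.20.0.15 result=success priv=yes
2024-05-01T08:05:40Z host=cde-db01 user=svc_batch src=10.20.0.15 result=success priv=no
2024-05-01T09:17:03Z host=cde-db01 user=dba_alice src=192.168.1.44 result=success priv=yes
2024-05-01T09:20:55Z host=cde-app02 user=admin_bob src=10.20.0.16 result=failure priv=yes
2024-05-01T10:02:19Z host=cde-app02 user=admin_bob src=203.0.113.9 result=success priv=yes
"""

# Assumed: only this subnet is allocated to privileged access workstations.
PAW_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) priv=(?P<priv>yes|no)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: str
    host: str
    user: str
    src: str
    success: bool
    privileged: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format; an unparseable line raises rather than
    being silently dropped, so audit evidence is never lost without notice."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised login record: {line!r}")
        events.append(LoginEvent(
            ts=m["ts"], host=m["host"], user=m["user"], src=m["src"],
            success=(m["result"] == "success"), privileged=(m["priv"] == "yes"),
        ))
    return events


def is_from_paw(src: str) -> bool:
    """True if the source address falls inside an allowed PAW network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PAW_NETWORKS)


def find_violations(events: list[LoginEvent]) -> list[LoginEvent]:
    """Successful privileged logins from outside the PAW networks.

    Non-privileged logins are out of scope for this control, and failed
    attempts are left for a separate brute-force check."""
    return [e for e in events if e.privileged and e.success and not is_from_paw(e.src)]


if __name__ == "__main__":
    for v in find_violations(parse_log(SAMPLE_LOG)):
        print(f"{v.ts} {v.user}@{v.host} logged in from non-PAW source {v.src}")
```

Run stand-alone, the script reports two events: the DBA login from 192.168.1.44 and the admin login from 203.0.113.9; the failed attempt and the non-privileged service login are not reported. In practice the PAW allowlist would be fed from the asset inventory rather than hard-coded, and the parser would be replaced by one matching the real authentication log format.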
How a Dedicated OS Helps with PCI
Privileged access risk is challenging to manage, especially at the endpoint. Such access points create risk exposure. The privileged user has to log into privileged accounts, using a laptop, workstation or mobile device of some kind. If an attacker can compromise the privileged user’s device, he or she can then gain access to the company’s “Command and Control” (C&C) server and sensitive digital assets like credit card account information. This kind of penetration is possible even if the privileged accounts are on a segmented subnetwork.
One mitigating best practice is to provision a dedicated privileged machine, also known as a privileged access workstation, to the privileged user. For instance, a privileged user may have two work laptops: one for regular corporate work and another for privileged account access. This practice reduces the likelihood that an attacker can breach the privileged endpoint using a phishing attack, web-borne malware or by abusing a public Wi-Fi network.
The problem with this approach is that it’s neither practical nor realistic. Outside the office, the majority of privileged users are not going to lug two machines around with them. They will invariably log into privileged accounts using a general-purpose work device or even a personal machine. This results in risk exposure. And, even if they use the two machines, the switching back and forth becomes a drag on productivity.
A more viable and secure solution is to deploy a single machine with two completely segregated operating systems (OSes). As exemplified by Hysolate, an isolated operating system environment keeps sensitive data completely separate from the user’s corporate and personal data. A PC running Hysolate provides the user with two totally separate virtual machines (VMs) on the same hardware. Hysolate enables secure access to privileged assets while allowing open access to non-sensitive assets on one machine.
If malware deploys on an Internet-exposed virtual machine, it cannot reach, and will not affect, privileged resources on the same machine. The malware will not even be aware of the other VM running on its own isolated OS.
PCI DSS is a strict, necessary standard for the security and integrity of credit card transactions. Control over privileged access is elemental to compliance with the standard. Such control relies on robust protection of privileged accounts and privileged user credentials. At the endpoint, where risk exposure is high, an isolated OS approach enables optimal enforcement of privileged access policies for PCI DSS.