I’ve recently been in talks with clients on the subject of remote network access, and event logging has come up more than once in conversation. Although nobody likes to have their hand forced by regulations, the fact remains that compliance is often more economically viable than the alternative.
As Arik Kasha writes: PCI-DSS Requirement 10 (“Track and monitor all access to network resources and cardholder data”) is all about using logs for vulnerability management and event forensics. These logs must record every time someone accesses regulated data (including cardholder data and log data) to enable a “who-did-what-and-when” audit trail. This requires[sic] means implementing a comprehensive system to log every time any employee or remote vendor accesses a server or application which processes protected data.
If your business has geographically dispersed architecture managed by centralized operations, this should be of great interest. Ostensibly, if you run a distributed network you currently have Out-of-Band Management access to sites, via secondary network connections, or PSTN. In the past, information about who is accessing switches, routers, and firewalls in off-the-map locations has not raised any eyebrows. You may want to reconsider.
When reviewing your Out-of-Band Management configuration, ask the following questions: Do I do a good job of managing access control to remote sites? (This is important if vendors access the network.) Do I have the ability to keystroke-log who has accessed exactly which equipment (OOB) and when? Are these logs archived securely? If any type of payment (via credit card) crosses the network, a logging audit trail is critical.
Don’t be too hard on yourself. Given Out-of-Band Management’s typical use as a method of last resort, it’s not surprising there remains a lack of security. OOB often does not get the consideration it deserves from network architects until called upon. Have your Infrastructure and Security teams talk and see if you have any gaps. According to popular research, perfect adherence to PCI Requirement 10 is often missed. Seek progress rather than perfection.
About Communication Devices, Inc. (CDI)
CDI is solely focused on providing Secure Out-of-Band Management technology to commercial and Federal clients. The company offers appliances and management tools that help ensure network operators meet all compliance requirements for remote access. www.commdevices.com