7.3 Security Compliance and Web Application Access Control
Access control is a basic security requirement, and all security compliance standards and risk management frameworks discuss access control in great detail. We have already discussed the growing influence of security compliance standards on organizations. They need to comply with several laws and compliance requirements if they are to stay in business. Certain compliance laws and requirements are specific and detail granular requirements, while others are not specific and instead draw their access control requirements from an assessment of risk or other best practices. For instance, the PCI standards are very specific with reference to access control requirements, whereas HIPAA advocates the use of risk assessment to formulate the security controls for an organization. We will explore the specific requirements with respect to access control in this section.
7.3.1 PCI-DSS
PCI-DSS is the Payment Card Industry Data Security Standard. This standard has become one of the most far-reaching compliance requirements in the world today, applicable to entities storing, processing, or transmitting cardholder information. We have explored the PCI-DSS extensively in Chapter 5. The PCI-DSS consists of 12 requirements encompassing network security, host security, application security, and physical security. Access control is covered as part of Requirements 7 and 8 of the standard.
Requirement 7: Restrict access to cardholder information by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
7.3.1.1 Requirement 7: Restrict Access to Cardholder Information by Business Need-to-Know
Requirement 7 of the PCI Standard is to restrict access to cardholder information based on business need-to-know. This requirement discusses the concept of least privilege and role-based access control in detail. The requirement calls for ensuring that only individuals who need access to cardholder information are allowed to access the said information. The requirement calls for restriction of user IDs based on job function for access to cardholder information. The requirement also states that this access control system should be automated and not operated manually, thereby necessitating a situation where access controls are driven from the system without any manual intervention.
The requirement also states that there should be a default deny all setting enabled for all users in the system. A default deny all setting is enabled to ensure that unless access is explicitly granted for a resource by the administration, access to the information is denied to all users in the system. The requirement also propounds the assignment of user privileges based on job function, which is the essence of role-based access control.
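The following Java class is an added illustration of the three properties Requirement 7 describes (least privilege, role-based assignment by job function, and default deny all); it is not code from the book or from the PCI Standard. The role names, permission names and user IDs are hypothetical, constructed for the example; a real deployment would load the grants from an administered policy store rather than hard-coding them.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Default-deny, role-based access control for cardholder data.
 * Added example (not the book's code); roles, permissions and user IDs are hypothetical.
 */
public class CardholderAccessControl {

    /** Operations on cardholder data that an administrator may explicitly grant. */
    enum Permission { READ_MASKED_PAN, READ_FULL_PAN, REFUND, EXPORT }

    /** Explicit grants per job-function role. Anything not listed here is denied. */
    private final Map<String, Set<Permission>> grants = new HashMap<>();

    /** Each unique user ID maps to exactly one job-function role (hypothetical mapping). */
    private final Map<String, String> roleOfUser = new HashMap<>();

    CardholderAccessControl() {
        // Least privilege: each role receives only the operations its job function needs.
        grants.put("CUSTOMER_SERVICE", EnumSet.of(Permission.READ_MASKED_PAN));
        grants.put("CHARGEBACK_ANALYST",
                EnumSet.of(Permission.READ_MASKED_PAN, Permission.REFUND));
        grants.put("FRAUD_INVESTIGATOR",
                EnumSet.of(Permission.READ_MASKED_PAN, Permission.READ_FULL_PAN));
        // No role is granted EXPORT, so EXPORT is denied for every user until an
        // administrator adds an explicit grant. That is the default deny all setting.
    }

    /** Privileges are assigned to a user only through a role, never per user. */
    void assignRole(String userId, String role) {
        roleOfUser.put(userId, role);
    }

    /**
     * Default-deny decision: only an explicit grant for the user's role yields true.
     * Unknown users, roles without a grant entry, and ungranted permissions all fall
     * through to denial. The decision is taken by the system, with no manual override.
     */
    boolean isAllowed(String userId, Permission permission) {
        String role = roleOfUser.get(userId);
        if (role == null) {
            return false; // no role assigned: deny
        }
        Set<Permission> allowed =
                grants.getOrDefault(role, Collections.<Permission>emptySet());
        return allowed.contains(permission);
    }

    public static void main(String[] args) {
        CardholderAccessControl ac = new CardholderAccessControl();
        ac.assignRole("u1001", "CUSTOMER_SERVICE");   // hypothetical user
        ac.assignRole("u2002", "FRAUD_INVESTIGATOR"); // hypothetical user

        String[] users = { "u1001", "u2002", "u9999" }; // u9999 has no role at all
        for (String user : users) {
            for (Permission p : Permission.values()) {
                System.out.println(user + " " + p + " -> "
                        + (ac.isAllowed(user, p) ? "ALLOW" : "DENY"));
            }
        }
    }
}
```

The point of the structure is that denial needs no code path of its own: a missing user, a missing role, or a missing grant all produce the same result, so adding a new role or user never silently opens access to cardholder data.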
7.3.1.2 Requirement 8: Assign a Unique ID to Each Person with Computer Access
Requirement 8 of the PCI Standard discusses the implementation of access control, with a
focus on authentication controls. Requirement 8 of the PCI Standard provides a granular