http://www.networkworld.com/news/2013/100113-pci-274386.html
By Ellen Messmer
Network World
October 01, 2013
Organizations that make use of SSH keys for secure access to servers
should be aware that they may need to make some changes soon when it comes
to managing any of their networks related to payment-card processing,
according to the CEO of SSH Communications Security, Tatu Ylonen.
That’s because the next version of the Payment Card Industry (PCI) standard,
PCI v.3, to be published in early November, is expected to include some
new guidance on authentication and remote access to any network segment
that processes or stores payment cards, and that guidance could impact use
of Secure Shell (SSH) cryptographic technology, Ylonen says.
“Key access clearly can be used in a PCI environment,” Ylonen notes. “But
key access across from a boundary forces problems.” Any organization
storing or processing payment cards must follow the PCI standard’s
requirements for network security. SSH keys are often used for automated
machine-to-machine security and SSH keys grant access with a password,
Ylonen notes. Boundaries for PCI networks define segments in which card
storage or processing takes place — often called PCI network “scope” — and
it must conform to PCI requirements as defined in the PCI Data Security
Standard (DSS) published by the PCI Security Standards Council.
Ylonen says he is encouraging systems administrators — the individuals
often responsible for setting up SSH key management for enterprise
networks — to start discussions about the upcoming PCI DSS v.3 standard
with those in their organization most involved in making sure there will
be PCI compliance. These individuals might be chief security officers,
CIOs or internal auditors, for example. From what he’s seen of the draft
of the PCI v.3 standard, Ylonen says, “the rules themselves are good but
guidance is vague.”
[...]