Saturday, March 29, 2025

PCI DSS 4.0.1 and Non-Human Identity Management: What You Need to Know

The remaining future-dated requirements of the Payment Card Industry Data Security Standard (PCI DSS) 4.0.1 become mandatory on March 31, 2025, and with them come stricter controls, particularly around Non-Human Identities (NHIs). These are the system and application accounts in an environment, such as service accounts, service principals and cloud IAM roles, together with the authentication factors bound to them, such as API and storage access keys, client certificates and database-user passwords. Despite their central role in modern IT environments, NHIs are often overlooked in security strategies.

The standard's own wording is that the use of application and system accounts and their authentication factors must be "strictly managed". As the deadline nears, how should organizations prepare? Let's dive in.

The New Requirements

The first step is understanding what the requirements entail. Here, we will home in on the requirements in sections 7 and 8 that bear on application and system accounts.

  • Least Privilege and Need-to-Know Principles (Requirement 7.2.5): Application and system accounts must be granted only the privileges necessary for the system or application to operate, and their use must be limited to the systems and processes that actually need them. Requirement 7.2.5.1 adds that this access must be reviewed periodically. Enforcing least privilege removes the over-privileged or outdated access rights that turn a leaked key into a full compromise.
  • Identity and Authentication Policies (Requirement 8.1.1): The security policies and operational procedures for Requirement 8 must be documented, kept up to date, in use and known to all affected parties. For NHIs this means written, enforced policy for credential rotation, permission control, ownership and governance rather than tribal knowledge, which is what keeps handling of non-human accounts consistent across teams.
  • Deactivating Unused Accounts Promptly (Requirement 8.2.6): Inactive accounts must be removed or disabled within 90 days of inactivity. Dormant application accounts are a convenient foothold for attackers because nobody is watching them, so detection and deactivation should be automated rather than left to ad hoc clean-ups.
  • Managing Shared and Generic IDs (Requirement 8.2.2): Group, shared or generic accounts may only be used in exceptional circumstances, with documented business justification and management approval. Every action performed with such an account must be attributable to a specific individual, which in practice means confirming the individual's identity before access is granted and logging the session.
  • Revoking Access for Terminated Users (Requirement 8.2.5): Access for terminated users must be revoked immediately. For NHIs the subtle part is that disabling the person's own account is not enough: access keys, tokens and other secrets the departed employee created or held often remain valid, and the identities they owned become orphaned. Termination workflows must therefore also rotate or invalidate the credentials that person had access to and reassign the NHIs they owned to a new accountable owner.
  • Interactive Login Capabilities (Requirement 8.6.1): Where an application or system account can be used for interactive login, interactive use must be prevented unless needed for an exceptional circumstance, limited to the time needed, covered by a documented business justification, explicitly approved by management, and preceded by confirmation of the individual's identity, with every action attributable to that individual. An engineer logging in as the batch-processing service account to "quickly fix something" is exactly the pattern this rule targets.
  • Credential Rotation Based on Risk (Requirement 8.6.3): Passwords and passphrases for application and system accounts must be changed periodically, at a frequency set by the entity's targeted risk analysis, and immediately on suspicion or confirmation of compromise; Requirement 8.6.2 adds that, for accounts that can be used for interactive login, these passwords must not be hard-coded in scripts, configuration files or custom source code. The same discipline should be applied to API keys, tokens and certificates, since a credential that is never rotated gives an attacker who obtained it a long time ago indefinite access.

Why Now?

The rise in attacks targeting NHIs has become too significant to ignore. PCI DSS itself does not use the term NHI; it speaks of application and system accounts, meaning accounts used by systems or applications for automated tasks rather than by a person. In practice these accounts are sometimes also used by humans, which is where misuse starts. NHIs now require dedicated focus, as their exploitation is increasingly tied to major cybersecurity incidents.

Service accounts are a prime target for attackers exploiting weak or misconfigured authentication, because they are rarely protected by MFA, often carry broad privileges and are seldom monitored. Nearly 50% of organizations have reported NHI-related compromises, with 66% of those incidents resulting in successful cyberattacks (ESG Report 2024). Exposed API keys, service-account credentials and mismanaged secrets were among the entry points in recent breaches at Dropbox, Okta, Slack, and Microsoft. Recognizing this growing threat, PCI DSS 4.0.1 calls for stringent controls over these accounts, reinforcing the importance of secure authentication and access management practices.

Previously, auditors focused on human identities and largely overlooked NHIs, but the surge in misuse of application and service accounts necessitates robust controls. As regulatory frameworks evolve, these requirements are no longer about just checking boxes; organizations must be able to demonstrate implementation, ongoing tracking and remediation. Maintaining consistent and robust security controls across all application and service accounts has become a key priority.

PCI DSS 4.0.1 pushes organizations to take compliance beyond written policy by actively resolving findings and showing evidence that the controls are implemented and operating. This, together with other industry benchmarks, emphasizes securing NHIs across their whole lifecycle and mitigating the risks that come with service account misuse.

How Should Organizations Respond?

To ensure readiness for mandatory compliance, organizations should:

  • Assign Ownership & Manage Orphaned Accounts: First, map your NHIs and ensure ongoing visibility. Then clearly define an accountable owner for every NHI and implement processes to detect orphaned accounts (no owner, or an owner who has left) so they are reassigned or deactivated promptly.
  • Automate Access Management: Adopt tooling that detects stale or over-privileged accounts and enforces least-privilege principles for application access, rather than relying on periodic manual reviews alone.
  • Enforce Authentication Best Practices: Implement MFA for human access, prefer certificate- or workload-identity-based authentication over long-lived static secrets for NHIs where the platform supports it, restrict shared credentials, and rotate credentials at predefined intervals or according to risk level.
  • Monitor and Respond to Anomalies: Deploy Identity Threat Detection and Response (ITDR) capabilities to continuously monitor authentication and application access for suspicious activity, such as a service account authenticating from an unexpected network or being used interactively, and to act on it.
  • Secure Application Secrets and Credentials: Store application credentials in a secrets manager or vault rather than hard-coding them in source, scripts or configuration files, enforce strict permissions on who and what can read them, and rotate them regularly.
  • Regularly Review Access Rights: Define clear access control policies and automate the assessment of each identity's posture and compliance state through policy tests. Use tools to ensure adherence to least-privilege and "need to know" principles, and remove stale permissions to reduce risk.
  • Rotate Secrets Regularly: Define a rotation cadence aligned with the risk associated with each identity, and enforce it. Document your compliance activities throughout the year so they can be demonstrated to auditors; generate compliance reports and track trends.
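The requirement bullets above and the response checklist both come down to a set of policy tests that can be run over an NHI inventory. The following is an added example, not code from the original post or from any particular product: a small Python audit that evaluates a constructed inventory against the controls discussed (orphaned ownership, inactivity beyond 90 days, credential age beyond a risk-based rotation interval, wildcard privileges, and interactive login without documented justification and approval). The inventory format, the risk tiers, the rotation intervals and the finding codes are assumptions for illustration; map them to your own IAM and secret-store exports and to the frequencies set by your targeted risk analysis.

```python
"""Policy tests over a non-human identity (NHI) inventory.

Added example; not code from the original post. The record layout,
thresholds and finding codes are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed thresholds. 90 days follows PCI DSS 8.2.6 for inactive accounts;
# rotation intervals per risk tier stand in for a targeted risk analysis (8.6.3).
INACTIVITY_DAYS = 90
ROTATION_DAYS = {"high": 30, "medium": 90, "low": 180}
WILDCARD = "*"

# Fixed "now" so the sample audit is deterministic.
NOW = datetime(2025, 3, 31, tzinfo=timezone.utc)


@dataclass
class NHI:
    name: str
    kind: str                               # service-account, service-principal, db-user ...
    owner: Optional[str]                    # accountable human; None if never assigned
    owner_active: bool                      # False once the owner has been offboarded
    risk: str                               # "high" / "medium" / "low"
    created: datetime
    last_used: Optional[datetime]           # None if the identity has never authenticated
    credential_rotated: datetime            # when the current key/password was issued
    privileges: List[str]
    interactive_login: bool                 # can a human log in with this account?
    interactive_justification: Optional[str] = None
    interactive_approved: bool = False


def evaluate(nhi: NHI, now: datetime) -> List[str]:
    """Return the list of policy findings for one identity (empty list = compliant)."""
    findings: List[str] = []
    # Ownership / 8.2.5: an identity whose owner left, or was never set, is orphaned.
    if nhi.owner is None or not nhi.owner_active:
        findings.append("ORPHANED")
    # 8.2.6: inactive beyond the threshold; a never-used identity ages from creation.
    last_activity = nhi.last_used or nhi.created
    if now - last_activity > timedelta(days=INACTIVITY_DAYS):
        findings.append("INACTIVE")
    # 8.6.3: credential older than the rotation interval for its risk tier.
    if now - nhi.credential_rotated > timedelta(days=ROTATION_DAYS[nhi.risk]):
        findings.append("STALE_CREDENTIAL")
    # 7.2.5: wildcard grants contradict least privilege.
    if any(WILDCARD in p for p in nhi.privileges):
        findings.append("OVERPRIVILEGED")
    # 8.6.1: interactive use needs a documented justification and management approval.
    if nhi.interactive_login and not (nhi.interactive_justification and nhi.interactive_approved):
        findings.append("INTERACTIVE_UNJUSTIFIED")
    return findings


def audit(inventory: List[NHI], now: datetime) -> Dict[str, List[str]]:
    """Evaluate every identity; the result is the evidence you keep for the auditor."""
    return {nhi.name: evaluate(nhi, now) for nhi in inventory}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings by code, for trend tracking across audit runs."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for code in findings:
            counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory (not real accounts) exercising each check.
SAMPLE_INVENTORY = [
    NHI("billing-batch-sa", "service-account", "alice", True, "high",
        NOW - timedelta(days=400), NOW - timedelta(days=2), NOW - timedelta(days=10),
        ["payments:read", "reports:write"], False),
    NHI("legacy-etl-sa", "service-account", "bob", False, "medium",
        NOW - timedelta(days=900), NOW - timedelta(days=120), NOW - timedelta(days=400),
        ["s3:*"], True),
    NHI("pos-db-user", "db-user", "carol", True, "high",
        NOW - timedelta(days=200), NOW - timedelta(days=1), NOW - timedelta(days=45),
        ["db:read"], False),
    NHI("new-reporting-sp", "service-principal", None, False, "low",
        NOW - timedelta(days=5), None, NOW - timedelta(days=5),
        ["reports:read"], True, "quarter-end reconciliation", True),
]


def run_sample() -> Dict[str, List[str]]:
    return audit(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    report = run_sample()
    for name, findings in report.items():
        print(f"{name}: {', '.join(findings) if findings else 'OK'}")
    print("summary:", summarize(report))
```

In a real deployment the inventory would be built from IAM, cloud provider and database exports plus the HR system for owner status, and each finding code would map to an automated remediation (reassign, disable, rotate) and to a ticket that records the evidence the assessor will ask for.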

Taking these steps will help ensure organizations are meeting evolving compliance standards and enhance their security posture.

Ensuring Compliance in an Increasingly Regulated World

Enforcement of the remaining PCI DSS 4.0.1 requirements is fast approaching, and organizations must prepare now. Inventorying NHIs, assigning owners and automating the checks above, whether with an NHI management solution or with in-house tooling, is what turns the new requirements from an audit risk into a demonstrable control.


The post PCI DSS 4.0.1 and Non-Human Identity Management: What You Need to Know first appeared on Cybersecurity Insiders.
