Previously in Part 1: PCI DSS – Where to Start?, we dove into the technicalities and scope of PCI DSS and strategies for planning for audits and compliance. Within this article, we’ll introduce JumpCloud® and the capabilities it provides, bringing IT administrators a simple way to unify, manage, and secure their environments. The JumpCloud directory platform combines an organization’s resources into a centralized IT management platform, extending identities to countless resources such as devices, networks, applications, files, and more.
PCI DSS Section 8
We’ve outlined what PCI DSS requires of organizations before they can pass an audit. Referencing the PCI DSS Quick Reference Guide, we’ll focus on Section 8. When configuring security and access, implementing strong access control measures needs to be top of mind. By applying the security principle of least privilege, you ensure that only specific users can access the resources they need, while anyone without an explicit assignment is denied.
Section 8: Identify and authenticate access to system components
PCI DSS requires organizations to secure authentication to any system within the cardholder data environment (CDE). This could encompass databases, devices, applications, networks, datastores, and many other types of resources. Without a centralized authentication mechanism or directory service in place, this is a heavy lift for admins. Even harder still is managing access, configurations, and consistent password requirements across the entire environment.
Traditional directory services, such as Microsoft® Active Directory®, may work if multiple ad hoc solutions are compiled together, but this makes efficient management difficult for admins. Resources outside of Active Directory’s or Azure®’s control (e.g. macOS® or Linux® devices, AWS, GCP, etc.) may be covered only partially, or not at all. JumpCloud’s directory platform takes directory services to another level by managing IT resources in a secure, unified platform wherever they are.
Meet Compliance with JumpCloud
Organizations constantly strive to improve their security without impeding workflow. This can create challenges for IT teams integrating multiple point solutions within their environment. The panacea would be a platform that augments admins’ ability to unify, manage, and secure all resources in one easy-to-use place.
The JumpCloud directory platform can be likened to a Swiss Army Knife — a versatile multi-tool covering a wide array of jobs in an easy-to-handle package. There are hundreds of different tasks admins execute daily. Underlying each task are security compliance considerations to ensure risk is mitigated. JumpCloud provides this multi-tool-like functionality for any IT resource, while ensuring that security compliance requirements are met in tandem.
Industry-standard compliance frameworks such as HIPAA, GDPR, PCI DSS, and SOC are examples of the rules and regulations organizations need to abide by when executing any task within the business. It is the duty of admins to ensure that all communications and work are secure at all times. JumpCloud’s platform breaks down into three major sections — Identity, Access, and Device. JumpCloud blends the lines separating these tasks into a unified approach. Unify an employee’s identity with their end device (e.g. macOS, Windows®, or Linux), enforce security configurations and policies (e.g. Lock Screen, Full Disk Encryption, Disable USB), extend the identity to grant access to the corporate VPN, provision access to SSO apps, and more, all from one dashboard. Admins have one central location where they can manage all employees, devices, access, apps, and cloud service integrations.
JumpCloud approaches security by building a framework on the principles of least privilege and zero trust. A default configuration of deny-all sets the precedent that no one is trusted or authorized until explicitly specified by an organization’s IT and/or security team. This approach secures assets by limiting access to any resource anywhere, which in turn helps meet an organization’s compliance requirements. Admins can quickly and easily implement granular or group-based access within seconds, freeing time for more pressing tasks.
JumpCloud provides the ability to unify management of SSO, G Suite™ or Microsoft 365™, Active Directory, RADIUS, and device management requirements for an organization’s compliance needs (e.g. PCI DSS Sections 8 and 10, or SOC). Integrating an organization’s pre-existing application stack by extending identities and credentials doesn’t require exorbitant CapEx or OpEx.
JumpCloud blurs the lines among IAM, IdM, MDM, and EMM into a holistic platform. A common example of how current customers use JumpCloud device management for compliance is enforcing Full Disk Encryption across their Windows and macOS fleets. In a recent case study, PayWith achieved SOC 2 compliance with JumpCloud, and the team is now preparing for a PCI audit as well using the JumpCloud directory platform.
“The main thing I wanted to accomplish was to check all the boxes that SOC 2 required. The other thing was — coming from an IT management perspective — I wanted to slip in a bunch of controls that I needed to be able to manage the system.” — Todd Wade, Head of Information Security & Compliance at PayWith
Next in the series: PCI DSS — Monitoring & Reporting
As we continue this three-part blog series, the next article will cover how admins can use different parts of JumpCloud’s cloud directory platform to monitor and report on the events carried out by admins and employees in an organization using Directory Insights™ and System Insights™.
Try JumpCloud Free
Evaluate JumpCloud Free today to see why 100,000+ organizations trust JumpCloud to help secure and easily manage their resources. With JumpCloud Free, you receive up to 10 users and 10 systems, as well as 10 days free of premium in-app chat support to help you explore the entirety of the platform.