By Zach DeMeyer Posted August 5, 2018
For any company involved with online credit card transactions, the Payment Card Industry Data Security Standard (PCI DSS) audit is the IT admin’s annual hurdle. In order to be compliant, sysadmins need to make sure their networks are up to snuff. So, when approaching your PCI day (or weeks/months in reality) of reckoning, consider preparing for your PCI DSS audit by leveraging JumpCloud® Directory-as-a-Service® for some of your PCI Section 8 and 10 needs.
Coalfire’s Take on JumpCloud for PCI Compliance
In their recent white paper, the widely respected PCI compliance assessor Coalfire Systems evaluated JumpCloud’s usefulness with regard to PCI DSS compliance, as well as its overall effectiveness in supporting compliance activities (Coalfire also reviewed JumpCloud for HIPAA and GDPR compliance). Coalfire’s assessment consisted of six main tasks:
- A technical overview of the JumpCloud Directory-as-a-Service platform as a whole.
- A review of installation of the JumpCloud Agent for each of the three major operating systems (Windows®, macOS®, and Linux®).
- An assessment of JumpCloud’s authentication functionality.
- An assessment of the same functionality with regards to PCI standards.
- An exploration of JumpCloud’s event logging API with regards to PCI standards.
- A comparison of JumpCloud password management against PCI standards.
Before we explore Coalfire’s results, let’s look into what PCI requires for section 8 and 10 compliance.
PCI DSS Requirements
During their assessment process, Coalfire mainly tested the JumpCloud Directory-as-a-Service platform against PCI DSS Requirements 8 and 10. At its core, PCI DSS Requirement 8 is all about ensuring that only the right users securely access critical IT resources, mainly systems. This is generally the underlying goal of a directory service such as JumpCloud, but with the complexity of the modern IT scene, having a single, secure user identity is harder than it seems.
PCI Requirement 10 is all about monitoring the flow of company information, most importantly credit card and other financial data. Having a repository of logged events you can review is crucial to doing so. Thankfully, JumpCloud has a built-in event logging API, which keeps track of attempted accesses, success/failure events, and the source IP address of each access. The goal of Requirement 10 is to ensure that all of your other controls are working properly, and that you can prove it.
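To make the Requirement 10 point concrete, here is an added example of the kind of review an admin runs over an exported access log before an audit. This is example code written for this post, not JumpCloud’s code, and the JSON field names and log lines are a constructed, hypothetical schema rather than JumpCloud’s real event API format. It checks that each entry carries the audit-trail fields PCI DSS 10.3 calls for (user, event type, date and time, success or failure, origin, affected resource) and flags any user whose failed logins reach the Requirement 8.1.6 lockout threshold of six attempts inside a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Fields every audit entry must carry to satisfy PCI DSS 10.3 (user id, event type,
# date/time, success/failure indication, origination of the event, affected resource).
# The JSON layout is a constructed, hypothetical schema, NOT JumpCloud's real event API.
REQUIRED_FIELDS = ("user", "event", "ts", "success", "src_ip", "resource")

# PCI DSS 8.1.6: lock out a user ID after not more than six failed attempts.
LOCKOUT_THRESHOLD = 6

# Constructed sample log (JSON Lines). Addresses come from the documentation IP ranges.
SAMPLE_LOG = """\
{"ts": "2018-08-05T09:12:01Z", "user": "alice", "event": "login", "success": true, "src_ip": "203.0.113.10", "resource": "db-host-01"}
{"ts": "2018-08-05T09:13:44Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T09:13:52Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T09:14:03Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T09:14:15Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T09:14:29Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T09:14:40Z", "user": "bob", "event": "login", "success": false, "src_ip": "198.51.100.7", "resource": "db-host-01"}
{"ts": "2018-08-05T10:02:11Z", "user": "dave", "event": "login", "success": false, "src_ip": "203.0.113.55", "resource": "web-host-02"}
{"ts": "2018-08-05T10:02:30Z", "user": "dave", "event": "login", "success": true, "src_ip": "203.0.113.55", "resource": "web-host-02"}
{"ts": "2018-08-05T11:45:00Z", "user": "carol", "event": "sudo", "success": true, "src_ip": "203.0.113.22"}
"""


def parse_events(text):
    """Parse JSON Lines into dicts, skipping blank lines; timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if "ts" in ev:
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def missing_fields(event):
    """Return the 10.3 fields this entry lacks (empty tuple means the entry is complete)."""
    return tuple(f for f in REQUIRED_FIELDS if f not in event)


def failures_by_user(events):
    """Count failed login events per user id."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event") == "login" and ev.get("success") is False:
            counts[ev["user"]] += 1
    return dict(counts)


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD, window=timedelta(minutes=30)):
    """Users with `threshold` failed logins inside any span no longer than `window`.

    Failures are sorted per user; the i-th and (i+threshold-1)-th failure bound a
    candidate burst, so one pass over the sorted list finds any qualifying window.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login" and ev.get("success") is False:
            per_user[ev["user"]].append(ev["ts"])
    flagged = []
    for user, times in per_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user)
                break
    return sorted(flagged)


def audit_report(text):
    """Summarize a log export the way an auditor would want to see it."""
    events = parse_events(text)
    return {
        "total_events": len(events),
        "incomplete_entries": [(ev.get("user"), missing_fields(ev))
                               for ev in events if missing_fields(ev)],
        "failures_by_user": failures_by_user(events),
        "lockout_candidates": lockout_candidates(events),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LOG), indent=2, default=str))
```

On the constructed sample, the report shows carol’s `sudo` entry missing its `resource` field (an evidence gap an assessor would ask about) and flags bob, whose six failed logins within a minute from one address should have triggered a lockout under 8.1.6. Swap `SAMPLE_LOG` for a real export and adjust `REQUIRED_FIELDS` to the field names your log source actually uses.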
Both JumpCloud’s centralized user authentication and event logging functionality were put through Coalfire’s PCI DSS gauntlet.
In summary, Coalfire found that JumpCloud Directory-as-a-Service, when properly implemented, is compliant with both of the PCI DSS requirements they tested it against. By using JumpCloud, IT admins can create a centralized directory of their users, giving each of those users a single identity to access all their required resources. These identities are backed by secure passwords, which are never saved in clear text on the system or in the JumpCloud agent. All traffic between the JumpCloud agent and the cloud platform is secured with the TLS v1.2 protocol. With regard to event logging, Coalfire determined that JumpCloud can adequately track and log access throughout the system per PCI DSS Requirement 10.
An underlying PCI requirement is that end users cannot remove or disable authentication controls and security measures. Per Coalfire’s findings, the JumpCloud Agent can only be uninstalled by an authorized admin, ensuring that access to systems will be securely handled through JumpCloud. Coalfire also found that the JumpCloud Agent integrates with all three major platforms (Windows, Mac, and Linux) both securely and with relative ease.
Preparing for Your PCI DSS Audit with JumpCloud®
To learn more about how your organization can leverage JumpCloud while preparing for your PCI DSS audit, be sure to check out Coalfire’s white paper. You can also ask JumpCloud’s support team directly. If JumpCloud Directory-as-a-Service seems like the compliance solution for you, you can schedule a demo or even sign up for free and try it yourself. Your first ten users are free forever and no credit card is required to sign up.