Special Report: Standards Rule: Security
Two of the standards driving the security industry--PCI DSS and 802.1X--will have as much strategic impact on the enterprise as technological.
July 14, 2006
Two of the standards driving the security industry will have as much strategic impact on the enterprise as technological. PCI DSS, targeted at organizations that handle credit card information, provides a set of best practices that will benefit any organization. Meanwhile, 802.1X offers more control over the authentication process to keep the bad guys off the network.
PCI DSS
Identity theft is likely the top security concern for businesses and consumers alike. So the Payment Card Industry Data Security Standard isn't really a standard--it's more of an ultimatum. Any organization that processes, stores or otherwise handles credit card information (Visa and MasterCard have driven the standard) must comply with the requirements, which address everything from "Thou Shalt Have a Firewall" to "Thou Shalt Know Who Hath Touched Thine Data."
And even if you don't handle credit card data, PCI is a good checklist for assessing your security architecture, policies and procedures. While short (the entire document is only 12 pages), it spells out the minimum requirements for protecting your data, covering everything from key rotation to segregation of wireless access points.
PCI's technology dictates are its weakest components. Tying a security standard to specific technological solutions means the standard itself must be maintained and periodically updated to keep pace with current technology. Thankfully, the areas where these ties exist are few and will likely be eliminated as the technology matures.
802.1X
Though 802.1X has been around for years, the standard is receiving newfound attention thanks to network admission schemes such as Cisco NAC (Network Admission Control), which rely on 802.1X for device authentication. While the standard was first embraced by the wireless community, NAC and its clones are driving adoption in the enterprise.
802.1X controls access in ways that could not be done with any previous standard. It requires all devices such as computers, PDAs, printers and the like to be authenticated before gaining access to your network, even to an exposed switch. The only communications an 802.1X-compliant switch will allow are between client-side supplicant software and an authentication server.
To accomplish this goal, the 802.1X-compliant switch calls upon some form of authentication server. This lets you manage your credentials separately from your network, but each edge device must have connectivity to an authentication server to do its job.
Another weakness is 802.1X's dependence on RADIUS authentication services. Larger enterprises will require racks of RADIUS servers just to support the standard, but it's likely that ADS and LDAP connectors will become the norm rather than the exception. Vendors like to point out the success of RADIUS in the field, but avoid talking about installation costs or the fact that RADIUS wasn't originally intended to support everything on your network. The standard also requires a software supplicant on each device requesting network access, which, except for an initial installation burden, isn't a problem for PCs but will be a problem for devices such as network printers, which cannot support supplicants.
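The three roles described above (supplicant, authenticator switch port, and authentication server) can be simulated end to end. The block below is an added example written for this page; it is not code from the article or from any vendor product. The challenge/response exchange is a constructed stand-in for a real EAP method, and the identities and secrets are made up. It shows the port staying closed to ordinary traffic until the server answers Access-Accept, and it covers the two weaknesses the text raises: a device with no supplicant, and an edge device that has lost connectivity to its authentication server.

```python
"""Simulated 802.1X port-based access control. Added example, not code from
the article or any vendor. The HMAC challenge/response is a constructed
stand-in for a real EAP method; identities and secrets are made up."""
import hashlib
import hmac
import os


class AuthServer:
    """Stand-in for the RADIUS server. Holds per-identity secrets and issues
    a fresh nonce per attempt, so a captured response cannot be replayed."""

    def __init__(self, users):
        self._keys = {ident: secret.encode() for ident, secret in users.items()}
        self._pending = {}

    def challenge(self, identity):
        nonce = os.urandom(16)
        self._pending[identity] = nonce
        return nonce

    def verify(self, identity, response):
        nonce = self._pending.pop(identity, None)
        key = self._keys.get(identity)
        if nonce is None or key is None:
            return "Access-Reject"
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        return "Access-Accept" if ok else "Access-Reject"


class Supplicant:
    """Client-side 802.1X software: answers the challenge with a MAC keyed
    by the device secret, which never leaves the device."""

    def __init__(self, identity, secret):
        self.identity = identity
        self._key = secret.encode()

    def respond(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class SwitchPort:
    """The authenticator. Relays EAP messages between supplicant and server
    and forwards ordinary data only once the port is authorized."""

    def __init__(self, server):
        self.server = server          # None models an unreachable server
        self.authorized = False
        self.log = []

    def authenticate(self, supplicant):
        if supplicant is None:        # device that cannot run a supplicant
            self.log.append("no supplicant: port stays unauthorized")
            return "no-supplicant"
        if self.server is None:       # fail closed, never fail open
            self.log.append("auth server unreachable: port stays closed")
            return "server-unreachable"
        nonce = self.server.challenge(supplicant.identity)   # EAP-Request
        response = supplicant.respond(nonce)                 # EAP-Response
        verdict = self.server.verify(supplicant.identity, response)
        self.authorized = verdict == "Access-Accept"
        self.log.append(f"{supplicant.identity}: {verdict}")
        return verdict

    def forward(self, data_frame):
        """Only an authorized port passes non-EAPOL traffic onto the LAN."""
        if not self.authorized:
            self.log.append(f"dropped {data_frame!r}: port unauthorized")
            return "dropped"
        self.log.append(f"forwarded {data_frame!r}")
        return "forwarded"


# Constructed credential store standing in for the RADIUS / LDAP backend.
USERS = {"laptop-042": "correct horse battery staple"}


def laptop_with_valid_secret():
    port = SwitchPort(AuthServer(USERS))
    verdict = port.authenticate(Supplicant("laptop-042", USERS["laptop-042"]))
    return verdict, port.forward(b"GET / HTTP/1.1")


def laptop_with_wrong_secret():
    port = SwitchPort(AuthServer(USERS))
    verdict = port.authenticate(Supplicant("laptop-042", "guess"))
    return verdict, port.forward(b"GET / HTTP/1.1")


def printer_without_supplicant():
    port = SwitchPort(AuthServer(USERS))
    return port.authenticate(None), port.forward(b"print job")


def authentication_server_unreachable():
    port = SwitchPort(None)
    verdict = port.authenticate(Supplicant("laptop-042", USERS["laptop-042"]))
    return verdict, port.forward(b"ping")


if __name__ == "__main__":
    for case in (laptop_with_valid_secret, laptop_with_wrong_secret,
                 printer_without_supplicant, authentication_server_unreachable):
        print(f"{case.__name__}: {case()}")
```

The printer case is the one to plan for in a real deployment: a device that cannot run a supplicant never starts the EAP exchange, so its port stays unauthorized and its traffic is dropped. The unreachable-server case shows why each edge switch needs a working path to RADIUS; the port fails closed rather than silently opening.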
Don MacVittie, an NWC senior technology editor, can be reached at [email protected].