amigan_99 asked:

PCI Question: Two Factor Authentication

In order to be PCI compliant, would all network logins in a company need to be two-factor? Or could you limit the second factor to, say, just when people are VPN'ing in to the company? That is, in PCI compliant companies, when the employees come in to the office, do they need to use two-factor authentication to get onto their machines and the LAN and start working?
ASKER CERTIFIED SOLUTION
Rich Rumble
(This solution is only available to Experts Exchange members.)
amigan_99 (ASKER):
Thank you much!
btan:

For remote admin by those sysadmins (regardless of VPN), 2FA is likewise critical and should be considered mandatory. Ideally there is SSO across related apps using that single identity.

amigan_99 (ASKER):
Hi Bread - can you clarify what you mean by remote administration? If I come into the home office and RDP to the Domain Controller so I can add some users, say, and that is reached via WAN and is in the data center 100 miles away, are you saying *that* would need 2FA?

btan:
Yap :) VPN is to secure the channel while 2FA is for the identity.

Home user accessing the intranet - VPN minimally.
Sysadmin accessing remotely (not physically at the server) - 2FA + secure channel minimally.

But typically a VPN like AnyConnect can tie to a smartcard, so I do see that as long as it is remote, 2FA comes together naturally (hopefully not resorting to username/password where possible).

amigan_99 (ASKER):
Thanks much for the insight.