Home > Storage > PowerScale (Isilon) > Product Documentation > Security and Compliance > Dell PowerScale OneFS: Security Considerations > Implement strong access control measures
The fourth set of requirements focuses on ensuring access to payment card data is based on strict security measures.
This requirement ensures that only authorized individuals access system components and payment card data. Enforcing this requirement is achieved through systems and processes that ensure access to payment card data is based on a “Need to know” basis, where the least amount of data is divulged to perform a job.
Once the roles and access controls are defined, they are implemented on a PowerScale cluster through OneFS Role Based Access Control (RBAC). RBAC ensures that an administrator only grants specific functions and access based on a specific role. For more information about the OneFS RBAC feature, see the Dell PowerScale OneFS: Authentication, Identity Management, and Authorization white paper.
The other requirements in this section are enforced through policies, procedures, and processes external to the PowerScale cluster.
Requirement 8 ensures that every individual with access to a system has a specific identification and is authenticated through a secure process. The identification and authentication processes provide accountability for all actions within a system.
Administrators define user identification and authentication within a PowerScale cluster. Local authentication is available, allowing each ID to be locally created. On the contrary, external authentication is available through Active Directory or an LDAP provider. For more information about defining user identification and options, see the Dell PowerScale OneFS: Authentication, Identity Management, and Authorization white paper.
This section includes requirements defining lockout duration, idle sessions, cryptography, password complexity, and password expiration. The OneFS Security Configuration Guide for the relevant OneFS release at PowerScale Info Hubs explains how to implement these requirements.
PowerScale OneFS can audit system configuration events, through APIs, allowing events to be tracked and recorded. For more information about auditing in OneFS, see the Dell PowerScale: File System Auditing with Dell Common Event Enabler white paper. Configuring audit in OneFS is also explained in the OneFS 8.2 CLI Administration Guide.
OneFS also supports multifactor authentication for SSH. For more information about multifactor authentication, see the Dell PowerScale OneFS: Authentication, Identity Management, and Authorization white paper.
The other requirements in this section are enforced through policies, procedures, and processes external to the PowerScale cluster.
Physical access to cardholder data or systems that host cardholder data should be restricted to ensure that systems or hard copies of data may not be removed.
PowerScale nodes can be installed in locked racks and placed in a secure data center, protecting physical access to the nodes. SEDs further enhance physical security in the event any drives are removed from a node. The data on the SEDs are not readable by any other PowerScale cluster or other systems, as the drive keys are wrapped in encryption keys on the node itself. For more information about SEDs and Data at Rest Encryption, see PowerScale Data at Rest EncryptionPowerScale Data at Rest Encryption.
OneFS supports encryption for SyncIQ, ensuring data replication traffic between two clusters is secured. SyncIQ encryption offers over-the-wire end-to-end encryption for data replication, protecting and securing in-flight data. For more information about SyncIQ encryption, see the Dell PowerScale SyncIQ: Architecture, Configuration, and Considerations white paper.
The other requirements in this section are enforced through policies, procedures, and processes external to the PowerScale cluster.