Meeting TISAX Standards with PKWARE, Part 4: Access to Data

Automotive suppliers must meet TISAX data security standards in order to do business with any major German automobile company. PKWARE helps companies simplify TISAX compliance by providing a wide range of capabilities to address multiple requirements. In our TISAX blog series, we're examining the requirements auto industry suppliers and service providers must meet, and how PKWARE is helping organizations meet those requirements.

Today's topic: controlling access to sensitive information.

Section 9 of the VDA ISA security assessment (the basis of the TISAX process) deals with access control. In its subsections, it defines standards for policies and procedures related to user registration, permission management, data access, and other aspects of access management.

As with other areas of TISAX compliance, many of Section 9's requirements overlap with each other and with other sections of the assessment. And as with other TISAX standards, PKWARE's data-centric security technology can help organizations meet these requirements and demonstrate compliance to assessors, customers, and partners.

Here's a closer look at two of the six subsections that make up the TISAX access control standard.

Subsection 9.1 asks "To what extent are policies and procedures regarding the access to IT systems in place?" In addition to standards for creating and documenting policies, 9.1 also dictates a few specific approaches for controlling access to sensitive information. Data requiring "high protection" should be protected by passwords at a minimum, while data requiring "very high protection" must be protected with measures that include multi-factor authentication.

Subsection 9.5 goes into more detail on limiting access to sensitive information. Most of the subsection focuses on internal processes for granting and reviewing access permissions. It also contains one specific requirement for data requiring very high protection—it must be secured using "Encrypted data storage in order to prevent access and viewing by unauthorized persons/roles (e.g. administrators) at least on file level."

Where does PKWARE fit in?

PKWARE's approach to policy management and encryption key management allows organizations to maintain strict control over the protection applied to sensitive data and the access different users and groups have to that data.

The PKWARE Enterprise Manager integrates with Active Directory and associates encryption keys, classification schemes, and other security features to user identities. This means that administrators can create granular policies that allow each user or group to access only the data they are authorized to use.

Automated encryption with support for MFA

As we mentioned in our previous TISAX post, PKWARE automatically applies persistent strong encryption to sensitive data based on organizational policy. This protection travels with data wherever it travels, ensuring that only authorized users can decrypt and access the data, even when it's stored outside the company network.

Thanks to PKWARE's integration with Active Directory, the encryption keys used to secure sensitive data are associated with user identities. So if an employee has an encryption key but leaves the company, the employee record can be removed from Active Directory and that person will no longer have access to the file. It’s as simple as that: no re-encryption is necessary, and there's no second user database to synchronize or update.

PKWARE also supports multi-factor authentication (MFA) for use cases requiring "very high protection" as described in section 9.1 of the TISAX assessment. When a user attempts to access a file that requires MFA, PKWARE will prompt the user to enter a token code (or other MFA credential), and validate the code through an integration with the organization's MFA technology. If (and only if) the user has entered a valid MFA code, PKWARE will decrypt the file.

This type of policy enforcement isn’t the only capability you’ll need to comply with Section 9, but PKWARE can be part of the solution to get you there. Integration with Active Directory—and the enforcement of information access that it makes possible—isn’t available in many data security products on the market. But it’s a standard feature of PKWARE's data security platform.

Up next: cryptography, and more about PKWARE's innovative key management technology.