Monday, May 21, 2012

Nightmare on PCI street


Here are two stories about two hypothetical NonStop platform owners ‘Joe’ and ‘Jane’ dreaming about the PCI security standard. For dramatic reasons, the stories are written in the first person.


Joe’s dream

The last couple of years have been tough for me: budget cuts, staff cuts, increased workload. However, being blessed to work in a great team, my folks and I have been able to keep the NonStop humming away quietly, happily processing millions of transactions per day. It’s 3 pm on a Friday and I am already planning my weekend when my boss (“manager midrange servers”) walks into my office. ‘Hey Joe’, he says, ‘did you hear that all midrange boxes will be PCI-audited next month?’ Three months later: the auditor was a savvy one and came up with a long list of things he would like us to change, from procedures to technical things. Unfortunately, my boss’ direction on PCI was pretty clear: no extra budget, no extra staff. As I ponder my options driving home, a large semi-truck suddenly veers wildly across the four-lane highway, coming directly my way. I hectically grab for the steering wheel when … … I wake up in a cold sweat … in my bed! Too bad that only the part about the semi-truck was a dream – I certainly wish that this whole PCI project were a dream only.


Jane’s dream

The last couple of years have been tough for me: budget cuts, staff cuts, increased workload. However, being blessed to work in a great team, my folks and I have been able to keep the NonStop humming away quietly, happily processing millions of transactions per day. It’s 3 pm on a Friday and I am already planning my weekend when my boss (“manager midrange servers”) walks into my office. ‘Hey Jane’, he says, ‘did you hear that all midrange boxes will be PCI-audited next month?’ Three weeks later: I am sitting in the cafeteria with our CISO (Chief Information Security Officer). ‘Are you telling me this box is processing 5 million transactions per day, keeping a full log of every single credit card number? And you manage all your systems with a team of five?’ he asks me. ‘Yep’ is my short reply while I enjoy watching the impact sink in. He finally catches himself. ‘Well, I guess I should have known of these boxes long ago. If nothing else, they seem crucial to our business and important from a risk perspective. Fortunately, the audit is still 2 months away, so why don’t we do the following: I give you two guys from my security team who will brief you and your team on what’s going on in the cyber-criminal world lately (APTs, zero-day flaws, ARP cache poisoning, SSL man-in-the-middle attacks, backward HTTPS shells, and so forth). It will not get too technical, but you need to understand how the attack landscape and technology have changed. Then, they’ll work with your team to go through some of these attack scenarios and see whether they apply to NonStop or not. Next, I’ll make sure you get an extra person on your staff who can focus solely on security. We meet again in four weeks and I’ll make sure you get the appropriate budget to put together an action plan for the next four weeks and two years. Oh, and if you want to get in some external consultant who combines security expertise with NonStop platform expertise, by all means do so.’ … … The birds have woken me up again.
Well THAT was a nice dream for sure and it can only be a good omen for my meeting with the CISO today.


Reality Check

As most of you reading this blog know, I am not a NonStop platform owner in the typical “NonStop user” sense. Instead, I am the CTO of comForte, a software company selling security software for HP NonStop systems (among other things).

I do talk with NonStop users a lot and from these talks I feel most of you are living Joe’s nightmare rather than Jane’s (pipe?) dream. I don’t want to oversimplify things, but I do believe that a big problem of securing NonStop systems is serious underfunding and under-staffing.

What is your experience? Is keeping up with security requirements a Nightmare or a pipe dream?
Did you manage to raise awareness of this issue with your management and did you get the resources to keep up with security mandates like PCI-DSS? If so, how did you do it?

I’d love to hear your comments on this … You can comment either here on the comForte lounge BlogSpot or on the LinkedIn discussion I’ll start separately. If you cannot publicly comment you may send me an e-mail instead at t.burg@comforte.com
