Showing posts with label pci-dss.

Friday, October 03, 2008

Is the PCI guy serious?

Version 1.2 of the PCI Data Security Standard was released yesterday. If you're really interested, you can find some analysis on what's new here, here and here (or via your favourite search engine of course).

I'm not sure how much more useful PCI DSS version 1.2 will be compared to the "worthless v1.1 incarnation" in a practical sense, but if comments by Bob Russo, General Manager of the Payment Card Industry Security Standards Council, are anything to go by, I'm not holding my breath.

On page 2 of an article today, he's quoted as saying:
"Today we say if you're going outside the network, you need to be encrypted, but it doesn't need to be encrypted internally. But as an example, if you add end-to-end encryption, it might negate some requirements we have today, such as protecting data with monitoring and logging. Maybe you wouldn't have to do that. So we'll be looking at that next year."
Is he serious? Or was he misquoted? Or maybe the comment was taken out of context? Or maybe my eyes are deceiving me?

End-to-end encryption on its own doesn't make cardholder data any more secure against the people who can already read it. Sure, if any of your disks are stolen, the thief gets ciphertext without the key and you're probably ok. But what protects consumers against your own employees, who have legitimate access and get the data back in the clear? Encryption does nothing there: if there's no monitoring and logging, there's no psychological deterrent and no audit trail if something does happen.

I'm shaking my head in disbelief right now...
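To make the argument above concrete, here is an added example (it is not code from the original post, and not from the PCI SSC or any vendor): an encrypted card store whose only path to plaintext is an audited lookup, followed by the kind of detection that the audit trail makes possible. The cipher is a standard-library stand-in (HMAC-SHA256 run in counter mode) for the AES/HSM layer a real deployment would use, the key is a constructed demo value, and the users, record ids, PANs and thresholds are all invented for the demo. Requirement 10 of PCI DSS (track and monitor all access to network resources and cardholder data) is the requirement the quoted remark suggests encryption might replace; this is what it buys you.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed demo key. A real deployment keeps the key in an HSM/KMS; the
# cipher below is a stand-in (HMAC-SHA256 in counter mode) for the AES layer
# so the example runs on the standard library alone.
DEMO_KEY = bytes(range(32))


def _keystream(nonce, length):
    """Derive `length` keystream bytes from (DEMO_KEY, nonce) in CTR mode."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(DEMO_KEY, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def encrypt_pan(pan):
    """Return (nonce, ciphertext) for a PAN; a fresh nonce per record."""
    nonce = secrets.token_bytes(16)
    data = pan.encode()
    return nonce, bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))


def decrypt_pan(nonce, ciphertext):
    """Recover the PAN; only possible with DEMO_KEY, so a stolen disk is useless."""
    ks = _keystream(nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks)).decode()


class CardVault:
    """Encrypted PAN store whose only plaintext path is an audited lookup."""

    def __init__(self):
        self._records = {}    # record_id -> (nonce, ciphertext)
        self.audit_log = []   # one entry per decryption: the PCI DSS req. 10 trail

    def store(self, record_id, pan):
        self._records[record_id] = encrypt_pan(pan)

    def lookup_pan(self, user, record_id, purpose, ts):
        """Decrypt for a legitimate user, but never without writing the audit entry."""
        nonce, ct = self._records[record_id]
        # Log before returning plaintext so an aborted call still leaves a trace.
        self.audit_log.append({"ts": ts, "user": user, "record_id": record_id,
                               "purpose": purpose, "action": "pan_decrypt"})
        return decrypt_pan(nonce, ct)

    def disk_image(self):
        """What a thief gets from the stolen disk: nonces and ciphertext, no key."""
        return dict(self._records)


def flag_bulk_access(audit_log, window_seconds=3600, threshold=20):
    """Sliding-window detection over the audit trail.

    Returns {user: peak decryptions in any window} for every user whose peak
    exceeds `threshold`. Encryption cannot tell these users apart; the log can.
    """
    by_user = defaultdict(list)
    for entry in audit_log:
        if entry["action"] == "pan_decrypt":
            by_user[entry["user"]].append(entry["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[user] = peak
    return flagged


def demo():
    """Constructed scenario: two employees with identical, legitimate access."""
    vault = CardVault()
    for i in range(300):
        vault.store(i, f"4111111111{i:06d}")   # constructed test PANs
    base = 1_600_000_000
    # alice, support agent: 5 lookups spread over an hour, each tied to a ticket
    for i in range(5):
        vault.lookup_pan("alice", i, f"ticket-{i}", base + i * 600)
    # mallory, same role: scripts 150 lookups in under three minutes
    for i in range(150):
        vault.lookup_pan("mallory", i, "ticket-42", base + i)
    return vault, flag_bulk_access(vault.audit_log)


if __name__ == "__main__":
    vault, flagged = demo()
    print("audit entries:", len(vault.audit_log))
    print("flagged users:", flagged)
```

Running `demo()` flags mallory with 150 decryptions in one window and leaves alice alone; the disk image is the same bag of ciphertext for both cases. The point of the example is the shape of the design, not the stand-in cipher: the decrypt path is the choke point, so that is where the log is written, and that log is the only evidence that distinguishes the support agent from the insider exfiltrating the table.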

Thursday, October 11, 2007

McAfee acquires SafeBoot

McAfee announced earlier this week that they were acquiring SafeBoot for $350 million USD. It's actually a good move, despite what I'm about to say.

It's almost like the McAfee product strategy people have been going through the PCI-DSS standards and acquiring technology to address gaps in their portfolio so they can sell a portfolio that "solves" all of a customer's PCI issues (or so they say):
  1. They've had their Anti-virus and Anti-spyware solutions for a long time.
  2. They acquired Onigma at the end of 2006 for its data leakage/loss prevention/protection (DLP) capabilities. They also just updated the DLP product with functionality to catch up with its competitors somewhat (although they're still behind in functionality).
  3. They've got network access control software.
  4. They've got a so called policy engine.
  5. And now they've just shored up their encryption capabilities with the SafeBoot acquisition.

The gaps left are:
  1. Firewall - but McAfee will probably say they've got that covered with their intrusion prevention solutions working in conjunction with their network access control solution.
  2. System passwords and restricting access to information. In other words, Identity and Access Management.
  3. Testing and monitoring all accesses to resources and data. Again, more Identity and Access Management - although McAfee will also claim their DLP product working with their network access control product and their policy engine gives them the tick in the box here.
It all looks very nice on a marketing slide of course. They still have to integrate all this technology. The technical integration of acquired products takes time, and the products usually don't play nicely with each other until the N+2 or N+3 release post-acquisition.

Another thing. Their list of products is growing. If they aren't careful, they'll end up like Tivoli's portfolio from a few years ago, where half the products overlapped in functionality with the other half and very few of them worked nicely together. Tivoli have since fixed that, but it took a few years.