Volume 7, Number 46 -- December 11, 2007

Putting the 'i' Back Into PCI

Updated: January 9, 2008

by Alex Woodie

When the major credit card brands published the Payment Card Industry Data Security Standard (PCI DSS) a few years back, they wrote its requirements in the terms and architectures they knew best. As it turned out, that meant Windows and Unix. After analysis by IBM customers and IBM engineers, the wording was updated to account for two other architectures prevalent among retailers: System i and System z.

Before he left IBM last month to found Group8 Security, Pat Botz worked with several IBM security groups: he served as security architect for i5/OS (formerly OS/400), analyzed information security on virtualized IBM servers, and worked directly with large customers in IBM Lab Services.

Along the way, Botz was called upon to examine the payment card industry's new PCI security standard, which aims to ensure that card numbers and other cardholder data are handled securely by retailers and by the systems they use to process card transactions.

When he read the requirements, he realized it would be difficult for customers of large IBM servers, namely System i (iSeries and AS/400) and System z (zSeries and S/390) mainframes, to comply with the standard as it was written in its first draft, he said during an interview last month.

"It was obviously written by people who originally came from the PC or Unix environments," he says. "Some of their wording the first time around assumed a Wintel or Unix network architecture. They had to go back and clean that up."

The problem was the requirement to implement only one primary function per server (PCI DSS Requirement 2.2.1), and the separation that implies between functions hosted on different machines; the intent is that functions needing different security levels do not share a box. In its first draft, the standard assumed that retailers would run one application per server, a common practice in the Windows world.

But that obviously wouldn't work with big iron. Many big-name retailers run ERP, merchandise management (MMS), and other critical business applications on proprietary, multi-million-dollar System i and System z servers that scale from here to the moon. On those architectures, workload isolation is built into the system stack rather than bolted on: logical partitions and the operating system's own object authority model keep separate business functions apart on a single machine, with a degree of security and reliability that virtualized Wintel environments have mostly lacked.

"While the behavior they were trying to describe was valid, the wording implied that, in a Windows world, you're going to run one application per Windows server, and therefore you need to do that one application per server regardless of what server," Botz says. "They actually went back in and cleaned it up and clarified that because there are mainframes out there, there are multi-user computers like, oh, System i that were designed and have mechanisms built in so you can have the darn things run more than one business function."

The change, made earlier this year, was necessary to avoid mass confusion over how System i and System z shops could achieve PCI compliance. But the episode also illustrates, in a roundabout way, a broader point about information security and regulatory compliance, one that Botz hopes to make with his new security consulting company, which we covered two weeks ago.

The point, Botz says, is that PCI DSS and regulations like the Sarbanes-Oxley Act (SOX) were written to be platform- and process-neutral (SOX a little more so than PCI). PCI's first draft had some platform-specific deal-breakers, and it remains more prescriptive than SOX about how to achieve compliance, but both do the right thing by laying out the security goals organizations must achieve and largely leaving it to them to decide how to get there.

Of course, customers and IT vendors have railed for years against SOX for not spelling out the exact steps required to comply with it. But the law's makers were doing exactly what they should have, Botz says.

"Do you really expect the Congress of the United States to pass a law that includes all the system value settings, all the access control settings, for every different computer system, for every different application, including custom applications? It's ludicrous," he says. "But SOX does tell you what to do in an abstract, behavioral form. And in my opinion, it rightly leaves the best possible way of enforcing that abstract behavior up to you."

The source of this complaint, Botz says, is a widespread misconception about what IT security is. People commonly confuse security processes and procedures, the platform-specific settings and technology, with security policy, which deals with the human and business level: people, their roles, and what data each role should be allowed to access.

Mixing the two, whether by letting technologists define security policy (quite common) or by letting business leaders dictate procedures and technical settings (less common but perhaps more dangerous), wastes time and money and lowers overall security, according to Botz. His goal at Group8 is to help companies separate technical security procedure from business-oriented security policy.
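The policy/procedure split Botz describes is easier to see in code. What follows is an added illustration, not code from this article, from IBM, or from Group8 Security: a platform-neutral access policy (roles, members, named data sets) is compiled into platform-specific grants, and the same policy is used to audit grants read back from a system. The role names, users, library and object names, and Unix paths are constructed for the example; the i5/OS GRTOBJAUT and Linux setfacl command syntax is real, but the objects they name are hypothetical.

```python
"""Separate a business-level access policy from platform-specific
enforcement procedures.  Added illustration; roles, users, libraries,
objects and paths below are constructed, not taken from any real system."""

from dataclasses import dataclass, field

RANK = {"read": 1, "write": 2}   # ordering of access levels, policy side


# --- Policy: who may do what with which data.  No system settings here. ---

@dataclass
class Policy:
    roles: dict[str, dict[str, str]]                   # role -> {data: level}
    members: dict[str, set[str]] = field(default_factory=dict)  # user -> roles

    def permitted(self) -> dict[tuple[str, str], str]:
        """Flatten to (user, data) -> strongest level granted by any role."""
        out: dict[tuple[str, str], str] = {}
        for user, roles in self.members.items():
            for role in roles:
                for data, level in self.roles.get(role, {}).items():
                    cur = out.get((user, data))
                    if cur is None or RANK[level] > RANK[cur]:
                        out[(user, data)] = level
        return out


# --- Procedures: the platform-specific rendering of the same policy. ---

# Where each data set lives on each platform (hypothetical locations).
LOCATIONS = {
    "i5os": {"cardholder-data": ("CARDLIB", "CARDS", "*FILE"),
             "inventory": ("INVLIB", "STOCK", "*FILE")},
    "linux": {"cardholder-data": "/srv/pci/cards.db",
              "inventory": "/srv/erp/stock.db"},
}
I5OS_AUT = {"read": "*USE", "write": "*CHANGE"}   # i5/OS object authorities
POSIX_MODE = {"read": "r", "write": "rw"}         # POSIX ACL permissions


def render(policy: Policy, platform: str) -> list[str]:
    """Turn the neutral policy into grant commands for one platform."""
    cmds = []
    for (user, data), level in sorted(policy.permitted().items()):
        if platform == "i5os":
            lib, obj, typ = LOCATIONS["i5os"][data]
            cmds.append(f"GRTOBJAUT OBJ({lib}/{obj}) OBJTYPE({typ}) "
                        f"USER({user.upper()}) AUT({I5OS_AUT[level]})")
        elif platform == "linux":
            cmds.append(f"setfacl -m u:{user}:{POSIX_MODE[level]} "
                        f"{LOCATIONS['linux'][data]}")
        else:
            raise ValueError(f"unknown platform {platform!r}")
    return cmds


def audit(policy: Policy, observed: dict[tuple[str, str], str]) -> list[str]:
    """Compare grants actually found on a system against the policy.
    observed maps (user, data) -> 'read'|'write' as read back from the box."""
    want = policy.permitted()
    findings = []
    for (user, data), level in observed.items():
        allowed = want.get((user, data))
        if allowed is None:
            findings.append(f"{user} has {level} on {data} but no role grants it")
        elif RANK[level] > RANK[allowed]:
            findings.append(f"{user} has {level} on {data}, policy allows {allowed}")
    return findings


# Constructed policy: business roles, not system settings.
POLICY = Policy(
    roles={"cashier": {"inventory": "read"},
           "settlement": {"cardholder-data": "read", "inventory": "read"},
           "dba": {"cardholder-data": "write", "inventory": "write"}},
    members={"ann": {"cashier"}, "bob": {"settlement"}, "cal": {"dba"}},
)

# Constructed snapshot of what an administrator actually granted on the box.
OBSERVED_I5OS = {("ann", "inventory"): "read",
                 ("ann", "cardholder-data"): "read",   # no role grants this
                 ("bob", "cardholder-data"): "write"}  # stronger than policy

if __name__ == "__main__":
    for line in render(POLICY, "i5os") + render(POLICY, "linux"):
        print(line)
    for finding in audit(POLICY, OBSERVED_I5OS):
        print("FINDING:", finding)
```

One policy yields both the i5/OS and the Linux command lists; only render knows that "read" means *USE on one platform and r on the other. Running the audit over the constructed snapshot reports the two deviations: ann holding read on cardholder data that no role grants, and bob holding write where his role allows only read. When the business changes a role, the policy is edited and the procedures are regenerated, rather than the other way round.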


RELATED STORY

Redefining Security the New Goal of Former i5/OS Security Architect

Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034