Michele Chubirka
PCI DSS Version 3.0: No Relief For Security Pros

It’s been almost a decade since the Payment Card Industry Data Security Standard (PCI DSS) was introduced to protect credit card data, but financial fraud seems to be getting worse, not better. If 2013 was the year of the data breach, then 2014 looks like the year of the data apocalypse with Target reporting a staggering 110 million records compromised.

Many security professionals accuse PCI DSS of being just one more in the confusing array of checkbox compliance initiatives bogging them down with paperwork instead of offering any real mitigation of risk. There's even an entire cottage industry of training classes, consultants and auditors focused on getting organizations compliant with this often-confusing standard. According to Verizon’s recently released 2014 PCI Compliance Report, organizations still struggle to maintain PCI programs, with the average level of compliance at 89.7% of all controls.

While there are only 12 requirements, don’t let the documentation fool you: PCI DSS compliance is hard. The schadenfreude surrounding the Target breach is misleading and frustrating. For anyone who actually works in a payment-processing environment, sometimes PCI DSS seems like a hill and sometimes it’s a mountain, often tricking one into thinking it’s easily achievable. Unfortunately, the recent release of PCI DSS Version 3.0 does little to make the standard any clearer for those of us who wrestle with it daily.

In an age when a Web application can be composed of a whole series of devices and servers, tracking dependencies and limiting scope is challenging, especially while trying to keep those systems manageable. Defining and documenting scope has always been a major point in PCI DSS, but it doesn’t get easier with version 3.0, which adds requirements 1.1.3 and 2.4 calling for network diagrams documenting cardholder data flows and a device inventory of the Cardholder Data Environment (CDE). Additionally, the updated standard introduces a new pen testing requirement to verify segmentation.

Keep it simple by treating the CDE like a childhood game of cooties: If a device or system touches cardholder data, then it’s infected and must be contained or isolated.

[Read why the National Institute of Standards and Technology standards provide a strong foundation for an information security program in "Do NIST Information Security Standards Matter?"]

Moreover, the new standard doesn’t clear up some common myths and misconceptions about PCI DSS. For example, contrary to what some think, a wireless network is still subject to the standard, even if cardholder data doesn’t transit it. It’s untrusted and must be verified as isolated from the CDE by a firewall. You also have to implement processes that detect and identify unauthorized access points on a quarterly basis.
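The "cooties" scoping rule and the wireless isolation check, as an added example that is not part of the article: a constructed inventory and link list (all names hypothetical) are walked so that anything reachable from a cardholder-data system without a segmenting firewall is pulled into scope, and any wireless network that ends up in scope is reported as a finding.

```python
from collections import deque

# Constructed sample inventory: name -> (handles_cardholder_data, is_wireless)
INVENTORY = {
    "pos-terminal": (True, False),
    "payment-gw": (True, False),
    "web-frontend": (False, False),
    "erp-db": (False, False),
    "guest-wifi": (False, True),
    "corp-wifi": (False, True),
    "hr-laptop": (False, False),
}

# Constructed sample connectivity: (a, b, segmented_by_firewall)
LINKS = [
    ("pos-terminal", "payment-gw", False),
    ("payment-gw", "web-frontend", False),
    ("web-frontend", "erp-db", True),
    ("guest-wifi", "payment-gw", True),
    ("corp-wifi", "web-frontend", False),
    ("hr-laptop", "erp-db", False),
]


def build_adjacency(links):
    """Undirected adjacency list; each edge remembers whether a firewall segments it."""
    adj = {}
    for a, b, segmented in links:
        adj.setdefault(a, []).append((b, segmented))
        adj.setdefault(b, []).append((a, segmented))
    return adj


def pci_scope(inventory, links):
    """Return (cde, in_scope, findings) for the given inventory and links."""
    # The CDE proper: every system that stores, processes or transmits cardholder data.
    cde = {name for name, (handles, _) in inventory.items() if handles}
    adj = build_adjacency(links)
    # Cooties rule: anything that touches the CDE without segmentation is in scope too.
    in_scope, queue = set(cde), deque(cde)
    while queue:
        node = queue.popleft()
        for neighbour, segmented in adj.get(node, []):
            if segmented or neighbour in in_scope:
                continue  # a firewall boundary stops scope from spreading
            in_scope.add(neighbour)
            queue.append(neighbour)
    # Wireless must be verified as isolated from the CDE by a firewall.
    findings = [f"{n}: wireless network reachable from CDE without a firewall"
                for n in sorted(in_scope) if inventory[n][1]]
    return cde, in_scope, findings
```

With the sample data, erp-db and hr-laptop stay out of scope behind the firewall, guest-wifi is correctly isolated, but corp-wifi is dragged into scope through web-frontend and is reported.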

However, the language in the standard still seems unclear on this point because of context. Wireless (whether in scope or not) appears in multiple sections of PCI DSS Version 3.0, and in a culture of tl;dr (too long; didn't read), a document of 112 pages will put all but the most dedicated technologists to sleep.

PCI DSS 3.0 does nothing to clear up the confusion surrounding the Self-Assessment Questionnaire (SAQ) and its categories. Just because you’re at a level of processing that permits completion of a self-assessment, that doesn’t mean the requirements are optional. Unfortunately, the documentation for self-assessments is on a separate part of the PCI Security Standards website, and the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document even seems to encourage the assistance of a Qualified Security Assessor (QSA) to ensure compliance.

Then there’s the dreaded compensating control. Used when an organization can’t meet an explicit requirement due to a technical or business limitation, this seems to be the infinite loop of PCI DSS and the thing most likely to cause aneurysms in a security team. You’ll see professionals argue about compensating controls into perpetuity, with some trying to pass off the most ludicrous options.

While 3.0 doesn’t seem to make this easier to understand, the important thing to consider when implementing a compensating control is included in Appendix B of the standard: It must “meet the intent and rigor of the original PCI DSS requirement, provide a similar level of defense ...” and “be above and beyond other requirements.”

PCI DSS is a framework of specifications and guidelines, but vendors often add to the confusion by hyping their PCI-compliant products as an immediate solution to something that’s often less a technology than a people problem. Compliance often requires a change in business processes. If there isn’t leadership in place to drive collaboration across organizational silos, then those attempting to implement the initiative end up like Sisyphus crushed by the PCI boulder as it rolls down on top of them.

[Learn best practices for starting and maintaining a PCI DSS compliance program in Michele Chubirka's session, "Adventures in PCI Wonderland" at Interop Las Vegas March 31-April 4. Register today!]
