Musings about PCI in the press
Posted by Ed in Analysis on Dec 28, 2006
First of all, my apologies for not blogging in a while… even after I said that I was back and that I’d be blogging more. It’s the holidays, and trust me, I really needed the downtime. Anyway, now I’m back and should be keeping abreast of things – at least until the new year.
Anyway, I came across an interesting thing the other day: an article by Rob Pollard entitled PCI Data Security Standard Calls for Next-Generation Network Security. Check out the following excerpt:
“The confluence of network security and network performance creates a secure sphere of vigilance from the core of the network to its edge, enabling IT managers to watch for internal breaches of established security protocols at the same time they are monitoring for external infiltration.”
Now, I was interested because of the reference to PCI. I try to keep up on this stuff because I’m a “QDSP” – which, though I would like to tell you stands for “Quasi-Delirious and Spasming with Pain,” really stands for “(supposedly-)Qualified Data Security Professional”; what that means in practice is that I’ve been to VISA’s “sit in a room and drink burnt coffee” training. It also means that I’m approved by VISA to assess people on their PCI compliance. Since the training didn’t really prepare me for some of the things I’d encounter in the field, such as how to conduct a PCI audit or how to interpret the standards (preferring instead to concentrate on the format/structure of the magnetic stripe on a credit card, why it’s important not to let criminals get credit card numbers, and why SET was a work of misunderstood genius), I tend to read any articles I can find about PCI to keep abreast.
Anyway, the point is that I read this in the light of trying to better understand PCI. Now, before I get into this, let me say that I have no axe to grind here – I think the article was on-track from a security perspective, and I think it was executed very eloquently by the author – I am not doing it down. However, that being said, I think it illustrates a point that I’ve been trying to make for a while now – which is that when it comes to compliance, it pays to take what’s in the media with a grain of salt. For example, check this out:
[PCI] requires that network security managers know the established network conversation patterns of every employee, who has access to which servers, what data must be encrypted, and how to restrict access to the most sensitive data stores.
That’s a pretty bold stake in the ground, no? In order to do this, network managers would have to have detailed information about every user, every application in use, every machine on the network, and every little tidbit of data enterprise-wide. Wouldn’t they? After all, how would they know what the “established conversation patterns” are if they didn’t know what applications were in use? Or how would they know what data to encrypt if they didn’t know what data there is to choose from? Now, I agree that this type of thing would be useful. For sure. But is it mandated? I don’t think it is. Saying that this is “expensive and time-consuming” is an understatement akin to saying “some people don’t really enjoy liver all that much.”
PCI requires a new breed of security technology that can ensure the same level of security for internal operations as for the perimeter…
The ideal solution would be able to track routine network usage by every employee, identify when and how critical servers are being accessed, harden and segment networks to proactively prevent unauthorized access to confidential information, and prevent attacks from compromising legitimate access to critical information.
Really? The same for internal as external? Look – I’m not saying these aren’t good security measures. All I’m saying is that I don’t agree that they’re required by PCI; in fact, I would argue that the PCI requirements merely codify what most folks should be doing anyway.