December 28, 2006

Musings about PCI in the press

First of all, my apologies for not blogging in a while... even after I said that I was back and that I'd be blogging more. It's the holidays, and trust me, I really needed the downtime. Anyway, now I'm back and should be keeping abreast of things - at least until the new year. :-) Anyway, I came across an interesting thing the other day; it was an article by Rob Pollard entitled PCI Data Security Standard Calls for Next-Generation Network Security. Check out the following excerpt:

"The confluence of network security and network performance creates a secure sphere of vigilance from the core of the network to its edge, enabling IT managers to watch for internal breaches of established security protocols at the same time they are monitoring for external infiltration."

Now, I was interested because of the reference to PCI. I try to keep up on this stuff because I'm a "QDSP" - which, though I would like to tell you stands for "Quasi-Delirious and Spasming with Pain," really stands for "(supposedly-)Qualified Data Security Professional"; what that means in practice is that I've been to VISA's "sit in a room and drink burnt coffee" training. It also means that I'm approved by VISA to assess people on their PCI compliance. Since the training didn't really prepare me for some of the things I'd encounter in the field, such as how to conduct a PCI audit or how to interpret the standards (preferring instead to concentrate on the format/structure of the magnetic stripe on a credit card, why it's important not to let criminals get credit card numbers, and why SET was a work of misunderstood genius), I tend to read any articles I can find about PCI to keep abreast.

Anyway, the point is that I read this in the light of trying to better understand PCI.  Now, before I get into this, let me say that I have no axe to grind here - I think the article was on-track from a security perspective, and I think it was executed very eloquently by the author - I am not doing it down.  However, that being said, I think it illustrates a point that I've been trying to make for a while now - which is that when it comes to compliance, it pays to take what's in the media with a grain of salt.  For example, check this out:

"[PCI] requires that network security managers know the established network conversation patterns of every employee, who has access to which servers, what data must be encrypted, and how to restrict access to the most sensitive data stores."

That's a pretty bold stake in the ground, no?  In order to do this, network managers would have to have detailed information about every user, every application in use, every machine on the network, and every little tidbit of data enterprise-wide.  Wouldn't they?   After all, how would they know what the "established conversation patterns" are if they didn't know what applications were in use?  Or how would they know what data to encrypt if they didn't know what data there is to choose from?  Now, I agree that this type of thing would be useful.  For sure.  But is it mandated?  I don't think it is.  Saying that this is "expensive and time-consuming" is an understatement akin to saying "some people don't really enjoy liver all that much." 

"PCI requires a new breed of security technology that can ensure the same level of security for internal operations as for the perimeter... The ideal solution would be able to track routine network usage by every employee, identify when and how critical servers are being accessed, harden and segment networks to proactively prevent unauthorized access to confidential information, and prevent attacks from compromising legitimate access to critical information."

Really?  The same for internal as external?  Look - I'm not saying these aren't good security measures.  All I'm saying is that I don't agree that they're required by PCI; in fact, I would argue that the PCI requirements merely codify what most folks should be doing anyway.

Posted by Ed at December 28, 2006 08:14 AM
Comments

Ed, I like reading your blog but was offended when you said you learned nothing in the PCI training class. We posted a rebuttal online.

Posted by: Datasecurity at February 3, 2007 03:14 PM

Ed,

Thanks for the update and explanation in our comments. We agree that there needs to be more ongoing training so we recommended a number of different resources: online forum, email ask@pciwiki.com, email PCI SSC, email card brands (i.e. Visa, MC, AE, JCB, Discover), or call the instructor directly.

We want to keep everyone informed of their options.

Thanks,
-Datasecurity

Posted by: Datasecurity at February 5, 2007 04:58 PM