PCI is Not Enough

by Paul French
VP, Product & Solutions Marketing
Axway

If you Google “Heartland Payment Systems CEO auditor,” you’ll find a recent interview with said CEO, Robert Carr. Heartland is a credit card processor, and they recently got dinged because a whole lot of credit card numbers got stolen. The CEO’s position was that the company was PCI compliant, they did everything right, and the auditors were the ones who screwed up. Now, he wasn’t completely passing the buck (maybe a little bit), but he was trying to make a point to all who would hear it, and that point is this: PCI is not enough.

PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported.

And I completely agree. PCI is just one part of many complex and comprehensive data privacy standards that need to be evaluated and supported, but it’s not enough to treat it like a box of soap (e.g., “Big Name Bank—Now with PCI compliance!”).

There was a time in the recent past when that was enough to get you off the hook. But that’s not going to help Heartland. It didn’t help a company called Hannaford Brothers, which had a data leak problem and was also PCI compliant.

It’s important to actually think about compliance as a modular effort. You have a certain set of tools and policies that evolve to satisfy the external regulatory bodies you’re forced to comply with. And that’s great. But it’s absolutely critical to go above and beyond the call of compliance so that legislative, regulatory, customer, partner and contractual requirements aren’t summarily forced upon you. Everyone will believe that you have what’s necessary to be secure, and rightly so.

You shouldn’t buy one solution that only addresses PCI any more than you should buy one car that only takes you to the office, one car that only takes you to the grocery store, one car that only takes you to the theater, and one car that only takes you to the football game. You should buy one car that takes you everywhere you need to go, and you should buy a comprehensive data security and compliance solution that will account for all the different needs of all the different venues, jurisdictions and industries that you participate in.

(Photo by djlicious: http://www.flickr.com/photos/djlicious/ / CC BY 2.0)

What to Demand From Your Company’s Anti-Spam Product: A Quick Primer

by J. Kirk
Sr. Product Solutions Manager
Axway

In Davos, Switzerland, in 2004, Bill Gates predicted a spam-free world in two years. That, of course, didn’t even come close to fruition, and if you consider what happened from 2006 to 2009—Gates’ predicted utopian era of squeaky-clean inboxes—you have to confront the fact that spam outbreaks actually spiked consistently every twelve months.

Nothing beats human intuition in security matters, and a robust anti-spam product empowers its users with the information they need to make executive decisions on all inbound email.

You’ve heard all the scary numbers before. Up to 90 percent of all email is spam. One in 300 PCs has a virus. Three hundred thousand PCs get compromised every day. Only about six percent of inbound email is legitimate.

But what should you demand from your company’s anti-spam product to tackle these numbers head on and perhaps make Gates’ wild dream a reality (at least for your inbox)? And what analogy can you use in your organization’s anti-spam chats that pushes these features out of the abstract?

How about the airport?

What analogy could be better?

First, if your anti-spam product has IP reputation and content filtering, it’s performing like that first line of TSA guards who won’t even let you onto the concourse and up to the X-ray machines without a ticket and ID. Spam that can’t prove it has any business being near your inbox simply won’t be near your inbox.

Next, if your anti-spam product has artificial intelligence and image filtering, it’s performing like concourse security, checking IDs and luggage and waving the metal-detector wand. If something’s fishy at the airport checkpoint, the suspect probably isn’t going to make their flight, and likewise, even though the spam might’ve been able to get by the first line of defense, its contents betray it, and the spam is stopped dead in its tracks.

Finally, if your anti-spam product supports a human view, it’s allowing your IT department to perform like the hawk-eyed security guards in the unseen offices at the airport, standing before a large bank of monitors and taking action on the fly. Nothing beats human intuition in security matters, and a robust anti-spam product empowers its users with the information they need to make executive decisions on all inbound email.

Overlapping techniques like these combine to create a surefire method for protecting your organization against spam. Is Bill Gates’ vision of a spam-free world here today? No. But the more organizations insist on quality anti-spam products that boast these features, the less attractive spam will become to the unsavory characters who send it. And who knows? At some point, it might not even be worth their time.

(Photo by Mulad: http://www.flickr.com/photos/mulad/ / CC BY 2.0)

The Dawn of eHealth Records

By Paul Fowler
VP, Healthcare Innovation, Office of the CTO
Axway

Whether they’re for or against socialized medicine, everyone agrees on one thing about healthcare today: if we apply technology toward exchanging information—if we increase speed, bolster accuracy, eliminate paper and save money—we’ll all be better off.

Today, whenever you go to the hospital, they ask you if there is a history of cancer, heart attack, or stroke in your family. But do you really know? How much of your family history do you really know?

But where’s this going? Is it as simple as making your medical information accessible to your physician?

In a word, no.

It’s much more complicated than that, but at the same time, it presents a wonderful opportunity.

The traditional approach to healthcare has been reactive. You get sick, you go to the doctor, you get something for it.

But patient wellness is changing that way of thinking.

I used to lecture on healthcare, and I’d often illustrate my point with a scale capped off by two characters. At the top, the Olympic athlete: a uniquely healthy individual well-suited for a given sport. At the bottom, a guy with a knife in his chest: a uniquely unhealthy individual who, without immediate healthcare, is not long for this world. At the midpoint between these two characters, I wrote a single word: pain.

Traditionally in the West, for better or worse, “healthy” means “a lack of pain,” and on this scale, everything above “pain” means “healthy,” and everything below “pain” means “requires medical treatment.” In the public consciousness, the focus has always been below this “pain” midpoint, but more and more, people are realizing that this is far too general an approach, that there are things happening throughout this spectrum that deserve attention, and that such attention must be recorded.

This is where medical eHealth records come in.

Your eHealth record would be issued the moment you were born, not the moment you first got medical treatment. It would be a comprehensive profile that takes into account everything that characterizes your physical makeup—from your ethnicity to your location to your parents’ medical history—and customizes a preventative approach to health. As you continued through your life, details about your lifestyle and activity would be added, optimizing your chances for maintaining your health—not merely, cynically chronicling those moments when your health was less than ideal. Additionally, your family’s medical eHealth records—your mother, your father, your grandparents and all your blood relatives—would be integrated with your eHealth record, creating a richly detailed account of your family history that would prove invaluable to your long-term wellbeing.

Today, whenever you go to the hospital, they ask you if there is a history of cancer, heart attack or stroke in your family. But do you really know? How much of your family history do you really know? With an integrated eHealth record, you’ll be able to say, “Let’s look it up!”

This is the wonderful opportunity that I’m speaking of.

And from a technical perspective, this wonderful opportunity should present an enormous challenge.

It should challenge health practitioners to be able to move information, structured and unstructured, from one point to another. It demands that we build communities and networks, that we move information securely and safely, that we govern all the activity that happens across those networks, compile the data so it’s usable, provide analytics, and make it available to the people who need it. It demands a system that connects securely under governance, and by governance I mean policy—government-mandated policy like HIPAA. With so much information available and constantly in transit, the potential for catastrophic breaches should challenge us constantly, because that potential must be countered with a robust security framework that guarantees the information won’t fall into the wrong hands while in flight yet will still be easily consumable when it arrives at its destination.

Why do I say it “should challenge”?

Because, in truth, it won’t.

The principles behind the solutions that enterprises rely on to securely move information in the course of business today will be the same principles that securely move information in the course of medicine tomorrow. With eHealth records, the dream of preventative medicine that yields true patient wellness finally has a chance to be realized, and with robust, infinitely scalable solutions like B2B communications, managed file transfer and secure email, the technical challenges that have long kept us from this dream will finally become moot.

(Photo by dougww: http://www.flickr.com/photos/dougww/ / CC BY-SA 2.0)

Compliance and the Network Solutions Breach

Does it make sense that “any company operating in (Network Solutions’) business could have become a victim of this type of invasion”?

By Kathryn Hughes
Product Marketing Director
Axway

A breach on Network Solutions’ servers last month may have led to the theft of 573,928 individuals’ credit card data. These individuals made purchases on Web sites hosted by the company.

The coverage doesn’t mention this specifically, but it looks like the data was lost during the transfer—perhaps intercepted and captured in transit or insecurely stored prior to sending or after receipt. A secure managed file transfer solution would protect the infrastructure from that sort of penetration.

When you’re using a comprehensive managed file transfer solution, you both exchange data securely and store it within your infrastructure securely, and that yields comprehensive, end-to-end secure data flow and storage. That’s just one benefit. Another benefit of a true managed file transfer solution is that it’s not just about the exchange of data, it’s about the auditability, the reporting, the management of data and process flow, and layered onto that, visibility, so that you can actually see where the data is at every point in the process flow or the transaction flow. You have risk alerts and monitoring and elaborate policy control around that data flow or structure.

Because, ultimately, it’s not just about moving data. Around the data movement itself, you have to secure the data in transit and at rest, and on top of that you have to have auditing, reporting and logging of the whole process flow. You need to know where your point of failure will be. Layer visibility on top of that, and now you have a console for easy management and insight into—and elaborate policy notifications in—any place there is a potential risk. You take proactive, corrective measures if something is triggered or if it’s taking longer to process than it normally would, so that you can alleviate and be ahead of the game as opposed to being caught in a breach situation.

What unauthorized code are they speaking of? Was this unauthorized code sitting on the network and sniffing the file traffic? Were they not using secure communication? Or did someone actually breach their system—physically breach their system?

That’s not clear. But if you have the data protected in transit so that it’s sent and stored securely, you’re in a true managed file transfer solution that has management and policy around it. Other people can’t add data to the system and can’t change transaction flows outside the policy guidelines or without policy triggers. If they do, then you get an alert, a warning, a message that something’s happened, and you can then be quicker to take action.

So what does this say about companies that feel that, once they’re compliant, they’ve done their job? What does this event say about companies being concerned solely with being compliant and not with being genuinely secure? Compliance covers a lot of security, but it’s not everything—there are different ways of showing that you’re compliant, and different interpretations of what compliance means. So there’s some wiggle room for interpretation, and the gaps created by that wiggle room are exactly what made this happen.

What do you think? Does it make sense that “any company operating in (Network Solutions’) business could have become a victim of this type of invasion”?

(Photo by The Consumerist: http://www.flickr.com/photos/consumerist/ / CC BY 2.0)

On the Subject of the Cybersecurity Czar

By Taher Elgamal
Chief Security Officer
Axway

There’s no common thread that says, “All of you are really important to the cybersecurity of this country, and we need to collaborate to actually improve it.”

The role of cybersecurity czar will surely be a challenging one for the Obama administration to fill.

But truly, before the choice of the actual person is made, a number of tasks need to be decided on. A single cybersecurity czar doesn’t have to solve all the issues at hand. If somebody stays in the role for a year or two and just sets certain things in motion and actually starts to improve the situation—rather than talk about improving the situation—then somebody else can pick that up and continue the implementation. A succession plan can be designed to improve the entire situation.

What we need to see from the next cybersecurity czar are programs that will incentivize organizations to implement the correct things. I’m not talking about bailout money; I’m talking about actual, measurable tasks. If you’re a bank or another important company, the cybersecurity of your particular part of the network is really just as important to the country as any other part of the network because everything’s connected together. And with government networks, putting together programs and improving the situation, rather than talking about what it is that needs to be done, is the way to go. People already know what needs to be done!

There are hundreds of CIOs in the federal government, and everybody has their own budgets and desires and priorities and so on. There’s no common thread that says, “All of you are really important to the cybersecurity of this country, and we need to collaborate to actually improve it.” We need to be more quantitative with our incentives—if this or that happens, your budget gets improved, or you get to hire more people. Something.

I’m not a fan of somebody sitting at the White House writing policy about cybersecurity. It was already written during the Clinton administration and it looks fine. It still applies. Why are we second-guessing it? Any baby steps we take to improve the situation will probably lead to the right place. The trick is finding a czar who is going to take those baby steps and adjust certain policies as we go.

President Obama talked about change during the campaign, but hiring someone to write policy is not change. It is completely status quo. Change is about putting things in motion. Is protecting the cybersecurity of the country just as important as protecting the financial system or the auto industry? History will have to judge that, ultimately, but in the short-term, the answer is yes: protecting our nation’s cybersecurity has to be a priority. It can’t be relegated to being a mere political gesture. It must be replete with the spirit of change.

(Photo by declanjewell: http://www.flickr.com/photos/declanjewell/ / CC BY 2.0)

Why Service Level Agreements Fail and What Steps Will Help Yours Succeed

by Daryl Eicher
VP, Industry Solutions
Axway

Is there ever a reason to believe that unmonitored SLAs are worth the paper they’re written on?

Why do service level agreements (SLAs) fail? There are three big reasons why SLAs don’t work out the way people expect them to. For starters, too often, SLAs just aren’t detailed enough. They don’t focus on specific expectations for the parties involved. There are too many ways around SLAs like that, because too much is open to interpretation.

The second big reason SLAs don’t work out is lack of clarity around incentives. It’s critical to make sure there are consequences. Unless there are financial consequences for non-performance (i.e., you don’t get paid as much, you don’t get paid at all, etc.), it’s unlikely, just based on human nature, that you’re going to get the level of service you’re looking for. There are two camps here: one is more punitive and Draconian, the other is a little looser. But you always get what you measure. And an SLA needs to be considered a binding, contractually valid commitment between two parties about a service that’s being delivered and about what the quality of that service needs to be in order to warrant full payment.

Finally, SLAs that are not effectively monitored tend to have more issues with quality of service than those with automated mechanisms for continuous, fact-based evaluation.

While these fundamentals are pretty basic, it’s surprising how difficult it is to actually get business partners, customers, suppliers and agencies aligned on what is most important to their working relationships. What are the rules of engagement? Since those are often vague or unenforceable, there may not be mechanisms to automatically monitor performance against that service level. If you’re missing either one of these keys—if you don’t have enough detail or a mechanism for monitoring it—you’re not going to get full SLA compliance. Period.

That’s why SLAs fail. So what can you do to avoid these common pitfalls?

First, think about what is important to you as the provider or the buyer in terms of quality of service. You have to negotiate and adequately document performance expectations. Next, you have to make sure there is an automated, fact-based way to monitor compliance. Periodic audits and anecdotal problem escalations are often used to give indications of compliance, but they’re expensive, disruptive and sporadic. Make sure that compliance is financially lucrative for the provider. If they perform as expected, then they get an upside from it, or, conversely, a financial penalty for non-performance.

Second, realize that automatic monitoring depends on a level of confidence in the data about the service. Since many services are delivered in the cloud or from a third party, the data about quality of service is often self-reported by the provider. This is another thing you’ve got to be careful about. You’ve got to be very explicit about the quality of that data. Everything—definitions, calculations, how it’s collected, when it’s reported and what to do when there are problems in the data—needs to be in writing. In fact, the quality of data about the service is an important part of the service. So include data quality as a key metric in the SLA and tie it to financial incentives.

Remember, if you can’t trust the numbers, you don’t know what you’re looking at, and you won’t have effective performance monitoring. Without that data, how will you ever know whether you’re truly getting what you pay for?
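As an added illustration of the two points above (not code from the post or from Axway), here is a small SLA evaluator that scores a provider’s self-reported samples two ways and treats data completeness as its own metric. The contract terms, the sample report and the penalty schedule are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SlaTerms:
    """Hypothetical contract terms; the field names are this example's own."""
    availability_target: float   # share of requests that must succeed, e.g. 0.95
    latency_limit_ms: int        # a sample slower than this counts as a failed request
    samples_per_hour: int        # reports the provider must deliver each hour
    data_quality_floor: float    # below this share of expected samples the report is untrusted
    penalty_per_point: float     # invoice share withheld per percentage point below target


def evaluate_sla(samples, terms, hours):
    """Score one reporting period of self-reported samples.

    samples: list of (hour_index, latency_ms); latency_ms is None when the
    provider reported a failed request. Missing samples are scored two ways
    so the gap between the provider's view and the buyer's view is visible.
    """
    expected = hours * terms.samples_per_hour
    delivered = len(samples)
    succeeded = sum(1 for _, ms in samples
                    if ms is not None and ms <= terms.latency_limit_ms)
    data_quality = min(1.0, delivered / expected) if expected else 0.0
    # Provider's view: only the samples it chose to send are counted.
    reported = succeeded / delivered if delivered else 0.0
    # Buyer's view: a sample that was never delivered is a request the
    # provider cannot prove succeeded, so it counts against availability.
    conservative = succeeded / expected if expected else 0.0
    shortfall_points = max(0.0, terms.availability_target - conservative) * 100
    penalty = min(1.0, shortfall_points * terms.penalty_per_point)
    return {
        "data_quality": data_quality,
        "data_trusted": data_quality >= terms.data_quality_floor,
        "availability_reported": reported,
        "availability_conservative": conservative,
        "invoice_penalty": penalty,
    }


# Constructed terms and report: two hours at six required samples per hour,
# but the provider delivered only ten samples.
TERMS = SlaTerms(availability_target=0.95, latency_limit_ms=500, samples_per_hour=6,
                 data_quality_floor=0.9, penalty_per_point=0.02)
REPORT = [
    (0, 120), (0, 95), (0, 310), (0, None), (0, 140),   # hour 0: five of six, one error
    (1, 88), (1, 760), (1, 102), (1, 99), (1, 130),     # hour 1: five of six, one too slow
]

if __name__ == "__main__":
    for key, value in evaluate_sla(REPORT, TERMS, hours=2).items():
        print(f"{key:>26}: {value}")
```

On this report the provider would claim 80% availability, while counting the two undelivered samples drops it to 66.7% and flags the data as untrusted, which is the gap an SLA without a data quality clause never surfaces.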

What do you think? Is there ever a reason to believe that unmonitored SLAs are worth the paper they’re written on?

(Photo by Andyrob: http://www.flickr.com/photos/aroberts/ / CC BY 2.0)