Links for PCI DSS
8 Nov 2011. Posted by Tony Law in Impact of IT, IT is business, ITasITis, Managing IT, Tech Watch, Technorati.
Tags: PCI DSS
I’m facilitating a workshop next week on PCI DSS and as usual here are some of the links I’ve identified, including some recent enforcement casework.
For the uninitiated: PCI is the Payment Card Industry and DSS is its Data Security Standard. The standard is published by the PCI Security Standards Council, an international body set up by the major card brands, and it reaches merchants through their contracts with the “acquirers” – that’s PCI-speak for the banks and payment processors that accept card transactions on a merchant’s behalf and settle the money. It is the acquirer, not the Council, that holds a merchant to the standard.
National information security requirements are very much to the fore too. In the UK the Information Commissioner’s Office (ICO) recently took enforcement action against Lush, the cosmetics firm, and its press release uses that case to emphasise that organisations handling card data must implement PCI DSS, or an equivalent standard, in order to meet the basic security requirements of UK data protection law. The Lush case was resolved by an undertaking, but the ICO’s information page outlines the full range of enforcement options and potential penalties.
Compliance with a standard doesn’t replace the need to understand the actual vulnerabilities in your own pages, not least when a page embeds elements from elsewhere that can be hijacked – cross-site request forgery (CSRF, see the glossary and the OWASP link below) being the classic case.
PCI – Payment Card Industry
PCI DSS – PCI Data Security Standards
CSRF: Cross-Site Request Forgery
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
ISA: Internal Security Assessor
QSA: Qualified Security Assessor
ISO: Independent Sales Organisation (in this context!)
• PCI SSC Data Security Standards Overview, from PCI Security Standards Council
• ICO warns retailers to implement PCI-DSS or face “enforcement action”, Security Vibes, 12 Aug 2011
• Online security must be a priority for retailers, says ICO, ICO Press Release, 9 Aug 2011
• Taking action: data protection and privacy and electronic communications, ICO information (including a list of recent prosecutions)
• PCI DSS: An Acquirers guide for PCI Compliance Best Practices, from the PCI Compliance Guide (an independent PCI source)
• Cross-Site Request Forgery (CSRF), information from the Open Web Application Security Project (OWASP)
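The CSRF defence that the OWASP link above describes, worked through as an added example (this is not code from the post or from OWASP): a synchroniser token derived from the session and validated together with an exact origin comparison. The trusted origin shop.example, the session and request dicts, and the secret are all constructed for illustration.

```python
"""Synchroniser-token check for cross-site request forgery (CSRF).

Added example for this page; not code from the post or from OWASP. The
session layout, the request dict, the trusted origin and the secret are
constructed for illustration."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://shop.example"      # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}    # must never change state


def csrf_token_for(secret: bytes, session_id: str) -> str:
    """Derive the token from the session id so it cannot be replayed against
    a different session; the HMAC keeps it unforgeable without the key."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def new_session(secret: bytes) -> dict:
    """Server-side session record; the token is what the page embeds in forms."""
    session_id = secrets.token_hex(16)
    return {"id": session_id, "csrf_token": csrf_token_for(secret, session_id)}


def same_origin(url: str, trusted: str) -> bool:
    """Compare scheme, host and port exactly. A string-prefix test would
    accept https://shop.example.attacker.example, so parse instead."""
    a, b = urlsplit(url), urlsplit(trusted)
    default = {"https": 443, "http": 80}
    return (a.scheme, a.hostname, a.port or default.get(a.scheme)) == \
           (b.scheme, b.hostname, b.port or default.get(b.scheme))


def check_request(secret: bytes, session: dict, request: dict) -> tuple[bool, str]:
    """request = {"method": str, "headers": {...}, "form": {...}}.
    The browser attaches the session cookie automatically, which is exactly
    why a cross-site form post would otherwise be honoured; these checks
    demand evidence that only a same-origin page could have produced."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or not same_origin(origin, TRUSTED_ORIGIN):
        return False, "origin mismatch"
    expected = csrf_token_for(secret, session["id"])
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):   # constant-time compare
        return False, "token mismatch"
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Run three constructed requests against one session."""
    secret = secrets.token_bytes(32)        # per-deployment key, kept server-side
    session = new_session(secret)
    legitimate = {"method": "POST", "headers": {"Origin": TRUSTED_ORIGIN},
                  "form": {"amount": "10.00", "csrf_token": session["csrf_token"]}}
    # Attacker's page auto-submits a form: the cookie rides along, the token does not.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"amount": "9999.00"}}
    # Same-origin page carrying a stale or guessed token.
    stale = {"method": "POST", "headers": {"Referer": TRUSTED_ORIGIN + "/checkout"},
             "form": {"amount": "10.00", "csrf_token": "0" * 64}}
    return [check_request(secret, session, r) for r in (legitimate, forged, stale)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The origin check alone is not enough (older browsers omit Origin, and Referer can be stripped by privacy settings), and the token alone is weakened if the token ever leaks into a URL; running both, and rejecting when either is absent, is the point of the example.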
Tags: investment, McKinsey, strategy
McKinsey Quarterly poses this question in the latest issue with some case study information. The fundamental issue is an old one: the IT budget being spent on maintenance, with smart investment being what gets squeezed out. But the illustrations suggest ways to move forward. It’s not the old “Align IT with the business” mantra, which still starts from the assumption that IT somehow is outside and separate from “the business” and that the disconnect is IT’s problem.
This article admittedly starts by profiling a dysfunctional CIO who doesn’t understand the issue. But it looks at the issue from the whole business perspective – that is, the CEO’s. It shows how investment can be viewed, even when it’s core infrastructure that’s at issue; it talks about benchmarking capabilities against non-competitive industries, not just competitors; and highlights some of the perceived wisdom which can, sometimes, be plain wrong and a distraction from the real challenges.
How strategic is our technology agenda? McKinsey Quarterly, Oct 2011
Beyond gmail: Google apps event with BCS
11 Oct 2011. Posted by Tony Law in Cloud, Consumerization, IT is business, IT marketplace, ITasITis, Managing IT, Tech Watch, Technorati.
I’m at a BCS North London event at Google’s London office, listening to presenters from the AppsBroker consultancy extend my understanding of how Google Apps work. We’ve passed through the background stuff about using cloud apps in general and now getting to the meat. If you’ve wondered, like me, what Google APIs can really do, then this is an as-it-goes posting; watch the space! Any errors in understanding or interpretation are mine, of course.
How to write a Google-extended app …
1 – Apps Script; 2 – Gadget APIs; 3 – Data APIs
Just seeing the down side of everything being online rather than on the device: the demo’s gone down through being unconnected. Notwithstanding that I’m doing this on Google’s guest network, the demo doc is, it appears, “offline”. Embarrassing, even when the demo’s running on a ChromeBook, which admittedly does reboot nice and quickly!
When it’s come back, we get a quick view of the script code inserted into a Spreadsheet to quickly create a form with follow-on technology such as mail-outs based on the respondent’s input, or sending update notifications when an online document is changed.
3: Data APIs, based on REST rather than SOAP (HTML based, IIRC, but can be used from other languages, e.g. Java, JavaScript, .NET, …). Can for example use the Data APIs to push data into a shared spreadsheet in real time from multiple users/locations/sources, while maintaining one version of the truth.
Google App Engine and Cloud Storage will have a >99.9% SLA from November. Cloud SQL (see the Google Blog last week) is in beta.
— adding to the interest level, we just had a fire evacuation and a quick tour of Eccleston Square with the fire marshals. Now trickling back – at least, most of us. I think some people have decided to duck out.
In the pipeline: Google Big Query: online dataset analysis – data mining/BI application. And something called the Google Periodic Table (there’s an extra column in the Transition Metal section …) which visualises the family of applications and extensions. Prediction, for example, can look at web traffic and draw interesting conclusions. Lots of searches on “sore throat” might signal the start of a flu epidemic.
Abbreviated in response to the disruption: Dalim, chair of the Branch, talking about governance. What changes with the cloud? Some of the controls, e.g. for change management; assurance from third parties, and provider management; identity and access management (do you still have super users?) and monitoring; evolving technology, complexity and challenges. Dalim offers an app assurance checklist [see BCS NLB website in due course].
Q&A … references to Google’s global infrastructure capability; e.g. guaranteeing at least four copies of data on different continents (that is, replication like Lotus Notes used to do). Regarding data protection issues – Google can’t at present commit to (for example) segregating data into the EU though this is being worked on. The offering currently may not be appropriate for heavily regulated in-country enterprises e.g. some areas of government, finance. Google, though, takes the approach that they are not data owners; they are data holders, and would pass access requests to the data owners. And there are data online about which countries request legal discovery, how often, and when. From the security point of view, just a glimpse of the multiple levels of protection applied to data.
Thinking about a portfolio of services: Google Apps will integrate both with on-premise systems (e.g. AD) and with other cloud services (e.g. a strategic partnership with salesforce.com). And there’s a commitment to back data out if a service relationship is terminated. Cloud, to Google, is contractable short term (e.g. 12 months, or as little as 1 month) – no lock-in.
• Google Apps (follow the links)
• Google App Engine, Cloud Storage and Prediction API are open for business, Official Google Blog, 11 Oct 2011
• BCS North London Branch: Past Events 2011 (you may have to scroll for this event; presentations are not yet posted but are expected)
• AppsBroker consultancy
“Cloud” has become a FUD word
7 Sep 2011. Posted by Tony Law in Cloud, IT is business, ITasITis, Tech Watch, Technorati.
A LinkedIn post flagged me to a Forbes report about a spat between Marc Benioff (that’s salesforce.com to you and me) and Larry Ellison (Oracle) about the definition, or the understanding, of Cloud.
Well, the first interesting thing about the report is that it’s not in some tech geek publication. It’s in Forbes, which rich people read. If ever there was a candidate for airline management’s key publication, it could be this one. It does rather confirm, doesn’t it, that Cloud (we used to say Cloud Computing) is mainstream business news.
And the second thing is that it confirms, as we already knew, that Cloud has become one of those Humpty Dumpty words. You know: When I use a word (said Humpty Dumpty to Lewis Carroll’s Alice) it means exactly what I tell it to mean, neither more nor less. It’s happened in every IT generation. Working backwards, we certainly include Grid, we include “e” (as a prefix, such as “eServerFarms”), and we probably include client-server. And more, I’m sure.
As an adviser, facilitator and consultant I need to understand what people are thinking when they say “Cloud”, and it can be a lot of things these days. It’s my perception (and I’m by no means alone) that a lot of what’s marketed as Cloud today is one of:
• old-fashioned hardware-based outsourcing to a remote data centre
• web services
• some newer form of outsourcing
always with long term contracts, fixed prices, security, and and and …
We can do better. But first, there are a couple of things Cloud doesn’t need to be.
It doesn’t have to be “cheap”. This is a benefit in many cases, but not a fundamental. And in any case it’s relative: a service used for a short period may be expensive per unit, but still cheaper overall than provisioning your own “stuff” which you have to lay in for the long term. A comparison: taxi fares aren’t “cheap”, but if you don’t need permanent access to your own car then occasional taxis have the edge over the long term capital and recurrent costs of running one. But the key point is: no payment in advance, no commitment to spend levels, no true-up.
And it needn’t be “public”. I’m perfectly happy to include what are called “private cloud” services in the definition, so long as they are still true Cloud by the criteria below. But the key point here is: Cloud is not just a new word for a conventionally provisioned in-house data centre.
Many, many service vendors are rebranding their outsourced or managed services as “Cloud” to cash in on the hype. There’s a massive overlap between what we consider “virtualised” and what we consider “Cloud”. And service buyers are adding to this by insisting that cloud services must be as secure, stable and long-term an investment as any other outsourcing deal. Fear, Uncertainty and Doubt ride again.
Some (many) years ago, I was part of the team operating a then-new ICL 2980 for London University. The “V” in “VME/B” stood for “Virtual”, and we had to learn (and explain to the users) the differences a virtualised system made and the advantages it could offer in the way they approached its use. Yes, this was the totally modern 1980s. Other operating systems were “going virtual” too, and one of the trade papers (I think it was Computer Weekly) ran a definition I’ve always remembered:
If it’s there, and you can see it: it’s REAL
If it’s there, and you CAN’T see it: it’s TRANSPARENT
If it’s NOT there, and you CAN see it: it’s VIRTUAL
If it’s NOT there, and you CAN’T see it: it’s GONE.
I think we add one more:
If it’s NOT there until you WANT it: it’s CLOUD.
And here are my criteria for a service to be called Cloud:
• accessed over the network using Internet protocols
• available immediately on demand
• de-provisioned immediately after use
• easy sign-up
• no long term commitment to the service provider …
• … nor by the provider to the customer
• payment strictly by usage metering
• payment after the fact, not in advance
• as near infinitely flexible capacity as can be
• Larry Ellison and Marc Benioff Just Can’t Agree: What Is the Cloud? Forbes, 6 Sep 2011
• ICL VME, Wikipedia