The Oracle Australia and New Zealand Middleware and Technology Blog.
Showing posts with label Database Security.

Friday, August 29, 2008

Can IT beat the clumsy human pt1


One of the greatest challenges is securing data, especially, for some reason, data that contains information on people. It’s almost as if personal data morphs into the people it represents and wants to break free of the constraints placed upon it within the database and applications. When you look at how many ways data can escape those constraints, you have to wonder whether it is possible to stop humans from assisting in data breaches.

So let’s have a quick look at what can go wrong:

“Export” could be the greatest contributor to data breaches ever. How many people use this luxurious command to get data into Excel so they can massage it with pivot tables? Now, the clumsy human is a simple being, so files are often labelled like “first half year forecasts” or “details of registered guests”. Once this data is exported from the confines of a structured data store and let loose in the unstructured world, there is little that can be done.

“Web 2.0”: have you noticed how easy it is these days to share files across the internet via social network sites, cloud computing, software as a service, online storage, instant messaging etc.? Indeed, except for Twitter, almost every other Web 2.0 technology is a haven for moving data. For the clumsy human it’s all too easy to store data somewhere in the cloud for convenience and backup assurance.

“eBay” unfortunately shows up these clumsy humans like nothing else. Only last week it was revealed that a poor, and I suspect now unemployed, individual sold a work PC via eBay that contained private customer data. Regardless of what processes are in place, the clumsy human needs to follow them. Do we insist all devices with a hard disk be destroyed via some huge cheese grater when decommissioned? Probably.

“Smartphones” are again a great leveller when it comes to corporate security. Almost everyone has a phone with at least 256MB of RAM. This amount seems small these days, but 100MB can store several volumes of an encyclopaedia, or thousands of contact details. With email synchronisation becoming more common now, again the clumsy human doesn’t have a chance.

See part 2 of the clumsy human for some recommendations.

Monday, August 18, 2008

Have you ignored PCI


Think about who has your credit card details. When you look at your household dealings they include council, electricity, gas, water, building insurance, car insurance, petrol, and it goes on. I am sure all of us have at least 50 relationships with various organisations via consumer spending with credit cards. In fact it would be greater when you factor in frequent purchases like clothing. When you consider the rapid growth of internet espionage, fraud and identity theft, what is being done to protect us? PCI is the best example of legislation that is designed to protect the mums and dads.

The PCI Data Security Standard is nothing new; it has been around for a few years and, depending on the region, it can be front of mind or ignored. In the land of compliance (the USA) PCI has of course seen heavy adoption, but in Asia Pacific adoption has been lagging.

So what is PCI? Well, to put it simply, the card merchants (AMEX, Diners, Visa, JCB and Mastercard) came up with a set of recommendations, or best practices, for any organisation that deals with credit card data. Encrypting card numbers, or making sure your systems are patched to current versions so they are less susceptible to hacking, are examples of these recommendations. There are 12 in total, and on reviewing them you have to wonder why they wouldn’t be adopted. It just makes good sense.

That’s clearly the problem: when does “good sense” make a good business plan? Rarely, if at all, is my opinion. With the IT industry seemingly unable to propose anything unless it is tied to an ROI, TCO, SLA or some other acronym, compliance, especially in Australia, is simply a tough sell. Where is the pain?

Well, the pain is coming. Credit vendors currently do fine organisations for failing PCI audits, but the organisation may never suffer the fine. Banks can, at their discretion, choose to absorb the fine and not pass it on to their customer. If the organisation that has failed the audit has significant financial heft, and hence contributes a large revenue stream, the bank would, for the sake of the relationship, simply eat the fine. But these fines are now becoming more frequent and larger, and the smaller Level 2 and 3 merchants are coming under closer scrutiny. So the size and frequency of the fines will now force the banks to start passing more of them on to their customers. This of course is great news for consumers like you and me, since we deserve a better deal when it comes to privacy and protection of our financial dealings.

With this changing dynamic of banks passing down the fines, and the continuous IT mantra of “do more with less”, IT automation is coming of age across the board. Most organisations have come to terms with automating employee onboarding or provisioning user accounts, and with offering self-service to change your home address, mobile phone number or a password. So why not automate your compliance regime?

The following deck outlines the 12 guiding principles of PCI and shows how Oracle IDM and Database Security solutions can overlay these requirements.

If you would like more information on PCI and how to start, give us a call.


Read this document on Scribd: PCI Presentation by Carl Terrantroy

Friday, August 1, 2008

ANZ Technology Kick Off Data Security and PCI DSS

I would like to thank Michael Ryan from Vectra Corp, who presented at Oracle’s Technology Summit in Sydney this week. Mike explained how PCI DSS is impacting organisations in Australia that store credit card details. Mandatory compliance will be introduced later this year around PCI, which means that organisations that have been delaying their compliance run the risk of a fine, or multiple fines, being issued by MasterCard or Visa. At worst, merchants may lose the right to transact with credit cards.

So is technology needed for PCI DSS? Well, the short answer is not really. In the USA organisations have survived most compliance regimes without implementing technology solutions. But what they are now finding is that compliance is costing a lot of money. So now that organisations are compliant, they are looking at how to reduce the cost of compliance. This is where technology has an important part to play, since automation is the key to reducing costs. Some of the requirements of PCI include keeping patching up to date, user access security, encryption and auditing. All of these can be supported by Oracle's security solutions, which lock the database down and manage access and authorisation requests.

Here is Michael's presentation.

Here are my introduction slides.
Read this document on Scribd: Datasecurity

If you would like more information, please contact me or Vectra.
Cheers