Information Security in the Real World. Confidentiality, Availability, Integrity, Practicality.

Monday, 12 July 2010

The case for PCI-DSS and Ripped Abs.

I just caught up with this post (which I had squirrelled away to read later with my Google Bookmarks toolbar and just rediscovered). Some nice work here by Bob Tarzey in summing up the main requirements of PCI DSS, the advantages of getting ready and the basic implications of breach. PCI might be the kick that some firms need to re-assess security: the regularity of the audits might just make the difference. It's easy to put off spending money to counter a threat with an Annual Rate of Occurrence (ARO) calculated as 0.1 (i.e. every 10 years) - human nature and available time dictate that the auditor landing on your desk every quarter wins hands down.

Check out too the comments on this post, also on The griping about variable approaches from the assessors is to be expected with any new standard, I think this will settle down in time. On the particular issue about voice recordings of CVV2 numbers, I would hope encryption and strong access control over the voice recordings would suffice but would welcome clarification from the PCI on this or any views from QSAs reading this.

In any case, as I have blogged before, don't make compliance with the standard your goal, make good security your goal and you will achieve compliance as a direct consequence. Or as Papa_K puts it rather nicely on that comment thread: "If you prepare for compliance audits like you prepare for a punch in the stomach to prove your abs are strong then you'll not be prepared for the sucker punch."

Thursday, 8 July 2010

New IBM developerWorks blog: zSecurity

I've opened a new blog on the excellent IBM developerWorks platform called zSecurity. My readers who are not interested in System z issues will be delighted, as I will keep System z-specific content to that blog (and it might spill out into wikis later but that's another story) and stick to wider InfoSec stuff here.

zSecurity is here, please take a look and subscribe to the feed if you're interested in RACF, zSecure, Tivoli Security Software for z/OS and Linux on z and Enterprise Security with a Mainframe.

If you're already following me on Twitter as @alanjharrison then you will be happy to know that I will tweet my dW blog updates just as I tweet these Blogger ones, so nothing else to do there.

Thanks for reading, InfoSec people stay here, System z people: see you on dW! Thanks.

Thursday, 1 July 2010

zNext - One Box to Rule Them All?

The hype is building for zNext, the next generation of IBM System z servers. z10 brought unprecedented power, resilience and versatility to the large server market. But the next generation - first dubbed z11 and more recently zNext - is rumoured to be a step change in architecture that some are suggesting will change the datacenter game completely.

We know some stuff already, that the processors will be down from 65nm to 45nm junctions and run around 5GHz giving up to 43000 MIPS [PDF] which represents about a 25% improvement on the z10. So far so impressive, but not earth-shattering.

But more recent rumours from Poughkeepsie have suggested something bigger is happening. The word "Hybrid" has been used in connection with POWER systems, suggesting that the new architecture will cross traditional platform boundaries. And one source told me that Teradata will be in the frame.

A System z that also runs native AIX and Teradata right out of the box? Wouldn't that be groundbreaking?

IBM have now announced the reveal will be in a July 22 webcast to partners. If you can't make it, come back soon, I'll be blogging about it here shortly after. Follow me on Twitter, LinkedIn or by RSS feed to get the news first. Might this be the game-changer, the killer blow to IBM's high-end server opposition, and then some?