Decouple an App From the OS Before You Move to the Cloud

Virtual Application Appliances

Subscribe to Virtual Application Appliances: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Virtual Application Appliances: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

VAA Authors: Destiny Bertucci, Ray Parker, William Schmarzo, Pat Romanski, Gilad Parann-Nissany

Related Topics: Cloud Computing, Security Journal, IT Strategy, Secure Cloud Computing, Virtual Application Appliances, F5 Networks

Cloud Computing: Blog Feed Post

PCI Turns 2.0

It’s been an interesting ride for PCI with supporters

…Or 6 years old in human time.  When PCI DSS was born, it was actually five different procedures from each of the major credit card issuers: Visa, MasterCard, American Express, JCB and Discover.  Each program was comparable in that they wanted merchants to have minimum security requirements when handling (process, transmit, store) cardholder data as a protection mechanism.  The industry came together and formed the PCI Security Standards Council (SSC) which aligned the distinctive policies and then released the Payment Card Industry Data Security Standard (PCI DSS) v1.0.  Over the years there have been clarifications, slight revisions, wireless guidelines, the addition of PIN Entry devices and of course, version updates – 1.1, 1.2 and 1.2.1, the most recent standard.  PCI DSS v2.0 was released on Oct 28, 2010 and went into effect January 1, 2011.  Organizations have until New Year’s Eve 2011 to implement and comply with the new changes and can actually still validate compliance against v1.2 until the ball drops again in 360 days.

It’s been an interesting ride for PCI with supporters hailing it’s mission and others complaining that it’s expensive, confusing and subjective.  If nothing else, it’s made business focus on and consumers more aware of Data Security, which is a good thing.  PCI v2.0 does not have any extensive new requirements but it does clarify some requirements for easier understanding and makes adoption, especially for small merchants, simpler and easier.  Some of the important updates include the need for a comprehensive audit prior to assessment to understand where all the cardholder data resides within the infrastructure.  Knowing all the locations and flows of sensitive data can help in protecting those assets.  An evolving requirement is allowing merchants to execute a risk-based approach, based on business circumstances, for ranking, addressing and prioritizing vulnerabilities.  I’ve mentioned before that Security is really about Risk-Management, and while I’m not sure that merchants with limited IT security experience could determine if they are more susceptible to Forceful Browsing, Hidden Field Manipulation, or SQL Injection, I do think it’s a step in the right direction in terms of an exercise.  It encourages organizations to conduct a risk-assessment and focus on areas that are the most vulnerable.  This can help a smaller merchant target their limited resources to a specific area of concern.

Another evolving requirement is the need for more effective and centralized log management.  Scouring logs from various systems looking for that one nasty IP address can be cumbersome and the ability to centralize log management is important whether you’re trying to be PCI compliant or not.  Cloud Computing comes to mind as a big beneficiary of centralized management.  And speaking of the Cloud, there is also some guidance on virtualization – not much – but some.  For one, they’ve included virtualization in that, they’ve expanded the definition of system components to include virtual components.  You can only implement one primary function per server, so functions like web, app, db, DNS and so forth should be running on separate virtual machines.  They want to avoid situations where different functions that may have different security levels are cohabitating on the same server.  Also, since VMs can move around, if only one of your VMs is handling cardholder data, then the entire virtual infrastructure must comply.

The following is taken directly from the PCI DSS 2.0 and PA-DSS 2.0 Summary of Changes – Highlights document.



And so begins the new 3 year lifecycle for standards development but minor revisions can be added, if necessary, during that time.  While the temptation is to wait until you absolutely have to comply or just test against the old standard, it’s better to get going on two-dot-oh sooner than later.  You really don’t want to be worried about implementing PCI updates when the 2011 holiday shopping season is in full swing or when staff is limited due to the holidays.  If you need to comply, do yourself a favor and get it done early.



Connect with Peter: Connect with F5:
o_linkedin[1] o_rss[1] o_facebook[1] o_twitter[1] o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet, cybercrime, holiday shopping, identity theft,

Read the original blog entry...

More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and fairly technical together to cover training, writing, speaking, along with overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.