Monday, February 26, 2007

Two Factor Authentication - Squared

I was working with a large SI last week who does a lot of work for the government. I was there to prove out a solution to protect their DHCP servers from unatorized users getting an IP address and subsequently on their network, and their customer's network. I showed them how the solution worked in 15 minutes and was done with that part of the discussion.

The next part was around authentication. Part of it was academic discussion, part was to think through a business problem - authentication, and how much is enough. We were able to figure out that with the same solution we just used to solve one problem would also solve another, and one that is on the minds of anyone working on HSPD-12 initiatives.

Long story short - four factor authentication. Two factor authentication, squared, or 2F2.

Here is how it works:

I identify the user in two ways - PIV Card, and Login credentials (PAC & LAC Controls)

I identify the machine in two ways - by unique machine ID (hardware serial numbers encrypted in every packet), and certificate exchange.

Unalterable, proven, and deployed in days.

Why does this matter for PCI?

Audit - Be able to see every network layer event, by who, from what machine, in real time.

Control - Make policy based access decisions based on 4 different attributes providing the ultimate in flexibility and rollout options. For example - known/trusted user AND known trusted machine on my LAN - access to what they need to do their job from DAY ONE (email). Known user/unknown machine (vendors/guests) get access to Port 80 only so they can demo, check webmail, etc.

At the macro level -

You have just scoped down your threat vector area to only those you know and trust, be they machines and people.

Add to it the functionality of immediate real time alerting in the event something bad looks like it is happening, and reporting to understand exactly how they tried to do what they did, were blocked, but still logged - Priceless...

Monday, February 19, 2007

PCI Fines and Compliance Dates - Hot topic

March 31, 2007 - must complete attestation, signed by an officer of the corporation, stating that no: Track data, PIN block data, or CVV2/CVC2 data is stored — else fines of $10,000 per month.

Sept. 30, 2007 - must be compliant or monthly fines of $5,000 are levied.

Dec. 31, 2007 - must be compliant or monthly fines of $25,000 are levied.

It has been almost 2.5 years since the original deadline for compliance on September 30, 2004. Companies that have not met the compliance requirements are in for a rude awakening. Hopefully you started the process long ago and are just finishing up now.

They can still revoke your ability to accept cards as payment which is a double whammy and pretty careless given that you can get a solution end to end (including documentation) for $100-150,000 USD.


Friday, February 09, 2007

Relentless Pursuit of Better...

Lifted from another blog...

An unusual post, but it is the New Year and we might as well start with a bit of reflection on innovation and elegance. Follows are excerpts from “Elegant Solutions - Breakthrough thinking the Toyota Way” by Matthew E. May. Thank you to Guy Kawasaki for pointing to this manifesto.

“An elegant solution is one in which the optimal outcome is achieved with the minimal expenditure of effort and expense.”

A big lesson - “Avoid the Temptations
Swinging for fences. This is the “homerun or bust” trap, which invariably destroys a strong batting average over time. It carries with it huge risk, usually accompanied by high cost.
Getting too clever. This is the “bells and whistles” trap, which can easily get out of control in an effort to outdo competitors. It carries with it the danger of complexity and customer alienation.
Solving problems frivolously. This is the “brainstorm” trap, which is misguided creativity far afield from company direction. It’s a symptom of poorly defined work, and fraught with waste. There’s a reason we call it an organization.

Small baby steps and keep the ideas simple. I am certainly guilty of number 3, but I believe in the same breath that without these activities my truly elegant solutions would never come to bear.

“The pursuit of perfection is not focused on achieving perfection, it’s focused on chasing it. Perfection is unachievable…it’ll never happen. We’ve become impatient with mastery. If you can’t achieve perfection, why bother? Because you have to. Otherwise you’ll always be a follower.At Toyota the mantra is: no best, only better.

“I love the idea that perfection is unattainable, yet is within our grasp. The idea of continuously redeveloping oneself and one’s art as a process of perfection is very inspiring.

“All artists work within the confines of their chosen media, and it’s the limits that spur their creativity. The canvas edge, the marble block, the eight musical notes—the resources are finite. So it’s how you view and manage them that makes all the difference.

And that’s the big question: Are limits preventing innovation, or enabling it?There’s only one right answer. Innovation demands exploiting limits, not ignoring them.”

Limits of resources is a forever challenge to those working in every industry around the world. The Toyota concept of embracing these constraints and finding innovation is an uncharacteristic way of viewing these deficiencies. It is very practical to consider constraints for those who (in our context) manage businesses and IT controls. There is always a budget and unfortunately only 24 hours on that clock. The ability to work within these boundaries and excel is a challenging and worthwhile path.

“Keep it Lean

Complexity kills—scale it back, make it simple, and let it flow.More is often just more. Unless it’s more simple, accessible, timely and efficient, which really means it’s less complicated and complex. When it comes to solutions, size and sprawl matter. Be-all, end-all, feature-rich solutions almost always miss the mark. Because they’re over-scoped and too complex. They’re usually proof that we lack real insight into our customer’s desires. Complexity destroys value, which is what matters most to the customer. The most elegant solutions always seem blazingly simple.

The opposite of most organizations and product solutions that try to throw a kitchen sink at a problem. Addressing a problem in a simple fashion is key to controlling costs - emotional, capital, and intellectual. Consider implementing a complex application for a single task - will it be used? Will every feature be used?

My favorite (and I admit I am an addict): How many features of Microsoft Excel do you use? How many versions have they been in the application (since the end of time you say?!) - why did you just buy another version to upgrade? Balance the simplicity with the problem at hand. Something that is paramount to addressing compliance and regulatory concerns. Documentation should be simple and direct.

Controls should be clear and operating. Long explanations are not necessary (to auditors or lawyers) if the work is elegant.

Wednesday, February 07, 2007

Stepping Up PCI Compliance

Common sense is entering the picture finally...

Although it was already too late to prevent the TJX data breach, Visa in December said it would begin offering $20 million in financial incentives and create new sanctions to spur merchant compliance with PCI through its Visa PCI Compliance Acceleration Program. "The initiative's goal is to eradicate the storage of full-track data, CVV2, and PIN data, and grow PCI compliance among this group of merchants," Visa said in a statement at the time. Merchants in full compliance with PCI by March 31, and who have not had any of their data compromised, will be eligible to receive a one-time payment, although Visa doesn't specify the amount.

Visa has for the past two years been handing out fines for noncompliance with PCI. In 2006, Visa assessed $4.6 million in fines, up from a 2005 total of $3.4 million. Banks that process credit card transactions for businesses will be fined up to $25,000 monthly for any of their largest merchants--those that process more than 1 million Visa transactions annually--not in compliance with PCI by the end of the year.

These banks also are required to assure Visa that their merchants aren't storing full-track, CVV2, or PIN data by March 31, or the banks will be eligible for fines up to $10,000 per month.