Speaking of Security – The RSA Blog and Podcast

In case you missed it last week, VMware announced their latest version of vShield App with Data Security, which has RSA’s DLP technology embedded to help discover and classify sensitive data in virtual machines. One of the key points here is that data discovery and classification capabilities are now built-in to the virtual infrastructure, making the virtual infrastructure content-aware for the first time. So you may ask, what’s the big deal about being built-in instead of bolted-on?

On June 28th the Federal Financial Institutions Examination Council (FFIEC) formally released the supplement to its “Authentication in an Internet Banking Environment Guidance” which was first issued in October 2005. RSA offers insight on the latest guidance and what it means for U.S. financial institutions.

I recently returned from Berlin after attending the EMEA RSA Channel Partner Council with the purpose of discussing RSA’s Security Management and GRC strategies within Europe. For many of the RSA channel partners, this was their first exposure to these concepts. Channel partners have a unique perspective because they are on the front lines selling products and providing implementation services Their success is directly influenced by RSA’s ability to provide the right training, messaging and tools to make them effective.

To my amazement, I still get asked “if I do everything I am asked to do for compliance, am I secure?” To be fair, this question often comes from non-security people.

I’ll start with the bottom line: for eGRC to work it has to be true at all Human and system levels of abstraction in an organization and it must have common elements across all function in a company. With the release of the most recent study by the Ponemon Institute (with EMC) , there are some clear pointers to the need for more strategic and, frankly, systemic mechanisms for managing enterprise governance, risk and compliance. Let’s cover a few ideas before coming back to those.

Staying at the Venetian/Palazzo in Las Vegas last week for EMC World, I was struck by the amount of personal information they must be managing for the guests in their 7,000 suites.  Even with repeat guests, they could well average 10 individuals per week per suite, well into the millions of guests per year. And [...]

Interesting note from Visa yesterday. They have given non-US merchants an escape hatch for validating PCI DSS compliance annually if they meet four specific requirements.

PCI DSS compliance may be a bad indicator for the way merchants handle card data for a simple reason: it is a holistic standard which refers to many aspects of security – from the storage of sensitive data to securing wireless networks and applications. While those who are truly PCI DSS compliant can dramatically decrease the risk of suffering a breach, it is not uncommon for some merchants, once they receive their badge of approval, to fail to maintain that compliance.

The release of PCI DSS V2 is a welcome update, even though most of the changes from PCI DSS V1.2 are relatively minor. But there are a number of areas that PCI DSS has not addressed and that are critical to the security of credit card information. Some of these, such as the impact of virtualization and cloud, are already recognized as concerns. But at least one area has, at least as far as I know, not yet been put on the table for discussion. This area concerns best practices for protecting against increasingly sophisticated social engineering attacks. These attacks may attempt to steal credit card information directly. Or they may seek to install malware that can steal the information, such as through man-in-the-browser attacks.

There has been a great deal of talk about making business processes more transparent. While I think gaining visibility across complex business operations or complicated IT infrastructures is a very important concept, I think there is another concept that is just as important yet is sometimes overlooked. When it comes to truly seeing something for what it is, the dimensions of an object allow us to more clearly define it.