A few weeks ago I had a conversation with a customer of mine and we discussed this very topic. How do you measure perfection? It’s a good question worthy of inquiry. I was really surprised at the different answers suggested in the conversations that ensued.
Perfection is, as stated by the Merriam-Webster dictionary, “broadly, a state of completeness and flawlessness, an unsurpassable degree of accuracy or excellence”. Some would also say perfection is the absence of judgment.
If you operate within a Math or Science context, the term perfection is actually used to designate a range of diverse concepts. These concepts have historically been addressed in a number of discrete disciplines, notably mathematics, physics, chemistry, ethics, aesthetics, ontology and theology.
To an extent, “perfection” is a state of mind. Why am I telling you all of this? I was asked the question “Is your solution perfect for our situation?” So instead of pursuing a quest for the meaning of perfection (and the meaning of life), I thought I would take this opportunity to write a series of blogs in which I am going to highlight our solution capabilities and recent enhancements that may make our solution perfect for you! (You knew that plug was coming, right?)
A few years back (I used to work for a competitor at that time), I was visiting a customer of ours to discuss a complex architectural issue they were having. I sat down with the Security Architect, Enterprise Architect, and the CISO of a big insurance company (who shall remain unnamed) to discuss an issue. At the time, to show me the issue at hand, they pulled up a specific transaction to analyze. There it was, the admin password for the system (the holy grail), for their important backbone component, baring its nakedness to us in clear text. In all fairness, the ‘most verbose log feature’ was turned on to debug a specific issue in that situation. After we joked about the fact that I then knew the admin password for their backbone and for their entire enterprise, I was told I was going to spend most of my life in a corner of their data center sleeping on a rug!
The conversation got very serious when we talked about how admin passwords should NEVER be displayed, in clear text, on any log for any reason. I took this noted and avoidable vulnerability back to my Product Management/Engineering teams. To my surprise, the concern was brushed aside as a non-issue.
A risk of this magnitude could easily be considered a major compliance issue if you are an organization that deals with HIPAA and/or PCI compliance. Regardless of whether you have the most verbose mode turned on or not, if you leave PCI data or PII (personally identifiable information) clearly visible in logs, in clear text, you are creating potential breaches. As is sometimes the case, log data gets lost and, at the most inopportune time, could be unearthed during an audit. Aside from exposing oneself to the risk associated with not properly safeguarding data, those risks multiply when failed audits lead to very expensive fines.
The California Supreme Court recently ruled, in Pineda v. Williams-Sonoma, that zip codes are really “personally identifiable information” (PII). The ruling, which reversed the Court of Appeal’s decision, was made under California’s Song-Beverly Credit Card Act, California Civil Code section 1747.08. Penalties of up to $250 for the first violation and $1,000 for each subsequent violation could accrue, without there even being any allegations of harm to the consumer.
Section 1747.08 of this law states that a retailer cannot ask their customers for PII (including zip codes), or record it, during credit card transactions. (I have distilled the legalese for you. However, those so inclined may read about the ruling in its entirety at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1747-1748.95.) Though this information is applicable only to PCI compliance right now, there are laws pending in California (and in other states) around the essence of PII. This may end up being germane to medical records, EHR (Electronic Health Records), prescription information, etc.
Initially it could be limited to SS#, PAN (credit card info), date of birth, zip codes, address, age, gender, password (in the corporate world), etc. However, safeguarding data could potentially expand into several other domains. All organizations need to be cognizant of how the laws and regulations continue to change at a state and national level and how they may vary from one country to another. Imagine if you are using a cloud provider that is hosting your data in a country not of your choice, where you have virtually no control.
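To make the log-exposure problem concrete, here is an added example (not code from this post or from Intel’s Log Redact product) of a Python logging filter that masks the data classes listed above before a record is written: passwords in key/value form, SSNs, zip codes and card numbers (PANs). The regular expressions, the Luhn gate that keeps ordinary long numbers such as order ids unmasked, and the sample log line are all constructed for this illustration.

```python
import logging
import re

# Constructed patterns for the data classes discussed in the post.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ZIP_RE = re.compile(r"(?i)\b(zip(?:code)?)\s*[=:]\s*\d{5}(?:-\d{4})?\b")
# 13-19 digits, optionally separated by spaces or dashes (card number shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: only checksum-valid digit runs are treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw              # e.g. an order id: leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]   # keep last four only


def redact(line: str) -> str:
    """Return the log line with secrets and PII masked, in a safe order."""
    line = PASSWORD_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    # SSN and zip run before PAN so adjacent short numbers are not glued
    # into one false card-number match.
    line = SSN_RE.sub("***-**-****", line)
    line = ZIP_RE.sub(lambda m: f"{m.group(1)}=*****", line)
    return PAN_RE.sub(_mask_pan, line)


class RedactingFilter(logging.Filter):
    """Attach to a handler so every record is scrubbed before being written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample line; the card number is a well-known test PAN.
SAMPLE = ("user=alice password=Hunter2! card=4111 1111 1111 1111 "
          "zip=94025 ssn=123-45-6789 order=12345678901234")

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())
    logging.getLogger("demo").addHandler(handler)
    logging.getLogger("demo").warning(SAMPLE)   # prints the masked line
```

Redaction at the handler is a safety net for the verbose-mode case described above; the better fix is still never to log the secret in the first place.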
In the next few blogs I am going to talk about our Log Redact, Data Redact, Data privacy, Compliance, Encryption and Tokenization capabilities, which will help address some of the aforementioned issues. They not only help you address today’s needs but will also enable you to “change direction” as necessary as incipient changes come to fruition.
You may already know that Intel acquired McAfee, the leader in the security software business, over a year ago. We are quickly seeing the successful integration of both entities. As part of this perfection series, I’m going to share with you in greater detail our integration efforts with McAfee security components. At the end of this series, you’ll get a sense of the palpable energy abounding, and the synergies that are helping us bring even better solutions together for our customers.
As for that company that had given me a rug to sleep on in the datacenter corner for sharing their family secrets? I wish I had had this solution set handy when I was at that meeting! Oh well, comfortable sleep is often overrated anyway.
If you would like a sneak preview of some of the solutions that I’m going to address in this blog series, please visit:
Andy Thurai — Chief Architect & CTO, Application Security and Identity Products, Intel. Andy Thurai is Chief Architect and CTO of Application Security and Identity Products with Intel, where he is responsible for architecting SOA, Cloud, Governance, Security, and Identity solutions for their major corporate customers. In his role he is responsible for helping Intel/McAfee field and technical teams and customer executives. Prior to this role he held technology and architecture leadership and executive positions with L-1 Identity Solutions, IBM DataPower, BMC, CSC, and Nortel. His interests and expertise include Cloud, SOA, identity management, security, governance, and SaaS. He holds a degree in Electrical and Electronics Engineering and has over 20 years of IT experience.