Vicitude Client Breakfast
November 2008
Volume 1 Issue 1
Vicitude Business Solutions (Pty) Ltd, 3 Hoheizen Park, Hoheizen Crescent, Bellville, 7530 | www.vicitude.co.za | +27 21 913 8344 |
INSIDE THIS ISSUE
1 Security & PCI Compliance
1 Service Orientated Architecture & Integration
4 Systems, Network and Infrastructure Management
6 Industry Skills Shortage

Security & PCI Compliance
Bernard Peacocke

High-profile data breaches continue to spotlight the growing risks consumers face of identity theft and credit card fraud. Four highly visible data breaches disclosed in the last 18 months are particularly worrisome because they show a systemic failure in the procedures that both the public and regulatory agencies expect companies to get right.

One notorious incident involved retail giant TJX. In that case, hackers stole some 46 million credit and debit card numbers when they accessed the computer systems at two TJX corporate hubs over a period of several years. By some estimates, the intrusion was the biggest breach of personal data ever reported.

Please see Security & PCI Compliance on page 2
Service Orientated Architecture & Integration
Neville Nightingale

It is the same old story: business is changing at an ever-increasing rate and IT is struggling to keep up.

Some of the most important reasons for IT’s lack of ability to keep up are:
• IT applications are continually evolving to meet the demands of the changing business and in the process are becoming more complex
• Legacy applications have been and are being integrated with each other and with newly developed applications, leading not only to more complex applications but also making the applications more dependent on each other. Thus changing a single application often causes a “ripple effect” necessitating changes to many related applications
• This is all happening at a time when there is a chronic, critical shortage of IT skills, which is getting worse rather than better.

We have found that in many cases business growth is in fact being hampered by the lack of the IT systems’ ability to keep up with the demand for change.

Businesses are starting to look towards implementing a Services Orientated Architecture (SOA) to help make them more “change agile”, by:

Please see SOA & Integration on page 4
Security & PCI Compliance from page 1

TJX officials reported that unauthorised software placed on its computer systems stole at least 100 files containing data on millions of accounts from systems that process and store transaction information there. TJX officials believe the hackers were able to steal payment card data from one system as transactions were being approved.

In my investigation I have spoken to a number of senior IT & business people. Based on their experience I have identified a number of key areas that should be addressed by companies. The following quotes illustrate these:
• Security is about more than denial of service attacks or the latest worm variant, and compliance is about more than a “check the box” process.
• Sensitive data differs by industry. Everybody has it and it has value!
• Fraud is costly and becoming more pervasive
• PCI compliance is a crucial requirement for all merchants to avoid fines by the Payment Card Industry
• Our industry has a requirement to create a set of security standards to protect their customers from security breaches and identity threat

Horror stories of companies carelessly losing thousands or even millions of records containing customers’ credit card information will soon be a thing of the past. A new compliance standard, designed by Visa and MasterCard, and endorsed by other card giants, now forces merchants that retain clients’ personal information to efficiently safeguard the information.

The Payment Card Industry (PCI) Data Security Standard creates a common industry security standard that effectively eliminates the possibility of careless or malicious loss of information.

Merchants wanting to continue accepting credit or debit card payments, regardless of their transaction volume, are required to meet the PCI standard. Failure to comply may result in substantial fines or permanent expulsion from card acceptance programmes.

To accomplish this difficult task requires more than a once-off risk management project. It requires an organisation to run an initial compliance audit to identify and eliminate its current vulnerabilities. Thereafter it needs to continually audit its systems, processes and infrastructure for new vulnerabilities and resolve them as they occur.

This is a resource intensive task and is best done via automated compliance tools that operate seamlessly in the background and only require human intervention in exceptional circumstances.

However, PCI is just one of many compliance standards – there are also standards such as SOX (Sarbanes-Oxley), IT governance, ISO, etc.

And what about other security risks? What about things like viruses, malware, data breaches and insider threats?

David Perry, Global Director for Trend Micro: "Back in 1990 we were seeing a handful of new viruses each week. Now, we're having to analyze between 2,000 and 3,000 new viruses per hour."

So “blacklisting”, i.e. trying to identify and close down “bad” applications, services, malware, etc., is becoming increasingly difficult:

Dave DeWalt, CEO, McAfee: “Blacklisting - where vendors compile lists of known malware - has become technically unfeasible. As blacklisting becomes increasingly difficult, whitelisting holds promise.”
Security & PCI Compliance continued from page 2

SO WHAT IS WHITELISTING?

Application whitelisting is a new way for enterprises to secure and control their desktops, laptops and servers. It provides IT an efficient mechanism to identify and control applications such that only programs that have been given permission to do so can run. Thus, no malware can even start up. No home-downloaded setup.exe can create an imbalance in IT’s carefully crafted and stable standard workstation configuration!

John Thompson, CEO, Symantec: “... additional investments in identity management and whitelisting technologies in an attempt to better manage user behavior and data. I'll be chasing my tail forever trying to block every one of those things.”

Mark Bregman, CTO, Symantec: “If the trend continues and bad programs outnumber good ones, then scanning for legitimate applications (whitelisting) makes more sense from both an efficiency and effectiveness perspective. Eventually, a comprehensive whitelist of legitimate software may be as close to a silver bullet as one can hope to find – one that best serves the evolving security needs of the growing cyber community.”

John Stewart, CSO, Cisco: "I am not so sure that we can get to a place of feeling confident in our infrastructure without doing whitelisting. Whitelisting is the next generation of defense"

The best approach is to control not only what software runs, but also devices (like memory sticks), so that only what is TRUSTED runs.

For example, a call-centre manager interviewed expressed concern due to high staff turnover, because the more semi-skilled workers and “new hires” one has in such an environment, the greater the chance of one of them stealing confidential client information (copying it onto a flash drive) and selling it, e.g. at a bank call centre. Identity theft is becoming rife!
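As an added example (not from the newsletter or from Vicitude), the default-deny decision an application whitelist makes can be shown in a few lines of Python: each program is identified by the SHA-256 of its file content, and only hashes IT has approved are allowed to run, so a home-downloaded setup.exe or an unapproved file dropped into a trusted folder is refused. The sample files, paths and hashes are constructed for illustration; a path-based rule is included alongside to show why it is weaker.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables": short byte strings stand in for real binaries.
SAMPLE_FILES = {
    "C:\\Program Files\\Corp\\payroll.exe": b"MZ corp payroll build 4.2",
    "C:\\Program Files\\Corp\\viewer.exe": b"MZ corp document viewer 1.0",
    "C:\\Users\\alice\\Downloads\\setup.exe": b"MZ home-downloaded installer",
    "C:\\Program Files\\Corp\\updater.exe": b"MZ unapproved file in a trusted folder",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Allowlist published by IT: only the hashes of approved builds are trusted.
ALLOWED_HASHES = {
    sha256_hex(SAMPLE_FILES["C:\\Program Files\\Corp\\payroll.exe"]),
    sha256_hex(SAMPLE_FILES["C:\\Program Files\\Corp\\viewer.exe"]),
}

# Weaker path-based rule, shown for comparison: trust everything in one folder.
TRUSTED_DIR = "C:\\Program Files\\Corp\\"

@dataclass
class Decision:
    path: str
    allowed: bool
    reason: str

def decide_by_hash(path: str, content: bytes) -> Decision:
    """Default deny: the program runs only if its hash is on the allowlist."""
    digest = sha256_hex(content)
    if digest in ALLOWED_HASHES:
        return Decision(path, True, "hash on allowlist")
    return Decision(path, False, f"hash {digest[:12]}... not on allowlist")

def decide_by_path(path: str, content: bytes) -> Decision:
    """Path-only rule: anything placed in the trusted folder runs."""
    if path.startswith(TRUSTED_DIR):
        return Decision(path, True, "inside trusted folder")
    return Decision(path, False, "outside trusted folder")

def evaluate_all(policy) -> dict:
    """Map each sample path to the allow/deny outcome under the given policy."""
    return {path: policy(path, content).allowed for path, content in SAMPLE_FILES.items()}

if __name__ == "__main__":
    for name, policy in (("hash", decide_by_hash), ("path", decide_by_path)):
        print(name, evaluate_all(policy))
```

Under the hash policy only the two approved builds run; the path policy also lets the unapproved updater.exe run simply because of where it sits.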
THE GOOD NEWS IS ...
Vicitude has excellent solutions to help you to address all of these.
SOA & Integration from page 1

This approach should help reduce the time taken for IT to implement changed business processes. Changes to IT systems should not involve much developing of new, or changing of existing, applications, but rather the “stringing together” of existing re-usable IT services to implement the changes of a new business process. We can think of this as a Services Orientated Integrated (SOI) approach to IT application coupling. This means that:
• Re-usable business services are implemented by means of re-usable IT services
• Re-usable IT services are integrated in such a way that they:
  o Each perform their designated service without being interested in, or even aware of, the other IT services
  o The integration layer acts as a “postal service”, fetching and carrying business information between the services.

BUT, what about the large number of existing applications that are currently supporting the business processes? In most cases they are not re-usable IT services and they are already integrated in a way that makes changing them difficult and time consuming.

Vicitude has a team of SOI specialists that have, for a number of years, helped businesses de-couple their traditionally integrated IT applications and implement SOI based technologies. This is normally achieved with the minimum amount of, and often without any, change to existing applications.

The result of this is that IT shops find that, because individual applications may be more easily changed or replaced without the so-called “ripple effect”:
• Changes to applications are much quicker and less error prone
• Applications can be more easily re-engineered into, or replaced with, “re-usable business IT services”

The net result of this is that IT is getting more and more agile in its ability to meet the demands of rapid business process change. The further IT travels down this path, the more agile it becomes.

Systems, Network and Infrastructure Management
Bernard Peacocke

The majority of Vicitude staff have their roots in Systems Management. As one of our colleagues once said: “We manage stuff – with other stuff”

Systems Management addresses the alignment of Business and IT.

Business has the job of making revenue targets and IT is a tool set that, when implemented and managed correctly, allows business to achieve its goals.

The challenges today, with the ever-increasing demand on IT to deliver more and more, are:
• The lack of IT skills
• Using expensive IT skills to manage minor tasks
• The lack of integration
• The lack of a structured approach

In terms of IT asset management (desktops, laptops, servers and software), I interviewed a number of CIOs. Very few of them were able to confidently claim that they have a cradle-to-grave approach to management of IT assets.

Thus, the most serious shortcoming of most organisations I visited was an absence of clear processes, backed by supporting work-flow procedures and solutions, in order to consistently manage the life of IT assets from date of order to disposal.

Please see Systems, Network & Infrastructure Management on page 5
Systems, Network & Infrastructure Management from page 4

This inconsistent approach to IT asset management leads to a huge loss in terms of return on investment in IT assets.

My investigations into systems, network and infrastructure management identified two significant levels of requirement:

Firstly, network administrators are interested in having a very graphical view of the network topology that not only allows them to quickly identify a fault with a link, a switch or a router, but also lets them perform bandwidth management, splitting network data in order to identify the usage of the network by specific applications, whereas database administrators are concerned with database performance issues – speed of data access – benchmarking, SQL tuning capabilities, space & capacity management, locks and data contention. They not only need graphical tools that give in-depth monitoring & reporting on databases, but also solutions that can home in on the performance of SQL within an application. The aim is to push new applications into production faster, without having to waste time down the line on performance issues with production applications that have poorly written SQL.

Of all the IT professionals I interviewed for this report, the requirements that are common to all of them are:
• Tools that can automate the correlation and diagnosis process so that very little human intervention is necessary
• Automatic root-cause analysis and base-lining – getting away from solutions that are time and skill intensive
• Solutions that are cost-effective; easy to implement and maintain
• Having a consistent interface (for example the same tool for Windows vs Unix monitoring)
• Supporting current and future applications/devices; easily extensible

But, secondly, speaking to CIOs and other high levels of management, they say their biggest concern is with a viable implementation of the ITIL set of best practices. To them “IT is the business and the business is IT”. According to Network World, “Forrester Research conducted a survey which showed that IT management rated problem management and service-level management as the top two management areas in importance”.

A service monitoring solution must be able to monitor the performance of a service end-to-end. It is necessary to move away from a silo view of the IT infrastructure.

This, they claim, is much more than the ability to hook together monitoring of a certain database and its supporting server, and with this portion of the network and that application. True service monitoring involves understanding the inter-dependencies between applications and network devices and using the knowledge of these inter-dependencies to determine where the bottlenecks involved in supporting the service may lie.

Thomas Mendel, Principal Analyst at Forrester Research: “What’s most important is being able to describe a service in meaningful terms to the user, discover all the elements needed to deliver the service, measure service quality and deal with exceptions and breakdowns”

ONCE AGAIN THE GOOD NEWS IS ...
Vicitude has excellent solutions to help you to address all of these.
Industry Skills Shortage
Gerhard van Rensburg

The Scenario

The unemployed are becoming younger. Young adults under 35 years account for 75.7 per cent of the change in unemployment between 1995 and 2005. This is a very worrying trend, as young people may become disillusioned and, as a result, skills may be leaving the country, causing an erosion of local skills.

There are many graduates, but there is a huge lack of skills. Firms, policymakers and government agree that skills shortages are probably the most important obstacle to accelerated growth in South Africa.

A recent online article entitled “SA has the worst skills shortage” referred to a study by Productivity SA and the 2007 IMD World Competitiveness Yearbook. The results stated that the country has the highest brain drain and worst skills shortage of 55 countries studied.

Corporate South Africa continues to lament the skills shortage and the impact on future growth. Yet thousands of youth graduate from colleges and universities annually and cannot find positions in the market place.

Another survey done recently showed that there are as many as 70,000 IT vacancies in the country. The “brain drain” is only part of the cause.

Youngsters are not interested in following a technical study path but rather go for the legal, financial and medical fields of study. This results in very little “new blood” entering the IT market.

“Multi-tasking” is a very common occurrence in IT departments of organizations, i.e. the same resource having to do three different jobs instead of specializing and focusing on one. This makes them very marketable and “poachable”. If they leave the company it’s even more difficult to find someone with that combination of skills to replace them.

What do we need to do?

The IT industry has to work together to address this problem, as it is only getting worse.

We need to engage with educational institutions and help them understand the type of training that is needed.

Vicitude has resources with specialist skills who are good at mentoring new employees and recruits from the market place. We can offer “learnership” opportunities for youngsters coming out of learning institutions, but we need to do it in partnership with our clients, as we “need” their projects as vehicles to train these students.

We want to engage with our clients in terms of their future plans regarding skills required, so we can position ourselves and recruit appropriate resources in time to be able to service these needs.

Vicitude also recommends that on-site training at companies be made use of rather than sending employees away for training, as the training is much more hands-on and “real”.

Vicitude Business Solutions (Pty) Ltd
3 Hoheizen Park
Hoheizen Crescent
Bellville, 7530
Phone: +27 21 913 8344
Fax: +27 86 662 8106
Web: www.vicitude.co.za