
Carol Woodbury is a co-founder and president of SkyView Partners, a company that specializes in security policy and compliance management software and offers security consulting and remediation services primarily to the System i user base. Prior to forming SkyView Partners with co-founder John Vanderwall, Carol worked with IBM for 16 years in Rochester, Minnesota, in positions that included AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. Well known as both a speaker and a contributor of numerous articles and white papers on topics relating to security and compliance, Carol is often referred to as the world's leading expert on i5/OS security and compliance issues. iLink Digest recently talked with Carol to get her views on how the gamut of compliance requirements is impacting users of the System i.
iLink Digest: Some research shows that System i shops are spending anywhere from 25 percent to 100 percent of their development and maintenance resources on coming into compliance and staying there with standards that are dictated by outside agencies and forces. In other words a huge percentage of their resources are being spent not to improve their own business systems but to meet the requirements of others. Does that match your experience?
Carol Woodbury: Yes. Those numbers are consistent with my experience. There is definitely a broad range of investment taking place. Some companies have realized that they have issues that must be dealt with and they are spending lots of resources both in dollars for software and consulting and in their own employees' time. But there are still others that think that the regulations “don’t apply to them” so they can ignore them.
iLD: There are companies still out there who are ignoring compliance?
CW: Yes, unfortunately there are. But, for the most part, everyone is finally realizing that they can't ignore it, particularly those who are touched by the Payment Card Industry (PCI) Data Security Standard.
iLD: In your experience, is compliance generally driven up from IT, or down from top management and Boards of Directors?
CW: There is a growing realization on both sides. When it is driven upward from IT, it is usually because of something very concrete such as, "We can't be trading partners with Wal-Mart any more if we don't implement RFID," or "Unless we implement data encryption, we will no longer be in compliance with the PCI’s Data Security Standards." It is rare that I ever see something driven from IT upward just because it's the right thing to do from a business perspective. Those types of projects are the ones that are driven down from top management.
iLD: For some years, when we talked about "compliance" we talked about SOX (Sarbanes-Oxley) and HIPAA for the health care industry, as well as other industry-driven standards. Why is PCI so important now?
CW: PCI is one of the main drivers in compliance today. When a security breach is suffered and the credit card company has to eat fraudulent charges, they have only been able to pass those charges along to the major banks that issue those cards. But what you're seeing now is the member banks very strictly imposing the security standards back down onto the merchants (that is, anyone accepting credit or debit cards), and they can be all sizes. So any organization accepting and especially storing credit card data is required to be in compliance with the PCI Data Security Standard.
iLD: That involves a lot of companies, and as you said earlier, no one can now afford to think that just because the company is a small company, it won't be affected. What has stimulated this new concern?
CW: The news of the security breaches at TJX earlier this year—exposing more than 45 million credit and debit card numbers because they failed to encrypt the data and stored too much of the credit card information—is a highly publicized example of the need to comply with the PCI standards. TJX is now the poster child for security breaches, and that's driving everyone who deals with credit card information to pay more attention. For the first time, fraudulent credit card transactions are being traced back to the TJX breach. Of course, the consumer can fight these charges, and most credit card companies won't hold the consumer responsible for the charges. But in the past, the credit card company could only pass along the charges to the issuing banks. Now the organization that suffered the breach can be held responsible and the cost of the fraudulent charges passed along to them. As the technology for associating fraudulent transactions with the specific breach becomes more accurate and reliable, organizations, large and small, storing credit card information will find themselves financially responsible for fraudulent transactions should their data be stolen.
iLD: How difficult is that for companies that until now have given little attention to it?
CW: One of the biggest challenges is that, even though the standards themselves are not overbearing or unreasonable—in fact, they could have been much harsher and, in some cases, I actually recommend the implementation of stronger standards—encryption in general is not an easy topic to consume, and it can easily be done incorrectly. But encryption isn't the only problem. There are also times when companies have difficulty doing some of the most rudimentary things like changing passwords on a regular basis. And that's not just in smaller companies either. Certainly, smaller shops have a more difficult time allocating resources and they don't have the depth of staff or training. But in a lot of cases, a company simply hasn't realized that security and compliance have to be a part of their business processes. We also see this where large companies have grown up quickly from small companies, and their business processes just haven't been formalized or kept up with the growth of the company.
iLD: What about the long-held belief that the System i (and the iSeries and AS/400 before that) were ‘secure’?
CW: I like to say that System i running i5/OS or OS/400 is one of the most "securable" systems available on the market. It comes with its own integrity security, the best in the marketplace. But you have to use those integrated features. The system has the features needed, like object-level security for complying with those regulations that require access to data to be "deny by default," but they must be implemented to be in compliance.
iLD: Coming into compliance with all of these standards and requirements is going to require a lot of resources, then, but it has to be done. Have you come across any companies embracing service-oriented architecture (SOA) or componentized business processes to ease the implementation of standards across the enterprise?
CW: I see people nibbling at it and starting to look at it, but I've not yet heard of anyone implementing a full-blown project to help them solve compliance issues. Organizations may have other SOA projects going on, but I tend to work more with the System Administrators than the System Development staff and programmers.
iLD: Relative to the whole compliance picture, what advice would you give to System i users?
CW: First, they really need to understand exactly what they need to be in compliance with. Rather than rely only on consultants or software vendors, they need to read the standards themselves. They need to evaluate what type of data they have on their systems, including things like health care information and credit card information, and they need to be aware of what standards drive their vertical sector. The word "compliance" can be overworked today. You can't move forward until you really understand what that word means to your organization.
iLD: Do you see any time coming when the amount of resources a company has to spend on compliance will decrease?
CW: On the security side, once companies bring themselves into compliance, they will presumably have to spend fewer resources maintaining that status. The big investment is in the initial phase. But from a trading partner point of view, technology is always going to be a moving target. Wal-Mart may dictate one thing one day and something completely different next year. There will always be investment going on. In the application development space, technology will always be changing, so the investment has the potential to remain high.