IT Compliance Advisor


January 14, 2011  5:42 PM

PCI DSS 2.0 changes ‘virtually’ improve IT compliance ROI and TCO



Posted by: Fohlhorst
PCI DSS 2.0, ROI, TCO

Most compliance officers know the change in calendar years brings with it operational changes driven by new legislation. And with the broad assortment of new rules and regulations kicking in this month, 2011 will be no different than any other year.

But it is not the expected regulatory changes by themselves that will have the biggest impact on how compliance strategies evolve this year. Rather, it will be the impact of their hidden changes that hit the hardest.

For example, take the Payment Card Industry Data Security Standard (PCI DSS) 2.0 standard, which brings with it several changes to how credit card transactions should be processed. Arguably, the most significant of these changes is the acknowledgement of virtualization.

With PCI 1.2.1, it was necessary to keep distinct functions physically separate to satisfy auditors. Simply put, each function needed to have its own dedicated processor, storage and memory, thereby creating a tangible separation of functions. PCI 2.0 changes all of that with the recognition of virtualization, because now that functional segregation can take place using virtual machines.

This may not seem like a big deal for many compliance officers. They may feel it is merely an acknowledgement of technology that has become entrenched in the data center. In practice, however, PCI 2.0 proves to be one of the biggest advances for those bound by version 1.2.1's archaic rules.

With PCI 2.0, all of the money-saving capabilities of virtualization can now be realized. Implementers can reduce server footprints, require fewer physical machines and lower electrical and management costs.

The lesson this story teaches is you need to look closely at the true impact of compliance rule changes. These new technologies and accompanying rule changes can significantly improve ROI and lower the total cost of ownership (TCO) compared to many compliance regulations of the past.

And, as such, an expensive burden can actually become the pathway to savings.

Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.

December 21, 2010  3:06 PM

Complex technologies complicate compliance officers’ role in 2011



Posted by: Fohlhorst
chief compliance officers, CIO, virtual desktop infrastructure

The task chief compliance officers face in routinely crafting multifaceted solutions involving complex technologies doesn’t figure to get simpler any time soon.

Complexity is usually the enemy of any working process. The more complex a technology or environment, the more likely the process will fail. Nowhere is this more evident than in the compliance arena, where the rules and regulations change as frequently as the technology it must work hand in glove with.

So the question compliance officers need to ask is: How do I deal with the complexities of IT change? As a number of complex technologies take deeper root over the course of 2011, it will be an important question to answer.

For instance, many companies are piloting virtual desktop infrastructure (VDI) projects, setting the stage for a future world where PC operations take place back in the data center and rendering desktop PCs to little more than dumb terminals. Because the promise of VDI is multifaceted, including the hope that it will solve many security and support problems, many are predicting that VDI will become prevalent in 2011.

But if you ask most VDI project leaders how VDI affects compliance, you will get a blank stare. While there is plenty of finger pointing to go around in cases like this, it all comes down to simple communication. However, nothing is simple with compliance, even communications. The very nature of compliance leads to secrecy, and that secrecy is both the enemy and ally of IT projects.

Similar issues are bound to arise as virtualized applications, Software as a Service solutions and even cloud computing initiatives take hold in the enterprise, all of which will continue to be hot technologies well into 2011 and beyond.

Meeting the challenge of new IT implementations will take more than a little finesse on the part of the harried compliance officer, as he or she becomes enveloped in network security, technology planning, human resources and executive management.

Happily, many vendors have recognized the dilemma facing compliance officers and are launching services to help with compliance. EMC, for instance, has announced expanded consulting services to help organizations meet the Payment Card Industry Data Security Standard 2.0, which becomes effective Jan. 1. Other vendors are sure to follow with services and solutions aimed to accelerate compliance. It would be nice if these vendors decide not to wait until just a month before a new standard hits the streets to announce plans to help.



December 13, 2010  4:05 PM

WikiLeaks shows how better compliance technology can protect data



Posted by: Fohlhorst
CIO, data protection, IT compliance, Wikileaks

The latest WikiLeaks debacle hopefully pounds home the point to corporate IT shops why implementing sound compliance technology can better protect data, and what the consequences can be if they do not.

Whether or not people take heed, compliance issues are certainly coming to the forefront in most analyses of the latest WikiLeaks flap. But in most of these analyses, it is unmistakable how ineffective technology was at enforcing compliance.

Consider this: There is an abundance of compliance requirements, including regulation for credit card holders (FCRA), for merchants (PCI DSS), for public entities (Sarbanes-Oxley), for privacy (HIPAA/HHS) and for children (COPPA), as well as regulations for insurance, securities trading, telecom and many more.

Most, if not all, of these requirements rely on technology to enforce compliance. WikiLeaks teaches us that it is the human factor and not technology that leads to the most damaging of breaches. All it takes is one disgruntled employee to destroy the security around intellectual property, private data or corporate secrets. But how can one build technology to prevent that?

There is no simple answer. Perhaps the only way to handle these situations is with the threat of severe penalties, and therein lies the secret to compliance technology. The enforcement of severe penalties requires incontrovertible evidence. In this particular case, technology that monitors activity and audits usage can become the key to plugging leaks.

If users are properly educated on the implications and penalties involved in disseminating unauthorized information, and are informed that access is tracked in numerous ways, perhaps technology can prevent the issues now plaguing the U.S. Defense and State Departments.



December 10, 2010  1:56 PM

Microsoft unveils online privacy features for Internet Explorer 9



Posted by: Ben Cole
Internet Explorer 9, Microsoft, online privacy

On the heels of the Federal Trade Commission report encouraging the creation of an online “Do Not Track” mechanism, Microsoft has announced that its upcoming release of Internet Explorer will include Tracking Protection, a feature designed to give users more online privacy protection.

Tracking Protection, which will debut in Internet Explorer 9 (IE9), will identify and block multiple forms of undesired tracking, according to a Microsoft blog post announcing the feature. In addition, “tracking protection lists” will let consumers control what third-party site content can track when they are online.

“We believe that the combination of consumer opt-in, an open platform for publishing Tracking Protection Lists, and the underlying technology mechanism for Tracking Protection, offer new options and a good balance between empowering consumers and online industry needs,” said Microsoft corporate vice president Dean Hachamovitch.

Anyone can author and publish the tracking protection lists, and consumers can install more than one. By default, there are no lists included in IE9, which Microsoft says is consistent with previous IE releases with respect to privacy.

The lists include Web addresses for IE to treat as “Do Not Call” unless the consumer visits the address directly. The lists also include “OK to Call” addresses to make sure that the user can get to these addresses even if one of his lists has it as “Do Not Call.” Once the consumer has turned on tracking protection, it remains on until the person turns it off.
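The list semantics described above (block unless visited directly, with "OK to Call" entries overriding "Do Not Call" entries, and several installed lists combined) can be modelled in a few dozen lines. The following is an added example, not Microsoft's code or IE9's actual list format: the `block`/`allow` line syntax, the host names and the helper names are all constructed for illustration.

```python
"""Simplified model of tracking-protection-list decisions (added example).

Constructed list format (NOT the real IE9 TPL syntax):
    block <host>   -> "Do Not Call": third-party requests to this host are blocked
    allow <host>   -> "OK to Call": always reachable, even if another list blocks it
    # comment
"""
from typing import NamedTuple, FrozenSet
from urllib.parse import urlsplit


class Ruleset(NamedTuple):
    block: FrozenSet[str]
    allow: FrozenSet[str]


def parse_list(text: str) -> Ruleset:
    """Parse one list; raises ValueError on a malformed rule."""
    block, allow = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, _, host = line.partition(" ")
        host = host.strip().lower()
        if action == "block" and host:
            block.add(host)
        elif action == "allow" and host:
            allow.add(host)
        else:
            raise ValueError(f"bad rule: {raw!r}")
    return Ruleset(frozenset(block), frozenset(allow))


def merge(*rulesets: Ruleset) -> Ruleset:
    """Consumers may install more than one list; the union of all rules applies."""
    return Ruleset(
        frozenset().union(*(r.block for r in rulesets)),
        frozenset().union(*(r.allow for r in rulesets)),
    )


def _host_matches(host: str, patterns: FrozenSet[str]) -> bool:
    # A rule for "tracker.example" also covers "cdn.tracker.example".
    return any(host == p or host.endswith("." + p) for p in patterns)


def decide(rules: Ruleset, request_url: str, page_url: str, enabled: bool = True) -> str:
    """Return 'allow' or 'block' for a sub-resource request made by page_url."""
    if not enabled:                      # feature is off until the user opts in
        return "allow"
    req_host = (urlsplit(request_url).hostname or "").lower()
    page_host = (urlsplit(page_url).hostname or "").lower()
    if not req_host or not page_host:
        return "allow"
    # Direct visit: the user navigated to this site, so it is first-party.
    if req_host == page_host or req_host.endswith("." + page_host):
        return "allow"
    if _host_matches(req_host, rules.allow):   # "OK to Call" wins over "Do Not Call"
        return "allow"
    if _host_matches(req_host, rules.block):
        return "block"
    return "allow"


# Constructed sample lists, as two separately published lists a user installed.
LIST_A = """
block tracker.example        # third-party beacon host
allow static.tracker.example # same operator's CDN, needed for page layout
"""
LIST_B = "block ads.example\n"

RULES = merge(parse_list(LIST_A), parse_list(LIST_B))

if __name__ == "__main__":
    page = "https://news.example/story"
    for url in ("https://tracker.example/px.gif",
                "https://static.tracker.example/lib.js",
                "https://ads.example/banner"):
        print(url, "->", decide(RULES, url, page))
```

The allow-before-block ordering is the point of the "OK to Call" entries: a list author can block a tracking domain wholesale while carving out the host a page actually needs to render, and the `enabled` flag reflects the opt-in default the post describes.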

Microsoft representatives said they designed the feature so users can have a clear opt-in mechanism that enables more control over sharing their browsing information. There has been speculation that the FTC’s proposed “Do Not Track” mechanism could harm companies that rely on advertisements geared towards users based on Internet activity.

In response, Microsoft said the enhanced privacy settings in IE9 simply represent an evolution in privacy and security tools that are available to users in Internet Explorer 8.

“IE9's privacy settings, like those contained in IE8, will not be on by default, but they will allow users to create lists of sites they wish to share information with, as well as sites they do not wish to share information with,” wrote Rik van der Kooi, corporate vice president of Microsoft’s advertiser and publisher solutions group, on the Microsoft Advertising Blog. “The settings do not take a position on managing information; instead, they provide an improved platform for consumers to exercise choice.”

Currently available in beta, IE9 is scheduled for final release in 2011.


December 7, 2010  4:38 PM

Can you help us predict the IT compliance future?



Posted by: Ben Cole
CIO, IT compliance, national cybersecurity bill

What will be the issues, trends and developments that will have the biggest impact on the IT compliance world in 2011? We here at SearchCompliance.com have our own thoughts about that, but we would like to know what you think.

Will the proposed national cybersecurity bill give the government too much control over the Internet? Will this be the year that most companies get serious about formulating comprehensive e-discovery programs that properly harness the power of social media tools? Will proposed online consumer protection efforts, such as the recent “Do Not Track” option outlined by the FTC, result in new standards for the industry? Which new technologies do you think have the potential to change IT compliance as we know it?

So after you have spent some quality time with your crystal ball, let us know what you think by emailing Executive Editor Ed Scannell at escannell@techtarget.com or me, Associate Editor Ben Cole, at bjcole@techtarget.com. We’ll incorporate these ideas, along with our own humble opinions, in an upcoming article next month. We will also use some of your ideas to develop stories that will be included in our 2011 SearchCompliance.com editorial calendar.


December 1, 2010  9:45 PM

FTC endorses ‘Do Not Track’ option to enhance online consumer privacy



Posted by: Ben Cole
consumer privacy, Do not track, FTC

Federal Trade Commission Chairman Jon Leibowitz says that while a lot of people in Washington, D.C., spend a great deal of time considering the spending deficit, the FTC has instead focused on the “privacy deficit” facing American consumers.

To help with this lack of privacy, especially online, the FTC today released a preliminary staff report titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”

“Technological and business ingenuity have spawned a whole new online culture and vocabulary … that consumers have come to expect and enjoy,” Leibowitz said during a conference call to discuss the report. “The FTC wants to help ensure that the growing, changing, thriving information marketplace is built on a framework that promotes privacy, transparency, business innovation and consumer choice.”

One method the FTC endorses is a “Do Not Track” mechanism that customers can use to opt out of the collection of information about their Internet activity for the development of targeted advertisements.

FTC representatives said the most practical method would most likely involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads.

“A ‘do not track’ browser setting would serve as an easy, one-stop shop for consumers to express their choices, rather than on a company-by-company or industry-by-industry basis,” said Leibowitz, adding that a coalition of organizations that includes Microsoft, Google, Mozilla and Apple has experimented with such a setting.

Other recommendations presented by the FTC to enhance consumer privacy include:

  • Companies should build consumer privacy protections into their everyday business practices, including security for consumer data, limited collection and retention of that data, and procedures to promote data accuracy.
  • Consumers should be presented with choices about the collection and sharing of their data at the time and in the context in which they are making decisions, rather than “after having to read long, complicated disclosures that they often cannot find.”
  • Consumers should have access to the data that companies maintain about them, “particularly for nonconsumer-facing entities such as data brokers.”

The FTC is seeking public comment on the report now through Jan. 31, and will issue final recommendations next year after working with stakeholders to refine and implement the policy recommendations.

“At this point we are making recommendations for best practices,” Leibowitz said. “We are putting this out for comment — we want feedback, then we will move forward.”

Leibowitz added, however, that at least from his perspective, “a legislative solution will surely be needed if industry does not step up to the plate.”


November 29, 2010  6:05 PM

New alliance for social networking tools complicates protecting data



Posted by: Fohlhorst
Bing, CIO, compliance, data privacy, Facebook

One of the biggest challenges facing compliance officers is ignorance: end users who are not familiar with all the requirements for protecting data demanded by compliance regulations.

A real culprit in such scenarios is email, in which users accidentally email protected information, violating some obscure regulation. There is no malicious intent — typically they’re just trying to solve a problem or grease the wheels of a transaction, but in so doing produce an auditable event.

Many times the data involved may have been a Social Security number, medical information or some esoteric piece of information. Most businesses solve the problem by incorporating data loss protection (DLP) solutions, which can scan email to ensure that protected information never leaves the building. This approach has worked relatively well.
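The scanning the post attributes to DLP products comes down to pattern matching on outbound content, with a validity check to keep false positives down. The block below is an added example, not code from any DLP vendor: it scans a constructed outbound email for Social Security number and payment-card patterns, applies the Luhn check to candidate card numbers, and returns redacted findings that a mail gateway could use to quarantine the message. The message text, addresses and function names are all constructed.

```python
"""Minimal content scan of an outbound email for protected data (added example)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str      # "ssn" or "card"
    redacted: str  # value with all but the last four digits masked
    line_no: int   # 1-based line in the message body


# SSN: AAA-GG-SSSS; area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(body: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(body.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding("ssn", redact(m.group()), n))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            # Ticket and order numbers also look like long digit runs;
            # the Luhn check filters most of them out.
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding("card", redact(digits), n))
    return findings


def should_quarantine(body: str) -> bool:
    """Policy hook: hold any message with at least one finding for review."""
    return bool(scan_message(body))


# Constructed sample messages (the card number is a well-known test number).
SAMPLE_OUTBOUND = """From: alice@corp.example
To: vendor@partner.example
Subject: patient transfer

Hi, the patient's SSN is 123-45-6789 and the card on file is 4111 1111 1111 1111.
Ticket 9876543210123 is unrelated.
"""

SAMPLE_CLEAN = "Lunch at noon? Conference room 4111."

if __name__ == "__main__":
    for f in scan_message(SAMPLE_OUTBOUND):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    print("quarantine:", should_quarantine(SAMPLE_OUTBOUND))
```

Only the masked value is stored in the finding, so the audit trail the scanner produces does not itself become a second copy of the protected data. A real deployment would add further patterns (medical record identifiers, account numbers) and handle attachments, which is where most of the complexity of commercial DLP lies.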

But today we have a new challenge, one presented by sites such as Facebook, LinkedIn, Twitter and other social networking tools. These tools have made it far too easy to post protected information, putting a business at risk for violating any number of compliance regulations. But thanks to an alliance between Microsoft’s Bing and Facebook, the problem has become an even bigger threat.

Simply put, this alliance allows anyone to use a powerful search engine to find content on social networks, a trend that is only going to grow. While that may be great for users looking for movie reviews, it won’t be long before someone starts using this technology to search for proprietary information across the millions of Facebook posts.

The simple solution is to block access to Facebook and other social networking sites from the corporate network, but that may not be feasible. For instance, how do you handle a worker who goes home, uses their personal computer to update their Facebook account, and accidentally violates a compliance rule?

Obviously, there are no easy answers to that situation, but educating users on what data fits under the realm of compliance may be the best start to solving what may appear to be the unsolvable problem of properly protecting data.

How is your company dealing with the effect of social networking tools on compliance? I would love to hear about it.



November 24, 2010  7:41 PM

As GRC platform sales increase, will GRC vendors improve quality?



Posted by: Ed Scannell
governance risk and compliance, GRC platform, GRC vendors

Things are looking up in the GRC platform market as users appear to be finally putting their money where their mouths are. Many organizations talk about the importance of GRC technologies and how they could better harness the behavior of deviant executives, but so far much of it has been talking the talk rather than walking the walk.

But according to a recently released Forrester Research Inc. report looking at the market’s 2010 performance, sales jumped an impressive 15% to $749 million, following two dismal years. In even better news, Forrester believes sales could remain strong throughout 2011.

“After talking with some of the larger vendors we cover as well as the indications we get from the buyers, next year looks like it is going to be a big one for this [GRC platform] space,” Forrester analyst Chris McClean told us when we talked to him about his yearly report.

McClean added that this steady growth is contingent on GRC vendors delivering more value to users in future offerings, particularly in the area of risk and compliance content, as well as integrating those products more tightly with existing infrastructure.

I have little doubt that many smaller GRC vendors will put in an honest effort to improve the content quality of their products, many of which are narrowly focused point solutions. I think they will also put in the time to maintain close relationships with customers and really listen to what they need to better their particular GRC solutions.

But whether the larger vendors, most of them armed with sweeping soup-to-nuts product suites, put in a good-faith effort to improve features for vertical markets with each release, well, we’ll have to see. I am certain they will do their very best to integrate these suites tightly with users’ existing IT infrastructure products, since they are the ones who also sold users many of those key pieces of infrastructure.

Now, I am hardly ready to indict companies such as Oracle, SAP, EMC and IBM, four larger companies showing heightened interest in the GRC platform market, for using their GRC products to simply promote sales of their more profitable, enterprise-class products. There is genuine value they can add, such as stitching controls and monitoring capabilities into corporate databases, business intelligence applications and Web-based servers.

Like it or not, these larger companies will bring more credibility to the GRC market and make once hesitant Fortune 1,000-class companies feel more comfortable about aggressively investing in these products. They may push many smaller competitors out of the market or outright acquire them, but their presence has a lot more upside than down over the long haul in terms of growing the market.

But knowing the pressures facing larger public companies that must keep revenues and stock prices up, the temptation is there to produce just-good-enough GRC products that serve as loss leaders and worry about their quality only when they need to.

Hopefully, the fast-moving armada of 40 to 50 smaller GRC competitors will keep the bigger boys honest the old-fashioned way — producing innovative but practical products.


September 27, 2010  4:12 PM

Will regulatory compliance, controlling user access bring Novell back?



Posted by: Fohlhorst
CIO, regulatory compliance, user access

There was a time when Novell was a giant and NetWare ruled supreme. But as with other giants before and after, it took only a few bad strategic decisions for the company to slide off its throne. One thing the fallen king still has is its expertise in dealing with enterprise-level problems. One area where the company is hoping it can leverage that expertise is regulatory compliance.

Trying to meet regulatory compliance requirements for many user organizations, at least from an IT governance point of view, is a complicated and costly process. Novell is looking to put some salve on those wounds with the next version of its Novell Access Governance Suite, a set of software products that simplify how customers govern users’ access to corporate resources and manage regulatory compliance.

Version 4.1 now includes Novell Access Request and Change Manager, a new solution intended to simplify granting user access to information, as well as closing the compliance gaps caused by multiple methods of requesting access.

Governance would appear to be Novell’s path back into the enterprise by managing the weakest part of the compliance chain: controlling user access to data. The concept is a relatively simple one: If you can control user access, then you can control the flow of data. However, in reality it is not that simple. Not only do you have to worry about user access, but you also need to worry about what users can potentially do with that access. Legitimate access can still lead to compliance violations, whether it is accidental or malicious.

Is governance the answer to that problem? Or does data leakage protection become the solution to that problem? At this stage, it’s hard to tell. Novell is seeking to cover all bases by injecting its technology into the flow and access of data.

This question begs a couple more: How are corporations dealing with data leakage issues today? Are current solutions delivering the protection needed, or is Novell really on to something here? I guess it’s going to take audits and e-discovery requests to truly find out how compliant a particular enterprise is. Until then, one may want to consider what Novell is proposing and see if an answer exists that can address thorny compliance issues.



September 20, 2010  3:02 PM

Visibility the key to meeting compliance standards and data protection



Posted by: Fohlhorst
CIO, compliance standards, data protection

As IT managers struggle to meet the latest compliance standards, there is one challenge that remains constant: knowing what types of data you have and which subset of that data must be protected, and bringing in the appropriate data protection. This may sound like an easy task, but in reality it can be quite difficult.

Administrators are finding out just how scattered across the enterprise their data is. Increasingly, it is being stored on a growing number of new portable machines, removable devices and desktops that make it hard to determine if you are compliant or not.

For example, take HIPAA compliance. Patient data must be protected and kept confidential, yet many times X-rays or test results are stored on a CD and sent to another medical practice, sometimes carried by the patient. On the surface, if all the rules are adhered to, meeting compliance standards should not be an issue. But when the data is in transit, compliance officers no longer have control, which potentially poses a serious data protection problem.

While it may be impossible to solve such a data protection problem quickly, it does bring up a key issue: visibility. Simply put, if administrators aren’t fully aware of this process, how can they adhere to any meaningful compliance standards?

The answer to that dilemma comes in the form of management tools that offer visibility into IT operations. The problem is there is no one-size-fits-all solution that can offer full visibility. This is where administrators have to become creative.

For example, a combination of PC asset management tools, such as Intel’s LANDesk, Symantec’s Altiris and Dell’s Kace, can provide visibility into what’s transpiring on PCs and other endpoints in the enterprise. These tools can be complemented by network monitoring and management tools, like SolarWinds and Paessler, and others can handle reporting on data in motion to round out visibility.

The last step administrators need to take is integrating these tools. By doing so, administrators have a clear map that shows where data can travel, allowing them to take preventative steps to eliminate the dreaded noncompliance discovery during an audit.
