Re: iSeries vs IIS web site

On 4/15/2011 4:36 PM, John Jones wrote:

Sorry I couldn't get back to this earlier. I'll be brief.

For your sake I hope your companies don't accept credit cards through these
web interfaces. Placing a database in the DMZ is a direct violation of PCI
DSS 1.3.7.

Be specific. This is only for cardholder data. The PCI doesn't say you can't keep a database on the DMZ, just not sensitive carholder data.

Even if you aren't subject to PCI directly, know that more and more security
professionals are using it as their gold standard. Systems set up with PCI
controls will pass SOX, HIPAA, and virtually all other forms of audit with
ease.

Sure. Third-party data that you collect is held to a different standard than corporate data, thus the extra precautions. And of course, the reason these protections are in place is because lots of sensitive data was stored on machines OTHER than IBM i's, and thus hacked. I've yet to hear of a single IBM i being hacked to gain access to data - cardholder, patient, or otherwise.

Here's an example. One reason I couldn't get back to this on Wednesday was
that I was helping with a client survey that was evaluating the security of
one app that we supply for them to use. The client is one of the top 5
largest banks on earth. This issue was directly addressed by an audit
question. Even though the data we store is not subject to PCI we're being
asked questions as if it were.

Have a good weekend, folks.

Yes, unfortunately auditors are not necessarily technical. If they were, they'd probably push for ALL data to be on an IBM i, with complete object auditing and integrated journaling. And they'd also be less likely to worry about terms like "DMZ", since the same level of security can be managed just as easily as simply firewalling off all but specific ports.

Joe