× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Joe,
Just because we have this great architecture & OS doesn't mean we can ignore industry standards. Any public co not following industry standard security procedures for all the infrastructure (not just our server(s)) is putting the corp assets at risk and may Sox & the lawyers punish them mightily...
The defense "...it's an i..." doesn't work in court. But there are very standard methods of running i as the webserver, and for smaller non-public companies, with precautions and disclosure-go for it. Even IBM's i's own security people will tell you publicly (at Common & other events) the out of the box default settings should not be the end of your settings.
Jim Franz

----- Original Message ----- From: "Joe Pluta" <joepluta@xxxxxxxxxxxxxxxxx>
To: "Web Enabling the AS400 / iSeries" <web400@xxxxxxxxxxxx>
Sent: Sunday, April 17, 2011 5:35 PM
Subject: Re: [WEB400] iSeries vs IIS web site


On 4/17/2011 3:26 PM, John Jones wrote:
"Be specific. This is only for cardholder data. The PCI doesn't say you
can't keep a database on the DMZ, just not sensitive carholder data."

True, but then PCI only addresses cardholder data. To stay in scope that's
all they can mention.

But think about it. What this standard is really saying is data in the DMZ
cannot be considered secure.

Balderdash and tommyrot, I say! :) Seriously, it's saying nothing of
the kind. It's saying they require extra precautions for this class of
information. Consider it a belt and suspenders approach to security.

" I've yet to hear of a single IBM i being hacked to gain access to data -
cardholder, patient, or otherwise."

Comments like this really make me shake my head. Why are you entitled to be
notified of every or even any breach on the i platform? A breach has to
meet certain criteria before public notification is required and even those
laws have not been in existence the entire time that OS/400 has been
around. Pre-California SB1386 no notifications were required by anyone.
And breaches need to be a certain size before disclosure is mandatory. And
that's only US state law; in other countries YMMV.

I'm not "entitled" to anything. Just as you're not entitled to use a
narrow regulatory policy to impute a lack of security onto an entire
architecture, and more specifically onto the i. If you claim that port
80 access to an IBM i is enough to hack the database then you ought to
be able to provide at least one case of it happening. If you cannot,
then your assertion is as valid as claims to yetis or alien abduction.
Possible, but hardly plausible.

Which means there are still security issues being addressed. Which means
our beloved platform's security is not perfect. Which means we still need
to take every reasonable precaution.


I agree. Every reasonable precaution. Putting the database on a
separate machine just guard against a hypothetical security breach that
has never happened is no more reasonable than wearing a tinfoil hat to
guard against "government mind rays".

In my opinion.

Joe
--


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.