|
On 4/17/2011 3:26 PM, John Jones wrote:
"Be specific. This is only for cardholder data. The PCI doesn't say you
can't keep a database on the DMZ, just not sensitive carholder data."
True, but then PCI only addresses cardholder data. To stay in scope that's
all they can mention.
But think about it. What this standard is really saying is data in the DMZ
cannot be considered secure.
Balderdash and tommyrot, I say! :) Seriously, it's saying nothing of
the kind. It's saying they require extra precautions for this class of
information. Consider it a belt and suspenders approach to security.
" I've yet to hear of a single IBM i being hacked to gain access to data -
cardholder, patient, or otherwise."
Comments like this really make me shake my head. Why are you entitled to be
notified of every or even any breach on the i platform? A breach has to
meet certain criteria before public notification is required and even those
laws have not been in existence the entire time that OS/400 has been
around. Pre-California SB1386 no notifications were required by anyone.
And breaches need to be a certain size before disclosure is mandatory. And
that's only US state law; in other countries YMMV.
I'm not "entitled" to anything. Just as you're not entitled to use a
narrow regulatory policy to impute a lack of security onto an entire
architecture, and more specifically onto the i. If you claim that port
80 access to an IBM i is enough to hack the database then you ought to
be able to provide at least one case of it happening. If you cannot,
then your assertion is as valid as claims to yetis or alien abduction.
Possible, but hardly plausible.
Which means there are still security issues being addressed. Which means
our beloved platform's security is not perfect. Which means we still need
to take every reasonable precaution.
I agree. Every reasonable precaution. Putting the database on a
separate machine just guard against a hypothetical security breach that
has never happened is no more reasonable than wearing a tinfoil hat to
guard against "government mind rays".
In my opinion.
Joe
--
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.