Is That Your Data That Just Walked Out the Door?
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
There are a couple of lessons all merchants should take from the unauthorized release of confidential diplomatic cables by WikiLeaks. The first is that the use of personal technology—both computing devices and storage media—increases the risk of a data compromise. The Pentagon’s practice of banning flash drives didn’t stop somebody from bringing in a fake Lady Gaga greatest hits CD (which was the likely attack vector).
Another lesson is that the use of sophisticated personal technology is increasing, and with it comes further risk of a data leak. Many employees are returning to work in this new year with all manner of shiny new laptops, tablet computers, smartphones and other personal devices that Santa dropped off. Many of these devices will connect to your corporate network in some fashion and then to the Internet, where they will send, receive and process E-mail and other files.
From a PCI point of view, these devices increase your risk, and that is why they are already included in PCI 2.0. However, what is new is that with the changes in PCI version 2.0, all this personal technology might expand your PCI compliance effort, too. The reason is that under version 2.0 each merchant needs to “confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensure they are included in the PCI DSS scope.” If you have more devices, you have more endpoints and more possible “locations and flows of cardholder data.” Imagine your network diagram if it included every mobile device for every user in your organization.
The outcome is that every merchant and processor will want to document the full range of employee-owned devices that might access, store, process or transmit cardholder data, and then include them in the scope of their PCI assessment. The good news is, the scoping instructions included with PCI version 2.0 (see page 10) identify the steps to determine and document your scope. The bad news is, each step will be affected by the expanded use of these personal technologies.
-Marc
January 18th, 2011 at 7:07 pm
Great column Walt, but I thought you were going to take it a different way. My learning from the Wikileaks scandal is that if you inappropriately classify everything as a secret, then you risk losing sight of the real secrets in the files and files of “almost” secrets.
The correct approach should be the opposite: apply a cost to keeping a secret, so that you have incentive to not keeping things secret. The network of secret sharing things can be reduced until the result is of minimum size and of maximum efficiency – if you accept you must maintain secrets.
The parallel to PCI DSS is clear: it may be easy to put everything in scope (from a classification perspective), but the greater scope means too many systems and too many actors are handling sensitive data. It is more costly to segment networks, to use effective encryption, to tokenize, but the result should be an efficiently small network of card data handling actors. Just as we should be encouraging governments to avoid making all things secret, we should avoid putting all systems in scope.
The higher the cost incentive used to encourage these smaller and tighter domains, the less likely an accidental breach should have absurdly large ramifications.
Should Manning have had access to the thousands of files he did? Probably not. Should a computer system have easy access to a broad card processing network? Of course not.