Tuesday, February 11, 2014

According to the Verizon 2014 PCI Compliance Report, which was released today, more than 82 percent of organizations were compliant with at least 80 percent of the PCI standard at the time of their annual baseline assessments in 2013, compared to just 32 percent in 2012.
The study, which aggregates data from actual PCI assessments done by Verizon during the course of the year, offers a look at the actual experiences of businesses that must comply with PCI DSS, which is the mandated set of guidelines for any organization that handles credit card transactions.
While assessment-time compliance is up, many organizations tend to fall out of compliance between audits, the study says.
"We continue to see many organizations viewing PCI compliance as a single annual event, unaware that compliance needs to have a 365-day-a-year focus," stated Rodolphe Simonetti, managing director for the PCI practice at Verizon Enterprise Solutions.
Areas where businesses struggle the most in achieving initial compliance include security testing (23.8 percent); security monitoring and the ability to effectively detect and respond to data compromises (17 percent); and protecting stored sensitive data (55.6 percent), the report says.
The compliance problem is not an issue of technology or flaws in the standards, but in the ongoing implementation, Verizon states.
"Anything less than 100 percent compliance is an issue for businesses today," Simonetti said. "We have seen time and time again that noncompliance leaves an organization open to credit card theft, which can potentially cost hundreds of millions of dollars when you factor in all the damages -- not to mention lost consumer trust and the impact on brand reputation. Organizations need to rethink how they factor in maintaining a PCI-compliant environment, whether it's devoting more resources or working with a managed security services provider."

Wednesday, February 5, 2014

Creating Enterprise Data and Mobility Security

February 5th, 2014
By: Bill Kleyman
As more enterprise users are taking advantage of mobile devices, there's a growing and important need for mobility security.
More end-users are bringing in their own devices into the corporate setting to get their jobs done. In fact, some users are now utilizing three or more devices, all of which may have access to corporate data.
Furthermore, the numbers around just how much data is being passed through these devices really paint the picture. According to the latest Cisco Visual Networking Index, “The increasing number of wireless devices that are accessing mobile networks worldwide is one of the primary contributors to traffic growth. Each year, several new devices in different form factors, and increased capabilities and intelligence, are being introduced in the market. By 2017, there will be 8.6 billion hand-held or personal mobile-ready devices and 1.7 billion machine-to-machine connections.”
A growing number of wireless devices, including smartphones, tablets and laptops, are accessing mobile networks worldwide.
There are some inherent benefits to creating corporate mobility – productivity, worker happiness, less end-point management – but there are also many concerns. IT administrators are already responsible for many devices on their network. Now, there’s the potential that they have to monitor and manage even more.
The most efficient way to approach mobility is to have a well-planned deployment with good policies in place. Without a doubt, one of the first planning points will revolve around security and how to best manage it with so many devices being brought in.
Here’s the first mind-shift that has to happen. Instead of trying to control the device – you should care more about the applications, workloads, data and experience being delivered to the device. This way you create an optimal delivery methodology which is truly agnostic to the device itself. Still, security must be wrapped into these policies and around the workloads that are being delivered. To that extent – here are some great ways to create mobility and data security.
  • Use Enterprise/Mobility Management Platforms. The rise of the mobility revolution meant that there had to be a technology that would help administrators manage both devices and the data flowing through them more efficiently. Working with these management platforms can have a lot of benefits for organizations allowing personal devices to connect to internal network components. Scanning for things like rooted or hacked devices and stopping access from malicious software are all MDM/EDM features. Furthermore, administrators can leverage granular control mechanisms to have better visibility and manageability of end-point devices. If a device is lost or stolen, administrators have the option to wipe only corporate data or the entire device remotely. Finally, these platforms can directly optimize how applications and other content are delivered to the user – by creating adaptive orchestration policies.
  • Lock down applications and workloads. A large part of the mobility and data control environment resides with various virtualization technologies. In creating a good mobility security policy, administrators have to find ways to lock down their applications, various data points and even desktops. By using next-generation technologies, administrators can limit access to all or even part of an application or workload. Above and beyond just controlling how the end-point accesses the environment, user and data controls should be deployed to better manage mobility-enabled devices.
  • Deploy next-generation security. Enterprise security has come a long way. Physical firewalls are no longer the end-all security solutions. Now, administrators can deploy specific security processes on dedicated virtual or physical devices. In working with next-generation security products, administrators are able to really lock down the access into their network.
For an enterprise mobility initiative, next-gen security can help with some of the following tasks:
  • End-point device interrogation.
  • Access based on the device, location, and user.
  • Using application firewalls.
  • Deploying virtual appliances as secondary checkpoints or isolated controllers for end-user personal devices.
  • Deploying adaptive two-factor authentication methods driven by secure certificates.
  • Data access monitoring.
  • Data Leakage Prevention (DLP), Intrusion Prevention/Detection Services (IPS/IDS)
The term “next-generation” security really focuses on the new types of IT initiatives currently being deployed by many organizations. A part of that includes mobility, device, and data management. Terminology aside, if you’ve purchased a network access controller, security appliance, or some type of gateway technology – chances are that your device has some next-generation security features already built-in. Use your appliances – both virtual and physical – to their fullest capabilities to deliver a truly powerful computing experience.

Create Mobility and Data Usage Policies

An organization may have the best infrastructure in place for mobility; however, an uninformed user can still be a very dangerous asset to have to manage. User empowerment and education have come a long way in the IT field and many are much savvier than they are given credit for. In light of this, their usage of corporate data on personal devices may actually make them (accidentally, in most cases) more dangerous. First of all, there needs to be a corporate mobility policy in place. In many instances, this is an extension of the existing computer usage policy. Users must know that although the devices they are using are personal, the data they are viewing is still corporate-owned. Because of this, their data usage or even working session may be monitored and controlled. Although visibility into the personal device will be limited by privacy regulations – all data accessed from the central data center may be monitored and user activity logged.
Creating a happier worker can have many different benefits. However, security and integrity of corporate data must be one of the top priorities. The beauty of today’s security technologies is that administrators are able to still deliver a powerful computing experience while locking down their infrastructure. When working with modern mobility trends, the main rule is simple: never allow a free-for-all to occur.
Although many devices may be allowed – IT administrators should still limit the types of devices they allow on their network. In many cases, to access corporate data, the end-user may need to install some client software. To ease management, IT should supply a hardware list which is capable of supporting the client on various end-point platforms. In doing so, the user can still bring in their own devices, access the data, and IT will be able to secure and control the experience.

Monday, February 3, 2014

How 3D Printing Will Change Everything!




What if I were to tell you that one day printers will be able to build homes, manufacture guns and cook food? That would be pretty remarkable progress, and to my surprise, it's quite possible.
The potential of 3-D printers reaches beyond revolutionizing the printing market and into transforming entire industries.
To be honest, the term "3-D printing" doesn't do justice to the true capabilities of this technology. Lucas Mearian, a senior writer at Computerworld, wrote about this topic. In December, he wrote about the first 3-D printed organ (a liver), which is expected later this year. The month before, he explored the dangers of 3-D printed guns exploding.
Both of those examples highlight how 3-D printers can produce very complex products, one through advancing medical science, the other with thermoplastic materials.
If you take it one step further, you can see that once these printers can scale in size, much larger items can be built with little human labor. Construction of homes from 3-D printing becomes a real possibility. (There's already a video on YouTube from a TEDx talk last year about "contour crafting" and the automated construction of a house.) But if you really want to dream big, imagine sending these printers to the moon, where they could build facilities that are managed from Earth.
Not crazy enough for you? Think about the ability to actually have food available wherever there is electricity. The food would be freeze-dried, crushed and placed into "ink cartridges." With the push of a 3-D printer button, the heat it produces could cook your food.
Imagine having a 3-D printer available to print replacement parts at your business or home. When something breaks, you simply download the specs and print it out wherever you are. No customer service calls, no shipping and handling costs, no waiting.
When I think of the ramifications all this will have on intellectual property protection in just about every industry, it's more than a little mind-boggling. No wonder the Harvard Business Review wrote about this last spring under the headline, "3-D Printing Will Change the World."
I'd love to hear what you are thinking about the potential of this technology. Write to me below.
