Wednesday, February 20, 2008

My Last Three Identity Management Implementations: A Comparative Analysis


Stay tuned for key learnings and analysis. Till then, goodbye.


Must-Read Identity Management Links

Please follow the must-read links below if you want to learn Identity Management:
http://msdn2.microsoft.com/en-us/library/aa480030.aspx
http://www.courion.com/
http://www.oracle.com/technology/products/id_mgmt/index.html

Saturday, January 26, 2008

What are the compliance requirements for PCI DSS?

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Monday, January 14, 2008

The story of credit card theft - Part 1

The recent credit card thefts that took place at TJX and OfficeMax retail stores are very common in spite of many government and industry mandates. The moment you make a purchase using your credit card, chances are the device being used by the company hasn't been updated in the last 10-15 years, which is a bit scary.

Visa, MasterCard and the rest have each, at their own level, instituted good protection systems, security standards and policies, but within the complete transaction cycle the merchant application (retail store etc.) remains in a risky state due to lack of awareness or support from the business, and so becomes the MOST VULNERABLE POINT in the financial transaction. Hence most security breaches happen on the systems of large retail stores, gas stations etc. They are largely an open invitation to part-time computer geeks with access to the internet.

Here is how it happens: the moment you swipe your card, the credit card details are captured raw (plain text or weak encryption) and then sent from the local retail center server to the central system as part of the daily consolidation. A hacker or wrongdoer who gains access to this local system might be able to get 200-400 active credit accounts. Smart hackers, however, look into the upstream system and find a way to get into the mail server, where the number could be in the range of 40-45 million CREDIT CARD ACCOUNTS. Once the hacker is able to get into the main central system, he can also get access to:

1) Credit card number
2) Expiration date details
3) CVV number (remember the security code that most websites ask for as a second validation; this is also not foolproof)
4) Private information - home address, telephone number etc.
5) Your authentication details, if the merchant runs websites that you manage through e-business

This is what might have happened to TJX and OfficeMax stores.
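What a merchant system can do with the swipe record before it is stored or forwarded is the subject of PCI DSS Requirement 3 (protect stored cardholder data). The following is an added example, not code from this post or from any payment vendor; the record layout, field names and HMAC key are constructed for illustration. It shows the minimum hygiene: the CVV is dropped, the card number is masked to first six / last four digits, and a keyed hash stands in for the number so the central system can still correlate transactions without receiving the raw PAN.

```python
"""Added example: reduce what a captured swipe record exposes before storage.
Record layout and key are constructed for this example, not from any real system."""
import hashlib
import hmac
import re

# Constructed key. In a real deployment it lives in an HSM or key-management
# service, never on the same server as the stored records.
STORE_SECRET_KEY = b"example-only-hmac-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject malformed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the rest become '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_surrogate(pan: str) -> str:
    """Keyed hash of the PAN: lets the central system link transactions to one
    card without ever receiving the card number itself."""
    return hmac.new(STORE_SECRET_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(captured: dict) -> dict:
    """Turn a raw swipe record into a storage-safe record.

    The CVV is never kept after authorization; the PAN is masked and replaced
    by its surrogate; expiry and amount are kept (they still need protection,
    but are permitted to be stored)."""
    pan = re.sub(r"\D", "", captured["pan"])   # strip spaces/dashes
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("malformed PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_surrogate(pan),
        "expiry": captured["expiry"],
        "amount": captured["amount"],
    }
```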

Stay tuned for more information:
- How to manage this information?
- What protection systems are possible?
- What are the various governmental and industry mandates?
- What are credit card companies doing to ensure better protection of your credit card account?

Till then STAY TUNED…