I had know idea that there was a genre of online comedy videos that used scenes of Hitler from movies coupled with fake closed caption information….

Didn’t really think Hitler could be all that funny, but this one is pretty good.  Mind - I don’t speak a lick of German and have no idea what is really being said here, but the captions are hilarious…

Thanks to ReadWriteWeb for the spot.

YouTube - Hitler and Cloud Computing Security.

The big news this year is that the show didn’t suck.  Someone told me that it was the best attended show (by retailers) in the last 5 years.  I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic was significantly better than last year.  Last year we had all kinds of time to hang out in people’s booths and talk with technology clients and vendors about security - this year most of the significant vendors had retailer traffic a lot of the time.  I will say that it was hard to tell with Motorola (who had one of the largest booths) who apparently brought every employee within a 200-mile radius of New York to the show - seriously….

Our clients all seemed to be very busy (which is good) and while they certainly spent time with us, we didn’t infringe on their hospitality too much as they had clients to see and non-clients to (hopefully) impress.

In terms of security - there wasn’t much to be found on the expo floor.  We didn’t see any booths (I heard that one of NetSPI’s competitors was hanging out in someone’s booth, but we never found them) from major security and compliance players and, while security and PCI were certainly still being used to push product (it was printed on a ton of booth signs), it was very surface-level this year.  No one seemed to be at all that interested in a deep discussion - they just knew that their product did x, y, and z for PCI…  Most of the software companies didn’t even have their primary security person at the show.  Even AT&T and Verizon, both having acquired large security practices didn’t really talk about security - they focused their efforts on retail technology divisions or communications.

I think, with the economy and retail marketplace slowly improving, technology companies that really don’t understand compliance and security (and don’t want the burden of supporting deep discussions around the same) have decided that they are going to relegate compliance to a ‘check-box’ activity.  In other words, ‘I am PA-DSS compliant, so I don’t really have to talk about security anymore, thanks…’

My reaction to this attitude - I see opportunities for vendors that really are willing to understand compliance, it’s impact on retailers, and their own ability to positively influence a retailer’s compliance efforts.  I see problems for companies that check their box and then wash their hands of clients’ compliance concerns.

For the organization I work for, I think it might actually be a good thing in the long term as we help our clients take the first path and better prepare their teams (both on the technical and marketing side of the house) for supporting their clients.  It certainly seemed to be playing out well for our clients at the show - they not only had their compliance box ‘checked’, but they were using that experience and the knowledge that they actively gained from the relationship to better position their clients and, therefore, their own brands and products.

Regardless, the show this year was a big improvement over last and most likely indicates an improved outlook for the retail community and the broader economy (retailer spending tends to foreshadow economic conditions) and that’s good news regardless.  Again, I’m disappointed about the lack of security-focused discussion at the show this year, but happy that retail might be slowly coming out of a very difficult time.

Related articles by Zemanta

• Ingenico Launches Secure Multimedia Powerhouse iSC350 to Kick-Off 99th NRF Show (pindebit.blogspot.com)
• Retail Faces Uncertainty as CIT Enters Bankruptcy (abcnews.go.com)
• Late Season Surge Helps Retail Sales Gain 3.6% Over Last year (shoppingblog.com)
• Source Technologies Introduces Next-Generation of PilotPoint™ Self-Service Bill Payment Kiosk (pindebit.blogspot.com)

Bad Alex!

Well, I’m heading out to another NRF this weekend and I promise that I’ll post something either from the show or shortly thereafter.  It might have something to do with how poorly security is represented at the show (other than at least 25 ‘Instant PCI’ offerings and Trustwave throwing money around…), but we’ll see.

If anyone out there is actually going to be at NRF and is interested in connecting, please let me know - alex.crittenden@yahoo.com - and we’ll figure something out.

Thanks and Happy New Year!

Related articles by Zemanta

• NRF Discusses $1.1 Billion V/MC Payout (pindebit.blogspot.com)
• The Card Game: How Visa, Using Card Fees, Dominates a Market (nytimes.com)
• Late Season Surge Helps Retail Sales Gain 3.6% Over Last year (shoppingblog.com)

These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry…  Here’s the link:

PCI Council Webinar Release

Guardium - IBM Acquires Guardium.

Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit

What’s most interesting to me in all of this is that fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occured, they have taken that holistic understanding and are working to hold their providers responsible.

Should be interesting to see how this plays out for all parties involved - it could have a real impact on POS software providers, the service organizations, and merchants of all sizes…

With the Microsoft SharePoint conference having recently taken place, I have been thinking a lot about SharePoint lately (haven’t you?) and about what a powerful and dangerous tool it can be.

Before I get into what I’ve been thinking about, here are a few things to consider:

• A Microsoft employee recently told me that SharePoint has been the most rapidly adopted product in Microsoft’s history. While I haven’t been able to confirm this, it doesn’t really matter - what matters is, it’s everywhere and it got there quickly…

• A large number of the installations where first put in as side projects or experiments that ended up proving out.

• SharePoint, particularly when it’s an experiment, seems to be initially managed by someone that takes it on as an additional responsibility because they realize the power of the solution and want to wake their company up to the possibilities – it’s not a core focus of their position.

• If SharePoint is embraced by an organization, it quickly expands to include huge amounts of data - often including data that is very sensitive.

• Once SharePoint becomes part of how a company functions, new SharePoint functionality is often built and implemented by the organization (often these efforts are out-sourced, particularly before internal SharePoint expertise is built-up.)

I think the entire concept of SharePoint (and the other knowledge sharing solutions out there) is fantastic. I’m a big believer in collaboration and data sharing and the positive impact that can be had when a company empowers its employees. The ability to manage, through a common platform, access to company data is great.

Now, If you read the points above, you should quickly see that there is also a real potential for disaster here as well - a complicated environment, access to huge amounts of potentially sensitive information, and application customization that could possibly have an impact on access to all of that information…

Maybe it’s not cardholder data and the card brands aren’t threatening you with fines and the like, but I don’t think any retailer would like to have their quarterly numbers leaked before the official release date. How about trade or manufacturing secrets sold to a competitor? Employee’s personal information exposed and used in identity theft? Information about an upcoming merger leaked to the competition?

These issues are real and can be just as damaging as any compliance issue.

I guess my point is this - SharePoint can be a very powerful tool for an organization, but, just because it may not include PCI-relevant data doesn’t mean that security isn’t important. SharePoint provides access to data that you typically don’t want leaving the company and it needs to be considered a potential security risk – not shut down, not curtailed to the point where it’s useless, but it does need to be considered when looking at your security strategy.

And yes, you certainly can use SharePoint itself to handle user management and access, but don’t place all your hope in managing users - understand the overall security picture of your SharePoint implementation. It’s the only way of really understanding the risks involved.

Interestingly enough, it doesn’t seem like there are many out in the security community that have really been able to show expertise with SharePoint security assessment and gap analysis - plenty that claim to understand user management, but very few have experience looking at SharePoint security holistically.

There are a few firms that have developed expertise and proven themselves, but I think the SharePoint user community is currently hard-pressed to find good, independent partners that aren’t also trying to sell them SharePoint development or hosting services (which I find sorta funny because none of these companies seem to recognize the inherent conflict of interest involved with that model.)

Related articles by Zemanta

• Eight Pros and Eight Cons to SharePoint 2010 (cmswatch.com)
• Closing thoughts on SharePoint Conference (cmswatch.com)

After asking you all to give me some questions for PA-DSS, I finally am getting around to posting up some answers.  Some of them are also taken directly from numerous conversations that I have had with software vendors over the last several months and, truthfully, I’m glad that I waited to put that post together…It’s not entirely retail focused, as PA-DSS crosses most industries, but I hope it proves useful in answering some common questions…

It’s located over at the NetSPI blog again and you can find it here - PA-DSS Questions.  Still no comments yet on the NetSPI blog (we’re getting closer) so feel free to leave any commentary here and thanks for taking a look.

What seems to really happen is that these large firms that don’t have a focus on security see an opportunity and spend a bunch of money to acquire well-known brands and, far more importantly, the teams of consultants and managers and the processes that have actually made the brand so well-known.  The problem is, the companies getting acquired aren’t really product companies - they are consulting firms.  Pretty soon the consultants and business managers start realizing that they are now an afterthought at an organization that doesn’t really know what the hell to do with them - so they start to leave. 

I haven’t been in the field as long as many and haven’t seen the various waves of acquisition that have occurred over the years in the security industry, but I have seen enough to believe that AT&T is going to mess up VeriSign.  They won’t be able to help themselves - they’ll turn the VeriSign consulting organization into an AT&T company - making them an add-on services offering and most of the decent people are going to get very quickly sick of their new-found position as a loss-leading line item in a huge telecommunications contract.

Maybe I’m wrong and, for the sake of those at VeriSign, I hope that I am, but I won’t be surprised if there are suddenly a lot of the better VeriSign people rapidly looking to make a change. 

This one’s over at the NetSPI blog as well (I swear that I’m still going to be posting over here on a more regular basis, but, since NetSPI’s doing a good job with the blog, I’m going to blend my posts between the two blogs…).  Any feedback is going to have to come here, though.  They still don’t have the commenting turned on…

Beyond the PCI Audit:  Helping Merchants and Service Providers as a Partner

Technorati Tags: PCI DSS, PCI, NetSPI, security