Thursday, April 30, 2009

Feeling Good? Or praying for a guardian!

For the better part of three months I have been converting to Mac. I have a new MacBook Air and, with the frequent travel that I do, I was drawn to its lightweight design. But I am not finished, and there are still a few small things I need to do before I can finally switch off my PC. I will persevere, mind you, as it was at Tandem in the late ‘80s, early ‘90s where I was first exposed to the world of Mac.

This weekend I am off to Prague to participate in the European BASE24 User Group (EBUG) conference, and I was hoping that I would be giving my presentation from the Mac. But it’s not to be. The picture I have included at the top of this post is of my Simi Valley office, littered with supporting peripherals and documents from both systems, and only after posting to the blog did I notice the jar of antacid tablets next to the PC!

My company emailed warnings to us all, a few weeks back, about the potential damage that could be unleashed come April 1st, as the much-publicized Conficker worm “activates.” As I read the email, I was anxious to comply, so I began to follow the instructions for ensuring I had the latest anti-virus protection in place, but I soon became a little confused. When I went back to IT I was politely told that, as a Mac user, none of these warnings were for me. The worm was only infecting PCs – there are some benefits after all from working on a Mac.

Our eldest daughter is a school teacher and she works with the younger crowd. Each year, checking that the students have all been immunized is an important undertaking. I can remember how, as a child, very few of us had the vaccinations even though they were available. But today it’s mandatory, and the regulations now in place force community-wide conformance – or no education. And for that, I have to say I am pleased.

Is there too much intrusion by legislators, and is it all really necessary? Is regulation a form of insurance? Is compliance just a “feel-good” experience? In other words, do we really go out of our way to see if the steps we take are effective, or are we simply feeling good in just going through the motions? Today, in most countries, you cannot drive your car without proof of insurance; in the same way, is our compliance with the rules (regardless of what’s at stake, and without ever putting the “remedy” to the test) all that concerns us?

As a society, Australians like to have a drink. We go to the beach and we pack the “esky” full of beer. We go to the cricket, or the footie, and load up with as much of the “liquid amber” as we can carry. A few years back a commercial that aired on television depicted an old, dilapidated “ute” loaded down with cases of beer in preparation for the annual visit by the “shearers.” Before the ute heads out, the driver jumps back into the liquor store to get a bottle of sherry “for the missus,” but when it’s tossed on top of the ute, the axles snap and the ute collapses on the ground. The only response from the driver: “I guess we overdid the sherry!”

But the culture had to change, as the death toll climbed each year (among the worst in the world), and legislation was the only option. The blood alcohol limit was dropped to .10, then .08, and finally .05. “Peter Perfect,” Australia’s most famous racing car driver, even changed his racing number to “05!” The police, enforcing the law, equipped special transit buses as test facilities, and then would park them down a side street, pulling over everyone as part of a “random” breath testing program to ensure “compliance!” Within a few short years, what was socially acceptable changed radically. Designated drivers became routine and “protected” through the night – and stories about driving with a buzz were no longer tolerated or considered funny under any circumstance. Complying with the regulations quickly changed Australian society.

IT has changed, as our businesses have changed and as they have pursued greater market share. Every company can maintain a global presence and provide real-time support for its customers and business partners. The infrastructure that connects us all has ceased being just in support of entertainment and our hobbies, and has crossed over into the mainstream of business. Everyone is networked to everyone else – and it’s still only early days as we climb the upward slope of the technology lifecycle, far from showing the maturity associated with other more familiar technologies such as newspapers and television. The internet has changed how mainstream business is done, and the NonStop platform is, once again, squarely in the middle of it all.

Not everyone, however, plays by the “rules” – with so much commerce being undertaken on the web, and so many financial transactions passing between anonymous parties, the temptation to siphon off “just a little” has become a major concern. The teenager who abuses the phone system to make free calls is slowly being overshadowed by the professionals, and each time I return to a former Eastern Bloc country I am reminded of how many smart people there are out there! The target is no longer the corner store, but retailers and banks. I wouldn’t be at all surprised if one day I awoke to the news that a country’s central bank had been hit by rogues with PhDs who redirected wire transfers between countries and stole billions of dollars!

But again, as with child vaccinations, having our cars insured, and not drinking and driving – governments are being forced to step in and legislate. Systems have to be secured, identities protected, money and goods shipped only to trusted parties. The scale is just so much greater these days, and it’s no longer individuals cashing a couple of bad checks or a credit card holder failing to make payments – fraud is now big business. Economic times have forced highly educated individuals into well-run organizations intent on penetrating any business capable of providing them with something of value.

The NonStop computer, to the best of my knowledge, has never been broken into – but the open system message has the potential to change this – the more commodity applications find a home on NonStop, the more I anticipate something ugly coming along for the ride.

What never ceases to amaze me is that, until the legislation was introduced and rules put in place, financial institutions were not prepared to take the precautions. Rather than implement sensible security measures, they were prepared to lose money from fraudulent transactions and to write it off as a cost of doing business. It took the Payment Card Industry (PCI) to create a security standard, with stiff penalties imposed for non-compliance, to get the leaders of these financial institutions to start implementing safety measures! And the NonStop user community sits squarely in the cross-hairs with PCI, given that more than two thirds of credit card traffic continues to pass through NonStop and given its role in support of mission critical applications.

The PCI regulations simply call for financial institutions to comply with a few items. Build and maintain a secure network. Protect cardholder data. Maintain a vulnerability management program. Implement strong access control measures. Regularly monitor and test networks. And maintain an information security policy. The more I look at what’s being called for, the more I am perplexed that it even has to be spelt out like this. The NonStop folks I interface with have, for the most part, been aggressively pursuing activities like this for years!

PCI is calling for compliance and reminding financial institutions of the penalties associated with non-compliance. Jaywalking is illegal, and punishable with costly fines. It never ceases to shock me that we need to be told this, and to be reminded that stepping out into traffic doing 55+ mph can be pretty reckless. It wasn’t until I was stopped, and threatened with a ticket for crossing the road against the red light where I live in Simi Valley, that it became obvious I still needed a little gentle reminding after all. Non-compliance could have fatal consequences.

There is going to be an interesting round table at EBUG 2009, I’m told. The three otherwise competing security vendors will be hosting a round table to gather the requirements from the BASE24 users so that collectively they can work on addressing them before severe penalties for non-compliance will kick in for these companies. In a rare, harmonious show of unity, the security vendors will be attempting to shield BASE24 users from the unkind eyes of the regulator’s auditors.

It’s not so much the fear of being defrauded that prompts financial institutions to take security measures; it is being found non-compliant within their community, and being locked out of the network, that frightens them more than anything else. NonStop applications may not have been penetrated yet, but that’s no excuse for failing to comply with the regulations.

As for the Mac – I should have it all sorted out soon. As for being secure, and feeling good – there’s something reassuring in knowing that the origins of the NonStop operating system are in a kernel called Guardian!


Robert said...

Actually, Richard, there are now viruses targeting Macs. As Mac use grows, I'm sure we'll see more. So while the risk is not as great today, it is growing.

Richard Buckle said...

You're right, of course, and I am afraid it's only a matter of time and I was cautious. But it was good for the story and I will leave it at that!