And to be clear about it: All PCI DSS requirement apply, even if you are a L4. It is just how you prove it that differs.

So security and compliance is not only about understanding the standard, it is about putting it into the context of the client and find the best fit. Something a security expert seldom can do but something a security architect with large business acumen could.

I´m fully aware that many companies are good and hold the security standard high but there are also quite a few that isn´t. Many of my clients sadly bear witness of that.

I sometimes get involved in fraud investigations, CSA (child sex abuse) or intellectual property theft where proving the crime is a rather simple process. Still I need to read hundreds of e-mails, look at thousands of photos and in general take a really long peek into a person’s life. When discussing with my fellow investigators most of them tell me that ‘getting to know’ a person that we prove to be criminal sometimes is the hardest part. Along with CSA you could find pictures of family vacations, loving mails from their spouse or just in general get to know the relationships the person have with all friends. It takes its toll on you to still be able to focus on the investigation knowing that your report will destroy the person’s life.

Sometimes it is even worse to conduct computer forensics when you have to investigate a colleague’s computer. I know that it could be expensive to hire a professional investigator but sometimes it is worth the cost. You need to be able to live with yourself.

The strength of using this methodology is that you get a quantifiable way of measure the effectiveness of your security mechanism. This could be done either by making sure that all steps in your attack tree are blocked or by measuring how many steps a single mechanism actually blocks. Both of them are usable to provide a measure of effectiveness.

A word of warning! Those figures should ONLY be used as a way to select between different mechanisms that blocks the same steps, not as a way to select to block certain steps but not others.

Using it as a way of describing risks is all well and good but using it to analyse risks and map security mechanisms and impact is something completely new. A common flaw in security is the lack of understanding when a security mechanism actually is active and when it is not. A simple example is hard drive encryption that is active only when the computer is turned off. So if you run a 24/7 business why would you then invest in such a mechanism?

It all falls back to the risk analysis and the understanding of who the culprits are (internal or external). Mapping the actors towards You3 helps you have a sound discussion with any type of security vendor and actually make sure that your money is spent on effective tools rather than something you already have paid for twice.

Looking at the possibilities of Compliance as a service I started to look at BCM, Business Contingency Management. One of my colleagues, Hans Hjertsäll, excels in that standard and I challenged him if it was possible to do. After a few minutes thought we started analyse it and I a matter of hours we found possibilities to create it as a service. The biggest challenge is of course that BCM, as opposed to PCI DSS, needs to be involved in all levels in the organisation from top management downwards. Having consultants everywhere will both be expensive and problematic as many firms tend to be volatile in their approach. However, with a sound framework, it is possible do put in a set of services for handling BCP testing, planning, workshops to create plans and so on. So after a few hours’ work I was tasked to create the plan for how such services should be implemented and delivered, something that have taken me an awful lot of hours but is finally done. Welcome BCM as a service! (and a number of British consultants will most possibly start to hate me even more now). ;-

PCI DSS as a service is in essence a concept where we use our PCI DSS reference architecture to map where the client currently is in the compliance process and how well the requirements are fulfilled. The GAP analysis, that is the outcome, gives us the information needed to provide a roadmap how to minimise the PCI DSS scope and what kind of services that is needed to become PCI DSS compliant. A couple of the services are log management, incident response, CIAAS (compliant infrastructure as a service) to name a few. The goal for us is to help the client to become compliant with as little effort as possible without compromising the overall security.

So PCI DSS as a service is mainly a tightly controlled infrastructure paired with all the services needed to fulfil all PCI DSS requirements. This could be delivered either as a cloud service that we provide, as an in-house service if the client wants to have control over the infrastructure or as a concept for those that wants to run it by themselves but would like to have a streamlined and secure setup that is easy to maintain.

But I will still of course blog here twice a month. I enjoy it and hope you are too.

I created a presentation with a few colleagues a few months ago we named: How about an unstealable car? We took a modern car with all its gadgets and computers and applied Jericho Style Security on it. I can´t say that it is possible to build but it sure was an interesting experience to see that Jericho holds true even if applied to everyday objects, not only it-systems.

Going back to the poor car dealer, I asked him several questions regarding internal communication, possibility to access the onboard computers and so on…I got the car quite a few €100´s cheaper.