PCI Compliance Thought Leader Q&A: Dr. Anton Chuvakin
This month we’ve interviewed PCI Compliance Thought Leader Dr. Anton Chuvakin, a recognized security expert in the field of log management and PCI DSS compliance. He is an author of two books and a contributor to several others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management. His blog, Security Warrior, is one of the more popular in the industry.
In conjunction with this interview, we are giving away one copy of Anton’s latest book on PCI Compliance. In order for your name to be entered into the contest, begin following us on Twitter (if you are not already!) and tweet out the following:
Read @elementps interview with Anton Chuvakin and enter to win PCI compliance book: http://bit.ly/a9hv3q
The contest ends this Friday, March 26 at 5:00 pm EST.
PCI DSS Compliance Blog: You recently launched a new security consulting practice. What are your offerings as a consultant?
Anton Chuvakin: Indeed, I have switched from being employed by a security vendor to being an independent consultant. Given my expertise in log management and SIEM, as well as PCI DSS, this is where I focus my efforts. For example, in one recent project I helped a Fortune 1000 company with their log management and log review implementation for PCI compliance. I have developed operational procedures and daily tasks they’d need to follow in order to review in-scope system and application logs for PCI DSS, security as well as other issues. Another set of projects I have completed involved helping security vendors with their PCI DSS focused products and services. So far, I have had a good balance of exciting enterprise and vendor projects. You can see a complete list of my services as well as examples of recent projects on my consulting site.
What are the areas of greatest confusion for your clients?
If I have to name one issue it would be “What to log for PCI DSS compliance?” We all know that security and compliance concerns can rarely be reduced to simple questions like this, but many people are still looking for a simple checklist on what to log, what to review, what to configure, and other such things. For example, one of the famous confusions is a reference to “system-level objects” in PCI DSS Requirement 10.2.7. I’ve yet to meet a person who knows what exactly that means, thus the issue of logging granularity is left to interpretation by curious and other experts.
One could call you a logging evangelist… in fact, you were the Chief Logging Evangelist for LogLogic at one point. Why is logging important for PCI compliance?
As I mentioned in a recent presentation, logging is a key IT accountability mechanism. And accountability is a key feature of all regulatory compliance mandates, frameworks, logs and other governance documents. Without accountability, compliance is pointless or – which is worse! – turns into an exercise of “who can lie better?”
Thus, on a high level, the value of logging is obvious. As it happens in many cases, the devil is in the details: tying system configurations and application settings to such high level and worthwhile goals is not trivial and has been the focus of some of my recent consulting projects.
Is it realistic for small businesses to monitor their logs? If so, what processes do you recommend they implement?
The simple answer is “yes” – if you operate Internet-connected computers that are involved with payment processing or other critical business tasks, you have to monitor your logs. But before that, you have to actually have logs. For many businesses, an essential stepping stone to log monitoring is actually log collection and retention. This will allow them to investigate (or hire somebody to investigate) a security incident and then adjust the controls to prevent the recurrence. Yes, it is reactive and not proactive, but let’s be realistic here: few organizations today are proactive about security. Being reactive – but reacting better and faster, based on solid information in the logs – is a more useful goal.
On a more practical level, there are plenty of free or low cost tools to deal with logs. I list some of them here.
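The answer above describes the basic loop a small business can run once it actually has logs: collect and retain them, then review them daily for a handful of event types and investigate what turns up. The script below is an added illustration of that loop and is not code from the interview or from any product Anton mentions; the log lines, host names, addresses and the five-failure threshold are all constructed for the example, and the three event types it looks for (repeated failed logins, privileged commands run via sudo, and the audit daemon stopping) are a common starting point for a review checklist, not a statement of what PCI DSS requires.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOGS = """\
2010-03-20T07:55:02 pos-db01 sshd[1021]: Accepted password for dbadmin from 10.0.0.7
2010-03-22T08:01:10 pos-db01 sshd[1120]: Failed password for invalid user admin from 203.0.113.5
2010-03-22T08:01:12 pos-db01 sshd[1121]: Failed password for invalid user admin from 203.0.113.5
2010-03-22T08:01:15 pos-db01 sshd[1122]: Failed password for invalid user admin from 203.0.113.5
2010-03-22T08:01:19 pos-db01 sshd[1123]: Failed password for invalid user admin from 203.0.113.5
2010-03-22T08:01:22 pos-db01 sshd[1124]: Failed password for invalid user admin from 203.0.113.5
2010-03-22T09:14:40 pos-db01 sudo: dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/bin/cat /var/db/cards.dat
2010-03-22T09:30:01 pos-app02 sshd[2210]: Failed password for jsmith from 10.0.0.9
2010-03-22T11:02:55 pos-app02 auditd[311]: The audit daemon is exiting.
"""

# "<timestamp> <host> <program>[pid]: <message>"; the pid is optional.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse(lines):
    """Turn raw lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for raw in lines:
        raw = raw.strip()
        m = LINE_RE.match(raw) if raw else None
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"],
            "prog": m["prog"],
            "msg": m["msg"],
        })
    return events


def daily_review(events, fail_threshold=5):
    """Return human-readable findings for the reviewer to follow up on.

    fail_threshold is an assumed tuning value: how many failed logins for the
    same account from the same source make an entry worth a closer look.
    """
    failures = Counter()
    privileged = []
    audit_stops = []
    for e in events:
        fm = FAILED_RE.search(e["msg"])
        if fm:
            failures[(e["host"], fm["user"], fm["src"])] += 1
            continue
        if e["prog"] == "sudo":
            sm = SUDO_RE.match(e["msg"])
            if sm:
                privileged.append((e["host"], sm["user"], sm["target"], sm["cmd"]))
            continue
        if e["prog"] == "auditd" and "exiting" in e["msg"]:
            audit_stops.append((e["host"], e["ts"]))

    findings = []
    for (host, user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{host}: {n} failed logins for '{user}' from {src}")
    for host, user, target, cmd in privileged:
        findings.append(f"{host}: {user} ran as {target}: {cmd}")
    for host, ts in audit_stops:
        findings.append(f"{host}: audit daemon stopped at {ts.isoformat()}")
    return findings


def retention_coverage_days(events, as_of_iso):
    """Whole days between the oldest retained event and the given date.

    Comparing this against whatever retention period applies to you shows
    whether the collected history is deep enough to investigate an incident.
    """
    if not events:
        return 0
    as_of = datetime.strptime(as_of_iso, "%Y-%m-%d")
    return (as_of - min(e["ts"] for e in events)).days


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS.splitlines())
    for line in daily_review(evs):
        print(line)
    print("days of log history:", retention_coverage_days(evs, "2010-03-26"))
```

Run as-is it reports three findings from the sample (the burst of failed logins against "admin", the sudo command reading a card-data file, and the audit daemon exiting) and five days of retained history; the single failed login for "jsmith" stays below the threshold and is not reported, which is the kind of noise reduction a daily review needs to stay short enough that somebody actually does it.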
A second edition of a book you co-authored - PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance - was recently released. Who would benefit from picking up your book?
As we say in the preface, “this book is for the Information Technology (IT) managers and company managers who need to understand how PCI DSS applies to their organizations. This book is for the small- and medium-size business that doesn’t have an IT department to delegate to. The book is also for large organizations whose PCI DSS project scope is immense. It is for all organizations that need to grasp the concepts of PCI DSS and how to implement an effective security framework that is also compliant.”
To put it simply, the book is for everybody in the PCI ecosystem: merchants, service providers, vendors, consultants, etc. While most of the content is useful for those actually implementing PCI DSS controls, a few of the chapters will be enlightening even to their bosses and likely even their bosses’ bosses.
Without giving too much away, what are one or two points that emerge from the book that you think every business should know about PCI compliance?
I would like to make two points here and still risk oversimplifying an incredibly complex issue of payment security.
The first is: don’t think of protecting the data first, think of eliminating the data first. Building a business process that does not touch sensitive card data is actually simpler than protecting said data (by the way, nowhere in that sentence does it say that it is simple – just simpler).
The second point is somewhat different for larger and smaller companies. If you are large and have to do an onsite assessment by a QSA, then don’t fear the assessor! We even have a chapter with that name: “Don’t Fear the Assessor.” You are much more likely to be successful if you treat his visit as a valuable service and not as an intrusion. If you’re small and have to self-assess, the lesson is similar: PCI is actually useful for you. We should have written a chapter called “PCI DSS is good for you”, but we haven’t – this information on the benefits of PCI DSS is all over the book.
You are very active on social media platforms like Twitter and del.icio.us and blog regularly. What are your favorite resources for PCI compliance information on the web?
My co-author Branden Williams’s blog deserves a special mention, because it is awesome.
Where do you see the PCI compliance industry in five years?
To be honest, I don’t want to see a “PCI compliance industry” at all: not now, not in a year, not in five years. Admittedly, there is a cottage industry of people profiting off PCI compliance, but I would not want to call it a “PCI compliance industry.”
On the other hand, the secure payments industry will hopefully make a few significant leaps and bounds in five years. I hope to see almost total elimination of merchant-side payment card data storage, I hope to see the mag stripe finally bite the dust (won’t happen, I know) and I hope to see truly merchant-to-issuer encryption (what used to be called “end to end encryption”) which not only limits but prevents the exposure of all entities to cardholder data. Also, I hope to see a way to do secure micro payments – something that has not yet materialized at all.
Personally, I’d take tokenization over E3/E2EE any day now. Philosophically, the “kill the data” approach just beats the “protect the data” approach with the way people approach security today. It is just harder to screw up if there is no data to protect. Still, I see them both facing increased use since in some cases you just have to use one and not the other (or both).
Read our previous PCI Compliance Thought Leader Q&A with Rick Dakin, President of Coalfire and don't forget to enter the contest to win Anton Chuvakin's book!