Messaging middleware audits and remediation for Data Security Compliance: The new frontier of PCI, SOX, HIPAA and Regulatory Governance
We have all heard that “an email is like a postcard”; now let us introduce you to messaging middleware. Messaging middleware is industrial-strength email for applications, and WebSphere MQ (WMQ) is the de facto standard for it, with over 10,000 installations globally. Other vendor products include MSMQ, TIBCO and SonicMQ.

When IBM created MQSeries in the early 1990s, MQ administrators were not concerned with security regulations. They focused on installing and configuring the product in the fastest and most straightforward way that gave applications the connectivity they needed, without placing any constraints on usage. As use of MQSeries grew, it remained common to deploy it in its “out of the box” configuration, which is designed for ease of implementation and imposes no security constraints. MQSeries can be configured securely, but doing so has not traditionally been the primary focus of MQ administrators, and the consequences of leaving messaging middleware unsecured can be severe.

Security is now paramount in the marketplace, so messaging middleware networks are coming under increased scrutiny. Companies now fail PCI audits because security constructs are unconfigured or misconfigured, and the same findings will fail SOX and HIPAA audits as auditors are educated about messaging middleware. All of these regulations post-date the initial growth of messaging middleware: HIPAA was enacted in 1996, SOX in 2002, and PCI DSS was first published in 2004 and placed under the PCI Security Standards Council in 2006.

The default configuration of WMQ allows anonymous administrative access to the queue manager’s command server. A server-connection (SVRCONN) channel whose MCAUSER is blank runs each connection under whatever user ID the remote client asserts, so an unauthenticated client that asserts a member of the mqm group can issue any administrative command, including ones that run arbitrary commands on the host. In effect this is remote code execution for anonymous users across the network, and its seriousness is transparent to anyone in the security community. (WMQ 7.1 and later ship channel authentication (CHLAUTH) rules that block privileged users on SVRCONN channels by default; those defaults only protect queue managers that have been upgraded and whose rules have not since been weakened.)
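The default-configuration weakness described above, as an added example that is not from the whitepaper or from IBM: a small Python auditor that reads an MQSC definition dump (the format dmpmqcfg produces), flags server-connection channels whose MCAUSER is blank or privileged or that have no SSLCIPH, and emits the corrective MQSC for each. The sample definitions are constructed; the low-privilege ID `nobody` and the cipher spec are placeholders to be replaced with the site’s own, and the CHLAUTH command assumes WMQ 7.1 or later.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the style of an MQSC definition dump (what dmpmqcfg
# emits); it is not taken from any real queue manager.
SAMPLE_MQSC = """\
DEFINE CHANNEL('SYSTEM.ADMIN.SVRCONN') CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) MCAUSER(' ') SSLCIPH(' ') +
   REPLACE
DEFINE CHANNEL('APP1.SVRCONN') CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) MCAUSER('mqm') SSLCIPH(' ') +
   REPLACE
DEFINE CHANNEL('APP2.SVRCONN') CHLTYPE(SVRCONN) +
   TRPTYPE(TCP) MCAUSER('app2svc') +
   SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') SSLCAUTH(REQUIRED) +
   REPLACE
DEFINE CHANNEL('TO.QM2') CHLTYPE(SDR) +
   TRPTYPE(TCP) CONNAME('qm2.example.com(1414)') XMITQ('QM2') +
   REPLACE
"""

# Assumed placeholders: pin SVRCONN channels to a dedicated non-login OS ID that
# holds only the OAM authorities the application needs, and pick a cipher spec
# the queue manager version actually supports.
LOW_PRIV_USER = "nobody"
CIPHER = "TLS_RSA_WITH_AES_128_CBC_SHA256"
PRIVILEGED_USERS = {"mqm"}   # members of mqm are full MQ administrators

# One MQSC attribute NAME(value); a quoted value may itself contain parentheses.
_ATTR = re.compile(r"(\w+)\(('(?:[^']|'')*'|[^()]*)\)")


@dataclass
class Finding:
    channel: str
    severity: str
    issue: str
    fix: str


def _logical_lines(text: str) -> List[str]:
    """Join MQSC continuation lines (trailing '+') into single statements."""
    stmts, buf = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank or comment line
            continue
        if line.endswith("+"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        stmts.append(" ".join(buf))
        buf = []
    if buf:
        stmts.append(" ".join(buf))
    return stmts


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == "'":
        value = value[1:-1].replace("''", "'")
    return value.strip()                  # MQSC writes a blank value as ' '


def parse_channels(text: str) -> List[Dict[str, str]]:
    """Return one attribute dict per DEFINE CHANNEL statement."""
    channels = []
    for stmt in _logical_lines(text):
        if stmt.upper().startswith("DEFINE CHANNEL"):
            channels.append({k.upper(): _unquote(v) for k, v in _ATTR.findall(stmt)})
    return channels


def audit_channels(channels: List[Dict[str, str]]) -> List[Finding]:
    """Flag SVRCONN channels that hand out admin access or run in the clear."""
    findings = []
    for ch in channels:
        if ch.get("CHLTYPE", "").upper() != "SVRCONN":
            continue                      # only client-facing channels are in scope
        name = ch["CHANNEL"]
        mcauser = ch.get("MCAUSER", "")   # attribute absent means the default: blank
        pin = f"ALTER CHANNEL('{name}') CHLTYPE(SVRCONN) MCAUSER('{LOW_PRIV_USER}')"
        block = f"SET CHLAUTH('{name}') TYPE(BLOCKUSER) USERLIST('*MQADMIN')"  # WMQ 7.1+
        if mcauser == "":
            findings.append(Finding(name, "HIGH",
                "blank MCAUSER: the connection runs as whatever user ID the client "
                "asserts, so a client asserting an mqm member is a full administrator",
                f"{pin}; {block}"))
        elif mcauser in PRIVILEGED_USERS:
            findings.append(Finding(name, "HIGH",
                f"MCAUSER('{mcauser}') makes every connection an MQ administrator", pin))
        if ch.get("SSLCIPH", "") == "":
            findings.append(Finding(name, "MEDIUM",
                "no SSLCIPH: traffic is in the clear and the client is not authenticated",
                f"ALTER CHANNEL('{name}') CHLTYPE(SVRCONN) SSLCIPH('{CIPHER}') SSLCAUTH(REQUIRED)"))
    return findings


def audit_mqsc(text: str) -> List[Finding]:
    return audit_channels(parse_channels(text))


if __name__ == "__main__":
    for f in audit_mqsc(SAMPLE_MQSC):
        print(f"[{f.severity}] {f.channel}: {f.issue}\n    fix: {f.fix}")
```

Against a real queue manager, feed the auditor the output of a definition dump (for example `dmpmqcfg -m QMGR -a -t channel`) instead of the constructed sample. The two HIGH findings it raises on the sample are the same defect seen from two sides: a blank MCAUSER lets the client choose its identity, and MCAUSER('mqm') removes the choice but makes every caller an administrator; pinning the channel to an unprivileged ID fixes both.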
It has been determined that most current messaging middleware installations (over 90%) are not configured to use the built-in product functionality that reduces or eliminates these security threats. In addition, messaging middleware requires custom-programmed security exits before all PCI compliance requirements can be met.

…BUT THE PROBLEM IS NOT A THEORETICAL ONE

Card companies may impose fines on their member banking institutions when merchants are found to be non-compliant with PCI DSS, and acquiring banks may in turn contractually oblige merchants to indemnify and reimburse them for those fines. Fines can reach $500,000 per incident when data is compromised and the merchant is found to be non-compliant. In the worst case, merchants also risk losing the ability to process customers’ credit card transactions.