Tuesday, 21 August 2007

Compliance causes arguments

I mentioned yesterday that I would write more about my conversation with Erich Baumgartner at Ingrian Networks. I believe a few of the SBN know Erich rather better than I do as a matter of fact. Erich mentioned that he knows Alan Shimel and Mike Rothman amongst others, in our whistle stop tour of the security community.

I've talked before about how I've worked with Ingrian for much of my career, from when they were a fancy SSL box up until now, when they have their fancy key management and encryption system, DataSecure. I helped them sell their first devices in the UK 6 years ago, and when I moved to distribution I helped them secure a relationship there too. Not that I feel like they owe me anything, I believe it to be great technology, and more importantly, I like working with them. I've always had the opinion that Ingrian's marketing machine is permanently on full steam ahead, and having met with their marketing lead at InfoSec this year, Betty Liang, I can understand why.

Something we inevitably got around to was Ingrian's "60 days to compliance" stance. Evan Schuman printed an article without speaking to anyone at Ingrian, and Mike Rothman waded in soon after, and then again a week later. Erich sounded genuinely hurt when he said "I don't know why Mike didn't pick up the phone to discuss this before going to press".

So to set the record straight, I'm going to attempt to present this from the their side, as explained to me briefly by Erich, and in the style you will be becoming accustomed to in me by now, belligerent Brit that I am. First of all I appreciate Martin Hack's reporting of this from a supportive viewpoint, I think the consultant here has taken this the right way. This is not meant as something which a compliance officer looks at and says to himself: "Phew, Ingrian will do everything for me" and forget about his PCI program. They are clearly addressing part of PCI, and not the whole thing. I don't think ANYONE would employ a vendor to do that, even if they could address everything in PCI with technical controls.

Let's start by having a look at what the press release ACTUALLY says:
"Ingrian® Networks, Inc., the leading provider of data privacy solutions, today announced a 60 Days to Compliance Program to assist companies in meeting the impending payment card industry (PCI) compliance deadline. The new program is designed to simplify the compliance process and offers a start-to-finish strategy that includes: Ingrian award-winning appliances, data discovery of credit card numbers, comprehensive customer training and support, and implementation in order to bring customers into compliance in 60 days or less."
OK, so there's a bit of marketing speak in there, but I think it's fairly clear with words such as "assist", "strategy that includes", etc. It goes on to say:
"Ingrian's new program will help companies worldwide implement encryption, and is especially timely as retailers scramble to meet the upcoming September 30 deadline for the PCI Data Security Standard."
That clarifies things even further for me. Maybe the issue is that it sounds like Ingrian are offering full compliance in 60 days, but realistically I think anyone who cares enough to be attracted towards this type of advertising is going to be savvy enough to work out for themselves that Ingrian is only offering to address the relevant PCI requirements around encryption and key management. I get that this is pedantry from Mike and Evan, and in their worlds everything should be clear and laid out straight down the line, but it's not particularly snappy to advertise a "60 days to addressing the requirements of PCI DSS concerning encryption and key management, as part of a full compliance program", no matter how correct that may be.

I can't see that Ingrian have crossed any sacred security line here. Maybe the issue is that they've credited their customers with too much intelligence? Maybe they've made too many assumptions about the type of research people will have done into PCI before going to look at vendor sites? I'm not sure that many potential customers will just be browsing around and think "Oh hang on, PCI, yeah, I could do with addressing that, ah, look, Ingrian can do that, I'll buy some of them... hey look, a pony!" [thanks Saso for the catchphrase :)]

They've cut back on unneccesary words and made people read their headline grabbing claims. It's a shame that it doesn't seem to have been read it in context, but then maybe this was a deliberate ploy. Free publicity in Mike Rothman's and Evan Schuman's blogs, whether negative or positive, is priceless.

People forget the context they read things in after all.

No comments: