HEMAL SHAH's Blog

PCI-DSS : Payment Card Industry Data Security Standard

2011-11-17T09:39:00.008-05:00

PCI-DSS
Payment Card Industry (PCI) Data Security Standard (DSS) is a standard that all organizations including online retailers, must follow when storing, processing and transmitting their customer's credit card information.

The DSS was developed and the standard is maintained by Payment Card Industry Security Standards Council (PCI SCC).

Listed below are the twelve requirements for PCI DSS Compliance.

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security

Different Ways of Virtualization

2011-03-04T13:51:00.006-05:00

Introduction:
What does “virtualization” or in simple terms “going virtual” really mean in today’s IT world? Virtualization is an old concept that is now being widely used for its benefits.

Virtualization can almost be applied to any and all parts of an IT infrastructure. Since virtualization is more versatile term and each of has its own significant; let’s discuss each one it in brief.

Virtualization falls into three basic categories:
Operating System
Storage
Applications.

But these categories are very broad and don’t passably outline the key aspects. It is helpful to refine these categories into eight, specific categories to thoroughly understand the differences and similarities between the definitions of virtualization.

Operating System Virtualization:
This is the most widespread form of virtualization today. Virtual operating systems (or virtual machines) are quickly becoming a core component of the IT infrastructure today. Generally, this is the form of virtualization that most of the end-users are most familiar with. Virtual machines are typically full implementations of standard operating systems, such as Windows or Red Hat Enterprise Linux, running concurrently on the same physical hardware machine. Virtual Machine Managers manage each virtual machine individually. Each operating system instance is unaware that it is a virtual and other operating system instances may be running at the same time. Companies like VMware, Intel, Microsoft, and AMD are leading the way in breaking the physical relationship between an operating system and its native hardware and extending this pattern into the data center. Data centre consolidation being a primary driving force is bringing the benefits of virtual machines to the mainstream market, allowing enterprises to reduce the number of physical machines in their data centers without reducing the number of underlying applications. This trend ultimately reduces infrastructure costs.

Application Server Virtualization:
Application Server Virtualization is often used as a synonym for advanced load balancing. The core concept of application server virtualization is best seen with an appliance or service that provides access to many different application services transparently. The virtual interface often referred to as a Virtual IP is exposed to the outside world representing itself as the actual web server, and manages the connections to and from the web server as needed. This enables the load balancer to manage multiple web servers or applications as a single instance, providing a more secure and robust topology than one allowing users direct access to individual web servers.

Application Virtualization:
While this may sound very similar; Application Server and Application Virtualization are two completely different concepts. What we now refer to as application virtualization we used to call “thin clients.” The technology is exactly the same, only the name has changed to make it more correct. One of the best examples of this includes Microsoft Terminal Services and browser-based applications. These implementations depend on the virtual application running locally and the management and application logic running remotely.

Management Virtualization:
If you implement separate passwords for your root/administrator accounts between your mail and web servers, and your mail administrators don’t know the password to the web server and vise versa, then you’ve deployed management virtualization in its most basic form. The pattern can be extended down to segmented administration roles on one platform or box, which is where segmented administration becomes “virtual”. User and group policies in Microsoft platform are an excellent example of virtualized administration rights. This is also referred as Management Virtualization.

Network Virtualization:
Network virtualization may be the most vague, specific definition of virtualization. A simple example of this is IP virtualization (VLAN): a single Ethernet port may support multiple virtual connections from multiple IP addresses and networks, but they are virtually segmented. Each virtual IP connection over this single physical port is independent and unaware of others’ existence, but the managing hardware (switch) is aware of each unique connection and manages each one independently.

Hardware Virtualization:
Hardware virtualization is very similar in concept to operating system virtualization, and to some extent it is required for virtualization to occur. Hardware virtualization breaks up pieces and locations of physical hardware into independent segments and manages those segments as separate, individual components. Although they fall into different classifications, both symmetric and asymmetric multiprocessing are examples of hardware virtualization. In both instances, the process requesting CPU time is not aware of which processor it is running on. As far as the process is concerned, it could be spread across any number of CPUs and any amount of RAM.

Storage Virtualization:
Storage virtualization can be divided into two classes:
- Block virtualization and
- File virtualization.

Block virtualization is best summed up by Storage Area Network (SAN) and Network Attached
Storage (NAS) technologies: distributed storage networks that appear to be single physical devices. SAN devices themselves typically implement another form of Storage virtualization: RAID.

File virtualization moves the virtual layer up into the more human-consumable file and directory structure level. Most file virtualization technologies sit in front of storage networks and keep track of which files and directories reside on which storage devices, maintaining global mappings of file locations. When a request is made to read a file, the user may think this file is statically located on their personal remote drive; however, the file virtualization appliance knows that the file is actually located on a server in a data center across the globe.

Service Virtualization:
Service virtualization is consolidation of all of the above into one phrase. Service virtualization connects all of the components utilized in delivering an application over the network, and includes the process of making all pieces of an application work together regardless of where those pieces physically reside. This is why service virtualization is typically used as an enabler for application availability.

References:
F5 WHITE PAPER - BY ALAN MURPHY

Database Security

2011-02-17T10:05:00.002-05:00

DATABASE SECURITY WHY?

Database security is given much importance only in the last couple of years, however, that it is beginning to draw more attention from industry analysts and security and database professionals. The combination of worsening and highly publicized data breaches on the one hand, and stricter regulatory compliance demands on the other hand are pushing database security to the foreground.

Today many database professionals are not familiar with security aspects of database management, while many security professionals are familiar with network and desktop security, but not with database security. This is beginning to change as the importance of securing databases becomes apparent.

UNDERSTANDING THE THREAT

Databases are subject to some unique types of threat that cannot be handled by firewalls, intrusion detection and prevention systems and other perimeter defenses. The threat scene is constantly evolving and becoming more stylish and specialized (e.g. attacking through memory backdoors inside databases).

Who Are The Intruders?

The Intruders could be any; the high-school student hacking into the Pentagon just to prove that he can do it; could be a professional hacker doing so with the aim of making a profit; or could be a sick person doing for fun.

This has changed the nature of intrusion attempts from ones that try to penetrate, then perhaps deface or wreak havoc, to ones that strive to be stealthy and leave no tracks with the aim of stealing data for financial gain.

Insider Threat, Privileged Users

Concurrently with the change in the nature of the external threat, there is increasing attention being given to the “insider threat”. This umbrella term refers to damage caused by individuals within the organization, either maliciously or accidentally.

Is the insider threat serious? It certainly is. Recent breaches such as the one at Fidelity National
Information Services, where a senior DBA sold millions of customer credit card records is proof of that. This does not mean that all insiders are suspects – however it is clear that insiders bent on stealing data have a greater chance of succeeding at it than outside intrusion attempts.

VULNERABILITIES

As database management systems have grown in complexity, they have become more vulnerable to attacks. The nature of these vulnerabilities ranges from relatively gentle to ones that allow unauthorized users to own the database through privilege elevation.

Much has been said and written about how DBMS vendors cope with vulnerabilities and how quickly they should patch them. The reality over the past few years shows that the number of reported vulnerabilities is rising, and while vendors are doubling their efforts to patch them, the number is constantly rising.

Additionally, it usually takes the vendor several months or more to distribute a patch, and it takes an additional several months for customer to install the patches, which usually require testing and database downtime. Many customers do not apply the patches at all, and their databases remain vulnerable to severe attacks.

The existing steps taken by organization towards database security measures are not adequate and could potentially allow intruders to attack. The organizations need to understand severity of these attacks and should take strong measures to prevent them.

Soft Skills for Technology Professionals

2009-06-24T09:59:00.003-04:00

I found an interesting article "Sexy Soft Skills" on Computer World magazine that i would like to share with.

In this article the author focuses on 10 soft skills that technology professionals need for their career advancement and suggest 5 ways to learn them. In this world of technology advancements, the expectations for IT professionals are changing. The requirement of soft skills has considerably increased over the last few years. With the technical skills the soft skills are also required to meet the business goals. The following are the listed 10 soft skills that every technology professional should learn it.

1. Listening
2. Communication
3. Confidence
4. Project and Time Management
5. Teamwork
6. Empathy
7. Appreciation
8. Leadership
9. Public Speaking
10. Business Knowledge

The easy way to learn these skills are;

a. In-house mentoring
b. Private coaching
c. Classroom or online courses
d. Book reading
e. Extracurricular group Memberships

Reference:
ComputerWorld Canada magazine.

Handbook of Overseas Indian

2008-11-03T13:13:00.001-05:00

Handbook of Overseas Indian

Excellent source of Information for Indians located Overseas.

http://moia.gov.in/shared/linkimages/177.pdf

Thanks,

Hemal Shah

Microsot Tech Days 2008 Event

2008-10-08T12:48:00.002-04:00

Microsot Tech Days 2008 Event

The rich learning experience of Tech·Ed, without the travel. You've probably heard of Tech·Ed, the annual technology education and networking conference on Microsoft-based technologies. Perhaps you've even attended. Now, we're happy to help save you the time and expense of travel by bringing the Tech·Ed experience to your city with Tech·Days 2008. With Birds-of-a-Feather lunches, and a customizable schedule from up to forty 200+ level sessions, you can connect with Microsoft experts, consultants and your peers while strengthening highly specific skills such as:
planning for Server Virtualization; applying Workload Resource Governance on SQL Server® 2008; building rich Internet applications using the Silverlight™-based platform; and a lot more.

PLUS, put your knowledge to work after the event with a FREE Tech·Days Learning Kit—with an approximate value of $1,000, plus bonus offers!

All IT Professionals must attend this event for sure.

Book Review : Confident Conversations

2008-10-05T08:49:00.002-04:00

CONFIDENT CONVERSATIONS
by Brad DeHaven

How important are the words in our communication. In fact, our communication is actually 93% non-verbal and only 7% of our words comprise of total conversation!

The major contribution of any conversation comes from voice inflection, body language, appearance and listening skills. In this book author describes The Seven Conversation Principles which influence the conversation and shows the technique of handling these principles for effective conversation.

It is an excellent book which every professional should read.

My Website

2007-11-24T18:24:00.001-05:00

My website http://www.hemalshah.com/ is a new venture of creative innovation. I launched the website in 2006 with a positive desire to publish information about me. The website is easy to browse and contains all the information about my profile.

I welcome suggestions from the viewers and would appreciate any comments made to improve it.