Liquidmatrix Security Digest

Chan On Monoculture & PCI

Seven years ago I moved from the wilds of Toronto to the US. I packed up my things, sold the double wide igloo and drove my dog team down to sunny Charleston SC. This career change was a welcome one and, needless to say, working for a US defense contractor would soon introduce me to all sorts of interesting characters. (note: I had a co-worker in the US that honestly thought I had lived in a double wide igloo…I kid you not)

On my second week in the new office a strange looking character rolled in. He looked very much like a lost member of the band Temple of the Dog. He paused as he crossed the floor, turned his head and tipped his shades up onto his crazy haircut (a la Sideshow Bob minus the evil). Then he acknowledged my presence and said, “Dude. S’up?”. He then proceeded to pick up one of the longest ethernet cables I had ever seen and walked over to the window. “Dude, could you pitch this out the window when I get outside?”. “Um, OK?” I replied. Being the new guy I was hesitant to argue. My other office mates seemed disinterested in this event so I figured this was a normal occurrence. When he got outside and all set up he was leaning back on a lawn chair with his laptop and shades, soaking in the South Carolina sun. Thus was my introduction to Jason Chan.

I have managed to stay in touch with a lot of the folks that I have worked with over the years. Jason is one of these people. Recently, I was in his stomping ground, San Francisco, for the RSA conference. I was unable to hook up with him for his birthday, but I did find out that he was leaving Symantec (formerly @stake) for LogLogic. On Monday Jason joined the throngs of the blogging community and I would offer that we will be better for it. This is a guy that I have had the privilege of working with and I can safely say that I will be reading his future posts.

For his inaugural post Jason tackles the question of monoculture and the PCI standard. This discussion cost Dan Geer, the former CTO of @stake, his job (his paper). But, to put that in context, at the time Microsoft was a major client of @stake. While I firmly agree that corporations should diversify their computing footprint, I also understand that to say as much when Microsoft is a client would be foolhardy. The other side of the argument is that it is “easier” to support a single system. I believe that having multiple systems in an enterprise is a benefit simply due to the fact that some operating systems are better than others at certain tasks. Well, tell me I’m wrong.

From Jason’s post:

I see the merits of each side and tend to be pragmatic about platform and application selection, advocating solutions that work best for the given problem, with additional decision inputs around security, supportability and vendor relationships being considered based on organization-specific criteria and risk management approach.

I share this view in no uncertain terms. It’s foolish to wave the firebrand of one application/operating system in favour of another. The tools have to be the right ones for the client. Too often vendors approach this by trying to jam a square peg into a circular opening. Sorry, got a little distracted there. Jason goes on to tackle PCI compliance and for that, I will ask that you read his post. Thankfully, I have been spared this particular standard (at least until I move to another outfit someday).

The security industry is a small community. It’s amazing how many people I cross paths with time and again. Please welcome Jason.

Article Link

[tags]New Blogger, Monoculture, Jason Chan[/tags]
