Back in the New World

Posted in Company News, Security on March 30th, 2010 by Robin

Well, I am finally back in Minneapolis with no scheduled plans for travel until COMMON at the beginning of May. Of course, that can change at a moment’s notice so if you need any security services, let me know. Have bag; will travel!

I’d like to give a “Thank You” to Jill Martin for updating us here last week about her activities while I took a couple of (almost) vacation days in and around London with my children. What a spectacularly intense city that is! There is so much culture and history shoe-horned into a fairly small geographical space, and when you add in the vast population of commuters and visitors, you could be excused for becoming totally overwhelmed. One of the keys to a successful visit to London is understanding the incredible public transportation systems, and to not run yourself ragged trying to accomplish too much. (Easier said than done!)

From a professional perspective, it was a very successful trip. Although phones and e-mail are quick, cheap, and efficient methods of communication, there is something irreplaceable about an old-fashioned, face-to-face meeting and a firm handshake. Spending time with the Help/Systems International sales teams from the UK, France, and Switzerland was very enlightening, as we discussed and compared the security requirements of IBM i customers in the United States and Europe. I also ran through the PowerTech security information with the technical support team prior to a customer workshop in Farnborough. We had to move the event due to more registered attendees than seats in the Help/Systems office, and it was a fantastic four hours that flew by as we covered everything from user profile configuration to system values, to best practices for object authority configuration.

Since last visiting the U.K., one of the things that was noticeably different for me was how credit and debit retail transactions are now entirely “chip-and-PIN” based. If you are reading this from the U.S., you may have no idea what I am talking about—just as I had no idea until I got there. There are two main challenges with credit card transactions at the point of sale using the more traditional “swipe and sign” technique:

  1. Determining that the physical card is not a counterfeit. The availability of swipe devices that read all of the data from a card’s magnetic stripe means that it is not difficult to manufacture cards that appear to be completely legitimate, and that swipe with all of the information of a genuine card.
  2. Verifying that the card user is the actual owner of the card. This is normally accomplished by comparing the signature of the user with some form of formal identification such as a driver’s license. Unfortunately, this puts the responsibility of identity verification on the shoulders of the retail organization, instead of with the card user. Comparing a (commonly out-of-date) photo to a person’s physical likeness slows down transactions, and is fraught with human error. In my U.S. travel experience, it is rare for a sales clerk to even check the signature. Although it is against most cardholder agreements, I often write “Ask for ID” on the signature panel of my cards, and that does seem to help prompt a clerk to check my credentials. Unfortunately, if they “catch” a person trying to use someone else’s card, I have witnessed people successfully justifying it to the clerk.

By the end of 2006, U.K. retailers joined the initiatives of several other European nations and fully adopted a new point-of-sale mechanism that uses so-called smart cards, more commonly referred to as “chip-and-PIN” cards. These cards, which look like regular credit cards, contain a small microchip that is read by a special reader device that looks similar to any other credit card processing machine but allows the card to be inserted. The embedded chip helps authenticate the card, thereby addressing the first challenge above. The requirement for a personal PIN to be entered instead of a traditional signature solves the second challenge, as the assumption is that your PIN is highly confidential.

Use of smart cards provides a couple of additional advantages over traditional signature transactions. First, most of the readers are portable devices, so the entire transaction can be handled without having to hand over your credit card to a complete stranger, as is common in the United States. Second, disabled users can now more easily use credit cards even when signatures are difficult or impossible.

While countries that use smart cards report significant declines in credit card fraud, there are currently a few disadvantages to this technology—especially for foreign travelers. Card numbers from PIN-based cards are being used fraudulently more easily in non-PIN countries, as no PIN is required. While most locations still have the capability to swipe chipless cards, this becomes more difficult with unattended point-of-sale devices such as ticket machines and, from my own personal experience, with clerks who are not particularly well-trained on processing a transaction using a chip-less card. Naturally, as additional countries adopt the smart card technology, these challenges will become less and less of an issue.
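To make the two challenges above concrete, here is a small added simulation (my own illustration, not code from the post and not the real EMV protocol, which it simplifies): a swipe terminal accepts whatever static data the stripe carries, while a chip terminal sends the card a fresh nonce and the issuer checks the card’s keyed answer, after which the PIN is checked. A copy built only from readable data plus one previously observed answer fails the chip check, but the same card number still passes a swipe-and-sign terminal, which is the fraud pattern described for non-PIN countries. The issuer, card and PAN values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Simplified model: an HMAC over the transaction and the terminal nonce stands
# in for the EMV cryptogram. All keys, PINs and the PAN below are constructed.


def _cryptogram(key: bytes, pan: str, amount: int, nonce: bytes) -> bytes:
    """Keyed answer bound to the PAN, the amount and the terminal's nonce."""
    msg = f"{pan}|{amount}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class Issuer:
    """Bank side: holds each card's secret key and recomputes the expected answer."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def known_pan(self, pan: str) -> bool:
        return pan in self._keys

    def verify(self, pan: str, amount: int, nonce: bytes, answer: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        return hmac.compare_digest(_cryptogram(key, pan, amount, nonce), answer)


class ChipCard:
    """The key and PIN never leave the chip; only cryptograms and a PIN verdict come out."""

    def __init__(self, pan: str, key: bytes, pin: str) -> None:
        self.pan = pan  # static data, readable by any terminal
        self._key = key
        self._pin = pin

    def respond(self, amount: int, nonce: bytes) -> bytes:
        return _cryptogram(self._key, self.pan, amount, nonce)

    def check_pin(self, entered: str) -> bool:
        return hmac.compare_digest(self._pin.encode(), entered.encode())


class StaticCopy:
    """A card built only from readable static data plus one observed answer.
    It holds no key, so all it can do is replay the answer it saw."""

    def __init__(self, pan: str, observed_answer: bytes) -> None:
        self.pan = pan
        self._observed = observed_answer

    def respond(self, amount: int, nonce: bytes) -> bytes:
        return self._observed  # does not depend on the fresh nonce

    def check_pin(self, entered: str) -> bool:
        return True  # a copy can claim any PIN matched; nobody else verifies it


def swipe_and_sign(issuer: Issuer, pan: str, clerk_accepted_signature: bool) -> str:
    """Traditional terminal: static PAN plus a human signature check, nothing cryptographic."""
    if not issuer.known_pan(pan):
        return "declined"
    return "approved" if clerk_accepted_signature else "declined"


def chip_and_pin(issuer: Issuer, card, amount: int, entered_pin: str) -> str:
    """Chip terminal: fresh nonce per transaction, issuer verifies the answer, then the PIN."""
    nonce = secrets.token_bytes(8)
    if not issuer.verify(card.pan, amount, nonce, card.respond(amount, nonce)):
        return "card authentication failed"
    if not card.check_pin(entered_pin):
        return "PIN rejected"
    return "approved"


def demo() -> dict[str, str]:
    """Runs the cases discussed in the post on constructed sample data."""
    issuer = Issuer()
    key = secrets.token_bytes(16)
    genuine = ChipCard(pan="4000000000000002", key=key, pin="1234")  # constructed PAN
    issuer.enroll(genuine.pan, key)

    # An earlier transaction that an observer could have recorded (nonce and answer).
    old_nonce = secrets.token_bytes(8)
    copy = StaticCopy(genuine.pan, genuine.respond(1999, old_nonce))

    return {
        "genuine_chip": chip_and_pin(issuer, genuine, 1999, "1234"),
        "genuine_wrong_pin": chip_and_pin(issuer, genuine, 1999, "0000"),
        "copied_chip": chip_and_pin(issuer, copy, 1999, "anything"),
        # the same static PAN still works where a terminal only swipes and the clerk waves it through
        "copied_swipe": swipe_and_sign(issuer, copy.pan, clerk_accepted_signature=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>18}: {verdict}")
```

The point of the model is the nonce: because the chip’s answer is bound to a value the terminal chose for this transaction, recorded answers are useless later, which is what makes the card itself hard to counterfeit. The swipe path has no such binding, so a chip card’s number remains exactly as exposed as any other card number wherever the chip is never consulted.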

Upon my return last week, I began to research why this type of technology is not currently in use in the United States. I was surprised to learn that it appears to be based purely upon the massive cost of replacing every point-of-sale terminal in comparison with the relatively low cost of credit card fraud here. However, as more and more countries adopt this technology, it will place pressure onto the U.S. to adopt it as well. I personally think that it would be a huge step forward in getting control of international credit card fraud.

Before I wrap up for this week, I would like to thank everyone that sent me 40th birthday wishes, and also to my Minneapolis cohorts—I mean colleagues—that “decorated” my office in black prior to my return. Payback is a …. Well, you know the expression!

Regards,

- rt

Keeping up with PowerTech

Posted in Company News, Security on March 23rd, 2010 by Jill Martin

Robin’s not the only one on the road!

As Robin has been criss-crossing the U.S. and flying over the pond to visit the Old Country, I have been on a whirlwind tour myself. I started by visiting RSA in San Francisco, CA for a few days, before stopping in our Seattle, WA office.

I have attended COMMON and the IBM Technical Conference several times over the years, and I have to say, the number of people at RSA is just mind-boggling! If you have never attended the RSA conference, it is quite a sight to see! Here I found thousands of people, hundreds of vendors, and a large selection of security topics to participate in. It was quite exciting to see such a buzz around the topic of security. If RSA is any indication, 2010 will be a big year for security projects!

My second week of travels brought me back to San Francisco, CA to kick off my workshop tour. I started in Oakland, CA, traveled to Irvine, CA, and then to Las Vegas, NV. The goal of these workshops was to help people get started with their IBM i Security Policy.

Some of the things we discussed included:

  • Why a security policy is so important in today’s environment
  • What government regulations and standards are driving the security policy projects
  • Components of your security policy, both from a corporate perspective and specific to IBM i
  • Business requirements considerations for your security policy
  • Who to include in your security policy review team
  • How to audit your IBM i
  • What reports are available to support your security policy and how they are executed
  • How PowerTech can help – tools available to help assess your system and simplify reporting

I really enjoyed working with everyone who attended my workshop, and hope everyone learned something valuable that can be applied to their security policy – I know I learned something from each workshop!

If you are interested in attending a workshop on this topic watch our newsletter, PowerNews, or check the blog for more cities and dates. I will be continuing my workshop tour over the next few months. I hope to see you in the future!

Visiting the Old Country

Posted in Company News, Security on March 16th, 2010 by Robin

Well, a lot has happened for me since last week. After returning from Portland on Wednesday, I quickly laundered my clothes and repacked my suitcase. Less than 24 hours later, I headed back to the Minneapolis airport, this time with my two teenage kids: Jodan, 15, and Sydney, 13. We boarded a non-stop flight to London’s Heathrow airport. At 33,000 feet, and a temperature of -70 degrees Fahrenheit, we all said a temporary goodbye to the United States coastline, and I said a permanent goodbye to my “30s.” A big sign of advancing years was that I had completely forgotten about the event until my daughter reminded me with a “Happy Birthday, Dad!” as we passed midnight.

As many of you know, I was born and raised in the United Kingdom and came to the U.S. twenty years ago as a high school foreign exchange student. I fell in love with Iowa back then, and upon my return home I started planning how I could come back. I took a job as a trainee programmer, and found myself learning to write RPG code on an AS/400. Eighteen months later, I took the plunge and packed all my worldly possessions into several large suitcases and never looked back.

For a number of reasons, eleven years have slipped by since my last return. I am now retraining myself in the art of driving on the left, and steering on the right! I am also quickly (re)adopting the accent of my ancestors, and reacquainting myself with the mighty Fish ‘n’ Chip.

The business purpose for my traveling here this week is due to the growth that we are seeing in security conversations in Europe. After a successful year at PowerTech, our Help/Systems International division is looking at ways to expand their contribution to that success. I will be working with the sales team to identify ways to best service new customers, for example by leveraging our fantastic no-charge compliance assessment offering. The technical teams are going to be briefed on a number of pertinent security topics, as well as discuss some aspects of product and operating system security.

Wednesday afternoon (10am CST in Minneapolis) Jill Martin, PowerTech’s product manager, and I will connect the 4,000 miles between the two Help/Systems offices via WebEx to host our weekly Webinar security session. On Thursday, I am excited to be hosting a security workshop in the vein of the ones that I have been holding across the U.S. during the last couple of months. This session is now bordering on being “sold out,” so if you are interested, go to www.powertech.com and register.

Finally, I am taking a couple of days off at the beginning of next week to enjoy a little time with my UK-based family, and to show my kids more of “the old country.” I will be back in Minneapolis later in the week.

Have a great week everyone!

Trailblazing the Wild West

Posted in Company News, Other, Security on March 10th, 2010 by Robin

The Oregon Trail covered 2,000 miles and took about six months to travel. Used until the mid-1800s, the trail led travelers across what later became six states: Missouri, Kansas, Nebraska, Wyoming, Idaho, and Oregon. Some 150 years later, my trip took only a week and involved Nevada, Utah, California, and Oregon.

My trip started in Reno, Nevada, with a visit to the local Reno/Sparks user group. I presented the popular “Top 10 vulnerabilities of IBM i that you need to fix NOW” and gave away another gift card and a number of great PowerTech t-shirts.

Last week also marked an exciting time for the PowerTech team back in Minneapolis with the release of a new version of Network Security. Version 6 of our popular exit program solution includes a cleaner user interface, several new reports, and the ability to set rules for specific objects and IFS stream files. Watch for the formal announcements and press release.

I opted not to return to Minneapolis for the weekend, and instead drove the 90 minutes to South Lake Tahoe which straddles the Nevada/California state line. If you haven’t visited this part of the world, you are missing a treat. I visited when I was in town last Spring for COMMON, but seeing it in the midst of perfect winter conditions is spectacular, and skiers—cross-country and downhill—are in heaven here! The highlights for me included the bizarre sight of snow covered beaches, and the breathtaking Emerald Bay.

I arrived in Oregon late on Sunday night. On Monday, I conducted a security workshop at the offices of MSI Systems Integrators in downtown Portland. Afterward, I met with Sirius Computer Solutions, another PowerTech security partner, to talk about their growth in their security practice, and how PowerTech can provide additional sales support to their extensive organization. I am looking forward to following up on some of the action items that we put together.

The main purpose of my visit to Portland was to present to the local user group. On Tuesday, I repeated the popular session on the “Top 10 vulnerabilities of IBM i that you need to fix NOW.” This was one of the most engaging groups I have had the pleasure of meeting, and the normal 60 minute presentation ran close to two hours based on great questions and pertinent side discussions.

After the session, I followed the recommendation of one of the session attendees and took a short drive to the Columbia River Gorge. Even though the light was beginning to fail, I was able to capture some memorable images of the impressive Multnomah Falls, a combination of two waterfalls with a combined height of 611ft, more than three times the height of the Niagara Falls that I visited last month.

I fly back to Minnesota on Wednesday for a quick turnaround to repack my suitcase and then I am off to the Help/Systems International office in the U.K. On a personal level, this trip has special significance as I was born and raised a short distance from the office location in Fleet. It has been almost 11 years since I last returned, and my two teenage children will be accompanying me back “home.”

I look forward to speaking with you again next week from England!

Massachusetts Marching Orders

Posted in Company News, Security on March 2nd, 2010 by Robin

March is a big month for Massachusetts! On the 5th, we see the official kickoff of “Maple Month,” which is a celebration of “all things maple.” Scheduled events include numerous pancake breakfasts and tours of local sugarhouses that open their doors to show visitors how sap from the maple trees is boiled into a syrup. If you would like to learn about the interesting syrup-making process, including how to make your own, check out the Massachusetts Maple Producers Association. Just be aware that it takes 40 gallons of sap to make one gallon of maple syrup!

On the compliance front, March 1st marked the deadline to comply with the wide-reaching Massachusetts Law 201 CMR 17.00, which requires any business with 1 or more records of information about a Massachusetts resident to adequately protect their data. This new law complements the existing state breach notification law (General Law 93H), which allows for civil penalties of up to $50,000 for data breaches. What is groundbreaking about this law is that it is much more specific than other data protection laws about how the data is to be protected, and the fact that it affects companies not otherwise in a regulated industry.

201 CMR 17 consists of 5 sections which outline the scope, responsibility, and requirements for compliance. There is a definition of what is considered a “data breach,” primarily described as the unauthorized acquisition or use of unencrypted data (or encrypted data in conjunction with the encryption key). All data that meets the “personal information” criteria requires protection, and it is the responsibility of the data owner or licensee to safeguard that information with a comprehensive security program.

Highlights of that security program include the requirement of a documented security policy, regular monitoring to ensure that the security program is working to prevent unauthorized access (or use) of personal data, and detailed documentation of incident response. To ensure incidents may be investigated, the law also requires data breaches to be reported to the state’s Attorney General.

PowerTech is well positioned to assist organizations running IBM i that are required to comply with 201 CMR 17. Our Network Security access control and Authority Broker solutions work together with the IBM i operating system to satisfy section 17.04 2a, which states that methods be implemented to “restrict access to records and files containing personal information to those who need such information to perform their job duties.” And Compliance Monitor can assist with paragraph 4, which requires personnel perform “reasonable monitoring of systems, for unauthorized use of or access to personal information.” But it doesn’t stop there! Our security experts can assist with configuring the operating system controls, and our leading technology partnerships can assist with encryption and anti-virus requirements.

The law was written to make companies take a “risk-based” approach to compliance that takes into account the size of the company, the type and amount of data being stored, as well as the nature of the business. There was also a well-publicized shift in the deadline for compliance from August 2009 to March 2010. That day has now come!

A complete copy of the law may be found at: 201 CMR 17.00.

The Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) also maintains a number of online resources regarding identity theft, including an FAQ on complying with law 201 CMR 17.00.

I fly out again Wednesday, on my way to Reno, Nevada. I am looking forward to this trip as I fell in love with the Reno/Tahoe area during my visit for COMMON 2009. I will be conducting a security workshop at the impressive Grand Sierra Resort & Casino, and also presenting the popular “Top 10 Security Risks You Need To Fix NOW” to the Reno-Sparks Midrange Users Group. From there I head to Portland, a new city for me, but one that I have heard is spectacularly beautiful. This will involve another workshop at the offices of a regional PowerTech partner, MSI Systems Integrators, and then a session for the Portland Users Group.

Have a great week, and I will be sharing an update from Portland next week.

An Incredible Force of Nature

Posted in Events, Other, Security on February 24th, 2010 by Robin

After spending the first half of the week in Nashville, Tennessee, I jumped on a plane to make the trek north to Buffalo, New York. My first stop was the beautiful Seneca Niagara Casino & Hotel in downtown Niagara Falls, 15 miles north of Buffalo. The hotel is just a short walk from the three famous waterfalls that are the city’s namesake, and that impact the Niagara River that straddles the border between the United States and Canada. Although not exceptionally high, these falls are the most powerful in North America and are an important source of hydroelectric power, and one of the most recognized landmarks in the world.

Seneca Casino, one of PowerTech’s valued customers, graciously offered to host our 3rd IBM i security workshop in their well-appointed conference facilities. The half-day session was another highly interactive one, and was accompanied by a fantastic lunch and free PowerTech giveaways. After bragging that previous sessions had finished within 5 minutes of the scheduled 4 hours, of course this session ran over; simply because of the great interaction and discussion with the attendees. For that reason, no one seemed to mind, and everyone seemed happy with the content that we provided, with topics that included system values, exit points, and object-level security.

Before heading back to Buffalo, I did make the short walk down to the breathtaking American and Bridal Veil Falls. If you have never seen this stunning sight—especially in the Winter—then it is hard to describe the power and sheer natural force of these natural wonders. While I had previously seen the view from the Canadian side in July, this was my first visit to the U.S. side. While a still-photograph doesn’t really do it justice, I hope my panorama conveys a fraction of its majesty.

The remainder of the evening was spent with the large group that comprises the Midrange Users Group of Western New York (www.mugwny.com). On this night, I presented a combined session called The Top 10 IBM i Security Vulnerabilities and The State of IBM i Security Study, which is based on the popular PowerTech white paper that is published annually. From the reaction of the crowd, some of the issues were quite eye-opening. Hopefully the information I provided will assist them with performing security improvements that might prevent corporate data from flowing out of the network as fast as water over the falls! As always, I offered to conduct a no-charge security review for anyone interested in using our fabulous automated Compliance Assessment solution.

Fortunately, the “lake effect snow” that I had been told about plaguing the region held off for the most part, and I was able to start my return travels on time. Ironically, while everyone had cautioned me about the likelihood of flight delays in and out of Buffalo, and my knowledge of the prevalence of seasonal delays at my connecting hub of Chicago’s O’Hare airport, it was my final destination of Des Moines, Iowa, that almost derailed my return. As we were beginning our descent into Des Moines, the pilot informed us that the airport had just closed due to the blowing snow from a winter storm. We immediately went into a holding pattern awaiting further instructions. The captain indicated that we had an extra 40 minutes worth of fuel in addition to the fuel required for a return to Chicago! Fortunately, we didn’t require much of either as the airport subsequently reopened and we were cleared to land after about 20 minutes of circling. I was so relieved that I didn’t have to end a fantastic work week with a winter travel horror story!

Thanks again for everyone’s continued hospitality on the road, both for the workshops and the user groups. I would be remiss if I didn’t also thank my team back in Minneapolis, especially Katie Carnicom, who tirelessly facilitates the numerous agendas (for me, as well as other members of staff), complicated travel schedules, and shipments of the t-shirts and presentation materials. It takes unbelievable organization to put these events on back-to-back, and she does an amazing job that allows me to look good with little effort on my part!

This week will be a week to try and catch up, and then next week I will be off again, taking the workshop and user group presentation to Reno, Nevada, billed as “The Biggest Little City In The World.” That will be immediately followed by Portland, Oregon, the week of March 8th.