Thursday, March 1, 2012

Does the P in PCI stand for “Painful”?

Let’s see if we can do something about that…


At a recent tradeshow I attended, I was involved in many customer discussions about PCI DSS.  PCI compliance continues to be a big deal for many HP NonStop users, and the issue isn’t going away.  Indeed, the card schemes are mandating PCI compliance in more and more countries for the card issuers, in addition to the merchant acquirers who have had to be compliant for some time now.

Many software vendors offer products that assist with PCI compliance, but at the end of the day, compliance is an ongoing process, not just a product.  For a lot of organizations who process Cardholder Data (CHD), achieving compliance will take a multi-month project.

At XYPRO we’ve been helping customers achieve PCI compliance for many years – as one of our customers said sometime back “XYGATE software was integral to us achieving PCI compliance” – so we’ve spent some time thinking about how we can make that process less painful, quicker, and more manageable.

The result of that thinking is XYPRO’s latest product and services solution bundle – XYGATE PCI XPress.  XYGATE PCI XPress consists of the XYGATE products and functionality required to achieve PCI compliance, along with a set of packaged services to simplify your PCI DSS compliance process.  XYGATE PCI XPress ensures that:

  • CHD is only accessible by authorized users and processes
  • Role-based access controls are in place
  • All necessary NonStop resources are secured according to the granular subject-operation-object model
  • Access to any/all sensitive data and applications is tracked
  • All relevant security and audit events are centralized, and optionally sent to your Security Information and Event Management (SIEM) device of choice
  • Users can be authenticated against whichever user data store is in use in your environment, be it RSA SecurID, Active Directory, LDAP, or many other sources
  • All necessary best practices are being followed

Many other important areas are also covered.

When installed and configured through the XYGATE PCI XPress package, XYGATE PCI XPress will help address at least 9 of the 12 high-level PCI requirements.

As part of the PCI Package, XYPRO will also provide a statement of work covering the services to be provided to implement these products, along with other system configuration work that will be required.  A project plan outlines all steps that we will undertake, all tasks that the customer is required to perform, and those that we will perform together.  Realistic timeframes are provided, and we will optionally manage the entire project if required.

From the onset of the project on through to its completion, we may also be engaged to coordinate with your QSA to ensure that your NonStop platform and application compliance proceeds smoothly. What could be simpler?

Our new Manager of Professional Services, Sales Support and Education, Rob Lesan, has put this solution together. If you would like more information on XYGATE PCI XPress, please contact Rob or me.

Andrew Price
Director, Product Management
Andrew_P@xypro.com
XYPRO Technology Corporation

Rob Lesan
Manager of Professional Services
Rob_L@xypro.com
XYPRO Technology Corporation

Monday, February 27, 2012

XYPRO Announces Global Distribution Agreement with IdentityForge

XYPRO to exclusively distribute the IdentityForge Advanced Adapter for HP NonStop servers

SIMI VALLEY, Calif.--XYPRO® Technology Corporation, a specialist in HP NonStop server software since 1983, has announced its agreement to become the exclusive worldwide distributor of the IdentityForge (IdF) Advanced Adapter for the HP NonStop server.

Centralized User Provisioning is becoming an important part of enterprise security, and helps to reduce the risk of data breaches. Identity Management solutions are widely deployed in many enterprise environments, but prior to the IdF Advanced Adapter for HP NonStop, NonStop users could not be managed by those Enterprise Identity Management systems. The IdF Advanced Adapter provides an industry-standard, enterprise LDAPv3 interface for User and Alias provisioning and reconciliation, and native real-time, bi-directional identity synchronization between the HP NonStop server and your enterprise identity management infrastructure or external application.

“Becoming a worldwide distributor for the IdF Advanced Adapter is another step XYPRO has taken to further our global footprint and reinforce our position as a worldwide leader of HP NonStop server security software and solutions,” said Lisa Partridge, President at XYPRO.

Using the IdF Advanced Adapter, Oracle Identity Manager for User Provisioning and Identity Management can fully participate with the HP NonStop server software. The same is true for RACF, ACF2, Top Secret, Red Hat, Oracle Solaris, Salesforce CRM, or HP-UX – the IdF Advanced Adapter for NonStop is compatible with them all.

“IdentityForge is excited to be working with XYPRO Technology, the acknowledged leader in HP NonStop security. This partnership was a natural fit for us as we look to expand our footprint in the NonStop market, and other mission critical environments,” said Chad Cromwell, Chief Technology Officer at IdentityForge.

This release of the HP NonStop (Tandem) Advanced Adapter includes certified, “out-of-the-box”, integrated solutions for Oracle Identity Manager (OIM), Microsoft Forefront Identity Manager (FIM 2010), IBM Tivoli (ITIM), SAP Netweaver, CA Identity Manager, VOICETRUST Biometrics, the Dot NET Factory EmpowerID, and any other standard LDAPv3 Client or LDAP Adapter. Businesses worldwide are already benefiting from the HP NonStop Advanced Adapter by utilizing the Oracle Identity Manager (OIM) NonStop solution to automatically incorporate NonStop accounts into their existing Identity Management infrastructure.


Barry Forbes
VP of Sales & Marketing
XYPRO Technology Corporation
www.xypro.com

Sunday, January 22, 2012

From the CEO's Desk

It’s been a while since I’ve had the time to write this column because of how busy we have been at XYPRO over the last year.  In part, this was fueled by the HP decision to bundle our XYGATE Merged Audit (XMA) software with the HP NonStop Operating System Mission-Critical Edition software package.

While we cannot speak for HP or the NonStop product group, I can tell you that we have seen tremendous growth in the market for our products.  So much so, that we outgrew our website, our staff, and even our building.

After 26 years in the same building, taking over more and more space as other tenants moved out, we finally took over the last bit of space that was available to us.  We had another challenge; because of the great range of NonStop servers we support, we were about to exceed the maximum weight that our second floor computer room could support.

So this past November, over the long American Thanksgiving weekend, we packed up our bags and our systems and moved to a 15,000 square foot ground floor suite with a larger datacenter capable of supporting our accelerated growth.  This office is twice the size of the old one, positioning us for the future.

Some old-timers may remember that Jimmy Treybig tried for years to get the city of Cupertino to rename Tantau Avenue to Tandem Avenue.  Well Jimmy, we hope we made you proud because our new office is located on Guardian Street.  Even better, our new datacenter is non-stop, with redundant power, dedicated climate control and connectivity.  Now how cool is that?

As I said earlier, we also outgrew our staff, allowing us to hire from the outside and promote from the inside.  Lisa Partridge has assumed day-to-day responsibilities for XYPRO and was named President. Barry Forbes was promoted to VP, Sales and Jim Hinsch to architect.  We hired Andrew Price as our Director of Product Management, Rob Lesan as our Manager of Professional Services, Dave Teal joined as a pre-sales support and education specialist, Gabe Alvarez joined our Sales Team in Latin America and we even welcomed our summer intern, Rayna Burgess on as a full time member of our QA staff.  Most recently, we extended a heartfelt welcome to Mr Feng Lin to represent XYPRO in Asia Pacific.

Scott Uroff is still part of the management team as our Chief Architect, and several of our employees passed the new PCI SSC Internal Security Assessor Program (ISA).  At our upcoming internal Kick-Off event, one employee will receive a plaque in recognition of 5 years of service at XYPRO and three employees will receive their 10 year plaques.  Add those milestones to the 4 of us who already have our 20 year plaques and everyone in between!  All the better to serve our rapidly enlarging number of customers.

Our website is completely new too, with easier navigation to the information that you want to see, including access to our datasheets, whitepapers, and on-demand webinars.

I would like to move to our products for a moment.  HP understood for a long time that separation of duties is important to help prevent insider attacks.  This was the main driver for the multiple levels of security administration within the Safeguard security software.  But HP couldn’t fund every possible feature that customers wanted or needed, so XYPRO stepped up our game to help keep NonStop servers secure from hacking, even by insiders.

We like to say that we wrote the book on NonStop security (twice!), because it is true.  But we could only write the books after we spent a lot of time determining the current and future product functionality required for NonStop customers to be successful in their industries. At the time we didn’t think of it as predicting the future, but of course HP is now bundling some of our products within the NonStop OS to help protect our customers from the rise in cybercrime, so I guess we were.

And the insider threat has only gotten stronger, which is why XYPRO took separation of duties to its logical conclusion within XYGATE Access Pro.  Our peerless auditing capabilities within each XYGATE module, and collectively within our Merged Audit module, allow all NonStop server audit information to be sent to off-board and Enterprise audit logging solutions, such as those from ArcSight® (an HP Company) and RSA® enVision.  XYPRO’s ability to work with virtually any SIEM device or enterprise audit consolidator allows companies that use these systems to manage the audit records generated by their NonStop servers, and prevents the audit from being changed after the fact.

We hope that you will visit with XYPRO staff either by attending a class or by coming by our booth at the dozens of HP NonStop server and security-related events that we attend all over the world.  We love meeting our customers so that we can better understand and serve your security needs. Remember to visit our blog, and follow us on our many social media channels, such as Facebook, Twitter, and LinkedIn.

Finally, while I cannot tell you who these companies are, or what the arrangements will entail, I am happy to announce that we are in the process of forging partnering agreements with several other vendors in the NonStop space. While Larry Ellison is trying to take out HP by dropping support for Oracle on Itanium, we know that HP has a secret weapon called NonStop SQL and we have the tools to properly secure this advanced database.  It’s certainly one of many reasons we are excited to be part of the NonStop community and intend to take full advantage of this evolving market.

No matter how you measure it, 2011 was our best year ever.  Revenue, customers, professional services, partners, products, head count - all grew at rates greater than previous years.  Important to our customers is that our expansion this year is based on executing long term growth plans.  So, as the economy continues to recover, we will have more solutions to protect your precious business information and reputation that will help grow the NonStop community beyond anything that has been seen before.

I hope that all NonStop community members join us and have as good a year as we have planned for ourselves.

Sheila Johnson
CEO, XYPRO Technology Corporation

Tuesday, December 13, 2011

XYPRO Opens New Headquarters

XYPRO Technology Corporation proudly announces the grand opening of its new, larger Headquarters located at 4100 Guardian Street, Suite 100, Simi Valley, California, 93063 USA.


XYPRO Technology has experienced tremendous growth over the past few years and is forecasting a continued positive growth rate for the next 5 years and beyond. We had been at our original Cochran Street location since 1986.

After expanding as much as we could there, we are excited to work every day in our new home. It was more than a great street name that prompted us to choose this particular new location: XYPRO employees enjoy the benefit of a modern, 15,000 sq. ft. ground floor suite and a larger datacenter capable of supporting accelerated growth, with redundant power and connectivity. Our new digs also offer enhanced telecommunications and wireless infrastructure, expanded training/education and conference room facilities, and room to grow…

The property at 4100 Guardian St. is a beautifully maintained, two-story, 136,000-square-foot office building built in 1999, on 10.3 acres in the foothills of Simi Valley, California.

Tuesday, November 29, 2011

XYPRO Presents: A Witham Laboratories Presentation:

PCI DSS - Lessons from the Field

If you were unable to attend our webinar on November 1st, please visit our website to view the recorded presentation featuring Dr. Sajal Islam, a Qualified Security Assessor (QSA) from Witham Laboratories, which focuses on what QSAs look for when assessing PCI DSS compliance in a NonStop environment.  Witham Laboratories is a leading independent provider of information security evaluations, offering specialist consultancy and advice in payment industry security.

This Webinar provides specific scenarios from the field and covers the following:
  • Views and experiences gathered by Witham Laboratories from numerous PCI DSS assessments for NonStop clients.
  • A detailed breakdown of the PCI DSS with specific focus on how the PCI DSS requirements apply to the NonStop.
  • What issues and areas QSAs typically look for when performing PCI DSS assessments on NonStop.

Achieving PCI Data Security Standard (PCI DSS) compliance is critical for every organization that stores, processes, or transmits card holder data, from the smallest merchants to the largest card issuers.  In short, this Webinar will give you valuable information to help you with your next PCI DSS assessment.

View our recorded webinars here: https://www.xypro.com/xypro/webinars

Representatives from XYPRO are available after your viewing to help explain how XYPRO’s XYGATE suite of security solutions assist you in meeting your PCI DSS obligations.
Barry Forbes

Monday, October 17, 2011

Verizon 2011 Data Breach Investigation Report – breaches down, or are they?

The 2011 Data Breach Investigation Report (DBIR) from Verizon (http://bit.ly/pt5xV9) now incorporates data from the United States Secret Service and the Dutch National High Tech Crime Unit as well as Verizon’s own data.  It is a comprehensive report, extensively covering data breach activity in 2010, and it draws some interesting, and sometimes almost contradictory, conclusions.

2008 saw a record number of 361 million records compromised, 2009 saw a reduction to 144 million, and in 2010 that number dropped to 4 million.  Hang on, 144 million -> 4 million?  As the report says, that’s almost a rounding error!  Not to say that 4 million records compromised is good, that’s still 4 million more than we’d ideally have to deal with, but it’s a pretty radical reduction.  So, one question might be “Why?”.  As it turns out, the main reason is that, for some reason, 2010 had virtually no “mega” attacks, which typically bump the numbers up by a million or more.  But let’s continue to look…

In actual fact, now that we are more than 9 months through this year, we know enough to determine whether 2010 was part of a long-term trend of data breach reduction, or an anomaly.  And with the Sony, Epsilon, RSA and Citi breaches already behind us in 2011, the unfortunate news is that the numbers this year are likely to be back up.  In fact, numerous industry observers are now saying that 2011 is likely to be the worst year on record in terms of number of records compromised.

So perhaps a better idea is to look at the trends indicated by the Verizon report, along with the knowledge of the 2011 breaches, to identify what we could and should be doing better.

One of the interesting facts from the Verizon report is that, even though total number of records compromised was (WAY) down, the actual number of breaches was up (761 in 2010, versus a total from 2004-2009 of 900).  This is partly due to the inclusion of the Dutch data, but it also shows that cybercriminals are now willing to perform their exploits for smaller returns, which itself is a little worrying.

Another interesting statistic - 83% of all attacks were opportunistic, meaning the victim was identified because they exhibited a weakness or vulnerability that the attacker could exploit.  Often these were due to POS and other systems being installed with default user information, which became known within the criminal community.  Put another way, closing down these relatively simple (and obvious) loopholes could drastically reduce the occurrence of data breaches.

The other 17% of attacks were targeted, meaning that the victim was first chosen as the target, then a method of exploitation was determined.  Unfortunately, but not surprisingly, the financial industry was most represented in the ranks of the targeted attack victims.

Following on from the targeted attack point, 96% of all records compromised were card numbers and/or card data, a truly worrying figure.

So, what can we learn from this?

We know from the number of attacks in the first half of this year that cybercrime is not decreasing.  Both the number of attacks, and the cost of those attacks, continues to rise.  Cybercriminals utilise opportunistic attacks for relatively small gains in many cases, and targeted attacks on financial institutions.  Card numbers continue to be stolen, in large volumes.

It remains critical to protect sensitive data, both at rest and in transit:
  • Use SSL and file encryption solutions when possible.
  • Ensure that the platforms/applications receiving the sensitive data also protect it.
  • Get to know the security administrators on those platforms and ask them to do the same with the applications/platforms they share data with.

Remove as many areas of opportunistic attack as possible:
  • Don’t use default userids and passwords.
  • Put granular access control and auditing in place.
  • Feed your audit data (from all platforms and applications) into a SIEM device to get an enterprise-wide view of your security events.

XYPRO’s XYGATE security suite can address all these areas, and more.  For more information on how XYGATE can help secure your HP NonStop platform, applications and data, please see our website www.xypro.com, or email me at andrew_p@xypro.com.

Andrew Price
XYPRO Technology Corporation

Wednesday, September 7, 2011

EDB Card Services AB Brings its HP NonStop™ Audit Into The Enterprise

SIMI VALLEY, California – XYPRO® today announced that, as part of its PCI-DSS project, EDB Card Services AB has successfully implemented the XYGATE Merged Audit (XMA) tool to integrate EDB’s HP NonStop servers with its RSA® enVision SIEM (Security Information and Event Management) system.

EDB Card Services AB, part of EDB ErgoGroup, is one of the leading payments services companies in Scandinavia. It provides a wide range of card-related services including issuing, acquiring, processing, switching, national card blocking etc. for banks and payment operators in Sweden, as well as greater Scandinavia and Europe.

XYGATE Merged Audit (XMA) gathers security audit data from various sources on HP NonStop systems (such as EMS, Safeguard, ODBC, BASE24, XYGATE tools, custom programs etc.) and intelligently merges the security audit data together to form a single SQL database. Log Adapters then export that data to almost any SIEM or central compliance repository. XMA provides extensive reporting capabilities as well as customisable real-time alerts.

“As part of our PCI-DSS (Payment Card Industry Data Security Standard) compliance project, we had to bring our HP NonStop security audit data into the enterprise,” said Sissel Johnsen, Head of Production & Operation at EDB Card Services AB. “Our previous log tool wasn’t suitable, so we selected XYGATE Merged Audit, which has a far more user-friendly interface and gave us exactly what we needed in terms of collecting the necessary data from our NonStop systems.  XYPRO’s RSA Log Adapter ensures all NonStop audit data feeds seamlessly to our RSA enVision SIEM.”

Barry Forbes, XYPRO’s VP of Sales and Marketing, said, “We are very happy that EDB Card Services selected XMA as its PCI-DSS NonStop audit solution.  Since HP selected XMA in 2010 as the NonStop operating system’s recommended audit solution, we’ve seen a large expansion in our XMA customer base.  As our most recent European customer, we know that EDB Card Services will continue to enjoy the same security benefits and efficiencies XYGATE customers around the globe are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, FIPS-validated, cross-platform encryption, audit and compliance solutions.

Contacts

XYPRO Technology Corporation
Barry Forbes, 705-799-0247
VP-Sales and Marketing
barry_f@xypro.com