Monday, July 11, 2011

Hard on the outside, soft and chewy on the inside…

The title refers to a great quote from a recent Tom Kemp article on Forbes.com (http://blogs.forbes.com/tomkemp/2011/07/05/as-hacks-proliferate-new-security-technology-emerges-to-monitor-privileged-it-users/), explaining that the old way of securing a computer system (let only trusted people log on, then let them do whatever they want) no longer suffices.  Of course, on NonStop we’ve always had more control over our users than that, but it’s worth considering whether further improvements to security are in order.

These days, with SOX, HIPAA and PCI regulations insisting that we more closely monitor all actions performed by all users, the “hard on the outside, chewy on the inside” approach is not enough.  Guardian and Safeguard allow some level of control over file access, and utility program execution, but do not give the fine-grained access control, nor the necessary level of auditing, that is required. 

The XYGATE Access PRO suite, and the Access Control module it includes, greatly extend the basic access control capabilities provided by the native NonStop security subsystem.  NonStop security administrators can control the specific commands and subcommands that each user can issue from any NonStop utility program.  Users can also be granted access to specific commands that would normally be outside their capabilities, meaning that shared access to Super and Manager IDs is no longer required for those users to be able to do their job.  All commands are audited, and full keystroke logging is also supported.

Once you have implemented more granular access control, the next step in securing your system is to put a good level of auditing in place.  The PCI Data Security Standard (DSS) requirement 10, for example, states “Track and monitor all access to network resources and cardholder data”.  What this means will be specific to your application and environment, but again, it will require more than the standard Guardian/Safeguard levels of security to achieve compliance. 

XYGATE Access PRO supports all this functionality, and has done so since 1990, back when PCI was just a glimmer in someone’s eye.  Whilst the NonStop has always had an enviable security record, my new colleagues at XYPRO have constantly been thinking of ways to ensure that our customers reduce their risk of finding themselves on the front page due to a security incident.  For more information on XYGATE Access PRO, see https://www.xypro.com/index.php?id=24 or contact me at andrew_p@xypro.com.

Andrew Price
Director, Product Management
XYPRO Technology Corporation

Thursday, July 7, 2011

Large European Payment Processor Selects XYPRO to Meet its HP NonStop Server Security and PCI-DSS Requirements.

(July 6, 2011) Simi Valley, CA – XYPRO today announced that Equens SE has successfully implemented its XYGATE suite of security and compliance solutions. Equens will leverage XYGATE to improve its HP NonStop security and achieve PCI-DSS (Payment Card Industry Data Security Standard) compliance.

Equens is one of the largest pan-European payment processors, leading the market for future-proof payments and card processing solutions. With clients and partnerships in multiple European countries and an annual processing volume of 9.7 billion payments and 3.9 billion POS and ATM transactions, Equens SE has a European market share of more than 12.5%.

“When our security team started its PCI-DSS compliance project, we faced the same dilemma as many other large firms,” said Stefan Dusée, Equens’ Security and Control Manager.  “We needed a solution that would allow us to meet PCI-DSS as cost-effectively as possible, but also went well above the minimum standards set out by PCI-DSS, thus potentially future-proofing our security standards.”

Equens created a detailed list of requirements, prioritised from “essential” to “desired” and developed a comprehensive RFP. Equens determined that XYPRO’s XYGATE security, compliance and auditing suite offered the best solution to meet their existing and future security and audit needs.

The XYGATE security suite includes role-based access control (RBAC), keystroke audit, user management, real-time alerts, user authentication and the most comprehensive audit and compliance software available for the NonStop server. Equens is using XYGATE security software not only to make its systems as secure as possible, but also for essential, time/labor-saving functionality.

“We’re confident we made the right choice in selecting XYPRO for our HP NonStop security and compliance enhancements,” said Dusée. “Configuring such an extensive range of products presented quite a challenge, but XYPRO has provided excellent support and training services and the new tools are proving to be worthy investments.”

Barry Forbes, XYPRO’s VP of Sales and Marketing said “We are thrilled to announce Equens’ selection of XYGATE for its PCI-DSS security requirements.  As a valued customer, we know that Equens will continue to enjoy the same security benefits and efficiencies all XYGATE customers are accustomed to.”

About XYPRO
Founded in 1983, XYPRO Technology Corporation is the market leader in HP NonStop server security, encryption, audit and compliance solutions.

www.equens.com


Barry Forbes, XYPRO VP of Sales and Marketing 

Wednesday, June 22, 2011

XYPRO Recent Events: Mobility, Passion, Sir Paul, NFC

HP Discover '11
HP Discover opened with a bang – over 12,000 attendees together in the first general session.  We heard Leo Apotheker’s views on mobility, WebOS, and the cloud – a recurring topic for the week.  Those of us coming to the show from a NonStop background were wondering how much airplay the NonStop would get in the general sessions, and with at least four mentions in the keynotes, along with almost forty NonStop-specific sessions, most of us left feeling pretty good about the platform and its future.  From my perspective, coming back to the NonStop after a few years away, I was impressed at the continuing passion and enthusiasm within the group, and levels of NonStop representation at the show from HP, ISVs and users.  Of course, it’s easy to feel good about participating in such a large show when one of the side benefits is a concert by Paul McCartney, just for conference attendees!

XYPRO had an extremely positive conference, with many good meetings with our customers and our partners at HP.  A number of the NonStop-focussed sessions spent time on the importance of security, auditing and compliance, and the role that the XYGATE product suite can play in these critical areas.  Our VP of Sales and Marketing, Barry Forbes, is now officially famous, having been video interviewed by one of the bloggers at the show – see http://bit.ly/jgJ91L for more.

The show finished in an even bigger way than it started, with that incredible show from Sir Paul.  There was hardly a single person in the MGM Grand Garden Arena remaining in their seats for the two encores that Paul and his band played.  Simply awesome.

Andrew Price
Director, Product Management


ACE 2011
XYPRO Technology attended ACE, the ACI User Groups Conference at the Del Coronado Hotel (The Del) in San Diego in June.  The conference boasted more than 200 attendees representing more than 70 companies.   Exhibitors represented 22 companies.

The conference began with introductory presentations by the product managers of the various ACI products, followed by a Q&A session.  ACI confirmed that BASE24 will be sunset in November; however, only 80 customers out of approximately 300 BASE24 users have migrated or are transitioning to BASE24-eps.  An interesting statistic is that out of 2,185 employees, ACI has 700 developers & 600 people dedicated to services.

The keynote speaker, Brett King, gave a very interesting presentation affirming the notion that the future of banking is mobile.  He stressed that banks need to change their approach regarding checking accounts, advertising, and local branches due to younger generations' expectations of mobile transactions. Mr King also stressed the importance of social media for banks.  No amount of advertising can overcome bad experiences recorded on Facebook, Twitter, and other social media sites.

There is a new trend to use NFC (Near Field Communication) devices in the industry.  These devices are contactless and passive as their function is triggered by an Initiator sending an RF signal that powers the Target device, which does not require batteries.  The Initiator can read the contents of the Target and in some cases write to it.

Nick Puetz from Fishnet Security and Gregory Rosenberg from Trustware gave a valuable presentation covering PCI Best Practices & Securing Sensitive Data, two topics of the utmost importance for the financial industry. Greg Brett from Opera Solutions explained the statistical techniques used to detect credit/debit card fraud on-line prior to a transaction’s approval.  These techniques, which are used with BASE24 and BASE24-eps, are helping reduce the amount of fraud experienced by financial institutions running those solutions.

Barry Forbes
Vice President, Sales & Marketing

Tuesday, May 31, 2011

XYGATE Compliance Pro Now Available from HP

XYGATE Compliance PRO simplifies compliance of HP Integrity NonStop server environments
Simi Valley, Calif. – May 26, 2011 – XYPRO Technology Corporation, a leading provider of security software and services for HP NonStop server environments, today announced its security and policy compliance solution, XYGATE Compliance PRO, is now available directly from HP on HP Integrity NonStop servers – including the recently released HP Integrity NonStop BladeSystem NB54000c.
With Compliance PRO, HP NonStop customers can effectively manage aspects of security compliance on their HP NonStop server systems. XYGATE Compliance PRO is a powerful and sophisticated software solution specifically designed for the NonStop platform to better monitor the state of mission-critical systems.  It enables enterprises to:
· Analyze system security settings and configurations;
· Gather extensive system data to compare changes in the system from different points in time;
· Track and audit security settings to address risks and protect valuable mission-critical data and intellectual property;
· Build an efficient governance, risk and compliance program that can address regulations, such as PCI, SOX, and HIPAA, across NonStop systems.
“Around the world there are more than 20,000 security and compliance regulations that businesses must meet and more are emerging every year,” said Barry Forbes, vice president, Sales and Marketing at XYPRO. “Organizations today are looking for solutions that simplify risk management and increase the effectiveness of system monitoring in complex information security environments. Compliance PRO does just that, and with this solution now available we have made it even easier to implement security solutions that meet mandated compliance requirements such as PCI.”
“For enterprises, complying with government and commercial regulations while protecting valuable mission-critical data is imperative,” said Bob Kossler, director, strategy and planning, NonStop Business Division, Business Critical Systems at HP. “XYGATE Compliance PRO on NonStop environments helps clients adhere to these regulations and safeguard the data that keeps their businesses up and running.”
About XYPRO
XYPRO Technology offers more than 27 years of knowledge, experience and success in providing HP NonStop information systems tools and services.  Businesses that manage and transport business-critical data turn to XYPRO for a variety of solutions. XYPRO helps businesses to better manage security risks, protect assets and gain a competitive edge through compliance while improving efficiency.  www.xypro.com

Wednesday, May 18, 2011

XYPRO Technology’s XYGATE/ESDK Achieves NIST Validation for FIPS 140-2 Government Standard

Simi Valley, California, USA – May 18, 2011 - XYPRO Technology Corporation, a leading provider of security software and services for HP NonStop server environments, today announced the XYGATE Encryption Library (XEL)  module XYGATE/ESDK achieved Federal Information Processing Standards Publications (FIPS) 140-2 Validation: Security Requirements for Cryptographic Modules.

FIPS 140-2 validation is mandatory for any cryptographic product that is used in a U.S. government agency network.  The standard is a joint effort by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment Canada (CSEC), under the Canadian government. The Cryptographic Module Validation Program (CMVP), headed by NIST, provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. FIPS 140-2 provides stringent third-party assurance of security claims on any product containing cryptography that may be purchased by a government agency. 

To expedite the FIPS 140-2 validation process, XYPRO partnered with Corsec Security, Inc., a consulting firm with over 13 years of validation experience.  "Corsec is delighted to work with XYPRO on their latest FIPS 140-2 validation," said Matthew Appler, CEO of Corsec. "The FIPS 140-2 process is very detailed and time consuming and only well designed products can make it through validation.  This clearly demonstrates XYPRO’s devotion to provide its customers with a higher level of security assurance."

“Over the past several years, XYPRO has expanded the number of platforms on which we received FIPS validation for our encryption library,” said Lisa Partridge, XYPRO President.  “This most recent validation is a testament to our unwavering commitment to security and compliance. FIPS 140-2 validation of the XEL XYGATE/ESDK demonstrates XYPRO’s determination to continue providing customers with a secure and dependable solution.”


The FIPS standard, which is mandated by law in the U.S. and strictly enforced in Canada, is also being reviewed by ISO to become an international standard. FIPS 140-2 is gaining worldwide recognition as an important benchmark for third party validations of encryption products of all kinds. 



ABOUT CORSEC SECURITY, INC.
Corsec Security, Inc. specializes in helping companies navigate through the complex process of receiving FIPS 140 and Common Criteria (CC) certifications.  Corsec’s consulting, document creation, and laboratory services deliver unmatched expertise in achieving government validation efforts at a firm, fixed price.  Corsec partners with companies around the world to achieve local and international certification and to add security functionality to a wide range of products. Corsec minimizes the time, effort and money a vendor needs to invest in validation while ultimately maximizing the return on that investment. For further information, please visit www.corsec.com.  

Monday, March 14, 2011

Raymond James Selects a Clear Standout for its Mission Critical Security Needs


Raymond James is a diversified financial services holding company with subsidiaries engaged in investment and financial planning, in addition to investment banking and asset management. As with any company that stores private, sensitive data, they required industry-leading security and audit solutions that would seamlessly integrate with their HP NonStop environment. “We had multiple challenges from multiple sources,” said John Anderson, Manager of the NonStop Engineering department at Raymond James.  “We wanted to enhance our overall security control on the NonStop, continue to meet specific privacy requirements from our internal and external auditors, and increase logging of user activity: All of these had to fall within our standard enterprise security model.”

After reviewing several security-related products, XYGATE emerged as the stand-out solution that could address Raymond James' comprehensive security and audit needs.

A Clear Standout
Raymond James turned to XYGATE Merged Audit to fulfill its requirements to increase its logging, monitoring and reporting of activity on the HP NonStop. In addition to being an industry leader with an excellent reputation and outstanding customer support, Raymond James selected XYGATE for its comprehensive security features and ease of use. The company also favored the solution’s simple integration.

Moreover, in Raymond James’ specific HP NonStop environment, the ability to send in SYSLOG format to its security data collection device is critical. “Each of the SIEM (Security Information and Event Management) solutions are fully supported by XYGATE Merged Audit with its ability to send all audit in SYSLOG format,” said Anderson. “We were able to confidently move forward with the XYGATE Merged Audit product knowing whatever choice we made for the SIEM, XYGATE Merged Audit would integrate with it.”

Benefits Across the Board
“Rule Based Security with the XYGATE Object Security has saved us an enormous amount of time and effort. A straightforward requirement from our auditors was going to require the implementation of hundreds, and maybe thousands, of complex Safeguard ACLs to meet this requirement,” said Anderson. “With XYGATE, we met the same requirement with a single rule. XYGATE Object Security makes it easier to design, implement, and maintain security for our NonStop servers.”

Anderson also notes that the overall security enhancement project using XYGATE has provided further management of the security environment on the NonStop. “The added control and oversight provided by XYGATE allows for requirements to be met and has afforded us peace-of-mind not previously enjoyed.”


Looking Ahead
As with any change and especially the implementation of added security measures and controls, Raymond James is still learning XYGATE’s countless features and functionalities. “After meeting our initial requirements, we continue to find that new needs are also easily met with XYGATE,” said Anderson.

Moving forward, the company is reviewing additional XYGATE solutions. For its administrative needs, Raymond James is looking at the sophisticated capabilities of Safeguard Manager, and for its compliance and integrity checking requirements it is looking at Compliance Pro.

About Raymond James
Founded in 1962 and a public company since 1983, Raymond James is a diversified financial services holding company with subsidiaries engaged primarily in investment and financial planning, in addition to investment banking and asset management. Its stock is traded on the New York Stock Exchange (RJF).

Through its three broker/dealer subsidiaries, Raymond James Financial has more than 5,300 financial advisors serving 1.9 million accounts in 2,300 locations throughout the United States, Canada and overseas. In addition, total client assets are approximately $262 billion, of which approximately $33 billion are managed by the firm’s asset management subsidiaries.

Raymond James has been recognized nationally for its community support and corporate philanthropy. The company has been ranked as one of the best in the country in customer service, as a great place to work and as a national leader in support of the arts. 

Wednesday, March 9, 2011

XYPRO Announces HP CI-Ready Certification

XYPRO is pleased to announce its recent HP CI-Ready verification.  XYGATE Merged Audit (XMA) and XYGATE Compliance PRO have been validated in the HP Converged Infrastructure environment.

What Is HP CI?
The HP Converged Infrastructure helps businesses overcome the inflexibility and high costs created by IT sprawl to shift more resources to innovation and strategic initiatives – creating the ideal foundation for an instant-on enterprise. This is achieved through an architectural blueprint that eliminates silos and integrates technologies (e.g. servers, storage and network) into shared pools of interoperable resources – all managed through a common management platform and all based on standards and customer choice.

The result is a data center of the future, today, that delivers a whole new level of simplicity, integration, and automation whereby the IT environment is synergistically aligned to the needs of the business: faster time to revenue; lower costs of acquisition and implementation; quicker and more flexible response to business changes; and lower risks. And as your business grows, a Converged Infrastructure will accelerate your move to an Instant-On Enterprise. This type of organization shortens the time needed to provision infrastructure for new and existing enterprise services to drive competitive and service advantage.

What is Merged Audit & Compliance PRO?
XYPRO's Merged Audit and Event Monitoring module (XMA) collects data from multiple sources of audit and intelligently merges them together to form a single NonStop SQL audit database. XMA will also deliver all collected audit data via SYSLOG to remote logging devices or SIEMs.
XYGATE Compliance PRO enables you to easily research the state of security on your HP NonStop server, report on the information found, build policies that monitor the state of the security rules in your environment, compare your existing security against Best Practice and custom Policy recommendations, and verify the integrity of your system objects.

Learn more about HP CI by visiting www.hp.com/solutions/allianceone/ciready

To learn more about XYGATE Merged Audit and Compliance PRO, visit www.xypro.com

Lisa Partridge
XYPRO Technologies
www.xypro.com