[Default] On 31 Jul 2019 14:44:53 -0700, in bit.listserv.ibm-main
jesse1.robin...@sce.com (Jesse 1 Robinson) wrote:

>One frequent selling point for cloud solutions is that WE the hired-hand 
>storage experts can take better care of your precious data than you can. I 
>sense Death of a Salesman...
>
Figuring out who should have access to what is an ongoing zoo where
who can either be a person or an entity (another program, etc.).
Someone should have it today but not tomorrow.  Then for problem
determination purposes is it always feasible to obscure copies for
production data?  How well protected are test and quality assurance
environments? Mirror data centers?  Customer Service Representatives
by the nature of their jobs may require access to confidential data on
any customer who might call in as would any online customer
application.  In both cases the representative or the application is
the one who determines whether a customer is entitled to the
information with the added problem that the customer service
representative can misuse their access.  

In the Capital 1 case, apparently someone at Capital 1 failed to do
their part and it brings up the point as to how much expertise is
required on the application owner's part and how much any service
provider can do to make sure the client organization has got the
security it needs.  If some entity can get into the system and look
like an authorized service user, that system will decrypt and format
the requested information.  A straight disk dump (FDR/ABR, DF/HSM or
IDCAMS for example) is not going to provide anything that is easily
readable or decipherable.  

Clark Morris
>.
>.
>J.O.Skip Robinson
>Southern California Edison Company
>Electric Dragon Team Paddler 
>SHARE MVS Program Co-Manager
>323-715-0595 Mobile
>626-543-6132 Office ⇐=== NEW
>robin...@sce.com
>
>-----Original Message-----
>From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
>Clark Morris
>Sent: Wednesday, July 31, 2019 8:51 AM
>To: IBM-MAIN@LISTSERV.UA.EDU
>Subject: (External):Re: Capital One Data Breach-100 Million Customers affected
>
>[Default] On 31 Jul 2019 06:58:19 -0700, in bit.listserv.ibm-main 
>jcew...@acm.org (Joel C. Ewing) wrote:
>
>>And I noticed a reprinted Washington Post article in my local paper 
>>today "Bank data stolen despite cloud push", which clearly indicates 
>>bank management had the perception that  somehow removing data from 
>>Capital One's direct physical control  to Amazon Web Services on the 
>>cloud would "improve" security rather than just add different paths for 
>>attack.   Can't help but wonder if this move to "cut back" on Capital 
>>One's data centers also involved laying off the people that might have 
>>been smart enough to configure their firewall correctly and avoid the 
>>breach.
>
>Since configuration problems have hit the mainframe, I suspect that platform 
>didn't matter.  I am beginning to believe that the most secure platform is the 
>one where it is easiest (and mostly by default) to secure to the limits of the 
>platform.  Since this isn't a set and forget issue, good practices need to be 
>in place so that ex-employees don't have access.  Why was the person accused 
>of the breach able to access the cloud?  Did she need credentials in order to 
>get by the improperly configured firewall?  I suspect that all companies need an
>HR application that causes review of an employee's/contractor's access every 
>time they change position and when their employment is terminated. 
>
>Clark Morris
>>    Joel C Ewing
>>
>>On 7/31/19 8:32 AM, Bill Johnson wrote:
>>> She breached an incorrectly configured firewall.
>>>
>>>
>>> Sent from Yahoo Mail for iPhone
>>>
>>>
>>> On Tuesday, July 30, 2019, 7:48 PM, Edward Finnell 
>>> <0000000248cce9f3-dmarc-requ...@listserv.ua.edu> wrote:
>>>
>>> https://www.usatoday.com/story/money/2019/07/29/capital-one-data-breach-2019-millions-affected-new-breach/1863259001/
>>>
>>> A CLOUDy day in data processing.
>
>
>----------------------------------------------------------------------
>For IBM-MAIN subscribe / signoff / archive access instructions,
>send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
