« Silver Bullet Security Podcast | Main | Identity Relationships »



Hi Gunnar,

Thanks for the post. I was surprised that you characterized the article as "how supposedly you would meet PCI reqts in MQ deployment". I don't believe it is possible to take any product out of context and make it PCI compliant because compliance is more about the human processes and disciplines than it is about a configuration checklist. But, in the absence of a checklist for a particular product, little or no attention is paid to securing it. This is unfortunately the case with many WMQ installations today. The resources go to the components that are likely to be scrutinized in an audit and WMQ is not one of those components.

The intent of the article was to prop up a straw man that would provoke discussion about what PCI compliance might look like in a WMQ context and to suggest that maybe WMQ security deserves some attention despite the fact that it isn't on many checklists yet. The article was not supposed to be the missing checklist but to engage stakeholders in possibly working to fill that gap. From the article: "In this article, I will discuss some of the PCI DSS requirements to see how they might be applied in a WebSphere MQ context. This area is still emerging and there is not yet a consensus on how these standards might apply to WebSphere MQ -- even within the payment card industry -- but I hope to spark a dialog on the subject."

Hopefully most folks will not come to the conclusion you did that the article was a tutorial on making WMQ PCI compliant. All it was supposed to do was get the WMQ folks talking to the security folks so we could build some consensus about how to apply the PCI criteria to WMQ in a meaningful way. Short of that it also makes a case that a reasonable WMQ administrator evaluating the prevailing practices should find them deficient without needing an audit to point that out. From the article: "I hope this got you thinking about what 'reasonable care' or 'due diligence' means in a WebSphere MQ context. Most of the mitigations discussed here are not widely practiced in the WebSphere MQ community today. However, that doesn’t make them any less reasonable."

I think we have more common ground here than the tone of your post would suggest and I'd certainly welcome any other interpretations of how to apply PCI DSS to WMQ other than my own first stab at it.

-- T.Rob

Gunnar Peterson

T. Rob- I am glad you published this doc - my comments are not negative towards your paper whatsoever, and I think you described the field level pluses and minuses of real world MQ deployment quite well. Whenever I see MQ in the field I expect to see vulns,

I have never understood how a messaging system can have a coherent security model that does not include message level security. I think the authZ without authN gives people the impression there is far more security than there actually is.

I have been encouraged to see some architectural progress in MQ over the last 4 years, but these things are buried very deep in IT shops and more awareness of what the threats and capabilities is needed, which your article is a great starting point for.

The comments to this entry are closed.