Oct 20 2011
I knew it had to happen eventually, but that doesn’t lessen my desire to strangle the marketing person responsible for what was probably just a reprinted press release! Or maybe the reporter who came up with the title of the article should be the one throttled. In either case, I can’t let an article headlined “PCI-DSS Compliance in a Box” go by without raging against the sheer stupidity of the statement at least a little. It is SC Magazine, but I still hope for better.
If you have even a passing familiarity with PCI, you know exactly why this story about RandomStorm (I have another name for them, but I can’t put it in writing) making a box that meets all your PCI compliance needs is utter nonsense! It sounds like a UTM (unified threat management appliance) bundling a handful of related services, like IDS, log management and vulnerability scanning, with a reporting tool on top. Those are useful, but they touch only a small part of the PCI DSS requirements. To state otherwise, or to sell a product as covering everything PCI requires, is disingenuous and dishonest at the least and criminally misleading at the worst end of the spectrum. How someone could be reporting on the compliance market and not know that is beyond me, but then again no one at SC Magazine was willing to put their name on the post, so maybe they did know how much BS this press release was.
“MicroStorm is delivered on a single small form factor appliance that is designed to help merchants monitor and prove their compliance on an ongoing basis, with the reassurance that if anything breaches their network, they will be immediately alerted.”
Given names like RandomStorm and MicroStorm, I’m hoping this is some sort of trolling attempt and just a joke. I can’t imagine anyone who knows how to spell PCI actually making a statement like this with a straight face. I can, however, imagine many marketing and sales guys trying to sell SMB merchants a small black box with blinky lights that they sit on a shelf somewhere and that will protect them from the PCI bugbears! After all, isn’t that what all too many vendors are saying about their products, and “Standard Techniques Failed Us”?
One box cannot meet all of the PCI DSS requirements, even if you ignore the fact that a large number of them are policy, process and people requirements that no technology can satisfy. And if you ever do find one box that claims to meet all of the technical requirements, back away slowly and get far away from it. I can almost guarantee that even if it meets some of the requirements in theory, when you actually have to sit down with a QSA or a forensics investigator and explain how it works, half the technologies it’s supposed to incorporate will be so minimal as to be worthless. Worse than worthless, since they give a false sense of security. I also predict it will be a forensics investigator you have to talk to, not the QSA.
Simply put, this is more snake oil. Enough said.
Update (10/24/2011): You can see a comment from the CTO of RandomStorm in the comments, along with my reply. Additionally, I received the following tweets from @phinessence on Twitter taking the blame for the naming. Glad to see they’re on top of the situation, but it was a bad move, despite the use of quotes, inverted or otherwise.
Blame me for that headline. It was in inverted commas for the very reasons you state. Thanks for highlighting the dangers though.
My bad, I’m afraid. It was to provide context, hence the inverted commas, but your comments have been taken on board.