Richard,
Your comment about "Stop trying to cut Bill out from the bait-ball and isolate hime [sic] from his traditional support networks. ..." is uncalled for.
Things may be far different in the "land down under", but here in the USA, compliance is a serious legal responsibility issue [emphasis on "legal"]. Everything on ITRC is cross-referenced by various search engines. Today's New York Times providentially had a front page article entitled "How Privacy Vanishes Online" by Steve Lohr noting how statistical correlations of mined data can strip anonymity (see
http://www.nytimes.com/2010/03/17/technology/17privacy.html ).
If there is a future breach of security, this conversation could quite possibly be used against the poster. I have seen it happen to people. It can be extremely embarrassing for all concerned.
When I sense the presence of an issue that is best not left in a public forum, I routinely speak to people off-line and offer some guidance, as a contribution to the community, pro bono.
I would not want Bill to have to be confronted with that contingency. I would rather he have a solid understanding of the issues and limitations without the dialogue being public.
Several years ago, we had an episode in the US involving a self-help group. The end result was a ruling that anything said in a self-help group was fair game in a legal context. If it had been said to a health care provider, attorney, or cleric, it would have been protected.
While IT professionals can sometimes operate without worrying about non-technical issues, compliance is a mix of both, which makes it a potential mine field.
All of that said, I disagree with most of the solutions proffered. The requirement, as I understand it (some background with the PCI specification outside of this thread) is an implementation of the two-man rule (sexism unintended, that is the terminology, it is really the "two-person" rule).
This means:
- NO SHARED PASSWORDS
- INDIVIDUAL AUTHORITY/ACCESS REVOCABLE AT ANY TIME
How does one accomplish this? Not by checking whether another user is logged in. This can be hacked in any number of ways.
One can do this in a variety of ways, but they all involve some degree of subtlety. One way to do it is leveraging time limited certificates issued by a CA, ala Kerberos. Then each user can separately approve the action without creating the potential for Trojan Horse attacks. Each user would log into their normal OpenVMS account or menu. Requests would only be valid if they were digitally signed by at least two authorized requestors (and the data could include the PIDs to ensure that the PIDs were both in the machine room).
The preceding is only a rough approximation of what is needed.
Applications level security outside of the OpenVMS model is always limited to the trustworthiness of the application (which may be spoofed). Additionally, such home-brew security does not leverage the audit and other features of OpenVMS.
- Bob Gezelter,
http://www.rlgsc.com
