Last month, Oracle released a white paper entitled “Oracle Solaris 11 and PCI DSS: Meeting PCI DSS Compliance with Oracle Solaris 11.” The paper provides guidance to IT professionals who are implementing Oracle Solaris 11 within their Cardholder Data Environment (CDE) and to a Qualified Security Assessor (QSA) assessing those environments.
This guidance therein is not an in-depth technical assessment of the product or an installation guide, but rather an analysis of the product’s ability to meet and support compliance requirements. Indeed, after a careful evaluation, our assessors determined that it is fully capable of supporting compliance with the Payment Card Industry Data Security Standard (PCI DSS). In addition, the author points out that the same basic tenets can be used for meeting other regulatory environment standards such as the Gramm–Leach–Bliley Act (GLBA), Sarbanes Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Management Act (FISMA).
At Coalfire, we were proud to do work behind this paper, and we hope that Oracle gets a lot of mileage out it. It’s great for our industry when solution providers design compliance into their products, and we think it will provide great value to their customers. Thanks to this report, Oracle customers will:
Learn about some product features that might be new to them
Find creative approaches to compliance management, based on the frameworks put forth in the paper
Save time and money on their next PCI DSS assessment, particularly if the QSA doing the work isn’t an expert on Solaris 11 and hasn’t tested it before.
A paper like this is more than a compliance management tool; it can also be a sales aide, and that’s something that should make all product managers take notice. Security is now a boardroom issue and most executives won’t sign off on a major purchase without first considering the compliance implications. A white paper written by a credible, independent source is becoming the best way to address those very legitimate concerns.