The PCI Compliance Paradox
Systems Administration can be frustrating at times, especially in the area of security compliance and vulnerability management. For all my development readers with friends in operations who are wondering why their sysadmins seem so cranky the first couple of weeks into the new quarter, it is most likely due to the sysadmin recently receiving the most recent pci quarterly vulnerability scan results from a scanning vendor.
PCI Compliance is a set of guidelines organizations handling credit card data need to achieve and is defined by the Payment Card Industry Data Security Standard. PCI has a number of problems associated with it; the most notable being outside of the security folks and the sysadmins who need to remediate the vulnerabilities, no one cares about PCI compliance. This isn't to say that PCI compliance isn't important because it is very important and the penalties and fines that can be levied against an organization for non-compliance can be quite heavy and, in some cases, business disrupting. It's just that no one cares about PCI compliance. Your development and business partners care more about releasing new functionality or fixing bugs. They don't care if you need to upgrade to a new version of apache as long as it doesn't interfere with their release dates or break their apps. Development does not care how you implement workarounds to their input handling bugs as long as they don't have to fix the code themselves. (If they do need to fix it, it will always take 6 to 9 months.) The security team doesn't care if there is no remediation for a particular vulnerability—just mitigate it. Dealing with these is part of the job and does not aggravate the sysadmin too much. What frustrates the sysadmin is what I call The PCI Compliance Paradox. The paradox is simple to express:
If you were certified PCI Compliant and suffer a breach, you were not PCI Compliant
This is Number 5 of my Unofficial Laws of General Systems Administration, by the way. The PCI Compliance Paradox leads to systems administrator frustration simply because one begins to think that an awful lot of time, effort, and money is going toward a sisyphean endeavor that one can never truly achieve because of the frequency of the appearance of new vulnerabilities or because you are one 0-day away from losing that certification.
Luckily, what helps me is a popular phrase the business world has coined to aid in combatting these feelings of helplessness: "It is what it is". To all my systems administration friends and colleagues out there reading this, how do you deal with the PCI Compliance Paradox and the organization-wide apathy?