This episode of The Deep Queue takes its inspiration from the thousandth time I was asked how to “turn on MQ security”. Yes, that’s right, the thousandth time. At least since I’ve been counting. There were perhaps half a thousand instances before I started keeping track. Unlike being the millionth customer at the local hair salon, you don’t want to be the thousandth person to ask me how to “turn on MQ security”.
“What do you mean ‘turn on’ security?” I asked. “What is it exactly you want security to do for you?”
“Well, you know…SECURE THE QUEUE MANAGER!” came the annoyed reply.
“What I mean is, are you trying to protect from eavesdropping, denial of service, message injection or what? And do you want prevention, detection or forensic capabilities?”
Since nobody there had thought about it in these terms, the answer back was “I don’t know, we will get back to you.” My dilemma is that if I have a ready-made answer for “how to turn on MQ security” it is likely not to address the real requirements…but at least I get work. If I try to drive out the real requirements, I put myself on the bench.
[display_podcast]
Links for this episode:
WMQ Security webinar for QSA’s, internal auditors, security professionals and anyone interested in knowing how to tell if your WebSphere MQ network leaks administrative access: PCIKnowledgebase.com http://is.gd/qqOX
The Black Swan by Nassim Nicholas Taleb: http://is.gd/qqXX