How IKEA Does PCI-DSS
Attaining PCI-DSS compliance is no easy task, but IKEA's common sense approach makes it a bit less taxing.
Swedish retailer IKEA, which has built a reputation around its common sense approach to furniture, applies the same kind of common sense approach to how it deals with security and compliance across its distributed IT infrastructure.
In a session at the recent Red Hat Summit, Magnus Glantz, who manages Linux system design and technology worldwide at IKEA, discussed how the retailer uses a repeatable, scalable process for managing IT infrastructure.
"PCI-DSS is not a joking matter," Glantz said. "It's quite a harsh data security standard, and it's about mitigating the risk of credit card number theft."
PCI-DSS was recently updated to version 3.1, with new requirements around security and penetration testing. It's easy to be impacted by PCI-DSS, Glantz said, and the requirements can spread through a full IT infrastructure like wildfire.
He stressed that IKEA's method of solving its own PCI-DSS challenges is not rocket science.
Automating Security Best Practices
"We simply have a configuration of our Standard Operating Environment (SOE) where we put the world's best security practices into an automated process," he said.
The IKEA SOE includes a definition of the hardware platforms used, as well as the Linux and application software that is installed. In addition, an installation and configuration management layer helps enforce the SOE across IKEA's distributed IT footprint.
"The neat thing about having an SOE that meets PCI-DSS requirements is that if anyone comes up to me and says they need a secure deployment for compliance, I just tell them to run the PCI-DSS SOE," Glantz said. "They don't have to worry about compliance; they just need to worry about their own application."
Glantz said this SOE approach of defining standard, repeatable infrastructure has helped IKEA pass its PCI-DSS audits for many years.
IKEA patches all of its PCI-DSS SOE servers in 30-day cycles up to the latest version of Red Hat Enterprise Linux (RHEL). It's a process that Glantz says has been in place for the last four years. The retailer also makes use of the Red Hat Satellite server-management technology to track and manage its Linux servers in a standardized manner.
The updated IKEA servers run dozens of different types of applications and databases.
"We haven't yet experienced any major incident in an update; stuff doesn't break," Glantz said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.