Cloud Compliance Blog


Is Compliance the New Security Standard?


I went to an informative "Cornerstones of Trust 2009" conference yesterday in San Mateo, CA. One of the sessions I attended was "Compliance is Not The Same as Security!". It's an important topic, especially for IT/security staff facing challenges getting their security initiatives funded during these tough economic times.

There was a theme that ran throughout the session which I can summarize as this: "CEOs are being short-sighted by not investing in the [fill in the blank] security initiative. Don't they realize that a breach is inevitable, given enough time? And the cost of the [fill in the blank] security initiative is much, much lower than the cost of dealing with a breach (estimated at over $200 per record). Not to mention that preventing said breach provides other tangible and intangible benefits including protecting the brand, preventing customer erosion due to loss of trust, and avoiding a calamitous drop in stock prices."

Given the compelling case for securing the enterprise, why do CEOs fail to invest more in security solutions? Does this simply represent a failure of IT and security staff to make a compelling business case? Or are the CEOs in fact being short-sighted?

Let's try looking at this from the CEO's perspective. He or she is continuously under scrutiny by Wall Street, and the most common measure of the CEO's and the company's performance is by comparing various financial metrics to a relevant peer group, typically the company's competitors and other players in the same industry. Investors want to know - especially in an economic downturn - whether the CEO is keeping expenses in line. In other words, does the company spend a higher percentage in any category than peer company XYZ? If so, is there a measurable ROI from this higher rate of spending? If not, it looks to an investor like wasteful spending or lack of discipline. How should a CEO respond to that?

Risk management is the only rational way to frame the debate. But now we've entered the world of probabilities and risk assessments. What we know to be true is that no amount of spending can guarantee there will be no breaches. The management decision is one of making rational trade-offs between the probability of an event, and the cost of reducing that possibility - but not eliminating it.
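As an added illustration (not from the original post) of the trade-off just described, the following Python computes the annualized expected loss before and after a control and the breach probability at which the control breaks even; the $200-per-record figure is the one quoted above, every other number is a constructed assumption.

```python
"""Break-even analysis for a security control (added example, not from the post).

The $200-per-record response cost is the figure quoted in the post; the record
count, probabilities and control cost below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class BreachScenario:
    records: int               # records exposed if a breach occurs
    cost_per_record: float     # direct response cost per record
    annual_probability: float  # estimated chance of a breach in a given year

    def expected_annual_loss(self) -> float:
        """Annualized loss expectancy: single-loss cost times annual rate."""
        return self.records * self.cost_per_record * self.annual_probability


def net_benefit(before: BreachScenario, after: BreachScenario,
                control_cost: float) -> float:
    """Expected annual loss avoided by the control, minus its annual cost.
    Positive means the spend is justified on expected-value grounds."""
    return (before.expected_annual_loss()
            - after.expected_annual_loss() - control_cost)


def break_even_probability(records: int, cost_per_record: float,
                           reduction: float, control_cost: float) -> float:
    """Lowest annual breach probability at which a control that removes the
    fraction `reduction` of that probability pays for itself.
    Solves p * records * cost_per_record * reduction == control_cost for p."""
    if not 0 < reduction <= 1:
        raise ValueError("reduction must be a fraction in (0, 1]")
    return control_cost / (records * cost_per_record * reduction)


if __name__ == "__main__":
    # Constructed scenario: 100k records, 10%/yr breach chance, a control
    # costing $300k/yr that halves the breach probability.
    before = BreachScenario(100_000, 200.0, 0.10)
    after = BreachScenario(100_000, 200.0, 0.05)
    print(f"loss before: ${before.expected_annual_loss():,.0f}/yr")
    print(f"loss after:  ${after.expected_annual_loss():,.0f}/yr")
    print(f"net benefit: ${net_benefit(before, after, 300_000):,.0f}/yr")
    p = break_even_probability(100_000, 200.0, 0.5, 300_000)
    print(f"control pays off once annual breach probability exceeds {p:.1%}")
```

The break-even figure is the number to argue over with the CEO: if nobody believes the annual breach probability is above it, the control does not pay on expected-value grounds, whatever its other merits.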

In recent years, a new dimension has entered the debate: compliance. Regulatory standards apply now to public companies (SOX), healthcare (HIPAA), card handlers and retail (PCI), various aspects of financial services (primarily GLBA, but including the entire range of FFIEC audits), and other sectors. Most companies therefore have a mandatory level of security that's required in order to meet compliance requirements; failure to do so results in audit findings, and possible material weakness reports. No CEO wants that.

Security spending for compliance, then, is a given. And while compliance spending may not comprehensively protect the enterprise against a breach, it does provide one important bit of protection: liability. From the CEO's perspective, while the cost per record of responding to a breach may be high, it's nowhere near the potential cost of lawsuits resulting from said breach. And achieving compliance appears to provide a liability shield.

Therefore, the CEO thought process might go something like this: Security spending for compliance is mandatory. And while additional security-related spending might make us more secure, it doesn't add anything in terms of liability protection. Furthermore, there's no guarantee that additional security spending will prevent a breach, but there's a strong likelihood that it will increase spending compared to industry benchmarks. By spending on compliance we are protected against the biggest exposure, which is legal liability. It's not perfect, but given the pressure on margins it will have to do.

If compliance standards are strengthened, then of course the company - as well as all of its competitors - will increase spending to comply. And there's plenty of room for improvement in reducing IT audit findings; see here and here to read about top IT audit findings.

Cloud Compliance is developing an Identity and Access Control (IdAA) solution to improve the efficacy of compliance solutions, and reduce the cost of achieving compliance. Due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks and ensuring that their security spending is in line with their peers. Finally, in contrast to most identity management systems, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.


Comments

The short answer to your post is that compliance is an external requirement imposed by a government or industry regulator. 
 
Unlike compliance, security is about protecting the digital, physical and people assets of a business. 
 
The viewpoint you propose, namely that security is a bolt-on the business, is incorrect. Security needs to be built into the business strategy and process. 
 
For example - security must be part of customer service, part of the interface with suppliers and part of the product development process. 
 
Not all security is about credit cards and the $200 number you mentioned is meaningless by the way, most businesses like BoFA who have a breach don't sustain any real financial damage at all - and the card holders are insured. At any rate - please don't confuse the time it takes for a BoFA card holder who had their identity stolen to rebuild their life with the actual damage to BoFA's bottom line. 
 
Finally - security is about making a practical and business-oriented analysis of the threats, vulnerabilities and asset value in your business and deciding what are the most cost-effective controls. Notwithstanding all the security vendors who want to ride the wave of security breaches to sell their products - a business would be well-advised to take a thorough look at their threats and calculate their Value at Risk. Although it requires more effort than calling up a Symantec reseller and installing a product - the return on investment for a CEO of simply estimating his data security value at risk is immensely higher than installing a piece of software or hardware and never knowing how effective it is. 
 
I totally reject the nihilistic approach that some people propose that it is impossible to estimate risk. 
 
It is possible to estimate anything. 
 
Best regards 
Danny Lieberman 
Software Associates - the data security specialists
Posted @ Saturday, October 17, 2009 3:33 PM by Danny Lieberman
I agree that compliance and security are driven by different market drivers, the former by regulations and the latter by the dangers posed by the potential of malicious attacks that can be disruptive to an organization's business continuity and critical assets. 

Compliance is a "measure" of security. It is how an organization should calibrate its security posture and investment. It is a flaw to discount security as a function of process management in its entirety, as has been the case with security in the virtualization space. 

I have heard too often these days, at many levels from architects to CTOs, that virtual servers are as secure as physical servers, so why the paranoia? No one has attacked any hypervisor yet? In a flat network, where any packet can be put on the wire anywhere on the planet and routed diligently to a target application anywhere across the globe, without guarantees of content inspection, both Federal and commercial network managers ought to ask themselves "What if it did happen on our watch? Would we be ready to quickly plug it and ensure business continuity for cloud based services?". 

Risk management has two aspects - Security and Auditability. Together they help achieve a reliable gauge of compliance. If you manage and mitigate risks, with processes and security, you may achieve a level of compliance and improvise. 

Security in the cloud requires a paradigm shift. It is a great opportunity to look at network and application level security from a holistic perspective. Applications are not designed with "intensive security" from "fine grained malicious attacks" on the agenda - they never were. Networks are designed as a vehicle of transport, not security - they never were. Over the decades, the network stack and application protocols have been tweaked to retro-fit security. Simply put, that is one way to do it, not necessarily the only way. If everyone had adopted IPSec, and discounted the necessity for network monitoring controls, there would not be a security problem, right? Security enforced by one entity and independently verifiable by another entity leads to better security (no fox guarding the hen-house). 

The problem is not only "how" and "where" to enforce security policies, but the even more fundamental question of "who" and "how" will such "rules" be defined in the first place. The era of physical assertions based on MAC/IP/Port based rules is coming to an end. A higher level of abstraction is required in the public/private cloud. The open-ended security model is outdated and a closed-loop end-to-end security model is required. In the cloud, neither endpoint can be trusted without authoritative checks and balances. 

The traditional approach to security has been to apply a combo-pack of encryption, tunnelling, deep packet inspection, string matching, regular expression based pattern matching, and lately with a pixie dust of authentication. These are half-measures that will not scale as the volume of users, applications and application layer protocols proliferate in the emerging cloudy network. Hypervisor platforms today lack the level of hardware acceleration that physical switches/routers/firewalls have leveraged through the years. In the virtual network, inter-VM traffic is harder to manage in the fluid environment that is typical of virtualization. 

A good debate today is on how to define a network access control (NAC) standard so customers don't have to choose between disparate point solutions that lack interoperability and portability across multi-vendor solutions. The responsibility for security is split across directory, IT and policy administrators and the rules are tightly inter-woven in the workflow. 

I am not advocating deployment of security products like land-mines without being part of a bigger "strategy" of access management for compliance. However, I am suggesting that any multi-layer defense strategy should include scalable security as either a bump-in-the-stack or bump-in-the-wire, to participate in achieving regulatory compliance and critical asset protection. 

Best Regards, 
 
Srinivas Kumar 
 
Posted @ Monday, October 26, 2009 9:02 PM by Srinivas Kumar
Srini, 
 
Well written but I disagree on two fundamental points. 
 
1) Security is not a "market driver" even though Symantec and McAfee see it that way (and I suppose rightly so...) 
 
2) Compliance is NOT a "measure" of security. When you do a PCI DSS 1.2 self assessment you don't measure anything. When a QSA does an onsite PCI audit - the auditor follows a 4 year old procedure and only has to: "The assessor may select a representative sample of system components to test." 
 
Regarding threats to virtualization and hypervisor there is abundant literature and several commercial products. 
 
 
Danny Lieberman 
Danny on data security
Posted @ Tuesday, October 27, 2009 1:49 AM by Danny Lieberman
I am no expert on PCI-DSS, however referring to the "Requirements" section on PCI-DSS (http://en.wikipedia.org/wiki/PCI_DSS) it appears that "access management" to physical and logical resources (i.e. servers, files, DB tables, etc) are suggested. Whether the monitoring and enforcement occurs at the application layer or below is a matter of implementation. 

Even if regulatory standards do not require metrics (i.e. level of compliance - analogous to EAL in common criteria), from a vulnerability assessment standpoint it makes a lot of sense. Question is whether compliance is mandated at the "application level" or "network level". What needs to be compliant? Is the application certified as PCI compliant or is the network? If it is ultimately "data" that is protected under the umbrella of regulation, then both networks and applications are in the loop and become liable. Network level firewalls, in their traditional embodiment, deliver much of this capability today. It is the physical constraints in ACLs that should be addressed. 

Since threats to "data" can originate from either malicious applications or users, both AV and IAM solutions have a role. And both have the stretch potential to improvise - AV solutions can leverage application white-listing and provenance services, and applications can extend authentication attributes to include technologies such as smart-card and OTP. Both require some level of reengineering. 

I would agree that there is no measure for compliance only in the sense that either you are compliant or you are not. There is no middle ground - it is an all or nothing deal. From a security perspective, there is no such thing as "perfect security" and so it is only a measure - therefore monitoring becomes a necessity as the attack surface is broad. 

Regards, 
 
Srinivas Kumar 
 
Posted @ Tuesday, October 27, 2009 6:35 PM by Srinivas Kumar