Compliance
What the F is with Visa?
March 4, 2009 - Volume 4, #22
Good Morning:
Sometimes I just sit in my office and scratch my head. It's rare that I'm speechless (very rare, just ask the Boss), but when I came across this article in NetworkWorld on Visa's latest perspective on the "new" data breach, I was pretty much paralyzed. Yesterday, SC Magazine covered it as well.
In a nutshell, Visa is either being run by lawyers or the Three Stooges. It's not clear to me which one, though I'd have to side with the lawyers at first glance.
In a classic Clintonian "it depends on what the definition of is is" moment, it turns out Visa's statement on the "new" breach didn't indicate it was actually new. And now they are saying it wasn't new. Maybe customers were compromised. Or maybe they weren't. Holy crap, I'm confused.
With all due respect to my Dad and all the other lawyers I call friends (most of the time), I hate lawyers. You see, this gets back to the disclosure issue. These attacks are happening, RIGHT NOW. These attacks are being successful. Financial institutions and retailers are sitting under a two ton anvil called the recession (some would even say depression).
These folks need to optimize their resources and make sure their defenses are in place against new and innovative attack vectors. Instead, you have their lawyers trying to decipher what Visa and Mastercard's lawyers are saying or not saying. All the while the attackers continue to have their way with pretty much anyone and everyone (PCI compliant or not).
I know I'm asking a lot, but to hear the truth would be nice. It's all fine and dandy that Visa is now "risk scoring" each transaction to look for fraud (didn't they do that anyway? If not what the hell do I pay my 2% per transaction for?). But they are still reacting to the attacks, not helping to address them.
Makes me want to do my best Moe imitation and give an eye poke to Larry (Visa) and a head slap to Curly (MasterCard).
Have a great day.
Photo credits: “Three Stooges” originally uploaded by NYCArthur
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
I M HIPAA: Hear me roar!
February 20, 2009 - Volume 4, #18
Good Morning:
Through the years, I've been pretty vocal about the fact that HIPAA has become a joke. A toothless tiger, if you will. I literally had discussions with healthcare security folks whose organizations made the decision to risk the limited HIPAA fines, rather than put the proper security controls in place to meet the spirit of the legislation.
The good news is that I wasn't the only one jumping on HIPAA. The Office of the Inspector General (OIG) got about two knuckles deep into the eyes of HHS (Dept of Health and Human Services), calling them out about the lack of enforcement relative to HIPAA.
Evidently the folks at HHS were listening and what they needed was a nice, costly public execution to prove to folks that they mean business. It looks like they got one, fining CVS $2 million for privacy violations in 2006. It seems that some of the pharmacists would just toss bottles with labels on them containing names and details of the medications. Obviously that's a no-no.
And it gets even better, check out this quote from the SearchSecurity article:
Lax enforcement may be changing. President Barack Obama's stimulus package signed into law on Tuesday included new rules significantly expanding HIPAA. The rules govern the privacy and security of medical records for healthcare organizations and now their so-called business associates. The new rules include a breach notification law, forcing healthcare providers to notify individuals publicly if more than 500 people are impacted by a breach. Stricter enforcement and penalties are also outlined in the law. It authorizes State Attorneys General to bring a civil action in federal District Court against individuals who violate HIPAA.
That is just outstanding, especially the part about allowing State AGs to bring civil actions against individuals. Lord knows an Attorney General never met a lawsuit (especially one that shows how his/her citizens have been wronged) they didn't like, especially when it comes with lots of PR coverage.
So what does that mean for us practitioners? Basically, if you are in the healthcare business, your HIPAA vacation is over. I suspect there will be a number of other public executions to show that the new HHS regime means business, especially with the explicit direction from the Obama administration to push forward with electronic medical records.
It's time to revisit the training procedures relative to making sure your employees understand how to handle private data. It also probably makes sense to look at that DLP technology (even if it's poor man's DLP built into email and web security gateways) and possibly NetFlow analysis/data to see if there are strange network flows indicating information leakage. If you've been trying to get a project funded, this kind of data point will be pretty useful (remember about Selling Fear?).
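As an added illustration of the NetFlow angle (this is example code written for this page, not something from the original post or from any product named here): a small Python script that takes per-flow records of the kind a NetFlow collector exports after aggregation, sums outbound bytes per internal host, and flags hosts whose egress for the day is far above their own recent median or that talk to an external destination never seen in the baseline. The internal address ranges, the thresholds and the flow records themselves are all constructed assumptions; on a real network you would feed it the collector's export and tune the ratio and byte floor to your traffic.

```python
"""Toy NetFlow-style egress review: flag internal hosts whose outbound volume
to external destinations is far above their own recent baseline, and list any
external destinations they have never talked to before.

All flow records below are constructed for this example (one dict per flow,
with the fields a NetFlow collector would export after aggregation).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Address ranges we treat as "inside"; an assumption for this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_by_host(flows):
    """Sum bytes and collect destinations per internal host, counting only
    flows that actually leave the network (internal src, external dst)."""
    stats = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            stats[f["src"]]["bytes"] += f["bytes"]
            stats[f["src"]]["dsts"].add(f["dst"])
    return stats


def flag_exfil_candidates(baseline_days, todays_flows, min_ratio=5.0, min_bytes=50_000_000):
    """baseline_days: list of per-day flow lists (the quiet period to compare
    against). Returns hosts whose egress today is at least min_bytes and at
    least min_ratio times their median daily egress (or that have no baseline
    at all), with any never-before-seen external destinations."""
    per_day = [egress_by_host(day) for day in baseline_days]
    today = egress_by_host(todays_flows)
    flagged = {}
    for host, cur in today.items():
        history = [d[host]["bytes"] if host in d else 0 for d in per_day]
        base = median(history) if history else 0
        known = set().union(*(d[host]["dsts"] for d in per_day if host in d))
        if cur["bytes"] < min_bytes:
            continue  # too small to care about regardless of ratio
        if base == 0 or cur["bytes"] / base >= min_ratio:
            flagged[host] = {
                "bytes": cur["bytes"],
                "baseline_median": base,
                "new_destinations": cur["dsts"] - known,
            }
    return flagged


def _flow(src, dst, dport, nbytes):
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed baseline: seven ordinary days of traffic.
BASELINE = []
for day in range(7):
    BASELINE.append([
        _flow("10.0.1.20", "198.51.100.10", 443, 20_000_000 + day * 1_000_000),  # usual SaaS traffic
        _flow("10.0.1.30", "198.51.100.20", 443, 30_000_000),                    # usual SaaS traffic
        _flow("10.0.1.30", "10.0.2.5", 445, 900_000_000),    # internal file share, not egress
        _flow("203.0.113.9", "10.0.1.30", 443, 5_000_000),   # inbound, not egress
    ])

# Constructed "today": 10.0.1.20 pushes 400 MB to an address nobody has seen before.
TODAY = [
    _flow("10.0.1.20", "198.51.100.10", 443, 21_000_000),
    _flow("10.0.1.20", "203.0.113.5", 443, 400_000_000),
    _flow("10.0.1.30", "198.51.100.20", 443, 31_000_000),
    _flow("10.0.1.30", "10.0.2.5", 445, 950_000_000),
]

if __name__ == "__main__":
    for host, info in flag_exfil_candidates(BASELINE, TODAY).items():
        print(f"{host}: {info['bytes']:,} bytes today vs median {info['baseline_median']:,.0f}; "
              f"new destinations: {sorted(info['new_destinations'])}")
```

The two checks deliberately work together: a host with no history at all is flagged only if it crosses the byte floor, and a host with a normal volume but a brand-new destination stays quiet, because on its own a new destination is far too common to be worth an analyst's time. Internal-to-internal and inbound flows are excluded so that a busy file server does not drown the signal.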
Finally get ready for the HIPAA FUD bonanza coming from the vendors. All 800 vendors left will be frantically figuring out how to renew their pitch around HIPAA compliance for the healthcare space. Once again, the regulatory Gods are shining their warm lights down on the information security business.
Have a great weekend.
Photo credits: “Tiger face portrait in a square” originally uploaded by GavinBell
Compliance is SO a Cost Center
February 5, 2009 - Volume 4, #13
Good Morning:
Another quick intro because I found such a "compelling" post on McAfee's blog that I just had to vent a bit. Enjoy.
Have a great day.
Compliance is SO a cost center
Holy crap, I thought the idea of positioning security and/or compliance as a "profit" center died along with the dreams of millions of Internet entrepreneurs during the .com implosion a few years ago. Evidently I was wrong. Check this out on McAfee's blog:
No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).
OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on. But it gets better. Here are the arguments the author (Lawrence Pingree) uses to justify his position.
Normally I would excerpt an entire post, but this is too good to let it go. Check this out.
Business process improvements
* Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization
* Security separates duties so decisions that occur are more accurate and accountable
* Security provides checks and balances that reduce internal risks thus saving costs
* Security reduces business impacts of change
* Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
* … and much more
Technical Improvements
* Firewalls clearly reduce un-needed load on the network saving bandwidth costs
* Anti-Virus software has clear cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
* Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
* Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
* Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing) something we sometimes forget.
* Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
* Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
* Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
* Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
* …and much more
Threat Reduction
* Lower reporting costs for disclosure laws
* No bad PR to respond to
* Lower liability to your customers
* Less outbreaks of worms/viruses (less system damage repair/replace)
* … and much more!
It's hard to know even where to start. My first comment would be that a "Compliance Driven Company" is the next Heartland or TJX. Listen, I've been trying to position security as a benefit and "revenue center" for the better part of my career. I'VE FAILED MISERABLY. And the rest of our industry has as well. Because of a very simple truth, which hurts my ego, but is absolutely true in the real world:
CEOs don't care about security or compliance.
Period. They only care to the degree that they 1) end up in an orange jumpsuit, or 2) end up on the front page of the Wall Street Journal. Other than that, they don't care.
And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.
None of the points in the post is exactly false, but they are irrelevant. Most of that stuff is simple business common sense, yet getting it done is still like pulling teeth - especially in a down economy. For instance, "Security separates duties so decisions that occur are more accurate and accountable." That's actually false, because security doesn't separate duties. A business process (usually driven by Sarbanes-Oxley) may be defined to require separation of duties, but that requires more people. That costs more money, no? And there is no guarantee that the decisions will be either more accurate or more accountable. It just means you have more cooks in the kitchen.
How about this one: "Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach." Spoken like someone who works for an anti-malware company and hasn't read the paper lately. Or, even worse, actually believes the crap in the marketing slicks. The best way to reduce the threat of identity theft is to fire all your employees or take away their computers. And even if this were true, how does reducing identity theft make security less of a cost center?
Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water.
I could literally dismantle almost every statement in the post, but you get the picture. Folks like me have been trying to position security as revenue positive for a long time and it's not going to happen. So we sell using fear, uncertainty and doubt and we try to convince the buyers (whether you work internally or for a vendor, it's all the same) that it's cheaper in the long run to do the right thing. But you never go in trying to position squishy security benefits. CEOs and CIOs will slice you into little pieces and feed you to the fish.
OK, off soapbox. And part of me appreciates Lawrence's idealism. But I've just seen too much through the years to believe this will really change. So, click the link, get your chuckle for the day and get back to work fighting the good fight to convince your senior executives to do the right thing and accept the reality that we ARE a cost center.
The Increasing Irrelevance of PCI
January 26, 2009 - Volume 4, #9
Good Morning:
Quick intro today, since I spent most of my allocated TDI time ranting about PCI. It's got a major problem of relevance, given the second (that we know of) massive data breach on a PCI "compliant" organization. So what will they do? Let's just say I have some ideas about what they should do...
PS: Last call for the Pragmatic CSO Forum I'm launching with the Business of Security folks. We start the Forum sessions tomorrow, so this is the last opportunity you'll have to learn the methodology. We're running a promotion now: anyone that signs up for the Forum will get a PDF of the book included.
Have a great day.
The Increasing Irrelevance of PCI
This is a hard post for me to write. I've been a big fan of PCI, pretty much since its inception. It was a lot more specific than previous regulations. I may not agree with all of the requirements (like the AV mandate), but at least there was a list of things that merchants could do to start on the road to security.
I'm a pretty Pragmatic guy, so I knew that most folks would look at the 12 requirements and figure that's all they needed to do. That once the PCI Assessor delivered the report, that they'd be secure and their credit card data would be safe. Of course, they would be wrong - but I figured we needed to start somewhere and PCI was a good start.
And it was for a little while, but it's like sending your playbook to the opponent before the big game. Your adversaries know exactly how you plan to defend against them. It's not too hard to devise a new attack to circumvent those lowest common denominators. Which is exactly what the attackers that successfully compromised both Hannaford and, most recently, Heartland did.
I wrote on the eIQ blog about how I think we can add incremental defenses to protect against these new attacks, but that still doesn't answer the crisis of confidence facing PCI right now. Sure, the 12 requirements are a good start, but clearly they are not enough, and the consensus-based process of updating the requirements means PCI is always solving the attacks of 2 years ago. For instance, the mandate to eliminate WEP from wireless networks is only going into effect this year (PCI DSS 1.2 bars new WEP deployments after March 31, 2009 and gives existing ones until June 30, 2010). WEP has been known to be broken since 2001, and by 2007 the key could be recovered from a few minutes of captured traffic.
So I believe the PCI Security Standards Council has some serious soul searching to do. The Council needs to act quickly and decisively to stem the rising tide of irrelevance. Or else they'll need to acknowledge that PCI is the next HIPAA and organizations will continue to do the bare minimum to comply, while secretly snickering at the ridiculous hoops they have to jump through to little benefit.
The first step is to announce a 45 day review of the current set of requirements to determine whether they are still relevant and to pinpoint gaps, maybe even publishing some new guidance and clarification on the weakest requirements (or the ones that just aren't working). The first step is always the hardest, and thus far the public stance from the Council has been one of "not my problem." They only set the rules, they don't enforce them. That's the wrong answer, but it's the predictable one.
In terms of the massive change needed, as you would expect, I have some ideas about how the requirements should evolve. The reality is that security is not binary. No one set of guidelines is reasonable for every organization out there. Larger organizations (with more to lose) should spend more than a mom and pop shop. The current process of requiring an on-site assessment for Level 1 merchants (as opposed to a self-assessment questionnaire for the smaller levels) tries to factor this in, but everyone is working off the same set of requirements and that's wrong.
I would define a set (probably 3) of different security levels. The lowest level would be today's bar. We know it's not sufficient, but again it's a start. Then they add at least two more levels beyond that, including maybe a full monitoring level and perhaps an end to end encryption level, depending on the merchant's threshold for risk, their size and their willingness to invest in security.
The sad truth is that it's probably not cost effective for every retailer to get to the highest level. Even if they do suffer a breach, the cost of doing whatever the highest level may be (especially if it involves widespread use of encryption) may outweigh the cost of cleaning up the mess. Not for everyone, but for enough that requiring the highest level of security doesn't make sense for them.
But how is this different?
So what if there are three levels of security (that merchants can market to), where is the catalyst to get anyone to the highest level of security? Drum roll please.... the answer is TRANSACTION FEES. Merchants live and die on transaction fees. It's a huge part of their cost model and if they can reduce those fees, then investments can easily be justified.
By the way, this makes sense for the upstream side of the equation as well. Given the potential risk of having a low level of security and the associated fraud costs that accrue to the system, issuing banks and credit card brands can also make money by reducing the transaction fees - for an increased level of security.
I've spent two decades paying attention to the drivers of what makes businesses do things. I've spent a lot of other people's money proving that you cannot make a market. Latent demand needs to be there based on a good business decision for the customer. They need to be able to either save money or make money by deploying technology. It's as simple as that. So it's just simple economics that drives me to believe the only thing that will get organizations to invest in security is to help them reduce their costs. If they can't see a clear cost savings, they'll do the least amount possible. Not many organizations do security because it's the right thing to do.
It's Monday and I guess I'm being a bit idealistic, eh? The likelihood this will happen is very small. There are a lot of folks within the council that can't afford to rock the boat too much, and the occasional black eye isn't enough to truly agitate for longer term change. So with each data breach PCI becomes weaker and weaker until it ends up similar to HIPAA. Unless something changes, organizations will continue to pay lip service to it, customers won't trust it (to the degree they even know about it), and it becomes just another report that is generated out of the security reporting system, which is my definition of irrelevance.
Incite Redux: Day 2 - It's time for an Audit Revolution
Good Morning:
Some days I get to reflect on how lucky I am. I guess when you are sitting on the beach, watching your kids enjoying life, it's as good a time as any to appreciate all that I have. Of course, a unique "feature" of my personality is to never be satisfied - to always be striving for more. Yet, some days it just makes more sense to forget about all that crap. My goals and aspirations of world domination will be there when I return to the office and my daily rituals. Until then, I think I'll just enjoy the fact that things could be a lot worse.
Have a great day.
Incite #2: It's time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.
Read the original Days of Incite post on this topic.
6-month grade: B-
I need to come clean. Sometimes I get what's right and what's realistic confused. Now there is no doubt that my ideas about how auditors and auditees can work together are right on the money. I've heard enough feedback from enough people I trust that not treating an audit or an assessment like a 15-round fight is a much more productive way to go about things. This approach is laid out in the Pragmatic CSO.
But then again, what's realistic tends to be constrained by people, and people don't really change readily - if ever. It reminds me of one of the great lines in You Don't Mess With the Zohan: "They've been fighting for 2000 years, it will be over soon." Unfortunately, that seems like the story we tell in the security business. We've always fought with auditors and not fighting with them is kind of like asking for peace in the Middle East. Except I do think it's possible.
Just keep in mind that we are all fighting for the same thing - and that's to protect the information and assets of the organization. The auditors want to be able to prove that things are happening. Is that all bad? Of course not, it's quite good - but it takes a different kind of security practitioner to realize that.
What about the whole compliance golden goose? It's still alive and well. As we look forward to the end of 2008 and into 2009, it seems the global economy isn't going to be improving much at all. So we will face even more budget tightening and scrutiny of our investments. Since security is still largely an overhead function, it's going to be even more heavily scrutinized.
So using the compliance card is not a bad thing at all. But do you buy something that is purported to help with compliance? Of course not. After all, a smart guy figures that GRC is dead. Buy what you need to protect your stuff. That hasn't changed at all. You still need to focus on Security FIRST! If you do that well, you'll be in decent shape for your audits and assessments.
In terms of a grade, the long term trend is intact and the approach is solid. But it'll happen more slowly than I anticipated - so I get a B-. Or go hug your auditor and prove me wrong.
Photo credit: "Monster Hug" originally uploaded by Alberto+Cerriteno
Steaming Brown Bag Awards
My friends over at SearchSecurity asked me to come up with some compliance "worst practices" for their April Fool's theme set of tips. Thus I started what I hope to become an annual tradition, which is to give out a series of awards for these nincompoops.
I'm calling the awards the "Steaming Brown Bag Awards." That's right, the award is a bag of steaming brown love, hot off the presses. A Great Dane did the honors after being fed a family of goats and a tub of Ex-Lax.
It was a tough job, but someone had to assemble the bags. Thankfully I read the 4 hour workweek and decided to outsource the awards packaging to my virtual assistant in Asia. They assure me it was an authentic Great Dane and real goats, but alas it was generic Ex-Lax. I guess it's very expensive to import Ex-Lax.
I've also picked a certain express delivery company to make sure that the brown bags get there absolutely, positively overnight. This is important because the shelf life of a steaming brown bag isn't very long. Signature is not required and I'm slipping the delivery guys a few simoleans on the side for them to light the bag on fire before they ring the bell. Hopefully before the cat gets in there.
This will be an award they don't soon forget. So without further ado: check out the list of award recipients:
WORST PRACTICES: RECOGNIZING THE BIGGEST COMPLIANCE MISTAKES
Mike Rothman, Contributor
As the season of entertainment awards comes to a close, I want to weigh in and do my first annual "Steaming Brown Bag Awards" or STiBBAs for short, which recognize the biggest compliance blunders of the past year (or so), and the award is - of course - a steaming brown bag.
And without further ado: The Rip Van Winkle STiBBA goes to...
http://go.techtarget.com/r/3408753/832109
Report Card: 2007 Incite #10 - Time to get PC(I)
So this is it. The final Incite for 2007. Overall, I think I did pretty OK, given how dicey it is to predict anything. I'm a bit ahead of the curve on some things - but I'm good with that. If I'm not a bit ahead, then I'm not thinking hard enough.
Look for the 2008 Incites to appear in February, and then I can spend the rest of 2008 poking myself in the eye. Which I hope is good fun for you.
Incite #10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-10-time-to-get-pc-i
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: D
I started the Incite Redux post with the following quote: “Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation emerges from Mount Sinai to save everyone.”
PCI was that magic tablet in the hands of many auditors, who continued to demand certain new capabilities (mostly database security gateways, application scanning and penetration tests) that saw growth in 2007. So I'm giving up the ghost on projecting the death of compliance. It's just not going to happen, at least for a while.
So organizations need to be strategic in how they play the compliance card. Buy the things that are important for SECURITY, and will also make the auditor somewhat happy. Focus on reporting, since you will need to substantiate what you are doing. Yes, Pragmatic CSOs do see the value in a structured security program – that part is resonating. The idea of treating the auditor like a peer and communicating in business speak is spot on.
But compliance is the cat with at least 9 lives, and continues coming back for more. So I can’t feel good about giving myself anything higher than a D for this Incite because compliance continues to be alive and well. Very alive and very well, thank you very much.
I guess I shouldn’t complain too much because I personally continue to benefit from the fact that security is riding the compliance wave. Yet, I still feel bad because it’s not the right thing to do. Whatever, what’s right doesn’t usually correlate to what happens, now does it?
Once the PCI furor dies down, what will be next? I honestly have no idea, but I know it will be something. It always is, and just when you thought compliance was down for the count – it keeps storming back with a vengeance.
Maybe we can get Bruce Willis or Harrison Ford to star in the next compliance sequel. It seems those guys keep on ticking as well, so they are good role models.
Check out the other posts in the Report Card series.
2007 DOI: Day 10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Read the rest of the 2007 Incites here.
I’ve been calling for compliance’s head on a platter for quite a while. Thus far, I’ve been wrong. Just when I think the gravy train is done – someone does something stupid, resulting in a new wave of legislation that then the security vendors can jump on and string out their compliance pipeline a bit longer.
But then a strange thing happened on the way to the treasure trough: basically none of these regulations have been enforced. The number of HIPAA enforcement actions is minimal, with penalties not even registering. In fact, it's usually cheaper for a healthcare organization to just budget in compliance penalties rather than actually secure their infrastructure.
Now that’s scary, but true.
Sarbanes-Oxley runs the risk of fitting into the same category. Sure, we are still pretty early in the game, and the auditors make loud noises and grunt a lot about failing the examination – BUT WHERE’S THE BEEF? Where is a CEO’s head on a stick for bungling an ERP implementation? Until the SEC sends a high profile CEO on a perp walk, SarbOx will remain an empty suit.
Much to the chagrin of all the vendors out there trying to remain in the bandwagon.
But that brings up the regulation de jour – PCI DSS (Payment Card Industry Data Security Standard). Basically PCI is Visa and MasterCard’s power play to divert some of the risk of identity theft and fraud onto the banks. The banks then get to beat down the retailers in turn. Shit flows downhill and retailers tend to live in a pile of the slop.
Thus far, PCI has been an empty suit as well. We’ve “heard” of the beginning of costly enforcement actions, but all of this stuff has been handled in the back room. More like a bad guy disappearing in the middle of the night, as opposed to being executed in the public square. Unfortunately, in order to make a statement a retailer needs to be drawn and quartered in a very public fashion. Maybe it’ll be TJX, but thus far it’s been no one.
So now comes the rub. Even if a retailer (or anyone else) wants to comply with PCI, what the hell does that mean? Relative to HIPAA and GLBA, PCI is crystal clear. But that still makes it about as clear as mud. As with every other type of regulation, a vendor feeding frenzy ensued to position every security widget as the panacea for achieving "compliance" with the regulation.
For a little while, the way PCI was structured was actually pretty good and made it relatively clear where the line would be drawn relative to network and data protection. But then they introduced this concept of "compensating controls" back in November. That really screwed things up. Why? Because it basically gives every vendor a way to spin how their stuff offers an alternative to the right answer of actually protecting the data.
No less than 5 vendors talked about how they achieved PCI’s compensating controls language in my 10 meetings at RSA. That’s 50% for your math majors out there. And the other 50% were asleep at the wheel. These folks came from lots of different places, including NAC, UTM, leak prevention and database monitoring. Starting to get the picture yet? With the compensating controls clause, PCI is no clearer than any of the other regulations out there.
What to do if you are a customer? Nothing new here, just focus on executing your security program, which will provide you with the documentation to prove that you are compliant with whatever regulation you are worried about. Sounds too easy, no? It's not easy at all, but it's the proper path. Continuing to focus exclusively on compliance is a fool's errand.
Not to continually flog my own stuff, but the Pragmatic CSO process (www.pragmaticcso.com) is all about building a security program and ends with a chapter on compliance, which recommends a different approach than you are used to in dealing with your auditors. Check it out. You’ll thank me later.
Report Card: Incite #4 - Stay out of Jail
In the last Report Card for today, let's look at what happened in the wild and woolly world of compliance.
Incite #4 - Stay out of Jail
Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Those not-so-smart users figure encryption is a panacea and buy some, ultimately realizing that making encryption work on a large-scale basis hasn’t gotten any easier.
Grade: A
Original Days of Incite post: here
Incite Redux post: here
Finally, a decent Incite that actually turned out to be right on. Clearly the wind is out of the sails of “compliance” as a term, and if anything CEOs and CFOs are now asking the tough questions about what all this compliance stuff they’ve bought does.
So we will look back at 2004-2006 as the halcyon days for compliance. Now it is truly an operational aspect of every security program. Those that don’t ask about the compliance impact of any new infrastructure or applications are clearly asking for trouble. And don’t expect to get more funding or resources to do “compliance.”
As security professionals, everything we do should generate an artifact (report, graph, other document), and that artifact can be used to substantiate the controls in use by the security program. It's the presence of those controls, and the comfort that issues will be remediated fast and completely, that the auditors are most interested in.
What we didn’t see as much of was widespread adoption of encryption. Instead we saw pockets of strength and great strength at that. The number of lost/stolen laptops and the associated PR and notification fiascoes made it very clear that mobile devices need to use encryption to protect the private and sensitive data on those devices.
The good news is that whole disk or desktop oriented encryption is quite leverageable and not just from a compliance standpoint, so this is one of those technologies that are bought to solve a compliance problem, but end up being pretty strategic over time.
How does it become strategic? Basically as part of a broader data security environment that controls and protects data at its fundamental element. We are still a ways away from even having technology to do that, but having that data on the mobile devices protected is a start.
It’s not clear yet that “compliance” will get another Incite in 2007 since it is rapidly being subsumed into all security operational activities, but don’t be lulled into complacency. There are compliance considerations in everything that you do as a security professional.
Can Oracle succeed in security?
Dealing with Oracle when you are an analyst is loads of fun. There is no more arrogant company out there. I asked for a briefing on their identity management stuff early this year, and I got the "read our white papers, they'll tell you everything you need to know." It was clear, they didn't have time for analysts that don't have a G or F in their company name.
But that's OK. Oracle has never really been taken seriously in the security space, so it's not like I have a lot of folks asking me about what they are up to. But given the amount of money they've spent on acquiring a space in the Identity Management space and the fact that data security is becoming more real (EMC/RSA being a pretty significant data point), I'll need to suspend disbelief and take another look at what Oracle is up to.
So I was pleased when a little birdie gave me a sneak peek at Oracle's "security strategy" briefing for hundreds of analysts and customers around the world. Shockingly enough, they claim to be the "leader" in security. That's a laugh. But I'll get to that.
First, what does Oracle consider security? Basically it's the stuff they sort of have. Access Control (but they mean Identity), data privacy (database encryption), and compliance (whatever that means). So they are hovering around in what I call information or data security and Identity in Pragmatic Security lingo.
They make a number of bold claims, including integration amongst the products and that their security works consistently across all of their applications. Huh? So they've gutted PeopleSoft and JD Edwards and Siebel and now have a common security model. Maybe on the PPT, but not in reality. Oracle does have a bunch of crap in a bag. But to say it's integrated is insulting the intelligence of the folks that buy stuff from them. Though I know that Oracle holds their customers in high regard. Kind of like CA in the days of yore.
Basically, all of this cool integration and the like is on a Fusion roadmap. Due to the wonders of federation and standards, many of the products (at least on the IAM side) can work together. But that ain't integration, to be clear.
What about data privacy? Well anyone that's even tried to do sophisticated logging on a high transaction production database knows it kills performance. And to try to do field level encryption? No way. Unless you are running at 10% utilization that is. Then you've got plenty of headroom to drive your DB to 90% utilization. Performance has never been their strong suit. But that's what bigger servers are for, no?
And compliance? As I've said a million times, compliance is a process not a product. It's very easy for Oracle to make it a pillar of their security strategy because it doesn't mean anything. So if you can get logging to work, then you can pull a report on it and BAM! You are compliant. Did I mention that I hate compliance lately?
Now that I've rained all over their parade, I'll begrudgingly admit that Oracle will be a factor in data security. If only due to their market presence. Whether we like it or not, Oracle controls much of the data in the largest enterprises in the world. That's a pretty powerful position to be in, but it's far from a mandate to control information security.
To date, no one has a compelling "big story" as to how data security evolves over time. And that creates opportunity for other big players (like EMC, IBM, Symantec and Microsoft) to codify that story and take the thought leadership high ground. It also creates a window for smaller data security players to gain a foothold and thus become acquisition bait.
But Oracle always has Plan B, just in case they can't tell the big story and their roadmap falters - it's the checkbook. There is the old saying that "the enemy of your enemy is your friend." Well over the past few years, Oracle has bought both their friends and enemies until there isn't much left standing.
But these were mature markets. Very much like the CA of old. They are milking the acquired revenue streams. But data security ain't mature. There are no revenue streams to milk.
So Oracle can crow all they want about being the leader of this or the leader of that. Soon enough they'll figure out that security is different. They'll need a more compelling vision for the customer. They'll need to get some application security technology (like a web app firewall). And they'll need to be more respectful of a heterogeneous world.
Oracle is not Cisco or Microsoft. Applications have inertia, but it's nothing like the inertia of the network or the desktop. With the advent of SOA, applications and data can be and will be anywhere and everywhere. A strong disruptive application is much more likely to be adopted than something new in network plumbing or on the desktop.
Maybe they can learn a lesson from CA, which proved that what goes around, comes around. Even if it takes years. But probably not.