Q&A: Why Compliance is the Best Friend and Worst Enemy of Good Security
Compliance efforts will also affect the security of your data. We explore the connection and what IT can do to protect its information assets.
With compliance solutions in place, enterprises must now focus on the impact such mandates, regulations, and solutions have had on data security. What are the implications for security professionals, and how do other technologies (such as virtualization and cloud computing) affect security? To learn more, we contacted Geoff Webb, senior product marketing manager at NetIQ; the company offers several compliance and security products for enterprise IT.
Enterprise Systems: The need to comply with mandates such as PCI-DSS, SOX, and others has come at considerable expense. What has the true impact on security been as a result?
Geoff Webb: The impact has been mixed. Organizations have invested heavily in security technology in response to compliance drivers. In many cases, however, those investments have been made to just meet the specifics of compliance mandates, whether that’s PCI-DSS, NERC CIP, SOX, HIPAA, or some combination of them all. The problem is that this “check-box” approach rarely goes far enough. Yes, it will get your organization through an audit, but in the end, the gains in securing critical data fall far short of what’s possible. Has there been a positive impact? Yes. Are we where we need to be? Not yet.
Why do breaches continue to occur?
Breaches, the really bad ones, happen because a series of things go wrong. One mistake compounds another; one vulnerability exposes another weakness; and so on. Attackers begin by identifying a single point of weakness and exploiting mistakes, flaws in process, and oversights, until they have access to the information they need.
The problem is that the compliance “check box” approach of doing the bare minimum to just meet the standards will rarely, if ever, provide the kind of protection required to prevent a serious breach from occurring. For example, although PCI-DSS (the payment card industry data security standard) mandates that logs must be gathered and reviewed, there is really no way to ensure that the security teams responsible are able to garner useful information from those logs, or even know what to look for, to proactively prevent a system breach.
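The gap Webb describes, between collecting logs to satisfy a mandate and actually knowing what to look for in them, can be made concrete with a small review routine. The following is an added example, not code from the interview or from NetIQ; it assumes syslog-style sshd authentication lines (constructed here as sample input) and applies two simple review rules: a burst of failed logins from one source address within a short window, and a successful login from a source that had just been failing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of OpenSSH sshd syslog output.
# Addresses are from documentation ranges; nothing here is real data.
SAMPLE_LOG = """\
Mar 10 02:14:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 02:14:03 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Mar 10 02:14:05 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar 10 02:14:07 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar 10 02:14:09 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar 10 02:14:30 host1 sshd[1202]: Accepted password for root from 203.0.113.5 port 51130 ssh2
Mar 10 02:20:00 host1 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar 10 03:00:00 host1 sshd[1400]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

# Pattern for the two sshd message shapes used above (assumed format, not
# a complete grammar of every sshd log message).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Turn raw log lines into structured events; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real review would also count unparsed lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_findings(events, threshold=5, window=timedelta(minutes=5)):
    """Apply two review rules and return the findings in time order.

    burst: at least `threshold` failed logins from one address within `window`.
    success_after_failures: an accepted login from an address with recent failures.
    """
    findings = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    flagged = set()               # ips already reported as a burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        # Drop failures that have aged out of the window.
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "burst", "ip": ip,
                                 "count": len(failures[ip]), "at": ev["ts"]})
        elif failures[ip]:
            findings.append({"type": "success_after_failures", "ip": ip,
                             "user": ev["user"], "failures": len(failures[ip]),
                             "at": ev["ts"]})
    return findings


def summarize(findings):
    """Count findings by type, the figure a reviewer would actually report."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_findings(parse(SAMPLE_LOG))
    for f in results:
        print(f)
    print(summarize(results))
```

On the sample input the routine reports one burst from 203.0.113.5 and one successful login for root from that same address after five failures, while the single failure for bob and alice's key-based login produce nothing. The point is not the specific rules, which any team would tune, but that the mandate's "gather and review" requirement is only satisfied in a useful sense once such rules exist and someone acts on their output.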
What are the common mistakes organizations make in the way they approach compliance?
The biggest single mistake is to treat compliance as an end in itself. Yes, dealing with an auditor or assessor is an important part of the job, but it’s not the core issue. The auditor standing in your office may be demanding your attention, but it’s the team of attackers looking for poorly configured service accounts that should be the focus of your concern. Successful audits don’t have to come at the expense of good security, but it’s fair to say that they often do.
What steps can organizations take, or what best practices can they adopt, to avoid these problems?
Organizations, particularly those subject to multiple compliance mandates (which are a great many), can start to do a couple of things. First, they can look carefully at the ways in which they are securing critical data and then align those practices to compliance drivers, rather than the reverse. That is, start by building good security practices that help you meet your compliance needs and reduce your organizational risk while making your auditors (and the board room) happy.
Additionally, organizations should look for more efficient ways to address the needs of compliance and security processes. IT Operations teams have been improving process efficiency for years, and we can learn a lot on the security side of the house from the techniques they’ve employed. Improving efficiency saves money, which is always nice to report to the C-suite, and makes your security teams better able to respond to real threats.
Are there any regulations that are actually detrimental to security? Are there times when compliance jeopardizes good security?
Certainly PCI-DSS seems to be a lightning rod for discussions around the collision of compliance and security, which I believe is partially due to its prescriptive nature. It is very specific in some areas, and this has led to a “check-box” mentality more than ever. That said, it’s also a great baseline to use when thinking about securing critical data in addition to cardholder information. Nothing in PCI-DSS -- or any of the major compliance mandates, for that matter -- jeopardizes security. It’s really the way that some organizations approach compliance like a finish line rather than a starting gate that puts their security at risk.
You bring up a good point -- PCI-DSS garners significant attention -- as does the perception that it has failed to improve security. To what extent has the PCI-DSS been successful?
There should be no question that PCI-DSS has achieved a couple of very important objectives. First, it has put the question of credit card information security on the map, and as anyone who has had their credit card details stolen will tell you, that’s a victory in itself. Second, PCI-DSS has provided a great baseline for security practices around sensitive information. It’s not perfect, but then no single “to do” list of security is going to be perfect. Rather, it’s kicked off an immensely valuable conversation, elevated it to the board room, and defined a yardstick for measuring bare-minimum security practices needed to protect sensitive data. Most remarkable of all, it’s an industry-sponsored standard driven by market needs rather than legislation.
The world in which security operates is changing rapidly, with virtualization and cloud computing igniting additional security concerns. How do these technologies impact the way organizations approach compliance?
I think the jury is still out on how these disruptive technologies will change compliance -- particularly compliance reporting -- but the fact that they will have an impact is without question. One of the biggest challenges organizations will have to deal with is the mapping of user identities across their internal and external informational landscapes -- who has access to what and how it is managed. These form some of the most basic requirements for good security and we’re going to have to understand how to securely address those requirements as data flows ever more readily between internal systems and, for example, the cloud.
Are organizations focused enough on security best practices? If not, how can security teams change that?
Security teams already know how they should be spending their time, and what’s needed to keep data secure. The challenge they face is convincing their business stakeholders that good security is worth investing in, even when it’s not directly tied to a specific mandate. If there’s one area where security teams are looking for help more than anything, it’s in showing how they can have measurable business impact in terms the rest of the organization understands and values. This is one of the key challenges for the next two to five years.
How does NetIQ help organizations address the impact of security and compliance?
NetIQ is firmly focused on delivering the tools and knowledge organizations need to ensure more mature, successful security programs. That often takes the form of specific security solutions (such as security event monitoring, configuration assessment, file integrity monitoring, database activity monitoring, etc.), as well as the ability to integrate such technologies with existing security technologies and automate the processes around them. We have extensive expertise in enterprise deployments and are always working to transition those skills to the teams we work with to help them meet their definition of success.