From: www.itworld.com

Does compliance equal security?

by Rick Caccia

August 12, 2008

With government increasingly telling businesses how they need to comply with regulations, I wonder if this means that my data is more secure. At the end of the day, does compliance equal security?

A common misunderstanding among business and IT managers is that compliance sign-off from the auditors automatically means that critical data is secure. The breach discovered at the supermarket company Hannaford Bros. earlier this year certainly indicates that compliance doesn't automatically equal security. It appears that Hannaford was in compliance with the PCI DSS at the time of the breach, and the firm continues to investigate how the breach could have happened. One theory is that an insider planted the code that led to the breach of customer credit card numbers as they streamed through company servers.

The threat from trusted insiders continues to be high on organizations' watch lists. Often, the connection between regulatory compliance and data security is difficult to prove. For example, Sarbanes-Oxley Section 404 requires that organizations implement adequate internal controls, and companies often deploy access control to key applications to comply with Section 404. However, the true effectiveness of access control mechanisms is hard to gauge, as they are usually limited in scope and often deployed in a siloed manner. Access control might exist for an accounting application, for example, but the database underneath the application has its own policies. Or worse, the underlying file system may have no per-user controls at all, and anyone on the network can peruse saved .csv reports from the accounting system.
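The file-system gap described above is easy to check for directly. The script below is an added example, not code from the original column or from any product it mentions: it walks an export directory and flags report files whose permission bits grant read access to group or others, which is the case where application-level access control is silently undone one layer down. The directory layout, file names, modes and the list of report suffixes are all constructed assumptions.

```python
"""Audit an export directory for reports readable beyond their owner.

Added example (not from the original article). The column notes that an
application may enforce access control while the file system underneath
holds exported .csv reports with no per-user restrictions. This script walks
a directory and flags report files whose mode grants read access to group
or others, the kind of gap a siloed control leaves open.
"""
import os
import stat
import tempfile

# Assumed set of export formats worth checking; extend to suit the system.
REPORT_SUFFIXES = (".csv", ".xls", ".xlsx")


def exposed_reports(root):
    """Return sorted relative paths of report files readable by group or others."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(REPORT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            # Any group- or other-read bit means users beyond the owner can read it.
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: an export directory with a mix of permissions."""
    root = tempfile.mkdtemp(prefix="reports_")
    os.makedirs(os.path.join(root, "accounting"))
    samples = {
        "accounting/ledger_q2.csv": 0o644,   # world-readable: exposed
        "accounting/payroll.csv": 0o600,     # owner-only: fine
        "accounting/notes.txt": 0o644,       # not a report: ignored
        "ar_aging.xlsx": 0o640,              # group-readable: exposed
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)   # set the mode explicitly so umask does not interfere
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in exposed_reports(sample_root):
        print("readable beyond owner:", rel)
```

Run it against a real export share instead of the constructed tree to get a list of reports that any network user with a file-system login can read regardless of what the accounting application enforces; on systems with ACLs, the mode bits are only the first check and the ACL entries need the same review.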

Often a new problem announced at one organization will send managers at another running to see if they are exposed in the same way. The recent incident with the city of San Francisco has certainly caused both public and private organizations to re-examine their exposure to a trusted insider holding the network hostage, for any reason. Many of those firms are in compliance with the appropriate regulations, but may still need to rework their policies for password or data handling.

I can suggest several ways to improve security as it relates to compliance. The first is to think of compliance in terms of evolution over time. "Checkbox compliance," where the organization meets the minimum auditor requirements, is a first step, but certainly shouldn't be the last step. Organizations should also consider how to move past that phase to better secure data and then to improve operations. As a colleague of mine once said, compliance is often portrayed as a negative, but in fact can help optimize the business.

Next, consider technologies that connect silos of controls. For example, look for solutions that can tie together access policies in key applications to policies in underlying databases and file systems, to give a better view of user activity.

Finally, consider analysis tools that crunch activity data to determine if unusual patterns exist. One interesting item to note in the aftermath of the Société Générale incident uncovered earlier this year is how many of the individual warning signs of fraudulent behavior existed and were simply not connected. Technology can help connect the dots and indicate problems early, even if the organization already holds a passing grade from its compliance auditors.
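Connecting individually weak warning signs is the point of the paragraph above, so here is an added example of the simplest form of that analysis; it is not code from the original column or from any vendor it refers to. It scores a constructed activity log per user and day, where an after-hours login, a login from a previously unseen host, a privilege grant and a bulk export each count as one signal, and raises an alert only when several coincide. The log format, the user and host names, the 100,000-row bulk threshold and the alert score of three are all assumptions.

```python
"""Connect individually weak warning signs into one alert per user-day.

Added example, not from the original article. Each signal below would be
easy to dismiss on its own; the alert fires only when several line up for
the same user on the same day. Log format, thresholds, users and hosts are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log: one event per line, key=value fields.
SAMPLE_LOG = """\
2008-08-11T09:05:00 user=asmith host=wks-04 action=login
2008-08-11T09:40:00 user=asmith host=wks-04 action=export rows=1200
2008-08-11T10:10:00 user=jdoe host=wks-17 action=login
2008-08-11T10:30:00 user=jdoe host=wks-17 action=export rows=800
2008-08-12T02:14:00 user=jdoe host=lab-09 action=login
2008-08-12T02:20:00 user=jdoe host=lab-09 action=grant role=admin
2008-08-12T02:31:00 user=jdoe host=lab-09 action=export rows=250000
2008-08-12T23:50:00 user=asmith host=wks-04 action=login
"""

BULK_ROWS = 100000   # assumed threshold for a "bulk" export
ALERT_SCORE = 3      # assumed: alert only once this many signals accumulate


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def score_events(log_text):
    """Return {(user, date): [signal, ...]} for user-days reaching ALERT_SCORE."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    seen_hosts = defaultdict(set)   # hosts each user has logged in from so far
    signals = defaultdict(list)
    for ev in events:
        user, day = ev["user"], ev["ts"].date()
        key = (user, day)
        hour = ev["ts"].hour
        if ev["action"] == "login":
            if hour < 6 or hour >= 22:
                signals[key].append("after-hours login")
            # A host is "new" only once the user has a history to compare against.
            if seen_hosts[user] and ev["host"] not in seen_hosts[user]:
                signals[key].append("login from new host " + ev["host"])
            seen_hosts[user].add(ev["host"])
        elif ev["action"] == "grant":
            signals[key].append("privilege grant: " + ev.get("role", "?"))
        elif ev["action"] == "export" and int(ev.get("rows", "0")) >= BULK_ROWS:
            signals[key].append("bulk export of %s rows" % ev["rows"])
    # Drop user-days whose signals never accumulate past the alert score.
    return {k: v for k, v in signals.items() if len(v) >= ALERT_SCORE}


if __name__ == "__main__":
    for (user, day), found in sorted(score_events(SAMPLE_LOG).items()):
        print("%s on %s:" % (user, day))
        for signal in found:
            print("  -", signal)
```

In the sample, asmith's late login on 12 August stays a single signal and is never reported, while jdoe's after-hours login from an unfamiliar host, followed by an admin grant and a bulk export, reaches the score and surfaces as one alert with all four signs listed together, which is what a reviewer who only saw the export log or only saw the login log would have missed.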