Thursday, October 20, 2011

Compliance vs Security

Almost as exciting as a few other epic throwdowns, I am lecturing tonight for the University of Washington's infosec certificate program. A few quick highlights from my lecture notes, which is based on the Source talk I gave this summer.

Compliance-driven security forces you to make certain bets on the big enterprise roulette table - but I only have so many chips to play, so I prefer not to be constrained in my choices.

As a consultant I saw primarily two kinds of organizations:  Those practicing good risk management who wanted to get better and  Those forced to be more secure because of compliance or a breach.

Why is there such restrictive compliance regimens? Without repeatable, evidence-based, agreed-upon risk methodologies, you cannot rely on third-parties to make security decisions with your data that are aligned with your interests, instead of theirs.

Compliance is a multi-dimensional object... and lot more than three.  You've got width - the general rules f the standard plus a few specific new ones based on how the organization interprets it.  This is the easiest dimension.  Depth: As most compliance acceptance is based on auditor opinion, which is driven by the individuals experience.  Plus, if the standard is somewhat worthwhile, it includes the appropriateness of risk model (relevance) to your problem.   Then there's several dimensions of scope: Time (past events, present controls, future possible events) and then the general usual dimension of Physical, virtual, sofware, network... what’s constitutes a a barrier in those domains.    And of course, all of this is moving.

Security is also multi-dimensional but it has slightly different dimensions and moves differently than compliance.

 Best practices?  In other words, “This worked in our organization once upon a time, So it should work for you too.”

Where I live is the intersection of:
1. What the auditors demand we do,
2. What we need to do to keep from getting breached, and 
3. What we can afford to do.
And I'm mot going to get all of all three.

Stupid compliance failures:
- Why is the absence of a particular control is a risk? A high risk?
- How can I be 100% compliant with an open standard? With a product lifecycle of 12-18 months?
- Hey, that's a feature not a high-risk vulnerability - it all depends on your context
- Impact does not equal risk. You forgot probability. Dumbass.