Skip to main content

Compliance versus Security

As I alluded in my previous post, compliance versus security is a discussion all its own and here is my attempt to explain my thoughts.

Does compliance with regulation really make our information systems more secure?  The answer, like the answer to most of these sorts of questions, is it depends.  Merriam-Webster defines security as “measures taken to guard against espionage or sabotage, crime, attack, or escape [1].”  Clearly then, reducing exposure to risks like espionage, sabotage, criminal activity, or attack through the network improves security.  How do we, as consumers, either individually or as businesses, ensure the services we utilize are secure? 

One method is the use of agreed upon frameworks of controls that the systems can be measured against.  If the framework is complete and valid and the system is compliant, then we can be reasonably certain that the system is secure, at least against the known threats that the framework provides controls for.  Seems simple enough, right?  So, where do we go wrong?  To begin with, there are multiple problems with frameworks.

The first problem is the assumption of completeness.  In order for a framework of controls to be complete, it would need to account for every possible attack vector.  While most frameworks make a valiant attempt at accounting for every conceivable method of attack, we have learned time and again that the threat landscape is constantly evolving.  This means that while we may have accounted for every conceivable attack, there are many that we haven’t yet conceived of that hackers are already exploiting.

Related to this first problem is the second, namely that frameworks tend to be static, slow to change not only to threats but emerging technology.  These frameworks tend to be rooted in bureaucratic origins, with multiple, often competing factions fighting for sometimes short-sighted interests.  Their bureaucratic origins also tend to result in vague, legalistic, technocratic language that is open to multiple interpretations. 

The bureaucratic origins of many of these frameworks also brings with them potential penalties for non-compliance, since most of them have been developed as reactions to security and privacy breaches.  While avoidance of fines and penalties tends to be a strong motivator for corporate compliance, the motivation tends to stop at compliance, regardless of the actual level of security.  As a corollary, information security professionals often get caught up in the auditing of systems, ruling strictly on compliance without regard for actual security.

Does this mean that frameworks and compliance are without merit?  No, in fact they have an important place in information security.  One of the most difficult and time-consuming parts of developing security controls is determining the risk level, both before and after the control is applied.  Frameworks give us a method of reutilizing these sorts of calculations for common, well-understood threats.  Using compliance as a starting point, we can tailor the controls to the current level of risk.  The important thing to remember is that this needs to be our starting point, not our goal, and that a serious discussion about the level of risk needs to occur.

In this way, we can develop systems that are both compliant and reasonably secure.  The framework, as a starting point, gives us a common reference and starting point on which to build a discussion about security.  As security professionals, we must constantly adjust and tailor the controls to the current risks, avoiding the trap of merely being compliant.

References:

1. Merriam-Webster Online Dictionary.  http://www.merriam-webster.com/dictionary/security.  Accessed 4 May 2012.

Comments

  1. AnonymousMay 6, 2012 at 8:22 PM

    Security is continuous & compliance has an end date.
    Compliance activities include like DIACAP (Defense Information Assurance Certification & Accreditation Process), which leads to whole bunch of paperwork, some security and eventually a document called ATO (Authority to Operate). Its complete opposite of real continuous security which is more like research, hacking, programming, making sound policies, etc…

    ReplyDelete
  2. AnonymousMay 7, 2012 at 7:13 AM

    Great article. Although the background is a bit distracting ;)

    I believe that compliance is a great thing, but as you mentioned there really isn't such a thing as absolute security, so I do believe some organizations think that just because they are compliant, that they are indeed 'secure'. I think it might create a bit of a 'warm fuzzy' feeling of being secure that they rely too much on.

    ReplyDelete
  3. philAMay 12, 2012 at 5:37 AM

    Compliance = Minimum Coverage.

    Most companies can barely do the bare minimum to be competitive. Some companies even choose to ignore what they are required to do.

    Being "compliant" at least allows companies to demonstrate due care with respect to an operating regulation. It’s better than nothing.

    Although I agree that there really isn't such a thing as absolute security, this further muddies the water because it is a hard concept for companies to deal with.

    Security becomes a never-ending investment and that's not something most companies want to hear or deal with since security is not the primary or any focus/concern of the company. Most companies operate to generate a profit and security tends to be overhead plain and simple.

    As for Compliance frameworks, they are a foundation. I'm glad that we at least have these to instantiate and support our programs. We can rely on them to demonstrate fundamental due diligence. In the most recent Data Breach Investigations reports and in the media, we consistently hear that most companies need to focus on the fundamentals. They are being compromised because we have applied those fundamentals.

    Well, what are those fundamentals?

    Other frameworks like ISO 27001/27002 provide us other frameworks and the fundamentals to demonstrate consistent and appropriate application of security controls that improve our security posture. ITIL helps us improve our processes to meet goals and operate security efficiently. COBIT determines if a company's needs are supported and if security is aligned to support the company's needs.

    Along the way, fill in the gaps. I like applying evidence to drive risk treatment and decisions to fill the gaps.

    Thanks,

    Phil Agcaoili

    ReplyDelete
  4. philAMay 12, 2012 at 5:41 AM

    Correction--They are being compromised because they have NOT applied those fundamentals.

    NOT--They are being compromised because we have applied those fundamentals.

    ReplyDelete

Post a Comment

Popular posts from this blog

Baked In versus Buttered On

Virtually everyone I've ever spoken to will agree that security is always better "baked in" to the design from the beginning as opposed to "buttered on" at the end. Why is it, then, that we always seem to have so much trouble getting there? It seems as though we have implemented our systems development processes in a way that prevents us from reaching this state. While there are great frameworks out there like the Systems Development Life Cycle (SDLC), the systems are only as secure as the requirements that they are developed to. This, I believe, is where we most often go astray. Security must be a requirement, just as throughput or port density are requirements. The challenge, then, is to get security practitioners to develop requirements that will drive the design and assist in the tradeoff decisions between security, functionality, and cost that will inevitably occur. These tradeoff decisions must be backed up by solid risk analysis and not just compli
1 comment
Read more

Getting Beyond Compliance

In my last post, I discussed compliance frameworks, postulating that they should be a starting point for our attempts to secure our networks and not a be-all-end-all goal.   Getting beyond the compliance is the goal of this post. I don’t wish to be taken as bashing compliance.   As I’ve previously discussed, compliance is a strong corporate motivator to exercise at least the minimum recognized security controls to show due diligence.   Compliance frameworks also serve as a common language, ensuring that practitioners, academics, and business managers alike can form an understanding.   Frameworks normally cover the most common situations and thereby reduce the amount of work required to develop a reasonably secure network. The problem comes, however, when threat or technology changes outpace the changes to the framework, or our business requirements don’t fit neatly into the mold of common implementations.   In the last two of these examples, a network developed with new techn
Post a Comment
Read more