Does compliance equal security?

August 12, 2008, 11:59 AM — Network World

With government increasingly telling businesses how they need to comply with regulations, I wonder if this means that my data is more secure. At the end of the day, does compliance equal security?

A common misunderstanding among business and IT managers is that a compliance signoff from the auditors automatically means that critical data is secure. The breach discovered at the supermarket company Hannaford Bros. earlier this year shows that it does not. Hannaford appears to have been certified compliant with the PCI DSS at the time of the breach, and the firm continues to investigate how the breach could have happened. One theory is that an insider planted the code that captured customer credit card numbers as they streamed through company servers.

The threat from trusted insiders continues to be high on organizations' watch lists. Often, the connection between regulatory compliance and data security is difficult to prove. For example, Sarbanes-Oxley Section 404 requires organizations to maintain adequate internal controls over financial reporting, and companies often deploy access control on key financial applications to satisfy it. However, the true effectiveness of those access controls is hard to gauge, because they are usually limited in scope and deployed in silos. The accounting application may enforce one access policy, while the database underneath it has its own grants that nobody reconciles against the application's roles. Or worse, the underlying file system may have no per-user controls at all, so anyone on the network can peruse the .csv reports saved from the accounting system.

Often a new problem announced at one organization will send managers at another running to see if they are exposed in the same way. The recent incident with the city of San Francisco has certainly caused both public and private organizations to re-examine their exposure to a trusted insider holding the network hostage, for any reason. Many of those firms are in compliance with the appropriate regulations, but may still need to rework their policies for password or data handling.

I can suggest several ways to improve security as it relates to compliance. The first is to think of compliance in terms of evolution over time. "Checkbox compliance," where the organization meets the minimum auditor requirements, is a first step, but certainly shouldn't be the last step. Organizations should also consider how to move past that phase to better secure data and then to improve operations. As a colleague of mine once said, compliance is often portrayed as a negative, but in fact can help optimize the business.

Next, consider technologies that connect silos of controls. For example, look for solutions that can tie together access policies in key applications to policies in underlying databases and file systems, to give a better view of user activity.

Finally, consider analysis tools that crunch activity data to determine if unusual patterns exist. One interesting item to note in the aftermath of the Société Générale incident uncovered earlier this year is how many of the individual warning signs of fraudulent behavior existed and were simply not connected. Technology can help connect the dots and indicate problems early, even if the organization already holds a passing grade from its compliance auditors.
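The silo problem described above (an application policy, a set of database grants and a file system that never get compared) and the suggestion to connect the silos and then mine the activity data for patterns can be made concrete. The following is an added example, not code from the original column or from any vendor product it alludes to. All users, tables, paths, mode bits and log lines are constructed for the illustration; the three checks compare the silos against the application's own entitlement list, which is what the auditor usually signs off on.

```python
"""
Reconciling siloed access controls: the accounting application has its own
access policy, the database underneath has its own grants, and exported .csv
reports sit on a file system with its own mode bits. The checks below compare
the three and then run over a few log lines to surface activity that bypassed
the application layer entirely. Added example; every name here is hypothetical.
"""
import re
import stat

SERVICE_ACCOUNTS = {"app_svc"}   # the application's own DB identity; expected to hit the DB directly
LEDGER_TABLES = {"gl_entries"}

# Silo 1: what the accounting application itself lets each user do (constructed).
APP_ENTITLEMENTS = {
    "alice": {"ledger.read", "ledger.write"},
    "bob": {"ledger.read"},
    "carol": set(),  # has a login, but no accounting role
}

# Silo 2: grants on the tables behind the application (user -> table -> privileges), constructed.
DB_GRANTS = {
    "alice": {"gl_entries": {"SELECT", "INSERT"}},
    "bob": {"gl_entries": {"SELECT"}},
    "carol": {"gl_entries": {"SELECT"}},  # direct grant never reviewed against the app policy
    "app_svc": {"gl_entries": {"SELECT", "INSERT", "UPDATE"}},
}

# Silo 3: exported reports on disk with POSIX mode bits (constructed).
EXPORTS = [
    {"path": "/srv/reports/q2_gl_export.csv", "owner": "alice", "group": "finance", "mode": 0o644},
    {"path": "/srv/reports/q2_payroll.csv", "owner": "bob", "group": "finance", "mode": 0o640},
]

# Constructed activity records from all three silos, one event per line.
ACTIVITY_LOG = [
    "2008-08-01T09:02:11 app user=alice action=view_ledger",
    "2008-08-01T09:02:12 db user=app_svc stmt=SELECT table=gl_entries",
    "2008-08-01T09:05:40 app user=bob action=view_ledger",
    "2008-08-01T22:14:03 db user=carol stmt=SELECT table=gl_entries",
    "2008-08-01T22:20:55 fs user=dave op=read path=/srv/reports/q2_gl_export.csv",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<silo>app|db|fs) user=(?P<user>\S+) (?P<detail>.*)$")


def can_read_ledger_in_app(user):
    """The application's own answer: is this user entitled to read the ledger?"""
    return "ledger.read" in APP_ENTITLEMENTS.get(user, set())


def world_readable_exports(exports=EXPORTS):
    """Exports that any account on the host (or on a share of that directory) can open."""
    return [e["path"] for e in exports if e["mode"] & stat.S_IROTH]


def direct_db_readers(db_grants=DB_GRANTS):
    """Users who can SELECT ledger tables directly but hold no app-level read entitlement."""
    readers = []
    for user, tables in db_grants.items():
        if user in SERVICE_ACCOUNTS:
            continue
        has_select = any("SELECT" in privs for t, privs in tables.items() if t in LEDGER_TABLES)
        if has_select and not can_read_ledger_in_app(user):
            readers.append(user)
    return sorted(readers)


def out_of_band_access(log=ACTIVITY_LOG):
    """db or fs events by principals the application never authorized.

    The app silo is the reference point: its audit trail is what the auditor
    already checked. Returns (timestamp, silo, user, detail) tuples.
    """
    findings = []
    for line in log:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these as well
        silo, user = m["silo"], m["user"]
        if silo == "app" or user in SERVICE_ACCOUNTS:
            continue
        if not can_read_ledger_in_app(user):
            findings.append((m["ts"], silo, user, m["detail"]))
    return findings


if __name__ == "__main__":
    for path in world_readable_exports():
        print("world-readable export:", path)
    for user in direct_db_readers():
        print("DB grant not backed by an application entitlement:", user)
    for ts, silo, user, detail in out_of_band_access():
        print(f"{ts} {silo}: {user} acted outside the application ({detail})")
```

Run as written, the three checks surface exactly the cases the column warns about: a ledger export readable by every account on the box, a direct SELECT grant for a user the application gives no accounting role, and two late-evening reads (one through the database, one of the export file) by principals whose activity never appears in the application's own audit trail. None of these would fail a checkbox review of the application's access control list.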

Posted by ITworld staff
