I have been working on issues that relate to security certification at a number of our clients, and I can’t say that I have anything good to say about it. I have a very simple reason behind my dislike. Compliance standards are set such that you are protecting against the bulk of the people out there. This is generally very good practice, but when you rely on standardization alone, you open yourself to real danger.
This is not to say that “best practices” aren’t good policy. Sure, I totally agree with picking the “low-hanging fruit” and preventing the bulk of the attackers from casually accessing your data. I have a lock on the front door of my house. I know that it doesn’t prevent a criminal from getting into my house, but it might stop the 15-year-old punk who has nothing better to do after cutting algebra class. I don’t have anything that valuable in my house, but if I had something worth $100 million in my living room, you can be sure I would have a big dog and a guy in a ninja suit there ready to stop someone from getting it.
Today we have several companies out there handling hundreds of millions of dollars on their networks. The desire of every company to save your credit card data has created a wealth of targets for those who know what to do with a stolen number. So compliance is implemented. It requires that your company pass a number of audit tests that enforce proven methods of preventing attack.
This sounds great to me. It’s pretty much the same as building codes in real estate. My house has to have a lock on the front door. It’s just part of the code, and if it wasn’t required, you would have builders out there who would build houses without locks on the front door. Compliance can be obtained fairly easily. The old saying is “people are people,” and at the end of the day, most people just want to get their job done. When an auditor comes along and wants to know something, they are often told whatever they need to hear. From what I’ve seen, the companies doing the auditing are not even savvy enough to recognize the code they’re looking at.
I used to own a Chinese food restaurant, and we had regular visits from a health inspector. Although I agree that this was necessary, I would argue that the process was far too driven by the personal opinion of the inspector. If he thought we were good people, we got a good review. If he thought we were crooked people, we would have all kinds of violations. The same thing affects these compliance audits. You make someone feel good enough, and you’ll pass. Again, “people are people.”
The danger in this is that people get a false sense of safety from these certifications. If you have data that is wildly valuable (and lots of companies have this), you need to have people dedicated to being in a ninja suit and stopping people from getting your data. Most companies will do everything they need to do to become compliant, but won’t dedicate resources specifically to the protection of the data.
I have done a lot of work in the world of backups, and the current attitude toward security smells very much like an earlier valuation of the importance of backups. Even today, companies put backups low on the list of things they need. As an Oracle administrator, I know first-hand that a backup is one of the primary essentials of operating a production environment. As more and more companies become compromised, you will see a shift from simply being security compliant to having full-fledged security departments, much as you see complete areas of IT dedicated to backups in companies now. Enough people have been burned by not having backups to know that this is a necessary piece of your IT puzzle.
Now, if you asked any head of IT, he or she would tell you that they would love to have someone dedicated to security. It hardly ever happens. There are too many things to do and not enough good people to do them. So what happens? Let’s become security-certified! This is where compliance really makes me angry. You can have a building code that specifies that a lock needs to be on the door, but for the lock to be effective, you need someone in the house who knows you should lock that door.
Certification/compliance is really just for show. It’s not even as effective as putting a sticker on the window of your house and claiming that you’re protected, because the people who are after your data do not care what kind of seal you have on your website.
When I had my restaurant, we cleaned quite a bit and we worked hard to keep the food coming out of the kitchen without any issues. When we work on Oracle databases, we take very serious precautions concerning security, and it is always in the back of our minds. If your infrastructure people are all regularly thinking about this, you will be safe most of the time. But, if you have very sensitive data, you really need to have people dedicated to keeping that data safe. To prevent a disaster, you need to have a team of professionals who know the attackers and their methods well enough to put accurate checks in place. Compliance simply isn’t enough.