Compliance As Kick-StarterHow SOX and PCI have actually improved enterprise security, vendors notwithstanding
Regulation is a boon to security. Without the government and other private organizations leading security around by its nose, we would be eternally trapped in the "just strap another pizza box into the rack" solutions offered by clueless vendors. There were zillions of them at RSA this year.
One problem is that many security vendors seem to be in it for the money. For example, antivirus vendors love to tie you to the gerbil wheel of virus definition updates, even though they know there are superior antivirus approaches to the ones they currently sell which would not require constant updates (or the associated recurring revenue stream).
And just about all vendors are guilty of the silver bullet myth, that is, "just buy our silvery bullet-like stuff and your security problems will miraculously disappear." The worst silver bullet offenders are the application firewall people. Talk about approaching the right problem (software security) in the wrong way (network traffic inspection)!
Fortunately there are regulations to rescue us from our own nonsense. Probably the best regulatory nose-leading has been carried out by Sarbanes-Oxley. In the first runner-up category, the credit card consortium's Payment Card Industry (PCI) standards have likewise generated great forward progress in security.
Pull Up Your SOX
Everyone knows just enough about SOX to be dangerous. I don't want to provide a tutorial here, so if you need some background on SOX, click here. In any case, the main lever in SOX is that ultimately the CEO of a public company must attest to the fact that accounting numbers are accurate or risk going to jail. It turns out that there's nothing quite like possible time in the slammer to motivate CEOs.
Here's how IT got involved (and in turn, security) at some major investment banks I am familiar with. The CEO asked the CIO whether there were software programs that touched the numbers, and if so how many there were. The CIO asked the software guys. Everyone was expecting a number back that was small, like eight. Instead they got a large number back, like 800. Oh, no! Two orders of magnitude off.
And where did those programs come from? Turns out most of them were written in-house. In fact, the 800 SOX-related applications were a subset of the 1,500 or so in-house apps. Furthermore, there were literally thousands of developers on staff building and maintaining these things. Turns out the bank is a software house.
SOX was a wakeup call for software risk. In order to attest that the numbers were accurate, the CEO had to be sure that the applications that compute and manipulate the numbers function properly. Smart execs quickly realized the exposure that software causes on the security side at the same time. Software that behaves properly in a pristine environment can fail spectacularly when maliciously attacked. The software security message hit home.
This is how more than one major software security initiative in New York got started. In the end, SOX did more good for software security than any other single activity. As it currently stands, SOX may have its share of critics, but at least SOX woke us all up about certain kinds of risks and forced us to deal with them head on.
PCI and Data Security
If you stop and think about it for a few minutes, it is fairly easy to spot a huge trend in security. Security is moving from the outside (where we protect our LANs with firewalls and intrusion detection systems) to the inside. The first step on the way in is to consider software programs that interact over the Internet. Web-based applications lead the pack. Next come more complex internal applications that involve n-tier architecture and back-end systems.
And finally, deep inside, are the data themselves. It is clear that data security is next in line for improvement as security continues to evolve. This is especially apparent given how fed up the public has become with identity theft and data loss.
The data problem is growing every day as well. Dan Geer points out that three years ago the per capita data production rate on the planet (including all of those people who make less than a dollar a day) was 800 Mbytes. That was three years ago, and data production rates are basically doubling every 18 months. It seems that the problem is getting bigger and bigger even as we're only barely coming to grips with it.
PCI standards and compliance initiatives have jump started data security in a very interesting fashion. Because they are completely driven by the credit card industry, PCI standards center around protecting credit card data. Many businesses that rely on credit card transactions for their business (think hotels, for example) are scrambling to get into compliance.
Of course wherever you find large concerns scrambling to meet industry standards, you'll also find a preponderance of vendors. The most common vendor approach is to declare that whatever their solution happens to be will magically result in compliance to PCI. "Sure, bolt on this pizza box and you're home free!"
I've seen some humdingers. My favorite was a huge company that bought a gigantic PKI solution with certificates, revocation, initiation rites, complex application APIs, and goat sacrifice, to solve its problem. Left with a big pile of new stuff and no idea how to solve the actual problem, they called some consultants. It was obvious at once that the problem could be solved with a much more elegant lightweight solution.
In the end, Cigital built a credit card data proxy server allowing the data to be cryptographically protected both in transit and at rest, while at the same time preserving the "data shape" so that the legacy back end and all the apps would still work.
Without PCI standards hovering like the sword of Damocles, it is unclear whether any progress would have been made by now on the data security front. Once again, we have a set of standards, this time not created by the government but by private industry, pushing security to do the right thing.
I think this all goes to show that you can lead a security guy to water, and you can even force him to drink!
Gary McGraw is CTO of Cigital Inc. Special to Dark Reading