Everyone is beginning to suspect that Information Security is in a bit of a crisis these days. Sony, Target, Home Depot, multiple banks and many government departments have had the inner sanctums of their IT infrastructure pillaged by outside hacker teams who, with seeming impunity, wiped systems and stole all of their crown jewels. Sony’s debacle where their security team didn't seem to be aware of the attacks until after it became a Hollywood-sized spectacle is a truly face-palming moment that makes us all cringe and shake our heads in dismay. Not 111MB or 111GB, but 111TB of data were taken? Really?
Obviously the old security paradigm we have been promoting for the past 30 years just isn't up to the challenge of protecting our data assets any longer. The old paradigm - build a bastion castle with thick walls, keep your valuables locked up inside the castle where the 'good' people live, and keep all the 'bad' people outside - no longer applies. Now we live in a world where our good sales team is working outside the castle walls and some bad disgruntled employees may be working inside the castle walls. Plus, we now have VPN tunnels going under the moat and through the walls giving our (hopefully) trusted staff access to the castle’s inner sanctum. And the evil outsiders now mail plague-infected packages to the unsuspecting castle occupants. It no longer looks like a very secure castle, does it?
However, this is not all the fault of the Information Security geeks who have been doing their best to protect the castle. In the court of the king, there exists some fear and confusion as to how we can best protect the castle and its inhabitants. For example, the king of the Target kingdom lost his crown last year when his castle was ransacked. But all was supposedly well in the kingdom, as their auditors and the exchequer of the royal treasury were fully in compliance with all the expected standards expected of a well-managed castle. What went wrong?
I think in every king’s court, confusion exists around conflating ‘compliance’ with ‘security.’ “We passed all the auditors tests and have check marks by all of the items on their list of controls, therefore all is secure. Now let’s get on to the next issue we have running our castle.” Unfortunately, simply meeting the compliance checklist is no longer good enough to be ‘secure.’ Compliance to standards is now merely the basic minimum due reasonable care for keeping one’s castle in order. But ‘compliance’ should not be confused with or equated with the umbrella concept of ‘security,’ and we need to do more to make everyone aware of this distinction.
Perhaps a better word to use would be trust. Trustworthy systems don’t just check all the boxes on the auditor’s security compliance spreadsheet. They also provide a deeper level of security that tells us we can depend on all of the controls to synergistically provide a reliable level of protection and keep our assets safe (within whatever levels of risk the organization chooses to accept and can afford). That deeper level of security also has to provide what we call “Situation Awareness” - insight into the health of our systems and network.
Too often, when I ask a manager if they have Situation Awareness, they stare at me as if their brain just had a ‘blue screen of death’ experience. Situation awareness can simply be described as being able to tell if you’re having a ‘good day’ or a ‘bad day.’ Is your network capacity being maxed out because a new program is being rolled out and more clients are on your web site today? Or is it maxed out because someone is busy FTP-ing 111TB of data to a computer in Russia or DDoS-ing your server? You need to be able to tell the difference and properly prepare so that you have the resources and contingency plans in place to deal with a ‘bad day.’
Most of the current standards checklists focus on safeguards, not activities. Perhaps if we focused a bit more on developing defense in depth activities, and less on the safeguards checklists, our castle would operate in a more trustworthy manner.
What do you think? How trustworthy is your IT environment right now?