[BreachExchange] Going Beyond Regulation

Destry Winant destry at riskbasedsecurity.com
Sat Jun 10 02:18:28 EDT 2017


http://www.itsecurityguru.org/2017/06/09/going-beyond-regulation/

The cyber-security landscape is plagued by the fact that
cyber-criminals seem to be permanently one step ahead, and rather than
addressing the problem, regulation is in some cases compounding it.
Understandably, many organisations opt to define security policies
based on regulatory requirements; the result, however, is that their
security postures very quickly go out of date. Not only are
regulations 24 months old by the time they are implemented, but by
taking a compliance-only approach, businesses could actually provide
hackers with an ‘access blueprint’ – weaknesses in the security model
that are not covered by regulation are clearly visible for any hacker
to exploit.

As Paul German, CEO, Certes Technology, insists, a compliance first
approach to security is fundamentally insecure. It is time for
companies to change the mindset, go beyond simply meeting regulatory
requirements and focus on truly protecting data.

Disturbing Trend

With the number of high profile security breaches still hitting the
headlines, organisations are clearly struggling to lock down data
against the continuously evolving threat landscape. Yet these breaches
are not occurring at companies that have failed to recognise the risk
to customer data – indeed many have occurred at organisations that are
meeting regulatory compliance requirements to protect customer data.

Given the huge investment companies in every market are making in
order to comply with the raft of regulation that has been introduced
over the past couple of decades, this continued vulnerability is – or
should be – a massive concern. Regulatory compliance is clearly no
safeguard against data breach.

Is this really a surprise, however? With new threats emerging weekly,
the time lag inherent within the regulatory creation and
implementation process is an obvious problem. It can take upwards of
24 months for a regulatory body to understand and identify weaknesses
within its existing guidelines, update and publish requirements, and
then set a viable timeline for compliance, often 12 to 18 months.
During this time an organisation with a security strategy dictated by
compliance is inherently insecure. Furthermore, these are catch-all
standards that are both open to interpretation and fail to address
specific business needs or operational models – immediately creating
security weaknesses.

Hacking Blueprint

Yet despite this obvious vulnerability, organisations are actually
moving towards a compliance first model, rather than away. Rather than
extending the remit of the Chief Information Security Officer (CISO),
growing numbers of organisations are recruiting Chief Compliance
Officers (CCO), effectively side-lining the data security requirements
of the business. Compliance is important, clearly, but it should be a
subset of the overall security strategy – with the CCO reporting to,
not replacing, the CISO.

Following this attitude to its logical conclusion can only further
undermine an organisation’s security posture: organisations looking to
meet compliance requirements may avoid penalties but they are not
secure. In fact, by taking a compliance first approach organisations
are effectively advertising their security posture to hackers. A
published regulation, while open to some interpretation, outlines
requirements very clearly – effectively presenting a hacker with a
network blueprint that highlights potential vulnerabilities.

Attaining regulatory compliance is offering organisations a false
sense of security on many levels – not only as a result of the new
threat landscape but also when we consider the ways in which emerging
connected technology is being used. The adoption of the Internet of
Things (IoT) is a prime example of regulations’ inability to keep
pace. The Health Insurance Portability and Accountability Act
(HIPAA), for example, has specific requirements related to patient
data management – but a hacker breaching an IoT patient monitoring
device may compromise not just a patient’s data but potentially his
life, if the attacker were to tamper with the device’s settings. Would
compliance with the existing HIPAA requirements stand up in court
should that patient’s family sue for mismanagement? Put a security
expert on the witness stand and most probably not. Security teams know
that prioritising compliance demands over effective data security is
wrong – and businesses that fail to listen will pay the price.

New Mindset

The entire security model is flawed not least because most regulatory
bodies are still adhering to the ‘secure the border’ model. Breach
prevention, even breach detection, are not adequate security postures.
They assume a level of trust – that anyone or anything inside the
border is trusted until proved otherwise. But this is patently untrue,
as the raft of breaches – many of them undetected for months – reveal.

Organisations and regulators alike need to stop trying to build trust
into an infrastructure and adopt a Zero Trust mindset. This means
decoupling security from the complexity of the IT infrastructure and
addressing specific user and IoT device vulnerabilities. Instead of
firewalls, network protocols and IoT gateways, organisations should
consider data assets and applications, and then determine which user
roles require access to those assets.

Building on the existing policies for user access and identity
management, organisations can very quickly use cryptographic
segmentation to ensure only privileged users have access to privileged
applications or information. Each cryptographic domain has its own
encryption key, making it impossible for a hacker to move from one
compromised domain or segment into another – it is simply not possible
to escalate user privileges to access sensitive or critical data,
meaning any breach is contained.
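As an added illustration of the per-domain key idea described above (example code written for this post, not Certes' product or the article's own material), the Python below uses only the standard library: a key broker derives one key per data domain and releases it only to roles the policy entitles, and data sealed under one domain's key is rejected, not decrypted, when opened with another domain's key. The role-to-domain policy, the sample patient record and the HMAC-based stream cipher (a stand-in for a standard AEAD such as AES-GCM so the example runs offline) are all constructed assumptions.

```python
"""Cryptographic segmentation demo (constructed example).

Each data domain has its own key; a role only obtains the keys for the
domains it is entitled to, so a key taken from one compromised segment
cannot open data held in another. The cipher is HMAC-SHA256 in counter
mode plus an HMAC tag (encrypt-then-MAC); it stands in for a standard
AEAD such as AES-GCM so that the example needs no third-party library.
"""
import hashlib
import hmac
import secrets

# Constructed access policy: domain -> roles allowed to hold that domain's key.
DOMAIN_ROLES = {
    "patient-records": {"clinician"},
    "billing": {"finance", "clinician"},
    "building-controls": {"facilities"},
}


def derive_key(parent: bytes, label: str) -> bytes:
    """Derive a child key from a parent key and a label (HMAC-based KDF)."""
    return hmac.new(parent, label.encode(), hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: concatenate HMAC(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(domain_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the domain key: nonce || ciphertext || tag."""
    enc_key = derive_key(domain_key, "enc")
    mac_key = derive_key(domain_key, "mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(domain_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong domain key or tampered blob raises."""
    enc_key = derive_key(domain_key, "enc")
    mac_key = derive_key(domain_key, "mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong domain key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyBroker:
    """Hands out per-domain keys only to roles the policy entitles."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def key_for(self, role: str, domain: str) -> bytes:
        if role not in DOMAIN_ROLES.get(domain, set()):
            raise PermissionError(f"role {role!r} is not entitled to domain {domain!r}")
        return derive_key(self._master, "domain:" + domain)


def run_demo() -> dict:
    """Exercise the four containment properties; every value should be True."""
    broker = KeyBroker(secrets.token_bytes(32))
    record = b"patient 4711: heart-rate alarm threshold 140 bpm"  # constructed sample
    sealed = seal(broker.key_for("clinician", "patient-records"), record)
    results = {}
    # An entitled role reads data in its own domain.
    results["clinician_reads_record"] = unseal(broker.key_for("clinician", "patient-records"), sealed) == record
    # A role outside the domain never receives that domain's key at all.
    try:
        broker.key_for("finance", "patient-records")
        results["finance_denied_key"] = False
    except PermissionError:
        results["finance_denied_key"] = True
    # A key from another (possibly compromised) segment does not open this data.
    try:
        unseal(broker.key_for("finance", "billing"), sealed)
        results["billing_key_rejected"] = False
    except ValueError:
        results["billing_key_rejected"] = True
    # Tampering with the sealed record is detected rather than silently decrypted.
    tampered = sealed[:20] + bytes([sealed[20] ^ 1]) + sealed[21:]
    try:
        unseal(broker.key_for("clinician", "patient-records"), tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The point the demo makes is structural: because the broker derives keys per domain and checks the role before releasing one, "escalating" from the billing segment to patient records would require the patient-records key, which a billing-only role never holds, and the tag check means an attacker cannot even confirm partial guesses by decrypting garbage.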

It is by creating a zero trust approach to data security first, and
only then overlaying any specific compliance requirements, that
organisations can lock down the business against threat and meet
regulatory demands.

Conclusion

Organisations are understandably concerned about the financial
penalties associated with failing to achieve regulatory compliance.
But take a step back and consider the financial implications of data
breach, of high profile customer data compromise. That is a far more
significant cost and an event that will have long term repercussions
on customer perception and loyalty.

This continued, even increasing, focus on compliance over data
security is confusing. These static regulations can never be up to
date, can never provide organisations with the robustness of security
posture required to protect data against the continually evolving
threat landscape. The fact that these regulations are open to
interpretation also creates potential weaknesses within the security
architecture.

The blunt fact is that compliance driven security programmes do not
adequately address the threat landscape because the focus is on
meeting audit trail requirements rather than leveraging security
innovation to effectively fight the latest threats. The model is wrong
– and businesses are suffering as a result.
