[BreachExchange] A New Internal Threat to Your Environment? ‘Checkbox Security’

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 30 19:41:16 EDT 2017


Securing your virtual environment is a constantly evolving challenge with
changing variables. Checkbox security, a strategy that focuses on
compliance, does not make your environment secure. It is a strategy of
complacency leading to eventual failure. A comprehensive risk strategy
tackles compliance and security and can be achieved through governance

Some may argue that if your environment is fully compliant with a stringent
regulatory standard (PCI for example, as this is a particularly
wide-reaching compliance standard), then your environment is “secure”. The
assumption is that meeting a standard means that you have shored up any
security vulnerabilities. This can be a fatal assumption. Compliance with a
particular standard, be it FISMA, HIPAA, SOX or the aforementioned PCI,
simply means that you are in alignment with a set of externally defined
criteria with the ultimate goal of protecting sensitive customer or user

While there is an extra level of complexity that must be taken into account
with dynamic virtual infrastructures, there are tools that can ensure
compliance even in a virtual environment. As the nature of compliance
mandates is being standardized and well defined, a “checkbox” approach to
compliance does make sense.

That being said, while there are tools that provide the appropriate checks
and audits needed to verify and maintain compliance, they often do not
address actual security challenges or vulnerabilities. Compliance provides
safeguards for specific types of security risks such as accessing credit
card or health record data. Securing your virtual environment is a more
fluid task that requires vigilance against both external and internal
threats such as breaches, misconfiguration, access control changes,
authentication and more.

A checkbox security approach breaks down in this scenario – there are
simply too many variables outside the scope of compliance-focused toolsets
to ensure the security of your environment. A checkbox security approach
that relies on your compliance policies is, simply put, vulnerable. Being
compliant does not mean your environment is secure; and conversely, just
because your environment is secure does not mean it’s compliant.

Governance automation can go a long way in satisfying compliance
requirements while also enforcing security policies to protect against
internal and external threats. In a virtual or cloud-based (public, private
or hybrid) environment with constantly shifting and distributed resources
and possibly shared services, automated governance tooling is indispensable
for implementing a comprehensive risk strategy at scale, no matter the size
of your organization. A good governance solution will ensure that security
tasks, such as identity and access management for personnel, are executed.
Other tasks can be automated, including provisioning, authentication and
authorization as well as more organization-specific, granular security
processes. Governance automation can not only deliver key elements of good
data stewardship such as secure access, encryption and loss prevention, but
also recognize vulnerabilities, perform remediation and ensure audit readiness.
These benefits of governance automation do not even take into account the
additional benefits provided in a virtual or cloud environment, such as
overall cost controls and the increased speed of business processes.

It’s an all too common downside of the “checkbox security” approach that
you don’t actually get the security you’re looking for. This problem is
exacerbated in a virtual or cloud environment where flexibility and scale
open up a whole Pandora’s box of additional checks and processes that will
impact the productivity and security of a limited toolset – especially if
data is compromised or a vulnerability is attacked.

Governance automation provides controls for regulatory compliance and data
protection while incorporating security policies to address
vulnerabilities, protecting enterprises from both internal and external
threats and eliminating the inadequacies of checkbox security.