It made me think about whether or not it matters if the security controls we put into place are essentially illusory as long as they bring us some level of comfort.
Diana - Security Curve Weblog
As I was reading Diana's article, this one sentence jumped out at me. Does anyone in the security field still have any illusions that we can make a network or company completely secure? If they've been in security for more than a couple of years, I hope they know better. We're never completely secure; there are too many aspects of our enterprise to cover to be certain we've taken everything into account. There's always going to be a vulnerability somewhere, it's a fact of life.
We can't afford to have too many illusions as security professionals. We have to see our network for what it is so that we can take the appropriate steps to safeguard our resources. We often have to do the best we can with the resources at hand, because proving the threat/risk to cost ratio to management is difficult in the best of situations. We have to hope that what we've done is good enough to keep the bad guys out of our network.
I guess this is the illusion Diana was really talking about. Not that our network is truly secure, but that our security measures are 'good enough'. Because if our security is 'good enough', it'll be someone else's company that will end up on the front page of Slashdot because of a compromise. But sometimes it's this illusion that allows us to get to sleep at night.
Michael Dahn blogged recently about continuous security and PCI (my response), and I think this relates well to Diana's thoughts on compliance illusions. Meeting a compliance framework such as HIPAA or PCI is part of a security stance, but neither of these will make your enterprise secure without a lot of extra safeguards.
We have to have illusions to live our lives. As long as we pick the right ones, either by luck or design, our networks can stay secure. But if we choose to believe the wrong illusion, we could suffer from a compromise.
Welcome to a little Monday morning philosophy. Now I have to go rent Pan's Labyrinth.
My original concept was that simply complying once with a standard provides momentary security. What companies need to do is maintain the ongoing operational management and security of their systems. There are a number of different things that companies need to do just to maintain the level of security required for compliance. This maintenance is what I believe you refer to by "a lot of extra safeguards".
Posted by: Mike | June 04, 2007 at 10:29 PM
No, I meant that PCI will take you a certain distance towards having a secure enterprise, but it's only aimed at keeping credit card information secure. There are any number of additional areas that have to be addressed to have a secure enterprise, from mail servers to the company forums to blogging. PCI doesn't cover everything, and it doesn't address your concerns about continuous security. That's what I meant by needing extra safeguards.
Martin
Posted by: Martin McKeay | June 05, 2007 at 10:08 AM