By Danny Lieberman, Security Expert

Oct 28 2009 - I recently saw a post on the corporate blog of a company called Cloud Compliance, entitled "Is Compliance the New Security Standard?". The company describes itself as follows:

Cloud Compliance provides a SaaS-based Identity and Access Assessment (IdAA) solution that helps identify and remediate access control and entitlement policy violations. We combine the economies of cloud computing with fundamental performance management principles to provide easy, low cost analysis of access rights to prevent audit findings (sic) and ensure compliance with regulations such as SOX, GLBA, PCI DSS, HIPAA and NERC.

The basic thesis of the post was that since companies have to spend money on compliance anyway, they might as well spend the money once and call the effort "security".

This is an interesting notion - although perhaps "placebo security" might be a cheaper approach.

Compliance is not equivalent to security for several fundamental reasons.

Let's examine this curious notion, using PCI DSS 1.2 as a representative compliance standard - one whose stated purpose is to protect payment card numbers:

- Filling out a form or having an auditor check off a list is not logically equivalent to installing and validating security countermeasures. A threat modeling exercise is far stronger than filling out a form or auditing controls, because it starts from the assets and the attackers rather than from a checklist - it is significant that threat modeling is not even mentioned by PCI DSS, despite the high return on a modest investment of thinking time.

- Although PCI DSS 1.2 is an improvement over previous versions, it still lags behind the current data security threats, which means that even a business that implements every control is probably still vulnerable.

- PCI DSS was designed by the card associations - there is no way that any blanket standard will fit the needs of a particular business, any more than a size 38 regular suit will fit a 5′ 7″ man who weighs 120 kg and wrestles professionally.

- PCI DSS talks about controls with absolutely no context of value at risk. A retailer selling diamond rings on-line may self-assess as a Level 4 merchant but in fact have more value at risk than the payment processor service provider he uses. (See my previous post, "Small merchants at risk from fraudulent transactions".)
