Regulations aimed at protecting the security and privacy of organizations and individuals are well meaning. But sometimes these standards, or how they're interpreted, can be more than a nuisance--they can actually contribute to weaker security.
[Thinking outside the IT audit (check)box]
Here are few examples, from security executives and analysts, of internal and external compliance standards that are potentially problematic, and how they can be addressed so that they don't cause problems while they're trying to provide solutions.
Encryption and HIPAA
Many organizations and security executives are under the mistaken impression that compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires encryption, and this can actually lead to security problems, says Paul Proctor, vice president and distinguished analyst at Gartner Inc.
In fact, HIPAA requires the appropriate use of encryption, which is quite a different standard and can mean the difference of millions of dollars, Proctor says. Aside from the overspending of time and energy on encryption, the misunderstanding related to HIPAA can have a negative impact on certain business processes, affect application performance and even cause users to bypass certain controls because they're annoyed at security, he says.
Decisions such as over-encrypting data "tend to have a ripple effect, of which lowering security is only one," Proctor says. "The answer is to develop a risk management process that allows thoughtful consideration of what you should do" to be compliant with regulations. "Organizations can make poor decisions if they don't have a formal risk management process--and most don't."
Password-Protected PDFs
Sometimes the regulatory environment has companies spending money on tools that aren't effective, and makes life more difficult for customers. When Tony Hildesheim, now senior vice president of IT at Redwood Credit Union, was working at another organization, internal regulations mandated that no account information be printed on any document.
"This also required that if you emailed a customer information, it had to be in a password-protected PDF," Hildesheim says.
This caused multiple problems. "Many financial institutions truncate the account number so that the whole number is not printed on any material," Hildesheim says. "Without an account number present on a piece of paper, it is hard to help the customer, many of whom no longer can tell you their account number."
[GRC: Trying to take the bite out of risk]
The other issue is that with the company's email scanning solution, it was having a difficult time scanning the password-protected PDF. "Therefore, the security measure we put in place to ensure no data [such as credit card numbers] is emailed out of the company is rendered useless because the system cannot break into a PDF," Hildesheim says. "We had to change the procedure, train the staff and fight with the audit department."
Regulations "are often written in response to a very specific or perceived risk that may or may no longer exist, has other mitigations or whose likelihood is so remote that it is a non-threat," Hildesheim says.
Overzealous Virus Scanning
Several years ago Proctor and other Gartner analysts were visiting a large credit union to discuss security strategy. The firm had just experienced a computer virus attack when a user had connected an infected PC to its corporate network and inadvertently spread the virus.
"So they created a blunt rule that said every machine the comes into the organization from outside had to have a full virus scan," Proctor says. "This was done at the security desk and it took two hours for each machine. When we showed up for our meeting we couldn't get in" because of the delays. "The meeting was cancelled because of this silly decision. And who knows how many pieces of the business were impacted because of this rule."
[Passing PCI firewall audits: Top 5 checks for ongoing success]
It likely had a negative impact on the organization's security posture because of increased resentment toward security, Proctor says. The solution, again, is to more clearly think through how compliance standards should be implemented and their potential impact on all aspects of the business.
Vulnerability Scoring and PCI
The PCI standard requirement for a "clean scan" is a huge burden on businesses, says Adrian Sanabria, senior security analyst at 451 Research. "It steals focus away from more effective risk-reduction work and encourages a dangerously false sense of security," he says. Earlier versions of the PCI security standards "required businesses to show that all vulnerabilities rated a 'CVSS score of 4.0 or higher' be resolved," Sanabria says. "This is a hugely labor-intensive process that yields very little return on security."
The key issue here is the ineffective nature of vulnerability scoring, Sanabria says. "The automatic score given to a vulnerability--provided it isn't a false positive--is often highly inaccurate," he says. "It is simply a best guess' without some extra work to factor in each organization's unique context. The vast majority of effort often goes into fixing vulnerabilities that aren't a threat at all, and potentially ignoring ones that could be critical, but were scored under PCI's threshold."
Many times larger organizations have a person entirely dedicated to coordinating tasks and obtaining clean scans, Sanabria says. "That's one person's time dedicated to a tiny fraction of PCI," he says. "Newer versions of PCI have tried to correct this issue by implementing a new requirement in which each organization applies custom rankings to each vulnerability that affects them. Now these organizations will have to dedicate a second person to the task of vulnerability management."
Encrypted Data Backups
One compliance effort that makes a difficult situation even more difficult is the requirement for encrypted backups. Hildesheim knows of companies required to maintain such backups of data.
[5 myths of encrypting and tokenizing sensitive data]
"This sounds like a reasonable precaution if you are storing your [backup] tapes in a public store," Hildesheim says. "But consider that management and likelihood that seven years from today the encryption is able to be decrypted. Never mind that the password or key would have to be stored somewhere securely and cataloged. The encryption algorithm or software would have to still be in a form that could decrypt the data."
This is even more confounded when regulators require that backup media be encrypted, even if it is stored in a controlled storage vault to which only your company has access, Hildesheim says. "One of the answers that many of the regulators are wanting to see in place is encrypted electronic backups," he says. "This again sounds good, until you realize that most have a local store and offsite store which is in a shared environment, or cloud."
Multiple International Regulations
For companies that offer their services primarily through the cloud, such as learning and talent management solutions provider Saba, the need to comply with a host of federal and industry regulations can create complexities that potentially hinder security.
Saba complies with standards such as ISO27001; privacy requirements such as Safe Harbor, EU Directive and other geographic privacy requirements; Life Science Validation Environments; FISMA, etc., says Randy Barr, chief security and information officer.
Some of these regulations are stricter than others and create challenges that are important to address in order to provide adequate security, Barr says.
For example, some require employees to work in the U.S., or have U.S. citizenship. "It's difficult to keep track of individuals who work abroad, and having to do so for some of the groups within our company can be challenging," Barr says. "If Saba wasn't prepared for such regulations, our ability to provide security across the board would be in jeopardy. It's important that all departments take the time to understand the security programs that we've communicated rather than just reviewing compliance requirements and saying it must be done."
[The race toward copliance is 'not optimal']
Saba is able to meet all of its customers' security requirements, Barr says, but not without a huge amount of extra effort because of the complex compliance requirements. It's working with the Cloud Security Alliance to find more effective ways to comply with standards without draining resources. In addition, it has formed a Saba Security Council to provide a consensus-based forum to support the overall Saba Security program. "Discussions around meeting the requirements of [regulations] are discussed in these quarterly meetings," Barr says.
ISO Regulations and Roadblocks
The ISO/IEC 15408 regulations requiring Common Criteria testing can hinder security, says Robert Schadey, CISO and director of infrastructure services at 1901 Group, an IT services management provider.
"The Common Criteria guidelines and specifications developed for evaluating the security within a product ensure that security standards are agreed upon and [testing is] in place," Schadey says. For the most part, Common Criteria validates the claims of vendors' security features with an assessment of potential threats, he says.
"However, the overall length of time for testing and costs has caused a roadblock for most of the industry," Schadey says. "Our focus has shifted to providing a services-based approach for our federal customers. Services are delivered via dynamic hosting environments whereby the infrastructure layer may not be under a customer's control."
[Security and vulnerability assessment: 4 common mistakes]
This can make it difficult to ensure that the intent of the Common Criteria security measures are in place without analyzing each vendors' cloud implementation against Common Criteria security functional requirements (SFRs) and identifying the security gaps to determine if the cloud provider is acceptable, Schadey says.
"The loss of control at the infrastructure layer can cause security problems," he says. "The other issue that hinders security is the timeframe it takes to test the products and have them available for selection off the Common Criteria Products List."