Business is booming and electronic information systems are running smoothly. You have passed all compliance audits and feel confident in your ability to defend your enterprise against cyber attacks. Data security, while a constant challenge, appears manageable. Attacks and intrusion attempts are ongoing, but breaches and direct losses so far appear to be both rare and contained. As a Global 2000 leader with high-profile, worldwide operations, you know intuitively that your systems and processes are prime targets for cybercriminals and miscreants. Perhaps your competitor just suffered an embarrassing breach? You read the news and the relevant industry press describing advanced persistent threats (APTs). Many of these APTs now employ sophisticated malware that communicates over Secure Sockets Layer (SSL) to blend in with legitimate encrypted traffic, look to exploit cryptographic keys and digital certificates, and attempt to gain rogue Secure Shell (SSH) access with root privileges. Despite copious investments in people, processes, and technology, plus verifiable compliance with all relevant data security laws and regulations, you still wonder, “Can I be missing something important? How would I even know?”
Audits are indispensable tools for certifying past performance against regulatory compliance standards that apply with general uniformity to all organizations within a given industry. They are much less effective, however, at revealing an organization's actual, forward-looking capacity to defend itself. Audits certify what took place over a specific historical reporting period, typically the last calendar or fiscal year, and may cover events that occurred long ago, even though much may have changed in the threatscape since that time. Looking backward is instructive, but looking forward is a far more effective means of assessing security readiness.
Did we provide enough security last year to pass the audit? What does barely passing an audit reveal? How urgently will necessary changes be implemented if there are no repercussions resulting from just squeaking by?
An unblemished audit record is laudable and should be a goal of every organization, security team, and compliance officer. It is necessary, of course, but by no means is it sufficient for assuring data security against modern cyber attacks. If passing an audit is the primary yardstick and everyone is satisfied with the status quo, then what is the incentive to improve things for the next year? In some cases, failing an audit provides more impetus to pursue improvement, and would be more beneficial in the long run, than passing one by a small margin.
With so much at stake, is “good enough” really good enough? Best security practices demand more than minimal compliance.
Motivations for achieving regulatory compliance are typically externally focused: to pass an audit; to renew a certification; to prevent a lawsuit; or to avoid a penalty such as a fine or a suspension from government contracting. By contrast, motivations for achieving true data security against a fast-changing threatscape tend to be internally focused: to meaningfully secure proprietary, customer, and employee data; to bolster active defenses; to improve detection and response capabilities; and to reduce the organization’s overall attack surface.
The focus on passing an audit is fundamentally different from a commitment to achieving excellence in information security.
Compliance is measured by “reasonableness under the circumstances,” a sliding scale based on the nature and scope of an organization's operations. Arguing gray areas is what keeps an army of lawyers gainfully employed, but what is considered “reasonable” has been steadily expanding in recent years. So be proactive and don't wait to be tripped up by an audit. Can you identify all cryptographic keys and digital certificates in use across your enterprise and to whom they are assigned? Are they secured and protected? What algorithms and key lengths do they use, and how often are they rotated? Do you know the location of every SSH-enabled server and whether the authorization keys that grant access to them are unique or shared across hosts? What does “trust” look like in your organization?
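The SSH questions above are answerable with a simple inventory check. The script below is an added example written for this page, not code from the original article or from Venafi: it takes the `authorized_keys` contents collected from several hosts (here a constructed sample built from synthetic key blobs that are structurally valid but are not real key pairs), fingerprints every key the way OpenSSH does (SHA256 of the decoded blob), and flags keys that are shared across more than one host, RSA keys shorter than an assumed 2048-bit floor, and deprecated `ssh-dss` keys. The host names, comments and the 2048-bit threshold are illustrative assumptions.

```python
import base64
import hashlib
import struct
from collections import defaultdict

# ---- helpers that build syntactically valid OpenSSH public-key blobs from
# ---- synthetic numbers. Constructed test data only: these are NOT real keys.

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # mpint is big-endian two's complement, so a positive value whose top bit
    # is set needs a leading zero byte; n.bit_length() // 8 + 1 guarantees it.
    return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def rsa_blob(bits: int) -> str:
    n = (1 << (bits - 1)) | 1            # modulus-shaped integer of exactly `bits` bits
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)).decode()

def ed25519_blob(label: str) -> str:
    pub = hashlib.sha256(label.encode()).digest()   # 32 synthetic bytes
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()

def dss_blob() -> str:
    return base64.b64encode(_ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (3, 5, 7, 11))).decode()

# ---- inventory logic ------------------------------------------------------

def parse_pubkey(line: str):
    """Return (key type, SHA256 fingerprint as OpenSSH prints it, RSA modulus bits or None)."""
    parts = line.split()
    # authorized_keys lines may start with options (from="...", command="...");
    # locate the key-type token, which is followed by the base64 blob
    for i, tok in enumerate(parts):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            ktype, b64 = tok, parts[i + 1]
            break
    else:
        return None
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    bits = None
    if ktype == "ssh-rsa":
        # wire format: string "ssh-rsa", mpint e, mpint n
        off, fields = 0, []
        for _ in range(3):
            (ln,) = struct.unpack_from(">I", raw, off)
            fields.append(raw[off + 4: off + 4 + ln])
            off += 4 + ln
        bits = int.from_bytes(fields[2], "big").bit_length()
    return ktype, fp, bits

WEAK_TYPES = {"ssh-dss"}      # DSA is disabled by default in modern OpenSSH
MIN_RSA_BITS = 2048           # assumed policy floor for this example

def audit_authorized_keys(inventory: dict) -> list:
    """inventory maps host name -> text of that host's authorized_keys file."""
    owners = defaultdict(set)
    findings = []
    for host, text in inventory.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parsed = parse_pubkey(line)
            if parsed is None:
                findings.append({"kind": "unparseable", "host": host, "line": lineno})
                continue
            ktype, fp, bits = parsed
            owners[fp].add(host)
            if ktype in WEAK_TYPES:
                findings.append({"kind": "weak-type", "host": host, "key": fp, "type": ktype})
            elif ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
                findings.append({"kind": "short-rsa", "host": host, "key": fp, "bits": bits})
    # the same fingerprint authorized on several hosts is one private key
    # whose compromise opens all of them
    for fp, hosts in owners.items():
        if len(hosts) > 1:
            findings.append({"kind": "shared-key", "key": fp, "hosts": sorted(hosts)})
    return findings

# constructed sample: what a collector might pull from three hosts
SAMPLE_INVENTORY = {
    "web-01": "\n".join([
        "ssh-ed25519 " + ed25519_blob("deploy") + " deploy@ci",
        "ssh-rsa " + rsa_blob(4096) + " alice@laptop",
    ]),
    "db-01": "\n".join([
        "# rotated 2019",
        'from="10.0.0.0/8" ssh-ed25519 ' + ed25519_blob("deploy") + " deploy@ci",
        "ssh-rsa " + rsa_blob(1024) + " legacy-backup",
    ]),
    "jump-01": "ssh-dss " + dss_blob() + " bob@old-box",
}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_INVENTORY):
        print(f)
```

In a real deployment the inventory would be gathered over a configuration-management channel from every server's `~/.ssh/authorized_keys` files (system and service accounts included), and the fingerprints would be joined against the HR or CI system that is supposed to own each key; a fingerprint with no owner is as much a finding as a shared one.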
If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.
Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.