Skip to main content
banner image
venafi logo

Complying with Data Security Laws and Regulations? Congratulations, You’re Doing the Minimum! Part 2

Complying with Data Security Laws and Regulations? Congratulations, You’re Doing the Minimum! Part 2

Complying with Data Security Laws and Regulations? Congratulations, You’re Doing the Minimum! Part 2
August 26, 2014 | Michael Rosen
Dig Deeper for Security Vulnerabilities

Business is booming and electronic information systems are running smoothly. You’ve passed all compliance audits and feel confident in your ability to defend your enterprise against cyber attacks. Data security, while a constant challenge, appears manageable. Attacks and intrusion attempts are ongoing, but breaches and direct losses so far appear to be both rare and manageable. As a Global 2000 leader with high profile, worldwide operations, you know intuitively that your systems and processes are prime targets for cybercriminals and miscreants. Perhaps your competitor just suffered an embarrassing breach? You read the news and the relevant industry press describing advanced persistent threats (APTs). Many of these APTs are now employing sophisticated malware communicating over secure sockets layers (SSL), looking to exploit cryptographic keys and digital certificates, and attempting to gain rogue secure shell (SSH) access with root access privileges. Despite copious investments in people, processes, and technology—plus verifiable compliance with all relevant data security laws and regulations—you still wonder, “Can I be missing something important? How would I even know?”

Look Forward for Security Inspiration, Not Backward

Audits are indispensable tools for certifying past performance against regulatory compliance standards that apply with general uniformity to all organizations within a given industry. They are much less effective, however, for ascertaining true information security defense capabilities on a particularized, forward-looking basis. Audits certify what took place over a specific historical reporting period—typically the last calendar or fiscal year—and may cover events that occurred long ago, even though much may have changed in the threatscape since that time. Looking backward is instructive, but looking forward is a far more effective means of assessing security readiness.

Did we provide enough security last year to pass the audit? What does barely passing an audit reveal? How urgently will necessary changes be implemented if there are no repercussions resulting from just squeaking by?

Strive for Continuous Improvement, Not Just to Pass Audits

information security regulation

Achieving an unblemished audit record is a laudable achievement and should be a goal of every organization, security team, and compliance officer. It is necessary, of course, but by no means is it sufficient for assuring data security against modern cyber attacks. If passing an audit is the primary yardstick and everyone is satisfied with the status quo, then what is the incentive to improve things for the next year? In some cases, failing an audit provides more impetus to pursue improvement, and would be more beneficial in the long run, than passing one by a small margin.

With so much at stake, is “good enough” really good enough? Best security practices demand more than minimal compliance.

Look Inward for Motivation, Not Outward

Motivations for achieving regulatory compliance are typically externally focused: to pass an audit; to renew a certification; to prevent a lawsuit; or to avoid a penalty such as a fine or a suspension from government contracting. By contrast, motivations for achieving true data security against a fast-changing threatscape tend to be internally focused: to meaningfully secure proprietary, customer, and employee data; to bolster active defenses; to improve detection and response capabilities; and to reduce the organization’s overall vulnerability cross-section.

The focus on passing an audit is fundamentally different from a commitment to achieving excellence in information security.

Compliance is measured by “reasonableness under the circumstances,” a sliding scale based on the nature and scope of an organizations operations. Arguing gray areas is what keeps an army of lawyers gainfully employed, but what’s considered to be “reasonable” has been steadily expanding in recent years. So be proactive and don’t wait to be tripped up by an audit! Can you identify all cryptographic keys and digital certificates in use across your enterprise and to whom they are assigned? Are they secured and protected? How strong is their encryption and how often do they get rotated? Do you know the location of every SSH-enabled server and whether the authentication keys that access them are unique or shared? What does “trust” look like in your organization?

If you strive to achieve strong security practices for their own sake, you will invariably find yourself exceeding the compliance requirements of the applicable laws and regulations in your industry. If you strive primarily for compliance, however, you will likely fall short of minimum practices necessary to achieve true data security and leave yourself vulnerable to trust-based attacks on the keys and certificates that enable enterprises to secure critical information systems.

Learn how Venafi can help protect your encryption and authentication assets against trust-based attacks to achieve both industry compliance and strong data security practices across the enterprise.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Michael Rosen
Michael Rosen
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more