Secure Payments, PCI DSS, Regulatory Compliance Blog

There is No Spoon - Compliance in a New World

March 11th, 2009 by admin Posted in Compliance, PCI DSS

The arguments for and against PCI have drifted to both extremes: people stand ideologically for or against both the standard and the industry as a whole.  When it comes to payments security, people either love or hate the current compliance initiative called PCI DSS.  I’m here to tell you there is no spoon!

As part of our daily lives we believe what we are told and follow the leader, sometimes almost like lemmings, at both ends of the spectrum.  The title of this post is meant to reflect the fact that there is no one answer to compliance.  There is no single point at which you become compliant and can therefore stop doing security.  There is no hair-splitting line between what is compliant and what is not.  There is only risk management, and I would argue that risk is driven primarily by the current and ever-changing attack environment.  The answer to compliance is not a point at which you can stop, but the ever-changing spectrum of risk itself.

I’m a strong proponent of what I’ve coined Attack Vector based Risk Management (AVRM).  This means simply that you cannot economically defend your home until you understand the evolving threat landscape.  For example, if you know that attackers are breaking into cars in your neighborhood and stealing the 8-track players, then putting another lock on your front door will not solve the problem.  You need to start parking your car in the garage or putting a better surveillance system outside your house.  Sure, you could build a fortress to keep all your systems inside, but that is not economically feasible (especially these days).

So we have people at one end of the spectrum who cry wolf every time a house gets broken into, and people at the other end who preach about building fortresses.  Who should we listen to?  How bad is the world out there?  What risks are we willing to accept, and which are we not?  Once you understand that there is no one ‘right’ answer for all companies of all sizes in all industries across the entire globe, you will begin to accept that a risk-based approach is the only real and scalable approach to not just security but also compliance.

I’m famous for asking the question, “Can a firewall be used to segment a network?”  Most people will say ‘yes’, but I will say ‘no’.  I can feel the paradigm change and mind shift when I say, “No, only a properly configured firewall can segment a network.”  A firewall whose rule base still lets the rest of the network reach the cardholder environment is a box in the rack, not a segmentation control, and it reduces neither your risk nor your PCI scope.
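To make the “properly configured” distinction concrete, here is an added example written for this edit (it is not code from the original post). It simulates first-match rule evaluation, the way most packet filters work, against two constructed rule sets: one where a firewall exists but a broad permit rule sits above the CDE deny, and one with a default deny and a single approved admin flow. The address ranges, the jump host, the probe list and the port list are all assumptions made up for the illustration.

```python
"""Added example: does this rule base actually segment the CDE?

Two constructed rule sets are evaluated with first-match semantics and
probed from out-of-scope hosts.  Only the second one isolates the CDE.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed network layout (assumption, not from the original post).
CDE = ipaddress.ip_network("10.10.0.0/24")      # cardholder data environment
CORP = ipaddress.ip_network("10.20.0.0/16")     # out-of-scope office LAN
ANY = ipaddress.ip_network("0.0.0.0/0")
JUMP = ipaddress.ip_network("10.20.5.10/32")    # the one approved admin host
CDE_HOST = "10.10.0.25"                         # a constructed CDE server


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port


def evaluate(rules: Sequence[Rule], src: str, dst: str, dport: int,
             default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default action."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return default


# Rule set A: a firewall is in place, but it does not segment anything.
# The broad "corp may reach anything" rule is matched first, so the
# deny rule below it never fires for office hosts.
NOT_SEGMENTED = [
    Rule("allow", CORP, ANY),
    Rule("deny", ANY, CDE),
]

# Rule set B: the CDE is denied by default, with exactly one documented
# exception (SSH from the jump host), and general office traffic is
# permitted only after that deny has been applied.
SEGMENTED = [
    Rule("allow", JUMP, CDE, dport=22),
    Rule("deny", ANY, CDE),
    Rule("allow", CORP, ANY),
]

# Flows the business has actually approved into the CDE (constructed).
APPROVED = {("10.20.5.10", 22)}


def cde_exposure(rules: Sequence[Rule], probe_sources: Sequence[str],
                 probe_ports: Sequence[int] = (22, 443, 1433, 3389)
                 ) -> List[Tuple[str, int]]:
    """Probe a CDE host from out-of-scope sources and return every
    (source, port) pair the rule base lets through, sorted."""
    return sorted(
        (src, port)
        for src in probe_sources
        for port in probe_ports
        if evaluate(rules, src, CDE_HOST, port) == "allow"
    )


def is_segmented(rules: Sequence[Rule], probe_sources: Sequence[str]) -> bool:
    """True only if nothing beyond the approved flows can reach the CDE."""
    return set(cde_exposure(rules, probe_sources)) <= APPROVED


if __name__ == "__main__":
    # Constructed probes: an ordinary office workstation and the jump host.
    probes = ["10.20.1.50", "10.20.5.10"]
    for name, rules in (("not segmented", NOT_SEGMENTED), ("segmented", SEGMENTED)):
        print(f"{name}: reachable = {cde_exposure(rules, probes)}, "
              f"isolates CDE = {is_segmented(rules, probes)}")
```

The check that matters is the last one: a rule base passes only when the set of flows that reach the CDE from out-of-scope hosts is no larger than the set you have deliberately approved. Rule order, not the presence of a deny rule, decides the outcome, which is why the first rule set fails even though it contains a deny for the CDE.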

So again I say, there is no spoon.  Try to imagine a world in which there is no concept of compliance, and you will realize that the end goal for both security and compliance should be a risk-based approach and not a checklist.  Try to imagine a world where there are no QSAs making point-in-time assessments, but an internal and ongoing process of review and maintenance.  Only then will you realize the truth, which is that it is not compliance you dislike but the attackers, and only by understanding their motivations and patterns can you better protect against them.

5 Responses to “There is No Spoon - Compliance in a New World”

By Merrell Sheehan on Mar 11, 2009

    Great post and a solid analogy - despite the reference to an 8-track. Made me remember how old I really am!

By EK on Mar 11, 2009

    Interesting opinions. Most of which I generally agree with. BUT, as there IS a PCI DSS and it IS compliance, there is a point at which you CAN stop and remain compliant. Of course you probably won’t remain secure then (just as you’ve pointed out).

    And your question at the end, “Can a firewall be used to segment a network?”  The answer is YES, as others have said.  Fully stated, the answer is “Yes, a firewall can segment a network provided it is properly configured.”  If you want the answer to be “No” as you’ve stated in the article, you need to change the question to something like “Can ANY firewall be used to segment a network?”  You will probably get a lot more people saying “No” then.

By Michael Dahn on Mar 11, 2009

    EK, thanks for the clarification on adding the “ANY” reference. It’s the thought process I want to convey to people. It also feeds directly into what I’ll be talking about at SOURCEBoston this week on Cloud Computing and Compliance.

By Michael Dahn on Mar 11, 2009

    Merrell, yes, I could have said MP3 player but in a few months even that will be out of date as people clarify with solid-state players. I figured going retro was the only safe bet. ;)

By DAG on Mar 13, 2009

    Here’s another similar thought-provoking saying: “Firewalls are your last line of defence, not your first!”  The thought behind this is that the security of the endpoint is paramount.
