Management: The Enemy of the State

August 11, 2009
In digging through my stored bookmarks, I came back across this article in May’s Information Security Magazine where Richard Mackey tackles the idea of automating compliance and how to do it. Gosh, that requires a treatise, but he does a good job summarizing a few key aspects of the process in the article.

First is the concept of knowing what you don’t know, and that’s pretty much about finding the data that is protected and/or private and then tracking access and authorizations for that information. Don’t minimize the amount of work involved in this step. Whether you want to call it “data governance” or anything else, this step has killed many a compliance effort, as well as most of the stand-alone DLP market. But that’s another story for another day.

Second he dives into identity management, since that both enables the tracking of who does what, and also provides the ability to turn up or shut down access quickly and in an automated fashion. Since most organizations are pretty dynamic by nature (meaning people come and go, and customers come and go, and pretty much everything else comes and goes at different times), it’s hard to see how any organization can really substantiate compliance if they don’t have some level of automation underlying their identity infrastructure. This is another good topic, but not what caught my eye about this article.

What I want to focus on is his discussion of “state management,” which is basically configuration and vulnerability management. Though I buy into his idea of this being the third aspect of compliance automation, I think that from a security operations standpoint it’s as important (if not more important) to get this nailed PRIOR to large-scale identity projects. Yes, this is part religion and part philosophy, but I keep coming back to the issue that, anecdotally, a lot more data is lost because of less-than-secure configurations and the inability to patch against known exploit code than because of provisioning or deprovisioning issues.
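To make “state management” concrete, here is an added example (my own illustration, not code from the article or from Richard Mackey) of what an automated configuration and patch-state check looks like: each host’s observed settings and package versions are compared against an approved baseline, and every deviation becomes a finding an auditor can be shown. The host names, setting keys, package names and version thresholds are all constructed for the example and do not correspond to any real advisory.

```python
"""Constructed example of an automated 'state management' check.

Each host's observed configuration and package versions are compared
against an approved baseline; every deviation becomes a Finding.
Host names, setting keys, package names and version thresholds below are
made up for illustration and are not tied to any real advisory.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # "config" (setting drift) or "patch" (version below minimum)
    item: str       # setting key or package name
    expected: str
    observed: str


# Approved baseline (constructed): required setting values and the minimum
# package versions the organisation has decided carry the fixes it tracks.
BASELINE_SETTINGS: Dict[str, str] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
}
MINIMUM_VERSIONS: Dict[str, str] = {
    "openssl": "1.1.1k",   # placeholder threshold, not a real advisory level
    "sudo": "1.9.5",       # placeholder threshold
}

# Observed state (constructed) as a collector would report it per host.
INVENTORY: Dict[str, Dict[str, Dict[str, str]]] = {
    "web-01": {
        "settings": {"ssh.PermitRootLogin": "no",
                     "ssh.PasswordAuthentication": "yes",
                     "tls.min_version": "1.2"},
        "packages": {"openssl": "1.1.1j", "sudo": "1.9.5"},
    },
    "db-01": {
        "settings": {"ssh.PermitRootLogin": "no",
                     "ssh.PasswordAuthentication": "no"},   # tls.min_version unset
        "packages": {"openssl": "1.1.1k", "sudo": "1.9.7"},
    },
}


def parse_version(text: str) -> List[tuple]:
    """Turn '1.1.1k' into a comparable list: numeric runs sort before
    alphabetic runs, so '1.1.1' < '1.1.1j' < '1.1.1k' and '1.9.7' > '1.9.5'."""
    tokens = re.findall(r"\d+|[A-Za-z]+", text)
    return [(0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens]


def assess(host: str, settings: Dict[str, str], packages: Dict[str, str]) -> List[Finding]:
    """Return every baseline deviation for one host.

    An unset required setting is reported as drift (observed '<unset>') rather
    than silently passing; a package that is not installed produces no patch
    finding because there is nothing to update.
    """
    findings: List[Finding] = []
    for key, expected in BASELINE_SETTINGS.items():
        observed = settings.get(key, "<unset>")
        if observed != expected:
            findings.append(Finding(host, "config", key, expected, observed))
    for pkg, minimum in MINIMUM_VERSIONS.items():
        observed = packages.get(pkg)
        if observed is not None and parse_version(observed) < parse_version(minimum):
            findings.append(Finding(host, "patch", pkg, f">= {minimum}", observed))
    return findings


def assess_fleet(inventory: Dict[str, Dict[str, Dict[str, str]]]) -> Dict[str, List[Finding]]:
    """Run assess() over every host and keep only hosts with findings."""
    results = {h: assess(h, d["settings"], d["packages"]) for h, d in inventory.items()}
    return {h: f for h, f in results.items() if f}


def summarize(results: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings by kind across the fleet; this is the number an
    auditor asks for and the number operations needs to drive to zero."""
    counts = {"config": 0, "patch": 0}
    for findings in results.values():
        for f in findings:
            counts[f.kind] += 1
    return counts


if __name__ == "__main__":
    fleet = assess_fleet(INVENTORY)
    for host, findings in fleet.items():
        for f in findings:
            print(f"{host}: {f.kind:6} {f.item}: expected {f.expected}, observed {f.observed}")
    print("summary:", summarize(fleet))
```

The point of keeping the baseline as data rather than as checks buried in a script is that the baseline itself becomes the documented policy: when the auditor challenges a setting, you can point to the entry, the reason it is there, and the report showing which hosts deviate from it.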

I know, I know, compliance REQUIRES that you know who is accessing what and when. And that gets back to one of Richard’s points relative to doing what’s right for security vs. being forced to do what will get the auditor off your back.

Standards like PCI pretty much require both state and identity management, but there is a lot of variability in what that really means in practice. So, again, it gets back to doing what’s right for your business, documenting the policies, and being prepared and able to defend them when the auditor challenges you.

And they will. So be ready.
