Risky Business: Addressing Risk Management Aversion
When I think of information security in the broadest sense, I immediately think of managing and mitigating risk. I know of no more appropriate way in which to view our discipline and have for years and years (largely due to my diverse background in both research and consultancy organizations) struggled to understand why there is opposition to this point of view. Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’). It pains me to no end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business. It worries me that there is so much opposition to asking and answering three very simple, yet insightful questions about one’s enterprise environment.
It troubles me deeply that there are so many misgivings with respect to the benefits associated with and derived from proper management of risk and the establishment of a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization as a whole and on individual levels amongst business units and individual contributors. Recently I engaged in a thought-provoking conversation with the talented and engaging Mr. Dan J. Molina during which a substantial amount of time was dedicated to discussing this very matter. During the conversation we discussed, in no specific order, many of the points which are debated (some with greater degrees of merit than others) within our industry regarding risk management:
- Risk is inherent in all things; nothing worth doing (or not doing) can be said to be devoid of risk
- To understand risk one must embrace it, not run from it
- Risk can be empowering if one takes the time to explore it or devastating if one ignores it
- Neither men nor organizations of men (in business, government, or life) can eliminate risk; they can only work to manage it via mitigation with the hope of minimizing impact
- Too many people mistakenly equate risk management with compliance – the two are not mutually exclusive, however they are by no means the same thing
- Risk management is hard and, as a result of it being hard, it is undesirable to many, as it requires EFFORT!
- Risk management is an impossible or unrealistic ideal – the Ranum / Schneier debate…it’s rubbish
- The practice of managing risk does not require the invocation of a ‘new school of thought’; there is nothing wrong with the schools of thought present and accounted for today or yesterday; adoption is not dependent on the cohesive nature of the school of thought
- It is both irresponsible and foolhardy to operate as though risk does not require managing or that it is not present in all things
- There is no way to force risk management into effect regardless of how compelling the data supporting it (actuarial data, circumstantial data etc.) is or might be
The discussion of these points gave way to another discussion on whether or not there was merit in simply ‘feeling secure’ as opposed to being secure and having to demonstrate a state of security vis-à-vis evidence of a mature risk posture.
We then discussed the importance of feeling secure as it relates to the demonstration of security vis-à-vis evidence of risk posture, and how both relate to the state of being secure. For many, ‘feeling secure’, as Bruce Schneier has pointed out in the past, is as important as or more important than actually demonstrating security via hard fact. I tend to agree with Schneier on this point: many would be comfortable operating under the belief that they are secure (regardless of whether or not it had been substantiated via qualitative and quantitative means) by virtue of how they feel, as opposed to actually knowing they are secure. In essence the argument boils down to a collective delusion which finds everyone sharing the same experience, the same reality, regardless of its accuracy. This of course is dangerous at best and potentially cataclysmic at worst.
So how do we change the perceptions of risk management within our industry? That is the question! There are many ways to begin, though none are trivial. The process requires us, as industry professionals, to view the subject of risk management as a legitimate discipline or not. This is something which cannot be legislated, nor can it be faked. One either believes or sees the realities associated with being able to manage risk in qualitative and quantitative terms or one does not. It is as simple as that. Risk management exercises (provided they are undertaken) are unique to the individual organizations endeavoring to learn from the process. These organizations rely on transparency and accuracy of data; otherwise their yield is worthless, as it neither reflects fact nor sustains it. Open, honest discourse related to the data brought to bear is essential to this process. Should this be found to be lacking, then the entirety of the process must be called into question, with any and all data points being held under close scrutiny. This blog posting is not, in any way, meant to trivialize the process of risk management or oversimplify the challenges associated with it. By no means is it! It is, however, meant to be a catalyst for thought; a morsel for consideration which hopefully will (ideally) lead to more mature discussions and (God willing) help remedy the madness which clouds and obstructs our collective vision.
On Monday, January 4, 2010, information infrastructure solution giant EMC agreed to acquire Overland, Kansas-based Archer Technologies for an undisclosed amount (Archer Technologies is privately held) and anticipates completing the acquisition sometime before the end of Q1 2010. I am slightly annoyed by this as I love Archer Technologies’ products and think they do a smashing job in the GRC (Governance, Risk, Compliance) software space; however, I am happy for the Archer folks all the same if the deal works to their collective best interests and those of their collective clients and customers. Art Coviello, President of RSA, which has for a while now been the Security Division of EMC, summed up the reasoning for the acquisition best, saying that traditional security management focuses primarily on addressing technology issues but their customers were telling them their real challenges came in the area of policy management, audit and compliance. He concluded by saying “You can’t manage what you can’t see”, a fair point yet rather pedestrian for those more fluent in information risk management, where the real challenge is not being able to secure what you are not cognizant of. It seems as though Archer Technologies will live within the realm of RSA and likely be integrated or, at the very least, coupled with RSA’s SIEM solution, enVision.
All of this is goodness for the end customers and clients of EMC’s current solutions and could prove advantageous for Archer Technologies’ legacy customer base as well. Tools such as Archer are wonderful for influencing and bringing to bear properly architected risk-based process, procedure and policy frameworks while identifying deficiencies where they exist. The challenge is that Archer Technologies does not have legitimate actuarial-based data as do vendors such as Prevari, which enables you to establish sound metrics against the enterprise. Were I working with Mr. Coviello I would have recommended purchasing both, as one without the other is good, but both together demonstrate a more sophisticated and complete view of an enterprise world.
So what will become of Archer? As mentioned previously, we shall see it working with the RSA suite and, if EMC can pull it off, their Ionix unit that aids customers in automating their IT configurations across servers, networks, and storage environments. This would be exciting for enterprises and could prove hugely influential in EMC’s maturity as a security player in addition to their ability to provide more robust solutions geared towards governance and risk management. Jon Oltsik of Network World wrote a wonderful blog post on this topic stating the following for EMC’s choice and reasoning in acquiring Archer Technologies:
- An enterprise GRC architecture:
  - RSA will integrate Archer and enVision into a multi-tiered architecture. The bottom tier will be log management (i.e. data collection, processing, and storage). The middle tier will be data services (i.e. middleware-like functionality including data translation, transaction services, etc.). The upper tier will be dedicated to data analysis. This analysis is dedicated to security and compliance today but it could be used for network operations, capacity planning, and business queries in the future.
- Strategic services:
  - With Archer in tow, RSA becomes one of few vendors who can help companies align security and compliance with business processes. Yes, this will drive product sales but it will also help EMC create valuable strategic services and capture lots more services revenue.
- A bridge to IT Service Management:
  - Aside from security and compliance, EMC is also pushing hard into ITSM with its Ionix product line. EMC will integrate Archer and RSA together linking log management with the CMDB as well as change, patch, and configuration management. In this way, Ionix can help enterprises automate compliance and security management response.
I do not believe this will be an easy task for EMC / RSA to accomplish. They are facing some incredible technical integration challenges between their platforms with this acquisition and their intended integration strategy, and will no doubt struggle to define and articulate a realistic product road map that represents their vision and capabilities to current and prospective customers & clients alike.
Critical Infrastructure Part I Trains and Transit Systems Revised Edition 120509 ready for download!!!
The Payment Card Industry Data Security Standard (PCI DSS) is not the devil incarnate but comes under scrutiny (for good reason – a great deal of which has less to do with the standard itself and more to do with the organizations wrestling with it, along with the credit card corporations themselves), likely as often as the devil himself. Before PCI was PCI, before there was this digital equivalent to “reefer madness”, where fear, uncertainty and doubt solely relegated to the world of the payment card and their affiliated merchant, provider and banking environments seemed to permeate every fiber of the tapestry of the Information Technology and Information Security worlds, all the bigs – Visa, MasterCard, American Express, Discover Card (aka Discover Financial Services), Diners Club and JCB International – all had their own ‘ways’ of assessing the security posture of their vendor / provider networks. Some were more inclusive and detailed than others. That is a fact.
It was ugly, it was cumbersome, it was ineffective and it warranted change, as the credit card corporations and their affiliated banking partners were experiencing fraud and exploitation in a variety of ways from a variety of sources, which ultimately led to a convergence occurring within that world. A convergence which would have impact upon us all for years to come…like chocolate and peanut butter, only not as good. Initially this did not seem like a bad thing. In fact, I happen to believe it was necessary on a small scale to aid in jump-starting awareness. I am proud to be personally acquainted with the primary architect of the original draft of the first PCI standard and know where his mindset was when he drafted it. I know his intentions were pure with respect to this standard. Furthermore, I also know that he did not and does not believe the PCI DSS to be a legitimate replacement for sound risk management practice but rather a starting point for many organizations which had no bearing point. Fair enough. I think we can all accept that, at least those of us who are intellectually honest. What happened? Why all the hubbub? How did something which started out with solid intentions turn into this new and creative form of audit water torture which often yields little in the way of sound risk posture aside from gaining PCI accreditation…for what that is worth…I’m guessing the folks at Hannaford Supermarkets, Heartland Payments and ChoicePoint (parts I & II) know what I’m talking about.
The PCI Standards are easily had these days, as are lists of authorized assessors; however, just because they are easily had (both the ‘standard’ and the assessors) does not mean they are effective. In many respects, PCI reminds me of the early days of HIPAA, the difference being that with PCI people are actually being penalized for failing to comply. Sort of a novel idea really; however, I believe that regulatory and auditing criteria (standards) – important as they are – in and of themselves do not meet the needs of enterprises small and large, private or public, in our world today. What can meet these needs? (cue drum roll): Well designed, business-centric risk management security programs and frameworks. Are they trivial? No. No, they are not. However, neither is PCI, or HIPAA for that matter, and whereas both PCI and HIPAA fall into the Sisyphean category in my view of the world, Risk Management does not. Additionally, if undertaken, risk management initiatives will provide an enterprise with a wealth of information which PCI never would (sorry guys), not on its best day. So the question (or one of them anyway) becomes: Why continue to divert time, effort, resources (personnel and budget) into something so one-dimensional when a properly designed risk-management-based security program can address these and every other regulatory and compliance concern you’re presented with? The bit gods must be crazy…let’s read on.
I believe that the only way to rescue the hearts and minds (and ledger books!) of those responsible for budgets within industry is through demonstration of the intrinsic value of risk management (e.g. enterprise risk management, fiduciary risk management and information security risk management working in concert). This demonstration must be ubiquitous and comprehensive in scope to the enterprise in question touching all areas of the business: customers, business partners, P&L, revenue streams, brand preservation etc. This is something that I feel passionately about as do others within our industry. The fact is that as times and circumstances change (for better or worse), so too will budgets (for better or worse), and if initiatives such as PCI are not reconsidered (given the current volume of spend being seen as a direct result of meeting or achieving compliance with the standard) — in both scope and value, we may very well run the risk of encouraging and incurring new and previously unforeseen risk via new threat vectors previously not considered nor addressable due to a lack of budget (capital or operational), for investment in innovative technologies, processes and people.
Clouded Vision: Cloud Computing and SaaS
Clouds are mysterious. They come in a variety of shapes, sizes, consistencies and architectures. I like clouds; however, I am not sure I want my data floating about in one any more than is necessary. Cloud computing is not my forte; however, security is. I believe that cloud architectures warrant the same directional approach as other architectures; after all, carriers have been securing ‘clouds’ for years. I made a point of not commenting on cloud computing or SaaS (Security as a Service) environments principally because I thought that there were others out there (some very astute and knowledgeable folks) commenting ad nauseam on the topic; however, I felt that the time had come for me to add my input to this topic. Why, you might ask, have I decided to change my opinion on this? Well, to begin with, I feel there is a great deal of “cloudy” (please forgive the pun) thought and messaging being disseminated in the industry today. Many industry experts whose kung fu is stronger than mine, specifically in the realm of cloud architectures, would have us all believing that cloud architectures are new and subsequently superior to that which we have come to know and embrace as the standard in infrastructure today, let alone securing them. Perhaps they are right. Then again, perhaps they are not. Much has been made of the cloud. Many suggest that the cloud is the next generation of computing as we know it and, as such, a complete shift in paradigm.
I, for one, do not believe this to be true. Yes, the advent of cloud computing is popular and, as a result, worthy of note. But new? I think not. As an idea and concept, as I mentioned earlier in this post, the carriers and others (ASPs, MSSPs, and hosting entities – not to mention third party outsourcing entities) have been providing cloud services for decades. One might argue that these are not the same type of clouds and that as such the argument is moot. Well, until someone defines and articulates a standard with respect to clouds, I will maintain my position. In particular, SaaS services strike me as being derivative and familiar. Ask anyone who has worked extensively with Managed Security Service Providers (MSSPs) what their thoughts are regarding SaaS and you will get a number of different responses and more than a fair share of eye rolling.
In fact, one of my former employers offered comprehensive traditional MSSP services in addition to two distinct “cloud driven” solutions – one provided by a third party vendor now owned by Symantec, built around secure messaging and web transactions, and the other built around advanced vulnerability management and compliance. The arguments and justifications used in identifying and selecting these services are shockingly similar (or not so shockingly) to those used when identifying and selecting MSSP services. Just ask anyone who has either written an RFI / RFP / RFQ for these types of services or anyone whose job it was to answer them in their entirety without pulling their hair out. You will note from my photo that I shave my head; I gave up.
So why are organizations embracing these services? To a degree, I believe it has to do with cultural tolerance, profitability, the availability of staff (experienced staff), and the business’s interpretation of the importance of information security as a business enabler; however, I believe there is more than meets the eye here. My experience in the MSSP space demonstrated that there were certain considerations and realities that led to both the introduction of such services and, at times, the displacement of an incumbent provider. Here is a short list:
- Need or desire to reduce costs as they relate to capital or budgetary expenditures:
  - Eliminates / minimizes the need for new capital expenditure on equipment (potentially)
  - Eliminates associated maintenance & support costs for said equipment (potentially)
  - Enables operational security staff to focus on other, more compelling security-driven initiatives on behalf of the business (this is how I used to pitch it)
- Complexity of threats and / or evolution of challenges being presented to enterprise security teams by internal business clients, partners or external clientele continue to challenge and strain pre-existing teams:
  - Expertise is neither easy to come by nor always geographically available; these services can be used to counteract those realities
  - The ability to correlate, normalize and analyze data from disparate network and host elements enables these teams to provide salient detail pertaining to the enterprise and / or its initiatives and user community. This is obviously important and of value to external clientele as well
  - The inability to achieve a realistic risk posture, one which reflects the environment’s physical, logical and procedural state while providing meaningful artifacts and evidence necessary in appeasing internal audit and risk management entities in addition to external auditors and regulatory bodies
- Transference of risk:
  - Often times, though not spoken of (although at times it was spoken of), the transference of risk was the primary driver, though typically it was associated with one or all of the above
- All of the above:
  - Rare, but at times the case
My concerns with respect to cloud computing and SaaS providers stem from the assurances, or lack thereof, being made to potential clients when considering these solutions. I understand that heated debates are going on (probably on a forum near you!) with respect to this very topic and as such I feel it vital to discuss what I feel are solid criteria for initial vetting of these providers. The first rule, however, is that we shall not discuss pricing. Why is this the first rule? Mainly because price varies, as does the quality of the services being rendered; however, the two are not always mutually exclusive. We will, however, discuss the forms in which these service offerings are presented and, as it merits, discuss deal or offering structure. I believe it is necessary for enterprises considering the adoption of such services and architectures to consider how their data is treated as it enters the cloud, what occurs during transmission, what occurs at rest and what occurs during egress. Put plainly, what occurs from the perspective of confidentiality, integrity, availability and assurance? One should always inspect what one expects; scenarios such as this are no exception.
I believe that those organizations providing cloud driven security or SaaS services should follow the example (minimally), set by MSSPs or at least those that I have worked with and competed against, with respect to data preservation and security. In my experience, there is no excuse for short cuts with respect to data integrity and preservation, as such, I have worked with and represented organizations that espoused the same ideological stance on the matter of handling other people’s data. A minimum criterion in my mind includes but is not limited to the following:
- Attainment of accreditation and certification relevant to secured carrier or cloud environments:
  - SAS70-II
  - Safe Harbor
  - SysTrust
- Regular internal & external security assessments and audits performed and delivered by qualified internal employees as well as trusted third parties:
  - Penetration testing
  - Social engineering
  - Application assessment
  - Customer premise ingress (if possible)
- Concise, meaningful documentation of the environment and the ability to produce report deliverables, accreditations, and artifacts upon request
Beauty, after all, is in the eye of the auditor, and his or her interpretation of the standard against which one is being audited is paramount in attaining or maintaining status.
With respect to the monetary value associated with such services, there is no question in my mind that savings can be achieved via the selection and adoption of such services. The value represented in dollars and cents can be arrived at when negotiating initial pricing, as these contracts are typically written for specific durations; sometimes month to month, however it is more often the case that these services are delivered on a term basis (12, 24, 36, 60, 72 months etc.). The more mature the offering and provider, the easier (typically) it will be to estimate initial (capital) signing costs and subsequent savings over time. Numbers do not lie; people do, so inspect what you expect. Again, a familiar model should one look beneath the covers. You might be saying to yourself, “Wait, wait, what if it is a service that is software driven and predicated on a subscription model?”; my assertion is that fundamentally the numbers will either demonstrate value over time or prove to be cost prohibitive, so again, inspect what you expect. In many respects this is no different from any time an enterprise engages in a long-term contract with a third party for the delivery of a service. Whether it’s telecom, call center or SaaS, I believe fundamentally that they are analogous to one another.
Organizational security posture may also play into the immediate revelation of value realized by the organization upon engaging in this type of service agreement. Depending on the condition of the enterprise in question, the needs of its user community and its overall risk posture, costs may vary (most providers will offer various levels of service, all of which will have, or should have, differing degrees of service level agreements, each with its own merits and penalties to be paid to the enterprise client should the provider miss an SLA) in order to enable and empower the enterprise in realizing their goal: protection of their data, their user community and brand, all while minimizing and transferring risk. No decision of this sort should be made in a vacuum and as such, decision makers, influencers, recommenders and stakeholders (departmental and within the various and sundry elements representing the business units which make up the enterprise) should investigate all options available and arrive at a decision which best suits their needs while providing the most value to the business. In doing so, they will effectively enable the business to do what it does best, generate revenue, while fostering a culture of cooperation and partnership. The net effect of this could lead to a fundamental change in comprehension, attitude and application of information security within the enterprise as a whole. In closing, clouds can be beautiful, amazingly striking things or, depending on the conditions, ominous harbingers of storms to come. In choosing wisely you might just be able to remain in Kansas, Toto.
PCI DSS Sisyphean Task?
PCI DSS compliance is a Sisyphean task. I believe this wholeheartedly. Though well intentioned, I feel it is just as challenging as the price paid by Sisyphus for his transgressions against the gods. The myths tell us that Sisyphus was a rather nasty bloke. He was a king who believed he was above the laws of men and gods and was condemned by Zeus for his trickery to be chained in Tartarus by Thanatos (Death personified) for all eternity. Sisyphus, being the crafty fellow that he was, asked Thanatos to demonstrate how the chains worked and subsequently chained Thanatos himself, thusly disrupting the natural cycle of life and death. This deceit led to Ares’ eventual intervention, which led to Sisyphus’ final destination. It is in honor of Sisyphus’ punishment that we in the modern world refer to tasks that are seemingly insurmountable as being of a Sisyphean bent.
I want to be clear that I am not suggesting those who are being tasked with meeting PCI DSS compliance have earned that fate by virtue of their wickedness, as Sisyphus earned his, but that, like Sisyphus, the net result is often an uphill battle that never culminates in victory. It seems that the nature of the PCI DSS standard, and the interpretive flexibility given to QSAs and ASVs responsible for conducting both audits and assessments, results in some cases in Sisyphean ends. Regulatory compliance (and this is not solely reserved for PCI DSS) has somehow become equated with being secure; nothing could be further from the truth. My good friend and former co-worker Josh Corman is fond of quipping that the PCI DSS standard has become the information security space’s equivalent of ‘no child left behind’; in other words, a demonstration of too little too late. I tend to believe that there is nobility in desiring to address the weaknesses which place so many (and so much) at risk; however, we cannot afford to ignore the lessons learned from Sisyphus’ struggle up the mountain. A great deal of time, toil, and effort (let’s not forget exertion and pain) are required to get the boulder (or in this case audit criteria, artifacts, interviews, etc.) up the hill only to see it teeter and begin rolling back down. But had the work been done to begin with, would the boulder ever meet the foot of the hill? The myth of Sisyphus offers many lessons in morality. One which stands out in my mind is that actions have consequences and results may vary.
