Another example involves our VPN deployment. We use strong encryption in transit, with a requirement for multifactor authentication for access to our corporate network, and that is enough to pass PCI, no problem. But what PCI doesn’t uncover is the fact that a user with knowledge of VPN configuration settings can obtain VPN software and install it on any computer in the world, placing that untrusted device on our network. We can overcome that problem with Network Admissions Control or other forms of controls that restrict VPN access to only authorized, corporate-owned devices, and I do intend to address this shortcoming in that way sometime soon. The point is, though, that as far as Level 1 PCI is concerned, we’re good to go.
I have hardly exhausted the examples, but here is just one more, involving the requirements for antivirus and patch management. Most compliance activities represent a point-in-time state: We demonstrate to the auditor that at the time of the audit, all our PCs and servers were up to date with patches and endpoint protection. It would be far better if the auditor had us prove, via metrics, that we maintained a certain level of compliance throughout the year. Many companies rush to get all devices up to snuff for the auditor, and then relax until the next yearly audit.
Compliance is not mere window dressing, but it’s far from a guarantee of security. I will drive that point home as I seek additional budget and head count so that our organization can become more secure, and not merely compliant.
Sign up for CIO Asia eNewsletters.