Maintaining the privacy of personal data is important in many industries. This aspect of computer security has received lots of attention from regulatory agencies, who have issued massive bodies of regulations that must be followed in order to achieve security. They've done it in fintech (for banks) and in healthcare, for example HIPAA. But there's a little problem: if you follow all the security regulations with absolute perfection, you can still be hacked. In many cases, following the regulations makes you less secure! Here are the details.
Are you going to be secure, or are you going to adhere to the security regulations? It's a choice no one should have to make, but it's exactly the choice forced on us by supposedly well-intentioned government agencies and industry groups.
The Simple Solution
There's actually a simple solution to this problem, though it's likely that a well-known really hot place run by things with horns and tails will freeze over before it will be accepted. Why the resistance? It's simple! It's inexpensive! It's marvelously effective! It enables innovation! And most of the people currently involved in the regulatory nightmare would be out of jobs. Sound like a good reason to find fault?
I've described this amazing solution here. It's pretty simple. The regulations declare that consumers' personal information shall not be disclosed to any entity without their explicit approval, whether on purpose or as a result of error or negligence. Make the penalties severe and personal. Exactly how this is accomplished is up to you. And then unleash a torrent of fast, effective security measures. Ones that work!
Why should such a radical approach be tried? Well, among other reasons, the current approach to mandating security just isn't working. Period. Here's a reminder of just how bad it was a couple years ago (and it's not getting better):
What to do while the hot place remains hot
Ok, that's a nice fantasy, but what do you do now? I'm going to be inspected for regulatory compliance, and I've got to pass! Here are the basics of a sensible approach to pass audits and achieve actual security at the same time.
Information and systems security is incredibly important. No one wants systems to be down for any reason or information to fall into unauthorized hands.
Creating systems that can evolve quickly, scale and survive systems failures, while maintaining good performance and near-perfect up time, is really hard, but is core to business success.
- Small organizations have trouble maintaining speed, flexibility and quality as they grow.
- Large organizations are rarely fast and flexible.
Achieving “basic” security (things like firewalls and access control) is easy and normal. Basic measures protect against most threats.
When you go beyond basic security, there are measures that organizations can take that are sensible, proportional to realistic threats, and supportive of the business. The measures are in the spirit of fast, flexible and high quality systems development that lead to business success.
As organizations grow, there are pressures on them to “grow up.”
- In development, organizations adopt industry-standard development processes, and see costs explode, time-lines stretch out and quality plummet. The “solutions” usually make the problem worse.
- In security, organizations call in the experts, get audited, and change lots of things in order to comply with all the lawyer-written regulations. The net result is normally an additional big tax on development (making it even slower and costlier), with dramatic reductions in the actual security of systems and information.
The painful fact is that complying with security regulations is not highly correlated with actually being secure, whether it’s keeping patient records confidential in healthcare or financial information secure in banking and commerce.
- Smart organizations can recognize this and have two efforts: one to maintain actual security, and another to achieve compliance that is “good enough” to pass any audits that may be required.
- Large organizations are more likely to have industry consultants and security specialists who see their jobs as being expert in the regulations and complying with them. This can create the illusion of security without achieving it, while placing an ever-growing burden on the business.
There are many reasons why security regulations are ineffective at achieving their goal. They include:
- Bad guys are always inventing new ways to be bad, and the regulations tend to lag far behind them.
- The regulations tend to be voluminous, detailed specifications for how to achieve security rather than plain statements of what to achieve, which would leave room for innovation and automation.
- You can have highly automated, more effective security measures than specified by the regulations and still fail to be in compliance.
- Achieving compliance tends to be so hard and costly that there is usually little appetite for supporting actual security.
- Meeting the regulations is often so burdensome that compliance in practice tends to be tardy and/or incomplete, further worsening the effectiveness of the regulatory approach.
- Many regulations are written assuming (demanding!) the obsolete, document-heavy waterfall style of software, making compliance while running fast, modern iterative development nearly impossible.
Truly bad things happen when you have actual security breaches, not failures of compliance. Therefore:
- Top priority should be achieving actual security, because failing to do so can seriously harm if not kill the business.
- Second priority should be running the business effectively and efficiently.
- Then should come achieving enough regulatory compliance to stay out of the news and out of serious trouble. There are ways to accomplish this.
Basics of Effective Security
The most important aspect of security is establishing a culture of security throughout the organization. Security is not principally a technical issue—it is a cultural one. It doesn’t matter if you use 128-bit encryption on all of your “data at rest” if your implementation associate puts a million patient records in a Dropbox or a customer service representative emails those records to someone pretending to be an employer. High "walls" don't protect against the bad insider.
As a company with a larger profile, you do need to check the boxes—for example in healthcare, having an assigned HIPAA security officer, doing an annual HIPAA risk assessment, going through an SSAE-16, etc. But you should fill that role with someone who truly thinks about it from a risk-appropriate basis. This is no different from the idea that the ideal Director of QA doesn’t fundamentally think of themselves as the police; the best QA organizations are the small, highly automated ones that are highly integrated with the development team and are equally talented.
The ideal Security Officer is someone with the intellectual flexibility and horsepower to understand and mitigate the real security issues in the organization while also being able to speak the language of the auditors. Those people do exist (although they are rare)—but they think less about how they are responsible for “policing” the organization (which quickly leads to multiple layers of dysfunction, cost, and distrust) and more about how they can work as part of the organization to mitigate issues.
[Thanks to Ed Park for this formulation!]
Security is tough, particularly when the regulations are burdensome and ineffective. The approach and realizations described here are the only ways I've found to be secure while minimizing the regulatory tax.