Security vs. Compliance: What’s the difference?
Compliance vs. security
The first two posts in our compliance blog series focused on managing compliance through automation. In this third post, we take a step back to explore a more foundational — but no less important — topic: What’s the difference between compliance and security? Is compliant infrastructure secure infrastructure?
People often talk about compliance and security as though they’re one and the same. To a certain extent, this makes sense; there is a lot of overlap between the two concepts. But compliant infrastructure is not necessarily secure infrastructure, and vice versa. I’ll use an analogy to explain the difference.
The roof analogy
Say you buy an old house in need of repairs. Some repairs can wait, but replacing the roof is your number one priority. The old one is leaky, and a family of squirrels has found a way in and taken up residence in the attic. You don’t want to replace the hardwood floors and move in all of your furniture only to have them damaged by the elements before the new roof is installed.
So you hire a contractor; she draws up plans and replaces the roof, and all is well. Do you expect it to stay in perfect condition forever? Depending on how long you plan to stay in the house, you might not experience issues with it. But the reality is you will need to replace some shingles — or a branch could fall on the roof. There’s also a decent chance that 10 years down the road there will be another leak. The roofers aren’t going to drop by your house to check on the health of your roof every day.
In this scenario, the roof is your compliance policy. It’s been designed and built to a standard that ensures your house and everything in it are protected — to a certain point. But like most things, ongoing maintenance is required to ensure the roof continues to serve its function. The act of maintaining the roof is your security practice — reacting to threats that arise by consistently applying patches, managing configuration drift, and having a reliable vulnerability management strategy.
To illustrate this point, let’s take a look at a real-world example.
Compliance doesn’t guarantee security
In December 2013, Target revealed that it had been breached, exposing over 40 million debit and credit card numbers. The complete details of the attack are a bit opaque, but the most likely scenario is that hackers retrieved VPN credentials through a phishing attack on a third-party contractor, which enabled remote access to Target’s network. Once inside the network, they were able to install malware on the point-of-sale system, thereby revealing sensitive credit card information used at cash registers in Target stores.
As a major retailer that processes hundreds of millions of credit card transactions each year, Target is legally required to comply with the Payment Card Industry Data Security Standard (PCI DSS), which contains controls — including password requirements and network segmentation rules — that should have prevented such an attack. And in fact, Target successfully passed a PCI audit only weeks before the breach.
How can that be? Did the auditor do an insufficient job? Even as a former auditor, I can’t answer that question. The fact is that it’s entirely possible for a breach to occur, or for sensitive data to be inadvertently revealed, even when a company is found to be compliant. It’s also important to recognize that states of compliance are fleeting. What’s working as expected today may leak tomorrow. Whether malicious or unintentional, system configurations change.
Only the active practice of security can reduce the risks associated with systems being out of compliance.
The regulations that govern your organization — your compliance policy — provide a proactive set of guidelines to establish a defense against most forms of data loss, whether due to a cyberattack or carelessness on the part of an employee. But infrastructure changes, vulnerabilities crop up, and cyberattackers are constantly innovating. If you’re not reacting to these threats — conducting regular scans, managing drift, and keeping up to date with patches — you’re likely to run into some serious problems sooner or later. Even a roof that is built to spec will eventually spring a leak.
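The distinction the post draws, a point-in-time audit versus the ongoing practice of catching drift, can be made concrete in code. The example below is added here and is not from the original post or from Puppet; the control names, expected values and the "observed" snapshots are constructed for illustration and do not correspond to any real standard's requirement numbers. `audit()` is the audit-day check; `DriftMonitor` is the security practice that keeps re-checking after the auditor has gone home.

```python
"""Point-in-time compliance check vs. continuous drift detection.

Constructed example (not the original post's code): the control names,
expected values and the observed snapshots below are made up.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import json

# Constructed baseline: the state the auditor verified on audit day.
BASELINE = {
    "password_min_length": 12,
    "password_max_age_days": 90,
    "pos_vlan_isolated_from_corp": True,
    "vpn_mfa_required": True,
    "unpatched_critical_cves": 0,
}


def audit(observed, baseline=BASELINE):
    """Point-in-time check: return the names of controls whose observed
    value differs from the baseline. An empty list means 'compliant today'."""
    return [name for name, expected in baseline.items()
            if observed.get(name) != expected]


def fingerprint(observed):
    """Stable SHA-256 over a canonical JSON encoding of the observed state,
    so that any change between two snapshots is detectable cheaply."""
    canonical = json.dumps(observed, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class DriftMonitor:
    """The ongoing practice: take a snapshot on every run, note whether the
    system changed since the last run, and report which controls now fail."""
    baseline: dict
    last_fingerprint: Optional[str] = None
    history: list = field(default_factory=list)

    def observe(self, day, observed):
        fp = fingerprint(observed)
        changed = self.last_fingerprint is not None and fp != self.last_fingerprint
        self.last_fingerprint = fp
        event = {
            "day": day,
            "changed_since_last": changed,
            "failing": audit(observed, self.baseline),
        }
        self.history.append(event)
        return event


def first_noncompliant_day(events):
    """Day on which the system first failed a control, or None if it never did."""
    for event in events:
        if event["failing"]:
            return event["day"]
    return None


# Constructed timeline: compliant on audit day, then configuration drifts.
TIMELINE = [
    (0, dict(BASELINE)),                                   # audit passes
    (7, dict(BASELINE)),                                   # still fine
    (21, {**BASELINE, "vpn_mfa_required": False}),         # an exemption slipped in
    (35, {**BASELINE, "vpn_mfa_required": False,
          "pos_vlan_isolated_from_corp": False}),          # a second control drifts
]


def run(timeline=TIMELINE):
    """Replay the constructed timeline through the monitor and return its events."""
    monitor = DriftMonitor(BASELINE)
    return [monitor.observe(day, snapshot) for day, snapshot in timeline]


if __name__ == "__main__":
    for event in run():
        print(event)
    print("first non-compliant day:", first_noncompliant_day(run()))
```

The audit on day 0 returns nothing, which is exactly the "passed weeks before the breach" situation: true at the moment it was measured. Only the repeated `observe()` calls surface that the state changed on day 21 and which control drifted, which is the information a security team needs to act on.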
Jeff Schmied is the Senior Director of IT Security at Puppet.