The word “trust” appears in the tagline for a great many security products and services. But in the business world what we often tout as trust simply boils down to an acceptance of risk and the expectation that we can transfer liability to other parties should that trust be broken.
I contend that there is no place for the concept of “trust” in IT security. Trust, as it relates to business security, is a wholly unreliable concept because of human nature and the laws of unforeseen consequences. For example, in the time it takes an employee to walk away from an unprotected computer screen to get a glass of water, he might allow outsiders to view sensitive information that damages the organization. However inadvertent the action may be, there exists a breach of the organization’s trust by the employee.
If Not Trust, What?
When evaluating an organization’s security posture it can help to think in terms of regulatory compliance rather than trust. By this I mean employee compliance with rules established by internal policies and mandated by those responsible for the organization – both executives and IT managers. Unfortunately, such rules vary widely by organization.
When considering security and compliance, we need to look beyond an organization’s employees and also factor in partners, service providers and even some customers. Again one must ask, do I accept that these people and organizations will each protect the client’s interests? For many third parties this can be a gray area.
Are We Really Compliant?
Consider the example of a business partner migrating mission-critical applications – including those that host other organizations’ sensitive data – to a cloud computing environment. Today this is a common scenario (whether you know it or not), yet organizations moving to the cloud face a multitude of challenges to identify who is responsible for maintaining their data security – and the security of their business partners.
According to the industry analysts, Statement on Auditing Standards (SAS) 70 compliance cited by many cloud service providers has the potential to be misused as a smokescreen. The analysts tell us that SAS 70 is too often misrepresented as “proving” security and regulatory compliance. But your clients should recognize that by itself SAS 70 does not demonstrate compliance with rules for data security, continuity or privacy; rather it is only a self-certification that addresses the preparation, processing and formatting of auditing and financial reporting. So if a vendor tells you that its SAS 70 compliance in any way demonstrates that your data is secure, you should be suspicious of their knowledge, their truthfulness, or both.
Earlier this year, I wrote an article, “The Cloud Challenge: Security”, that was published in Cloud Computing Journal. Recently, I also participated in a podcast on the topic: “IdentityCast: Security in the Cloud – What Every Enterprise Needs to Know”. I urge you to read the article and/or listen to the podcast, as it outlines the roles and responsibilities of enterprises and cloud providers in ensuring data security. Successfully executing transparency, checks and balances and accountability are keys to creating true, continuous compliance, rather than blind trust, for any organization.
Feel free to send me your thoughts or any questions at email@example.com. You can also follow me on Twitter: @liebsoft.