Thursday, January 08, 2009

Making PCI Easy?

Here is an observation about PCI DSS and “making PCI easy.” BTW, before reading further, check out the previous burst of hoopla over this exciting subject - Mike R freaks out and they respond. So, OK, how can one make PCI compliance EASIER? Is this akin to "quick tips on nuclear reactor building", "neuroscience for dummies" or – my fave! – “making complexity science simple”?

So, fine, PCI compliance is NOT easy. And, OMFG, security is definitely NOT easy either. Remember Dan Geer saying that “security is perhaps the most difficult intellectual profession on the planet” (here). Also check this essay, “What is it that makes security hard?” (here).

Alright, we established that. Now what? Should we not try to make it easier to help people who struggle with PCI on a daily basis (and sometimes curse it with much drama…)?

I am not that old, but I remember the times when only “An Enlightened Expert” (by whatever definition) was able to perform the uncanny magic of a vulnerability scan. Today, nobody would argue that Qualys made vulnerability management MUCH easier (still, I would not say that enterprise vulnerability management is easy … don’t hold out for this one :-)). We will soon make web application security scanning easier (yes, we will)! In any case, when people think about “making PCI easier” they often split into two camps:

  1. “Please, please make PCI easier by letting us skip the requirements; or, better, just let us ‘SAY YES ON THE SAQ!’” camp.
  2. “We know that our security program makes us PCI-compliant; please make it easier for us to prove it!” camp.

As you can guess, the organizations that fit into camp #1 and camp #2 are very different: while some in camp #1 will miss the joke in ScanlessPCI :-), those in camp #2 are often concerned with relating their “risk-focused” approach to PCI’s mostly “control-focused” approach. And don’t remind me about confusing a firewall with a fire extinguisher (camp #1).

Moreover, in camp #1 people sometimes say things like (oh horror!) “PCI is already easy, you just need to ‘get scanned’ and answer ‘Yes’ to a bunch of questions.” And so, yes, if a mysterious device called “a firewall” is mentioned in the question, saying “Yes” is probably acceptable :-) Still, it is possible to make PCI easier even for those who just want it gone: make doing the right thing easier for them (while making doing the wrong thing harder).

On the other hand, while in camp #2, one sometimes hears things like “we have a good security program [we manage risk well!] – why should we spend time on that PCI thing? We are probably in good shape already!” These organizations are likely doing a good job with security (OK, “good” in the Ranum-ian sense: by being as insecure as possible while continuing to do business) and want to use all that to quickly “prove compliance.” In this case, making PCI easier will include making it easier to assess, validate and prove compliance and overall make the whole “audit experience” (for those of the L1 variety) a little less painful (BTW, read “Risk vs Risk” on that).

OK, the above is definitely an oversimplification, but you get the point.

So, what are some of the ideas for making “PCI easier”? Make proving it easier, make boring processes simpler thus allowing more time for becoming more secure (but not “more secure than needed”), make choosing the right thing easier (and the wrong thing harder), etc.

Finally, here is a parting thought: have you ever met anybody who wants to “do a good job with compliance [for the sake of compliance]?” Is there any such crowd? :-)


Dr Anton Chuvakin