Wednesday, September 02, 2009

On DLP, PCI and QSAs

Raise your hand if you know what the “S” in “QSA” stands for (hint here).

<dramatic pause> <drum roll> <another, shorter pause>

It actually stands for “security.” “QSA” stands for Qualified Security Assessor (and woe be unto all who ever utter the phrase “PCI auditor”), and such a definition brings up a picture of a dude who is out there assessing security.

So, what happens if said dude thinks that the security intent of a particular PCI DSS requirement in a particular merchant environment calls for deploying a DLP (Data Leak/Loss Prevention/Protection) solution, whether for protection or for data discovery only?

This thoughtful discussion actually started here (“The QSA Conundrum”, please read the comments too) when it was reported that a QSA suggested that the merchant run a data discovery tool to find files containing card data outside of the defined in-scope environment.

As is common with PCI nowadays, such a situation caused non-trivial outrage from both sides of the debate (!). Specifically:

  • “Darn those evil QSAs who ‘invent’ requirements” – whether out of desire to sell stuff or out of being ‘overzealous’ or out of fear of ‘QSA police’ .. eh… QSA QA
  • “Darn those evil QSAs who practice ‘checklist security’” – whether due to not knowing better or out of being ‘easy-graders’ or out of fear of being replaced.

So, is this “inventing requirements through implication” (=bad, results in unneeded stuff being bought) vs “following the intent, not the letter” (=good, results in useful security improvements and compliance)?

My gut tells me to be on the side of the QSA who helps reduce risk by suggesting scanning for card data, but my brain tells me to wait and analyze it. So, let’s try to analyze it a bit.

Back in the day, I said (“A Few More Words on DLP and Compliance”) that DLP vendors underleverage PCI DSS and compliance in general in their marketing due to the lack of any direct mention of DLP in the mandates: “DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and the documentation for these mandates just doesn't mention DLP (or CMF) by name.” That means that there is no specific checklist item to check on that. Obviously, DLP can be useful for data security, but people who treat PCI DSS as gospel (or even – the horror! – as ‘enough security’) will probably not buy it. On the other hand, those who use PCI to help their security, and not just as something to “shoot and forget,” are more likely to get it and utilize it effectively.

For example, check out this PCI Knowledge Base entry: “We are a service provider in the travel industry. […] PCI had a big impact on how we spent our security dollars in 2005 and 2006, and still has an impact today. We would not have DB encryption or Data Loss Prevention (DLP) and other security tools if it weren't for PCI.” This also seems to indicate that “90 percent of [DLP] deployments are for compliance purposes (PCI, HIPAA) rather than for the protection of Intellectual Property.” As a result, I see DLP vendors starting to lean more on compliance to sell their wares. For example, nexTier networks (where I am on the advisory board) just launched Compliance Enforcer, which is a compliance-focused DLP box. Finally, DLP boxes make good compensating controls in some cases (but more on this in the future).

However, the argument of the other side has merit too: a QSA’s magical powers wane at the border of the in-scope environment. It is ultimately the merchant’s responsibility to define where it begins and ends, based on what the PCI DSS document says. This means that a merchant cannot force their QSA to ignore that big database server which stores all the card data, BUT the QSA cannot force the merchant to include that desktop which is properly segmented from the cardholder environment. Even if, due to a bizarre twist of fate, this desktop contains 200,000 PANs in CSV format…
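To make the “data discovery tool” concrete, here is an added example (not code from the original post or from any vendor mentioned in it) of the minimal check such a QSA is suggesting: it finds digit runs in a file that pass the Luhn check and reports them masked (first six and last four digits), so the scan itself does not produce another unprotected copy of the PANs. The CSV sample is constructed; the card values are standard Luhn-valid test numbers, not real cards.

```python
import re
from typing import List, NamedTuple

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits (so a 22-digit serial number is not a candidate).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    masked: str  # first six and last four digits only, as PCI DSS permits


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: double every second digit from the right, sum, compare."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return masked Luhn-valid candidates with the line they appear on."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(line_no, mask(digits)))
    return findings


# Constructed sample: order ids and phone numbers are digit runs that must NOT
# be reported (they fail Luhn or are too short); the card column holds test PANs.
SAMPLE_CSV = """order_id,customer,phone,card
1234567890123456,Alice,415-555-0101,4111111111111111
2345678901234567,Bob,415-555-0102,4111 1111 1111 1111
3456789012345678,Carol,415-555-0103,5500000000000004
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CSV):
        print(f"line {f.line_no}: {f.masked}")
```

A real deployment would walk file shares and mailboxes rather than a string, and would still need a human to confirm hits, since Luhn only filters out random digit runs, it does not prove a number is a card.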

So, what is the conclusion?

  1. Listen to your QSA even if he suggests something that you don’t think is “mentioned in DSS,” and evaluate how/whether it helps you secure the data – think about it as “free services from somebody who otherwise charges $300/hr.”
  2. Next, argue with your QSA if he states that some solution is “mandatory” and – you are in luck! – his company happens to sell it too.
  3. Ultimately, the decision is YOURS, not your QSA’s! This, BTW, applies to both “right” and “wrong” security decisions. You get to live with their consequences!

There is no way to give a more precise answer: PCI is neither “a pill against stupid” nor “a silver bullet” for all things security.

Dr Anton Chuvakin