The fickle nature of risk
Many security companies sell what they call a DLP solution. In many cases this DLP solution is a grouping of regular expressions that looks for Social Security numbers (SSN), credit card numbers (CCN) and maybe a few other items. The limited protocol coverage and limited granularity of the engine get re-positioned as built-in simplicity. Cisco and Proofpoint jump to mind, but there are many others.
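To make the "grouping of regular expressions" concrete, here is an added example (not code from the original post or from any vendor named in it) of the kind of detector such a product runs: a CCN pattern with a Luhn check, plus an SSN pattern, applied to a few constructed messages. It shows why granularity is limited: a Luhn-valid ticket number trips the card rule exactly like a real card number, and nothing in the engine knows which field or business context the digits came from.

```python
import re

# Constructed sample messages for the demo; none come from the original post.
SAMPLES = [
    "Please charge card 4111 1111 1111 1111 for the order.",  # well-known Visa test number
    "Your ticket number is 1234567812345670, see attached.",  # 16 digits, Luhn-valid, not a card
    "SSN on file: 123-45-6789",                               # constructed SSN-shaped value
]

# 16 digits, optionally separated by spaces or dashes, bounded on both sides.
CCN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
# Classic NNN-NN-NNNN shape; no issuance-range check at all.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the usual filter that separates card-like digits from noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (label, match) pairs the regex engine would flag in one message."""
    findings = []
    for m in CCN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # regex alone is noisier; Luhn trims some, not all
            findings.append(("CCN", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    return findings


def scan_all(messages) -> dict:
    """Map each message index to what the pattern engine flags; used for the demo below."""
    return {i: scan(msg) for i, msg in enumerate(messages)}


if __name__ == "__main__":
    for i, hits in scan_all(SAMPLES).items():
        print(i, hits)
```

Message 1 is the point of the example: the ticket number passes both the pattern and the checksum, so a pure regex engine reports it with the same confidence as the real card in message 0. Deciding whether that is a breach or a help-desk ticket requires knowing the data's origin and owner, which is the governance the rest of this post is about.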
At the heart of this approach is an assumption that data security is just another version of network security. A credit card in an email is somehow just the same as a virus in a web download. Well, technically it might seem that way, but I would like to propose that this assumption is as far from reality as possible.
To demonstrate this point, let’s look at the nature of the risk surrounding data security. I will demonstrate using a single standard, with a single set of predefined “punishments”, a similar scope of breach, but a resoundingly different outcome. I compare two incidents where PCI DSS (the payment card industry’s notorious and somewhat silly data security standard) was triggered by a lack of any data governance whatsoever, resulting in massive breaches.
The two companies are CardSystems Solutions, which lost 40 million customer records out of its Tucson office, and TJX, where over 94 million customer records were siphoned (according to the lawsuit filed against the perpetrators of that breach).
The cases are similar:
1. Both companies had very little to no data governance. (The companies will not agree to this point, but a company that sends out 94 million records whether knowingly or not has NO data governance IMHO).
2. Both companies had malware installed that siphoned off millions of records, which were then used to steal the identities of customers.
3. Both companies had an abrupt change in PCI status (fully compliant the day before the breach, and non-compliant the day after – funny, and indicative of a fundamental flaw in PCI DSS).
4. Both companies accepted their responsibility with the caveat that “it was not their fault” (as if it was not their servers, their IT systems, or their lack of governance).
In spite of the above similarities, there is very little resemblance in the risk profile, as can be attested by the outcome of the breach. CardSystems ended up paying the ultimate price, cleaning up shop and being required to sell its assets to Solidus Networks (Pay by Touch). Meanwhile TJX is doing well. The discount retailer thrives in a bad economy, scooping back customers from Nordstrom and Neiman Marcus (Ahem). At most, TJX’s response was summarized in a series of letters from its CEO Carol Meyrowitz.
The one difference between the two scenarios is the risk profile. CardSystems had no public face. They were one of many processors operating in the background. They could not afford the cleanup (expensive post breach hush money to pay-off FTC, PCI members, court fees, class action payoffs, etc.). Visa, MasterCard, and Amex exercised their muscles and forced the company (now without customers) to sell its assets and cease existence.
TJX, meanwhile, was a cash cow, making the credit card industry vast amounts of cash. A “slap on the wrist” was the most the credit card companies did to TJX. After pay-offs (hundreds of millions of dollars) all was well.
(BTW, the latter is not unique: Hannaford Brothers supermarkets had a similar incident with similar results to TJX).
So next time you hear the message that in data security “one size fits all”, I propose that you verify that the technical and business capabilities of the solution really do align with your risk profile.
/al