Posts

Warning: Regulations May Harm Your Security

Like many of you, I have spent decades trying to devise security controls that comply with various regulatory requirements. In some cases, they are actual regulations, like FINRA 17a-4, GDPR, HIPAA, NYDFS Part 500, and PCI DSS. In other cases, the regulation is an industry standard to demonstrate adequate controls to business partners and customers, such as NIST CSF and SOC 2 Type II; or a requirement for some customers, such as FedRAMP. While every one of these is well intended and they all have some requirements that are sensible, they also have the potential to cause harm, primarily in one of two ways.

Regulatory Compliant Does Not Mean Secure

Regulatory compliance is often presented as a voucher or certification. Management often celebrates that we “passed our certification”. First, most of the regulations are not actually certifications. For instance, as a merchant, you are not “certified” under the Payment Card Industry (PCI) Data Security Standard (DSS). You are assessed, and

Single Sign-On

There are two kinds of organizations: those that manage their single sign-on (SSO) system, and those that let their users manage their SSO.

The other day I was in a discussion with a number of security leaders about how important identity management is to your security strategy. Obviously, everyone agreed that identity is very important. After all, if you don’t have a strong identity strategy, pretty much no other component of your strategy will be strong. There is a reason that the first function of the NIST CSF is Identify.

However, the discussion then turned to SSO and whether it didn’t constitute putting all your eggs in one basket, and whether doing so is a good idea. Yes. SSO does constitute putting all your eggs in one basket. But that is a good thing. Why? Because you, as a security leader, control that basket. You know where it is. You know how it is configured. You have already required strong multi-factor authentication (MFA) on it. (You have, right? If not, stop reading th
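Controlling the one basket only pays off if each application actually checks that its logins came out of that basket, and that the IdP asserted MFA rather than a bare password. The following is an added example, not code from the original post: a service-provider-side check over an OpenID Connect style ID token that verifies the signature, the issuer, the audience, the freshness of the authentication event, and the `amr` (Authentication Methods References, RFC 8176) claim. The issuer URL, audience, shared secret and sample tokens are assumptions constructed for the example; a real deployment would verify the IdP's asymmetric signing key from its JWKS rather than an HS256 shared secret.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example (not from the post): the IdP you control, the
# audience it issues tokens for, and an HS256 shared secret (constructed here;
# production code would fetch the IdP's public signing keys instead).
TRUSTED_ISSUER = "https://sso.example.com"
EXPECTED_AUDIENCE = "my-app"
SHARED_SECRET = b"example-shared-secret"
MAX_AUTH_AGE_SECONDS = 8 * 3600

# RFC 8176 amr values that indicate a factor beyond a password:
# one-time password, hardware key, software key, smart card.
SECOND_FACTOR_AMR = {"otp", "hwk", "swk", "sc"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT. Used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_sso_login(token: str, now: float, secret: bytes = SHARED_SECRET) -> tuple:
    """Return (True, claims) if the token was signed by the trusted IdP, is for
    this app, is fresh, and the IdP asserted MFA; otherwise (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, body_b64, sig_b64 = parts

    # 1. Signature: pin the algorithm so the token cannot choose its own
    #    (e.g. "none"), then check the MAC in constant time.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))

    # 2. Issuer and audience: the one basket you control, and this app only.
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        return False, "wrong audience"

    # 3. Token expiry and age of the underlying authentication event.
    if now >= claims.get("exp", 0):
        return False, "expired"
    if now - claims.get("auth_time", 0) > MAX_AUTH_AGE_SECONDS:
        return False, "authentication too old"

    # 4. MFA actually happened: the IdP either says "mfa" outright or lists a
    #    second factor alongside the password. An absent amr claim fails closed.
    amr = set(claims.get("amr", []))
    if "mfa" not in amr and not (SECOND_FACTOR_AMR & amr):
        return False, "no MFA asserted"
    return True, claims
```

The check fails closed: a token with no `amr` claim at all is rejected, which is the behaviour you want when an IdP has been misconfigured to skip MFA for some group. Wire the `(False, reason)` branch to a log line so that a sudden run of "no MFA asserted" rejections shows up in detection.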

Electric Car Charger Basics

Congratulations on your electric car purchase, or at least on thinking about it. The first thing you need to learn about driving electric is that your car is nearly always going to be fully charged when you go to use it, because you will plug it in as soon as you get home. Unlike a car with an internal combustion engine (ICE), where the first thing you do is check how much fuel you have, with an electric car you just go, because it is nearly always fully charged!

The second thing you will learn is that you don’t need to fully charge the car. You just need to charge it enough to get to where you can charge it next. This is very different from an ICE vehicle, where you nearly always fill it up. Because you can plug in almost anywhere (there are 800,000 charging stations in the US, for instance), you don’t really ever worry about it after the first two weeks of driving electric.

Charging Standards

The great thing about standards is there are many to choose from. Electric car charging is no differe