As newly-appointed "Master of the Obvious", Gartner has gone on record to tell us all that breach disclosure is expensive. Well poke my eye and call me blinky!
And lest they be accused of criticizing without offering anything to help the situation, they've recommended a course of action that they say is cheap, easy to implement, and efficacious for preventing exposure. Namely: HIPS, encryption, and audits. Oh yes, I'm perfectly serious. Gartner says that using all three of these technologies is 15 times less expensive than having to disclose a breach:
A company with at least 10,000 accounts to protect can spend, in the first year, as little as $US6 per customer account for just data encryption, or as much as $US16 per customer account for data encryption, host-based intrusion prevention, and strong security audits combined
One might question what these technologies have to do with each other - or why encryption is more complementary to auditing than, say, firewalls. But that aside, these are the technologies they've chosen, and by gum Gartner's sticking to them. Actually, I don't doubt that they are (when compared directly) less expensive than breach disclosure. However, Gartner's Magical Formula (TM) in my opinion completely misses the point - in fact, if you were to follow their instructions literally, they are actually somewhat dangerous. Specifically, while encryption of data may prevent you from having to disclose under certain very restrictive situations, that depends entirely on how you apply it. Moreover, while encryption may have some benefit, HIPS and auditing do nothing to prevent you from having to disclose in the event of a breach, and they do nothing to prevent the breaches from occurring - at least via the most common vehicle we've seen to date. So, in most cases, if you followed Gartner's advice and then had a breach, it'll still cost you what it originally would have, but now you'll pay extra for the "not helping you do anything" measures that Gartner encouraged you to buy.
Look, the number one way that disclosures come about is laptop theft. Say for example that I put a database of New York residents' Social Security numbers, names and addresses on my laptop. I then install a HIPS product and "lose" the laptop in Penn Station. Do I have to disclose to those folks that their data was lost? Yes. Does having a HIPS prevent me from having to disclose? No. How about if I just had an auditor come through and look over my machine right before I donated it to the homeless? Um, guess what - I still have to disclose. So, in the context of preventing disclosure, these measures are, again, valueless. I suppose that someone could argue that having HIPS and audits would prevent compromise from happening some other way (like from some hacker attacking the machine over the network), but how many disclosures have you seen recently that result from hacker activity? Some, but it's pretty rare...
Now, encryption is a different (but more complicated) story - in some cases (SB1386), encryption will provide safe harbor from disclosure. However, under something like DATA (currently in review by the House Judiciary Committee), safe harbor is only provided when a FIPS 140-2 certified module is used (the same applies if you're a federal agency like the VA). Where's that in Gartner's Magic Formula?
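To make "it depends entirely on how you apply it" concrete, here is an added illustration (my own example code, not part of the original post and not any vendor's product) of the lost-laptop scenario from the previous paragraphs. Two constructed laptop images hold the same encrypted record file: on one the key is stored in a file next to the data, on the other the key is derived from a passphrase the owner types and only a salt is on disk. The cipher (SHA-256 in counter mode plus an HMAC tag) and the file names are assumptions chosen for the example; it is a teaching construction and emphatically not a FIPS 140-2 validated module, so it would not earn safe harbor under the DATA rule described above either way.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative stream cipher: SHA-256 in counter mode as the keystream, with an
# HMAC-SHA256 tag so a wrong key is detected. Teaching construction only.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered ciphertext
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # PBKDF2 so the thief cannot cheaply try passphrases against the salt on disk
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

# Constructed sample record of the kind the post describes sitting on a laptop
RECORDS = b"Doe,Jane,123-45-6789,1 Main St,Albany NY\n"

def laptop_with_key_on_disk(records: bytes = RECORDS) -> dict:
    """Encrypted database, but the key sits in a file beside it (assumed file names)."""
    key = os.urandom(32)
    return {"ssn.db.enc": encrypt(key, records), "ssn.key": key}

def laptop_with_passphrase_key(records: bytes, passphrase: str) -> dict:
    """Key derived from the owner's passphrase; only the salt lives on disk."""
    salt = os.urandom(16)
    return {"ssn.db.enc": encrypt(derive_key(passphrase, salt), records), "ssn.salt": salt}

# Constructed list of weak passphrases, standing in for what a finder might try
COMMON_GUESSES = ["", "password", "123456"]

def thief_recovers(laptop: dict) -> Optional[bytes]:
    """What whoever picked the laptop up can read using only what is on the disk."""
    blob = laptop["ssn.db.enc"]
    if "ssn.key" in laptop:          # key stored next to the data: encryption buys nothing
        return decrypt(laptop["ssn.key"], blob)
    if "ssn.salt" in laptop:         # only a salt: must guess the passphrase
        for guess in COMMON_GUESSES:
            plaintext = decrypt(derive_key(guess, laptop["ssn.salt"]), blob)
            if plaintext is not None:
                return plaintext
    return None

def owner_reads(laptop: dict, passphrase: str) -> Optional[bytes]:
    """The legitimate owner supplies the passphrase that never touched the disk."""
    return decrypt(derive_key(passphrase, laptop["ssn.salt"]), laptop["ssn.db.enc"])

if __name__ == "__main__":
    print("key on disk, thief reads:", thief_recovers(laptop_with_key_on_disk()))
    lp = laptop_with_passphrase_key(RECORDS, "correct horse battery staple")
    print("passphrase key, thief reads:", thief_recovers(lp))
    print("passphrase key, owner reads:", owner_reads(lp, "correct horse battery staple"))
```

The point of the two images is the disclosure decision: the first laptop is "encrypted" on paper but the finder reads every record, so it is a reportable loss no matter how many HIPS agents or audit reports accompanied it; the second only holds up if the passphrase is strong, which is exactly the kind of application detail a "buy encryption" line item says nothing about.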
What really gets me fired up about this is the fact that Gartner testified before Congress and stated this same foolishness. Lawmakers aren't going to be technically savvy enough to see that this is just wind... I ask it again: why are we listening to Gartner about data loss? Why not listen to someone who actually has some skin in the game?
Posted by Ed at June 7, 2006 10:59 AM