In reality, best practices are what every company should be doing but almost none actually are. On the off chance that a company is one of the few actually applying a best practice, they are almost always applying it at a fraction of the level they claim they are. The issue here isn't maliciousness or even incompetence, but purely and simply a matter of business realities. In other words: Implementing security best practices isn't seen as being worth the money for the return the company is going to get.
Case in point: Best practices (and various compliance regulations) say that employees should change their passwords every 30-90 days and companies should enforce strong password rules -- that each password should include capital and lowercase letters, numbers, symbols/special characters and be a minimum of 8 characters in length. Due to the aforementioned regulations, this is a best practice that more and more companies have implemented. Yet relatively few organizations are fully in-line with this best practice. It may be easy to implement with an LDAP or Active Directory architecture, but doing the same with UNIX boxes authenticating off of NIS requires third-party software. Many mainframe environments have similar issues as well.
Alternately, let's look at end-to-end encryption. This is a great idea, in principle. If all data is encrypted as it flows across the network, then it's much harder to steal. However, encryption isn't a panacea. Someone can always attack the applications or storage devices to get to the data, so it is important to look at those vectors as well. Even so, if end-to-end encryption is such a great idea, why are so few companies doing it? Why is it that, even if the domain is limited to Web-based applications housing an organization's most critical data, there are still a limited set of organizations that are following this best practice?
This is especially true for the connection between the application servers and the database. Combine this with the loss of passive audit visibility due to encryption and it suddenly becomes hard to justify the total hard and soft costs of implementing end-to-end encryption. As a result, the technology is probably only implemented in extremely security-conscious companies or those who have been badly burned, like Heartland Payment Systems Inc. -- companies who know the monetary value of such encryption in preventing a data loss.
Best practices are often good ideas; it's just that they are often orthogonal to the business realities surrounding them. As a result, no matter how loudly we as infosec pros scream from the rooftops that these security measures are necessary, they just aren't going to happen until the best practices and the business practices come into greater alignment.
As regulations have come about mandating security controls, it has become a lot easier to implement certain technologies to achieve this alignment. I guarantee that if the next version of the Payment Card Industry Data Security Standard (PCI DSS) were to mandate end-to-end encryption, suddenly there would be several thousand companies trying to implement it and there would also be a lot more investment by product companies developing products to help meet this need. On the other side of the coin it is imperative for information security pros to realize that not every industry best practice is the right choice (or even a realistic one) for many enterprises. Next time you see someone offering up a list of best practices, be sure to take it with a grain of salt and a dose of pragmatism.
About the author:
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in August 2009