I was recently at the Nashville Infosec 10 conference where Robert “Bob” Carr of Heartland Payment Systems was the keynote. I’ve had a lot of heartburn about Bob. After Heartland was breached, Bob hit the press junket telling anyone who would listen that it was his QSA’s fault that Heartland had over 100 million credit cards compromised. Bob’s argument was that his auditor, who was also his consultant, was responsible for his security and that financial institutions were not sharing malware or attack information amongst themselves.
I realize Bob isn’t a security practitioner, and I have to applaud how they are now baking more security controls into their payment systems and passing the cost to the merchants. I still think Bob doesn’t quite get everything that went wrong and how those lessons can better protect our data in the cloud.
1) You are always responsible – You are making decisions for the data you control. Your data custodian can provide all the evidence required to gain your trust, but you are still responsible for defending your decisions.
2) Ignorantia juris non excusat – ignorance of the law does not excuse. You need to know which parts of your data are regulated, what those regulations entail, and consider the implications of noncompliance.
3) It doesn’t matter if your data is in the cloud or in your own racks; you need to know every endpoint’s ingress and egress points to your critical data.
4) Be prepared for the worst, and be humble. Accept that you can’t prevent all forms of attack. Reduce and mitigate risk as far as possible, but understand and plan for failure as well. This includes considering breach insurance and other liability protections, as well as incident response plans.
5) Don’t forget the logs. Imagine how much money could have been saved from the Heartland situation, had someone been monitoring their logs and records. You can’t blame an auditor or a consultant for what you aren’t doing.
There are many other lessons we can learn from the Heartland exercise. We should apply these lessons not only to our enterprise, but also to our cloud security posture.