Sneaking around compliance
- TAGS:compliance, IANS, PCI, security
- IT TOPICS:Applications, Government & Regulation, Security
Government and industry data security regulations make us all safer. That's the theory. The reality? Maybe a little different.
That's the observation of Jack Phillips, managing partner with the Institute for Applied Network Security LLC (IANS), a Boston-based security research company. First, he points to the Payment Card Industry Data Security Standard (PCI DSS, usually just called PCI) and observes that its value lies less in protecting consumer data, or the merchants who must comply with it, than in protecting the credit card issuers. He says that without PCI, governments would have stepped in to regulate the industry. For now, PCI has staved off that government intrusion.
But that might not hold forever if Phillips's other observation becomes more widespread: he argues that in some companies, compliance has actually made data less safe.
How?
Phillips says that to comply with new mandates, companies use vendor software to wall off data by policy, so that it can be seen only by the right people in the right context, in what he calls "zones." But sales, marketing and other workers know that once customer data is put into a zone, they will lose access to it. As a result, Phillips claims, some staff members are taking greater risks with customer information, keeping copies of it outside of IT's zones so they can get at it whenever they need to.
These rogue data repositories are beyond IT's control. They are chosen for the worker's convenience, so they can be anything from USB sticks to online storage services. And one can assume that because the workers are already bypassing compliance policies for the data, they don't care much whether the places where they keep it are secure.
"Security is like a balloon," Phillips says. "You push on one side and something pops out of the other side."
Let's hope your security policies aren't being popped by people pushing private data outside your secure zones.