Paper Lunch Sac Firewalls: Information Security Gear is Not Compliance

Owning gear does not make an organization compliant with information security compliance standards. Let’s use the analogy of compliance being lunch.

“We have firewalls, what [information security] compliance requirements are met by us buying them?” This was a question asked of me by a former direct supervisor. He was an interim/acting chief or director of something or other.

“None, having a firewall doesn’t mean we are compliant with anything. We have to make sure it is installed and has been configured with groups of rules, ensure it is filtering and protecting the correct traffic, and ensure it meets compliance requirements.” He told me my answer was insufficient. I was instructed to make compliance requirements fit the organization.

Shortly afterwards I decided to find an organization that practiced security instead of painting a picture of security. He fired me, citing arrogance, condescension, and an argumentative attitude as the reason. I was being honest and providing real information security feedback.

Owning gear does not make an organization compliant with standards, so let’s use the analogy of compliance being lunch. In this analogy the firewall is a paper lunch sac. A lunch sac does little good on its own if there are no access rules, no food, no protection, and no usage restrictions.

Let’s start with who can access it. Only the people making the sac (vendors or software engineers) have access before public use (preproduction). Those putting the lunch into the sac (administrators) get consistent access, while consumers of the lunch (end users) get to use the contents as appropriate.

The contents of any good lunch sac should be appetizing and filling. There will be the main course (the rulesets), a salty side (the configurations), and a receipt or menu (audit logs). Potentially specialty items like a pickled egg (VPN concentrator), a pudding cup (an intrusion prevention system), or a drink such as chocolate milk or a juice box (NAT) may be included.

There are many ways to abuse our lunch sac. The maker could use rice paper and all the contents could spill (data spillage). An enemy could poison us (supply chain attack). An adversary might pretend to be a cook filling the lunch sac (admin takeover). One of the cooks could go rogue (insider threats). A competitor may steal the contents (malicious external hackers or insider threats). Rain could destabilize the composition of the paper (zero-day exploits). The paper could wear out over time and degrade (end of life or obsolescence). All of these things need to be considered, accounted for, and mitigated or accepted.

We need rules for using paper lunch sacs. There should be ways of verifying the manufacturer is making a product that meets standards. We need to ensure that only properly trained cooks prepare the lunch so we don’t become ill or injured. Ways to secure our lunch sac so it can’t be stolen, the contents can’t be poisoned, and our food doesn’t go bad must be established. The same lunch sac can’t be used forever, so standards and guidelines on when we need a fresh lunch sac are required.

Not even a thermal lunch bag (IPS), a plastic lunch box (proxy), a lunch pail (containerization), or plastic bags (EDR) is a full meal. Information security gear may help implement compliance requirements, but it does not constitute fulfillment of compliance requirements. Make sure you are practicing security and not just painting a pretty picture.