Every other post Hoff makes is packed with information that is way over my head, oftentimes making me lightheaded. But he continues to have great posts in between the bleeding-edge ones. I took two points from a recent post of his on the conflict between virtualization and PCI compliance. (PCI DSS requirement 2.2.1, which wants only one primary function per server, may fail every host that “serves” multiple guests of various purposes, although I *might* argue the host serves the single purpose of hosting virtual servers.)
1. Auditors and checklists will always be behind new technology.
2. Auditors need to know what the crap they’re talking about.
If they make certain observations on their audits, they know they need to field questions that may be as obvious as “how do we secure or satisfy this virtualization piece you dinged us on?” If auditors can’t answer questions like that, I wouldn’t be surprised if they decide to fluff through and try not to touch it, which leaves the checklists even further behind the technology and provides even less real security. It all comes down to training and hands-on exposure to the technology.
This is a chicken-and-egg scenario. Can you implement and mature a new technology now, or do you have to wait until compliance catches up to it, which in turn may require someone to implement and mature it in order to learn it…
This is made further painful because it contradicts what I consider a rule of IT and security: technology moves forward. There is no holding it back, putting on the brakes, or waving the yellow flag of security. It inevitably moves forward. (Fine, we can hold some things back a bit, but eventually it simply will happen.) This is especially true if the new technology is economically beneficial. Companies don’t need to think bleeding-edge, but they can’t afford to be lagging badly behind the curve.