Tollef Fog Heen <[email protected]> writes:

> ]] Russ Allbery
>
>> Certification compliance is not something I would ever work on without
>> being paid, personally. It is not enjoyable or fun; it's a job whose
>> only real benefit is the paycheck you get for doing it. That's of
>> course just my personal opinion; maybe someone out there finds filling
>> out ISO 27001 paperwork a great way to spend a lazy Saturday afternoon.
> I'm obviously not going to tell you what you enjoy or not, but I think
> that's a poor (but sadly quite common) way of doing compliance
> work. Compliance work should be like running make check – it's a way of
> testing that your procedures are actually as expected and provide
> verification that the security properties you put into the system still
> hold. If it's compliance for compliance's sake, it'll be thrown out the
> window at the first opportunity.

I'm not sure I understand what you're characterizing as a poor way of doing compliance work. Oh, maybe you're saying that compliance shouldn't only be a paperwork exercise? Sure, that's certainly true, and when I worked on compliance, it wasn't. We built as much of compliance as possible into our software and automated generating the information required for proof of compliance. The goal was to ensure, wherever possible (it's not possible everywhere), that a computer was enforcing the correct process rather than a human having to remember it, and a computer was keeping all the necessary audit trails and generating the compliance reports.

I think this was doing compliance properly? I don't think it was a poor job. There was still a lot of paperwork (which, lucky for me, was mostly done by other people). Nonetheless, it was work, for which I was paid, and which was not interesting or satisfying in its own right, and while some of it is simply necessary to do a good job (similar to how writing a test suite can be tedious but is necessary to do a good job of software development), a lot of the necessary outputs (and audit meetings!) are just annoying or involve effort-to-reward trade-offs that are hard to justify unless you care about the compliance certification specifically.
> As an example, and as someone who holds some keys in Debian (such as the
> cert used to sign uploads to MS for shim signatures), I'd not be
> particularly interested in spending time documenting or proving
> to an auditor what my security controls for that particular key are.

See, right, this is exactly my point. I have done work like this before, but it's not something I'm going to do for free, because it's tedious and annoying. If we want some sort of make test for our procedures, which is certainly a rational thing to want, we'll need to figure out some way to do it that's less tedious and annoying than (at least my experience with) audit and compliance frameworks.

There is, to some extent, a reason why those audit and compliance frameworks do things the way they do, and not all of it is an outgrowth of formalism or bureaucracy. They probably do catch some things that less formal and more streamlined approaches don't. But locking down those last few percentage points of security is a lot of work that we are going to have a pretty hard time finding someone to do for free. People who really care about that should be prepared to pay for it, which also has implications for who should be doing it and how to structure that work.

-- 
Russ Allbery ([email protected]) <https://www.eyrie.org/~eagle/>

