
maldeh | 4 years ago

A more poignant elegy to the modern landscape of compliance theater I have never seen:

> Security Standards. Okta's ISMP includes adherence to and regular testing of the key controls, systems and procedures of its ISMP to validate that they are properly implemented and effective in addressing the threats and risks identified. Such testing includes:

> a) Internal risk assessments;

> b) ISO 27001, 27002, 27017 and 27018 certifications;

> c) NIST guidance; and

> d) SOC2 Type II (or successor standard) audits annually performed by accredited third-party auditors ("Audit Report").

I don't think storing AWS keys within Slack would comply with any of these standards?
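
A small defender-side check for the specific failure named in this comment, leaked AWS access keys sitting in chat messages. This is an added example for the thread, not code from Okta, Slack or any commenter; it assumes messages have already been exported as a list of `{"user", "text"}` dicts (a constructed sample is embedded), and the key values in the sample are AWS's published documentation examples, not live credentials. The secret-key pattern is deliberately only applied to messages that already contain an access key ID, because a bare 40-character base64 run matches far too much ordinary text on its own.

```python
"""Scan exported chat messages for AWS long-term credentials and redact them.

Added example for this discussion; not Okta's, Slack's or any commenter's code.
Assumes messages are already exported as {"user": ..., "text": ...} dicts.
"""
import re
from typing import Dict, List

# AWS long-term access key IDs are 20 characters: "AKIA" followed by 16 base32
# characters ([A-Z2-7]). "ASIA" marks temporary (STS) credentials.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z2-7]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. Alone this
# pattern over-matches, so it is only run on a message that has a key ID in it.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed sample export. The key strings are AWS documentation examples.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"user": "alice", "text": "deploy finished, see the dashboard"},
    {"user": "bob", "text": "here are the creds: AKIAEXAMPLEEXAMPLEAB / "
                            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"user": "carol", "text": "AKIAIOSFODNN7EXAMPLE is the one for staging"},
    {"user": "dave", "text": "akia is not a key, just a word"},
]


def find_aws_credentials(text: str) -> Dict[str, List[str]]:
    """Return access key IDs found in text, plus secret-key candidates if any ID is present."""
    key_ids = ACCESS_KEY_ID_RE.findall(text)
    secrets = SECRET_KEY_RE.findall(text) if key_ids else []
    return {"access_key_ids": key_ids, "secret_key_candidates": secrets}


def scan_messages(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per message that contains at least one access key ID."""
    findings: List[Dict[str, object]] = []
    for msg in messages:
        hit = find_aws_credentials(msg["text"])
        if hit["access_key_ids"]:
            findings.append({"user": msg["user"], **hit})
    return findings


def redact(text: str) -> str:
    """Mask credentials so a finding can be pasted into a ticket without re-leaking it."""
    def mask_key_id(m: "re.Match[str]") -> str:
        s = m.group(0)
        return s[:4] + "*" * 12 + s[-4:]  # keep prefix and last 4 chars for triage

    out = ACCESS_KEY_ID_RE.sub(mask_key_id, text)
    if ACCESS_KEY_ID_RE.search(text):
        out = SECRET_KEY_RE.sub(lambda m: "*" * 40, out)
    return out


if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print(finding["user"], finding["access_key_ids"], len(finding["secret_key_candidates"]), "secret candidate(s)")
    print(redact(SAMPLE_MESSAGES[1]["text"]))
```

Run against the constructed sample it reports bob (key ID plus one secret candidate) and carol (key ID only), and ignores dave's lowercase "akia". Any real hit should be treated as compromised and rotated, not just deleted from the channel.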

hughrr | 4 years ago

Yep. All these standards are tick boxing for liability. Nothing more.

They are not effective security controls and never will be and should never be a measure of that.

dvtrn | 4 years ago

We’ve been monitoring this internally, as customers of an Okta-like service.

I’ve also been closely monitoring the responses from our CTO and VP of Security when someone from our DevOps team posted a link to the Verge article in slack this morning.

Which brings me to this inquiry: How are your orgs responding to this? We have a dependency on an Okta-like provider and my first thought when reading this news was “you know, wonder if we should give our shit a sanity check”, and someone beat me to this, proposed it in slack but the idea was turned down by our SecOps team.

disillusioned | 4 years ago

I don't know if tick boxing was a spoonerism or intentional or a real thing but I love it and am stealing it.

(Upon further review, it appears to be the more UK way of saying it! Ha!)

stefan_ | 4 years ago

And yet Okta is the ultimate in box-ticking technology. They are bought to tick the boxes. So what happens now that the box tickers are not ticking the boxes?

Spooky23 | 4 years ago

They aren’t security controls at all. Just puffery.

I’d look at stuff like FedRAMP as a starting point for the control environment and explore further.

api | 4 years ago

A lot of compliance theater comes from the requirements of insurance companies.

The decision makers have absolutely no idea how any of this stuff works.