Let’s be real. Attackers grow more emboldened by the day. As attack tools become simple enough that even “script kiddies” can use them to wreak havoc on unsuspecting targets, governing bodies are putting added emphasis on tighter regulatory compliance.
All of this is an effort to force companies (and their software and service providers) to implement stricter controls, strengthen their security postures, and give users a better guarantee that their data will remain safe from cyberthieves.
The Cost of Non-Compliance
HIPAA, FERPA, PCI DSS, SOX, FISMA, GDPR, DFARS… and the list goes on.
These acronyms (and a slew of others) strike fear into many upper-level business and IT executives, and for good reason. As data breaches pile up in both the public and private sectors, data privacy regulations such as these are becoming news items in their own right.
After all, failing to achieve, maintain, and demonstrate compliance with applicable regulations can be extremely costly. For example, under the European Union General Data Protection Regulation (GDPR, which takes effect on 25 May 2018), the maximum penalty for non-compliance is €20 million or 4% of a company’s total worldwide annual turnover, whichever is greater.
With this in mind, it’s easy to understand the concern over compliance, particularly by a company’s executive management team.
Who wants their name to come up in relation to a breach? What company wants to be on the receiving end of these fines and penalties?
The obvious answer is—nobody.
Reactively Demonstrating Compliance Is No Longer Enough
The common theme among these various regulations is data protection.
Companies are being tasked with keeping internal and external user data tightly under their control, whether that means preventing unauthorized access to and viewing of information, maintaining secure custody of it, encrypting data at rest and in transit, planning for disaster recovery, deploying antivirus/anti-malware protection, or providing audit trails.
Information security and operations teams are frequently tasked with gathering information to help auditors confirm that their compliance activities meet or exceed expectations. Increasingly, though, potential and existing customers also carry expectations about their providers’ readiness and operating standards, and these expectations often go beyond the ability to reactively demonstrate compliance efforts to proactive, preemptive, and preventive measures.
Some customers will request self-assessment documentation from the provider detailing how it securely manages data, produced with tools like the DHS Cyber Security Evaluation Tool (CSET).
However, many now require Service Organization Control (SOC) reports from their providers. A SOC report (for security, availability, and confidentiality commitments, typically a SOC 2) is an attestation issued by an independent CPA firm under AICPA standards. It serves as reliable proof that a service provider has been audited and can demonstrate that appropriate business controls and secure architectural planning have been implemented.
For the service organizations striving to meet these requirements, maintaining evidentiary data, ensuring that processes are both secure and consistent, and committing the time needed for reporting that substantiates their compliance claims is often a struggle. They may lack the staff or resources to maintain proper records, or they may not fully understand the scope or depth of the information they are required to retain.
As a result, many fall back into old patterns: gathering information and assessing their environments reactively in order to meet audit deadlines. This kind of scramble typically sends IT teams into a frenzy, strains day-to-day operational and security activities, and can result in misrepresentation of security efforts or even completely overlooked operational and control inadequacies.
A Better Approach to Compliance
Any established security program leader will be the first to tell you that they’d rather be proactive with their teams’ efforts, whether with regard to information security or operational efficiency.
Teams that take a proactive approach typically use frameworks and toolsets that let them manage both workforce and customer activities and information. These tools also allow flexible, customizable controls to be established, so that authoritative and organizationally defined rules can be applied to both their processes and their data.
Over time, these teams find it much easier to implement automated controls and processes, which not only reduce human error but also cut the time needed to perform their duties, while still maintaining informative, audited activity records.
Having the right technology in place is another critical factor. When properly implemented and maintained, a modern Identity and Access Management (IAM) solution that includes (but is not limited to) automated identity provisioning and deprovisioning driven by an authoritative source, access certification and workflow with both time-bound and source-data / attribute-based association, automated role management, multi-factor authentication, and detailed auditing goes a long way toward showing that a company is serious about its compliance efforts.
Additionally, combining IAM with a Security Information and Event Management (SIEM) solution for log correlation across disparate systems, IDS and IPS solutions, and centrally managed network and firewall infrastructure can make providing compliance-supporting data a far less intrusive and intensive process when auditors arrive. It also allows IT and security staff to continue managing and monitoring their environments without interruption.
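The provisioning, deprovisioning, time-bound access and auditing pieces described above can be made concrete with a small reconciliation loop. The following Python is an added illustration for this page, not RapidIdentity code or any product API; the HR feed, role rules, current-access inventory, exception list and every name in it are constructed for the example. It derives each identity's entitlements from authoritative attributes, compares them with what the target systems actually hold, revokes access for leavers, orphan accounts and expired exceptions, and emits one audit record per action, which is exactly the kind of record a SIEM would then correlate with authentication and system logs:

```python
"""Attribute-driven provisioning reconciler with an audit trail.

Added example for this article; not RapidIdentity or Identity Automation code.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Authoritative source (e.g. an HR feed): identity -> attributes. Constructed.
HR_FEED: Dict[str, Dict[str, str]] = {
    "alice": {"status": "active", "dept": "finance", "title": "analyst"},
    "bob": {"status": "terminated", "dept": "engineering", "title": "developer"},
    "carol": {"status": "active", "dept": "engineering", "title": "developer"},
}

# Organization-defined role rules: attribute predicate -> entitlements granted.
ROLE_RULES: List[Tuple[Dict[str, str], Set[str]]] = [
    ({"dept": "finance"}, {"erp-reader", "vpn"}),
    ({"dept": "engineering"}, {"git", "vpn"}),
    ({"dept": "engineering", "title": "developer"}, {"ci-runner"}),
]

# What the target systems currently hold. Constructed to show three findings.
CURRENT_ACCESS: Dict[str, Set[str]] = {
    "alice": {"erp-reader", "vpn", "git"},  # git not justified by her attributes
    "bob": {"git", "vpn", "ci-runner"},     # terminated but still provisioned
    "dave": {"vpn"},                        # no HR record: orphan account
}

# Approved, time-bound exceptions outside the role model: (identity, entitlement) -> expiry.
EXCEPTIONS: Dict[Tuple[str, str], date] = {("alice", "git"): date(2018, 1, 31)}


def desired_access(attrs: Dict[str, str]) -> Set[str]:
    """Entitlements an identity should hold, computed purely from its attributes."""
    if attrs.get("status") != "active":
        return set()  # leavers and suspended users get nothing
    ents: Set[str] = set()
    for predicate, grants in ROLE_RULES:
        if all(attrs.get(k) == v for k, v in predicate.items()):
            ents |= grants
    return ents


@dataclass
class Action:
    identity: str
    op: str            # "grant" or "revoke"
    entitlement: str
    reason: str        # why the control fired, for the audit trail


def reconcile(hr: Dict[str, Dict[str, str]], current: Dict[str, Set[str]],
              exceptions: Dict[Tuple[str, str], date], today: date) -> List[Action]:
    """Diff desired vs. actual access and return the corrective actions."""
    actions: List[Action] = []
    for ident in sorted(set(hr) | set(current)):
        attrs: Optional[Dict[str, str]] = hr.get(ident)
        want = desired_access(attrs) if attrs is not None else set()
        have = current.get(ident, set())
        for ent in sorted(want - have):
            actions.append(Action(ident, "grant", ent, "role-rule"))
        for ent in sorted(have - want):
            expiry = exceptions.get((ident, ent))
            if expiry is not None and expiry >= today:
                continue  # approved exception still valid: keep the access
            if attrs is None:
                reason = "orphan-account"
            elif attrs.get("status") != "active":
                reason = "leaver"
            elif expiry is not None:
                reason = f"exception-expired {expiry.isoformat()}"
            else:
                reason = "not-in-role"
            actions.append(Action(ident, "revoke", ent, reason))
    return actions


def audit_log(actions: List[Action], today: date) -> List[str]:
    """One tamper-evident-friendly line per action; ship these to the SIEM."""
    return [f"{today.isoformat()} {a.op.upper():6} {a.identity}:{a.entitlement} "
            f"reason={a.reason}" for a in actions]


if __name__ == "__main__":
    review_date = date(2018, 2, 15)  # constructed review date
    for line in audit_log(reconcile(HR_FEED, CURRENT_ACCESS, EXCEPTIONS, review_date), review_date):
        print(line)
```

Run as a script it prints eight audit lines: carol is provisioned, bob's three entitlements are revoked as a leaver, dave's orphan account loses VPN, and alice loses git because her exception expired on 31 January. Rerun with a review date before that expiry and the exception is honoured, which is the point of the time-bound association: the clock is an input to the control, so it must come from a trusted source rather than the request being evaluated.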
Compliance audits don’t have to become a burden. By taking proper care throughout the life of the organization and putting planning and controls in place early on, informed and supported by regulatory requirements, companies put themselves in a much more proactive, prepared position. This not only makes compliance easier to maintain; their security posture is strengthened and risks are reduced during regular operation, rather than in response to an emergency or other newsworthy event.
Modern IAM solutions such as RapidIdentity provide many of the pieces needed to accomplish these tasks. In fact, we at Identity Automation use our own tools in our own compliance efforts.
While some activities (such as demonstrating valid data backups or network segmentation) fall outside the realm of a modern IAM solution, the ability to use the solution to apply consistent core controls and processes to configurations, as well as to identity and user data, makes it easy to demonstrate both readiness and compliance activities in those areas.