For the past decade, organizations have invested millions in their security and compliance management programs. The unfortunate reality is that they've spent too much to get too little security or regulatory compliance. To this day, many still don't have the ability to ensure — and validate — that their systems are secure from breach and compliant with legal mandates. Why? Because many have thrown people and technology at these problems often in a tactical or ad-hoc manner, but have not tackled security and compliance as the systemic challenges they are.
The predicament so many find themselves in today is understandable because security vulnerabilities and attack vectors always change, as do regulations. In fact, many of our customers must remain compliant with a number of separate regulations that include HIPAA, Sarbanes-Oxley, various state data breach notification laws, the European Union Directive, PCI DSS, and many others. And the costs associated with compliance are high and rising — because enterprises rely too heavily on disparate management frameworks and costly, duplicate manual efforts. Research firm AMR states that two-thirds of the budget for governance, risk, and compliance efforts is earmarked for people-related expenses, such as labor and services.
There are a number of reasons why it is so costly. Companies have too many ill-conceived and duplicate compliance controls. Their security data lies dormant in log files. And there's little, if any, synergy among all of the point security products they've deployed. The result? Teams of people running around the office manually updating clipboards and spreadsheets that are often out of date before the final audit report is even printed.
Also, regrettably, too many organizations equate this level of compliance with being "secure." The Verizon Business RISK Team's 2009 Data Breach Investigations Report, which evaluated 90 breaches that affected 285 million records, found that in an astounding 82 percent of those incidents, the data that could have pointed to the pending compromise was available, but not identified or acted upon.
To avert that unenviable position, mitigate or avoid breaches altogether, and cut the costs of attaining regulatory compliance, organizations need to find a way to improve, consolidate, and coalesce all of the people, processes, and technology already in place for these efforts.
That means putting in place the security and compliance policies that make sense for the organization, and then leveraging the technology — such as identity management, log management, and security information and event management — to automate security and policy compliance enforcement and validation. This doesn't mean deploying new security application after security application; it means establishing a program in which the right people and processes are in place for security and compliance, and that the technology is there to make certain that people and processes are operating within set policies.
Additionally, by mapping internal policies to the requirements of specific regulations, regulatory compliance efforts can be streamlined while reducing risk. An example could be the way that privileged accounts, such as administrative system accounts, are managed. How access to these accounts is managed could affect many different regulations, and an optimal approach would be to create a single privileged user account policy that is used throughout the company. This policy should meet, if not exceed, the requirements of every applicable regulation. Other examples include vulnerability, log, identity, and firewall change management policies. In all of these cases, once the internal policy is tailored to the level of security the organization actually needs, every applicable regulatory requirement is met as a consequence. This cuts costs — as well as the number of teams running around with clipboards and spreadsheets in hand — while increasing security and regulatory compliance.
Three classes of technologies are essential to have in place and working together to ensure that security and regulatory compliance can be proactively managed in that way: identity and access management, log management, and security information and event management. Here's why:
- Identity and access management, with access certification capabilities. Whether it's security, compliance, or just good management, knowing and controlling who has access to what is foundational. We often joke that if an employee stays at a company long enough, he or she eventually will be given access to everything. The more rights an employee is given, the harder it is to remove those rights when the employee leaves or changes responsibilities. This creates serious security weaknesses and regulatory compliance gaps. It is simple: excess application or system rights lead to excess organizational risk. That's why it's crucial that every organization understands who has access to what. Implementing automated controls that tune employee access as jobs and roles change, along with a certification process that continuously verifies appropriate levels of access, will assure that employees have the correct access to applications and resources at all times.
- Log management. All enterprises store a wealth of information about the activities occurring on their networks, platforms, and applications. This includes security- and compliance-relevant data within application and database logs, identity and access management repositories, network device logs, and other systems. In fact, it's quite common for enterprises to store more information than they can manage. A compounding concern is that these logs are often stored and processed in "silos." This segregation of security data means that those analyzing the logs usually receive an incomplete view of the enterprise's true security posture.
As the Data Breach Investigations Report showed, organizations have the data that could warn of, if not avert, data breaches. They just can't cull and correlate the right information from these data stores in a meaningful way.
- Actionable, real-time security event information. Through real-time identification and integration of security-related information and events across the enterprise, suspicious activities and events can be identified and mitigated immediately. These can include everything from unusual log-on attempts to malicious network activity. This capability is essential for security and compliance mandates. Using reports from a three-month-old compliance audit to verify security policy does not get the job done. This is the equivalent of documenting that the barn door was left open 90 days after the cows escaped. Real-time analysis allows us to close the barn door before the livestock exit. That is what any good IT security program should have as its goal.
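The three bullets above describe one loop: an identity repository that says who should have what, logs from separate silos that say what accounts actually did, and a correlation step that turns the two into timely alerts. The following script is an added example, not Novell's code or any product's logic, that ties them together on constructed data: a small identity repository with a per-role policy, two log silos in different formats (a VPN gateway and a database audit log, both invented here), an access-certification pass that flags excess and orphaned entitlements, and a correlation pass that flags logons by terminated accounts, a burst of failures followed by a success, and privileged database actions by a role that should not hold them. All user names, addresses, thresholds and log formats are assumptions for illustration.

```python
"""
Added example (not Novell's code): tie an identity repository to logs from two
silos so that excess access and suspicious logons surface in one place.
All data below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Identity repository (constructed): what each role should hold, and what users actually hold
ROLE_POLICY = {
    "dba": {"db:read", "db:write", "db:admin"},
    "analyst": {"db:read", "vpn"},
    "contractor": {"vpn"},
}
USERS = {
    "alice": {"role": "analyst", "status": "active", "entitlements": {"db:read", "vpn"}},
    # bob kept db:admin from an earlier role: the "access accumulates" problem
    "bob":   {"role": "analyst", "status": "active", "entitlements": {"db:read", "db:admin", "vpn"}},
    "carol": {"role": "dba", "status": "active", "entitlements": {"db:read", "db:write", "db:admin"}},
    # dave left the company but his VPN access was never removed
    "dave":  {"role": "contractor", "status": "terminated", "entitlements": {"vpn"}},
}

def certify_access(users=USERS, policy=ROLE_POLICY):
    """Access certification: report entitlements held beyond the role's policy,
    and any entitlement still held by a terminated user."""
    findings = []
    for name, u in sorted(users.items()):
        if u["status"] != "active":
            if u["entitlements"]:
                findings.append((name, "terminated-with-access", sorted(u["entitlements"])))
            continue
        excess = u["entitlements"] - policy.get(u["role"], set())
        if excess:
            findings.append((name, "excess-entitlement", sorted(excess)))
    return findings

# --- Two log silos in different formats (constructed sample lines)
VPN_LOG = """\
2009-07-14T08:01:10 vpn-gw user=alice src=203.0.113.7 result=success
2009-07-14T08:03:42 vpn-gw user=dave src=198.51.100.9 result=success
2009-07-14T22:15:01 vpn-gw user=bob src=198.51.100.20 result=fail
2009-07-14T22:15:09 vpn-gw user=bob src=198.51.100.20 result=fail
2009-07-14T22:15:18 vpn-gw user=bob src=198.51.100.20 result=fail
2009-07-14T22:15:30 vpn-gw user=bob src=198.51.100.20 result=success
"""
DB_AUDIT_LOG = """\
[2009-07-14 08:05:00] LOGIN user='carol' host=10.0.0.5 status=OK
[2009-07-14 22:16:02] LOGIN user='bob' host=10.0.0.9 status=OK
[2009-07-14 22:16:40] GRANT user='bob' host=10.0.0.9 status=OK
"""
VPN_RE = re.compile(r"(\S+) vpn-gw user=(\w+) src=(\S+) result=(\w+)")
DB_RE = re.compile(r"\[([^\]]+)\] (\w+) user='(\w+)' host=(\S+) status=(\w+)")

def normalize(vpn_text=VPN_LOG, db_text=DB_AUDIT_LOG):
    """Parse both silos into one time-ordered list of (time, source, user, action, success)."""
    events = []
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:  # lines that do not match the expected format are skipped, not fatal
            ts, user, _src, result = m.groups()
            events.append((datetime.fromisoformat(ts), "vpn", user, "login", result == "success"))
    for line in db_text.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, action, user, _host, status = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "db", user, action.lower(), status == "OK"))
    return sorted(events)

def correlate(events, users=USERS, policy=ROLE_POLICY, fail_threshold=3, window=timedelta(minutes=5)):
    """Cross-silo checks against the identity repository:
    - any activity by an unknown or terminated account;
    - a successful logon preceded by >= fail_threshold failures inside the window;
    - a GRANT in the database by a user whose role policy does not include db:admin."""
    alerts = []
    recent_fails = defaultdict(list)
    for ts, source, user, action, ok in events:
        u = users.get(user)
        if u is None or u["status"] != "active":
            alerts.append((ts, user, f"{source}: activity by unknown or terminated account"))
            continue
        if action == "login":
            fails = [t for t in recent_fails[user] if ts - t <= window]
            if ok:
                if len(fails) >= fail_threshold:
                    alerts.append((ts, user, f"{source}: success after {len(fails)} failures"))
                fails = []
            else:
                fails.append(ts)
            recent_fails[user] = fails
        if source == "db" and action == "grant" and "db:admin" not in policy.get(u["role"], set()):
            alerts.append((ts, user, "db: privileged action outside role policy"))
    return alerts

if __name__ == "__main__":
    for f in certify_access():
        print("CERTIFICATION", *f)
    for a in correlate(normalize()):
        print("ALERT", *a)
```

Run as a script it prints two certification findings (bob's stale db:admin right and dave's orphaned VPN access) and three alerts (dave's VPN logon, bob's VPN success after three failures, and bob's GRANT outside his role). The point of the design is that the same identity repository drives both passes: the certification pass would have removed the excess rights before the audit, and the correlation pass catches their use in minutes rather than in a report 90 days later.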
Leveraging identity, system logs, and real-time security information in this way makes it much easier to discover when systems fall out of policy compliance and set them right before there's an audit finding or, even more damaging, a data breach. It also makes it possible to execute an overall risk governance program successfully. In addition to increasing security and compliance, these efforts will cut costs. By correlating all of this information, duplicate processes can be eliminated and ineffective processes improved. It also becomes possible to document adherence to security and policy compliance better, and thus streamline the audit process and cut additional costs. This allows an organization to address the regulations and security threats of today while providing an infrastructure to prepare for the compliance needs and risks of tomorrow. In short, organizations will be able to achieve what they need: fewer people running around with clipboards and an improved, more cost-effective path to sustainable security and compliance.
Ben Goodman is marketing solutions manager of Compliance Management at Novell.