The growing need for a flexible governance and risk management framework

Neither regulations nor security threats are going away, but the right approach to compliance and risk management can be less expensive than the way most organizations tackle these situations today, says Novell's Jay Roxe.
Written by Jay Roxe, Novell, Contributor
Commentary - Despite more than a decade of effort, and billions of dollars invested in IT security and compliance, companies still are getting hit with significant security breaches, regulatory audit findings, and data breach-related costs.

The reason: most organizations remain too focused on the security and compliance fires that spark every day. What else could explain the adverse breach data that continues to be published? Consider the findings of the Ponemon Institute's 2009 Annual Study: Cost of a Data Breach, which put the cost at $204 per record. Compound that cost across thousands – perhaps hundreds of thousands – of records, and the true expense of such breaches easily runs to many millions of dollars.

Ad-hoc security and compliance approaches are not working
No one would argue that security and compliance are not costly, or difficult. However, neither regulations nor security threats are going away. And while the expense and damage of fines and data breaches are quite high, the good news is that the right approach to compliance and risk management is less expensive than the way most organizations tackle these situations today.

Let's use the challenges of a large pharmacy as a hypothetical example. It must deal with Sarbanes-Oxley requirements for its financial reporting, Payment Card Industry Data Security Standard (PCI DSS) mandates for the credit cards it processes, and the Health Insurance Portability and Accountability Act (HIPAA) for patient information. One day, its security consultant finds a PCI DSS control breakdown. This flaw both increases risk and creates a roadblock to compliance. Weeks later, an external regulator finds a HIPAA violation that jeopardizes patient data. What does the pharmacy do in each case?

It does what almost every organization does: it dispatches separate tiger teams to fix the problems. Those teams perform separate ad-hoc risk assessments and file separate reports. Moreover, each is likely to put new and unique controls in place to make sure the situation doesn't recur.

What caused those two, apparently unrelated, breakdowns in security and compliance? It turns out that a number of network vulnerability assessments were not being conducted on systems that contain protected information. Disconnects like this are not only a costly waste; they also increase the risk of more audit findings and weakened security across the organization.

Now our pharmacy lives with a new problem: it has two new controls that perform exactly the same function. Since they were created independently, the requirements of each will differ, and they will likely require separate risk assessments and reports.

This was a simple example, but consider the increased security risk, management costs, and audit findings when such incidents are multiplied throughout an organization. They include password policies, provisioning workflow, access rights, system configurations, log management policies, and many other security and regulatory controls. This is how very small regulatory inefficiencies become costly and systemic problems when they are spread across the organization and IT infrastructure.

If organizations are facing these types of governance and risk management challenges now, how can they expect to reduce risk and govern the dynamic architectures that will be even more dependent on virtualization than they are today? Looking slightly further ahead, how will they manage their much more nebulous cloud environments?

The answer is that they must build a unified and flexible governance framework – a framework that will mitigate risks and cut costs today – while also preparing the organization for even heavier reliance on virtualization and the eventual shift to cloud-based computing.

The move to a unified, flexible compliance and risk management framework
The first step is to get away from the ad-hoc, piecemeal approach to regulatory compliance and risk management. That is best achieved by first taking inventory of all the organization's risk management processes and controls, and then making sure they are clearly defined and documented. As there may be hundreds to thousands of controls and policies in place, depending on the size of the organization, this could take some time and effort. But it's well worth it.

With the inventory of controls and policies in hand, start to simplify and consolidate regulatory controls wherever possible – and map those controls to the organization's systems and data. Rather than having an entirely separate set of controls for PCI DSS, HIPAA, and others, determine the common controls among them and unify those policies into a single framework that can be used to support all regulatory and internal security policy requirements. Use IT tools, where it makes sense, to continuously monitor the effectiveness of the policies and controls in place. This would include log monitoring, identity and access management reports, and security information and event management, among other security and compliance applications.

How many redundant controls can be found? Plenty, depending on the number of regulations an enterprise faces. Is it necessary to have separate password policies across the company? It might be better to have one password policy that can be enforced evenly throughout the organization. The same should be true for provisioning workflow, establishing access rights, managing and monitoring event logs, and most other policies.

Now, should a new regulatory mandate come along – such as requiring a password of a certain length – it is simply a matter of updating that single policy rather than overhauling five separate policies, each with its own layer of oversight and governance. A situation like this is what caused the breakdown within our hypothetical pharmacy above.
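The inventory-then-consolidate steps above, as an added example that is not from the article or from Novell: a small Python model of a control inventory (constructed records for PCI DSS, HIPAA and SOX) that merges controls sharing an objective into one unified control, keeps the strictest parameter so a single policy update covers every regulation, and reports systems whose regulated data is not covered, which is the pharmacy's missed vulnerability assessments. The control identifiers, parameter names and the min_/interval_ strictness rule are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical control inventory, constructed for this example (not from the article):
# what each control does (its objective), which regulation demands it, its
# parameters, and the systems it is currently applied to.
@dataclass
class Control:
    id: str
    objective: str
    regulations: set
    params: dict = field(default_factory=dict)
    systems: set = field(default_factory=set)

INVENTORY = [
    Control("PCI-PW", "password_policy", {"PCI DSS"}, {"min_length": 7}, {"pos-01"}),
    Control("HIPAA-PW", "password_policy", {"HIPAA"}, {"min_length": 8}, {"ehr-01"}),
    Control("SOX-PW", "password_policy", {"SOX"}, {"min_length": 6}, {"erp-01"}),
    Control("PCI-VA", "vuln_assessment", {"PCI DSS"}, {"interval_days": 90}, {"pos-01"}),
    # Created independently of PCI-VA, and never actually applied to the EHR system.
    Control("HIPAA-VA", "vuln_assessment", {"HIPAA"}, {"interval_days": 90}, set()),
]
# Which regulated data each system holds (constructed sample).
SYSTEMS = {"pos-01": {"PCI DSS"}, "ehr-01": {"HIPAA"}, "erp-01": {"SOX"}}

def unify(inventory):
    """Merge controls that share an objective into one unified control, keeping the
    strictest parameter: largest for min_* settings, smallest for interval_* ones."""
    unified = {}
    for c in inventory:
        u = unified.setdefault(c.objective, Control("U-" + c.objective, c.objective, set(), {}, set()))
        u.regulations |= c.regulations
        u.systems |= c.systems
        for key, val in c.params.items():
            if key not in u.params:
                u.params[key] = val
            elif key.startswith("min_"):
                u.params[key] = max(u.params[key], val)
            elif key.startswith("interval_"):
                u.params[key] = min(u.params[key], val)
    return unified

def coverage_gaps(unified, systems):
    """Systems holding data under a unified control's regulations that lack that control."""
    gaps = []
    for u in unified.values():
        for sys_id, regs in systems.items():
            if regs & u.regulations and sys_id not in u.systems:
                gaps.append((sys_id, u.id))
    return sorted(gaps)
```

Running this on the sample collapses five controls into two unified ones and flags the EHR system as holding HIPAA data with no vulnerability assessment applied.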

The advantages for virtualized and cloud-based infrastructures
Consider the importance of this unified and flexible risk and regulatory framework in virtualized environments. There are significant changes to security and compliance when virtualization is introduced to production systems. How are policies mapped to the corresponding virtual machines? How could regulatory controls end up broken when a virtualized workload shifts from one task to another? How are the policy and security controls of these workloads updated when regulations or security threats change?

A unified and flexible risk and governance management framework will help organizations manage the compliance and security of these virtualized workloads much more intelligently.

The same is true for the move to cloud computing. These efforts will help ensure that proper access control systems are in place across physical, virtual, and cloud-based computing services. They will ensure the proper logs are being managed, data privacy controls are in place, and other security policies are enforced, whether the work is taking place in the main data center, a virtual system in a remote office, or in a cloud service provider’s facility anywhere in the world.

Building a flexible governance and risk management framework is not easy or inexpensive – but it is easier and costs a lot less than the price of data breaches, regulatory fines, and the wasted labor used to react to regulatory and security-related fires. It can be achieved by building a risk management framework that is at least as flexible as the IT infrastructure.

Jay Roxe is Director of Solution Marketing, Identity and Security for Novell.
