Five key elements to complete IT compliance
By Gavin Selkirk April 7, 2015
- The needs of the business have often overruled the requirements of compliance
- But organisations need to plug the gap between security and operations (SecOps)
Startup Uber recently acknowledged that it suffered a security breach, which resulted in the disclosure of the names and drivers’ licence numbers of about 50,000 drivers.
Closer to home, several Hong Kong government websites were hacked by ‘hacktivist’ group Anonymous, in a show of support for the Occupy Central movement.
Breaches like these are rarely random events, and more often than not a lapse in IT compliance is part of the cause.
The Economist Intelligence Unit (EIU) recently published a report, Sharing the blame: How companies are collaborating on data security breaches, which showed that breaches are occurring at a high rate in Asia.
Consistent with the title of the report, only 35% of the Asian companies surveyed were confident that they had not experienced a data breach in the past year.
The needs of the business have often overruled the requirements of compliance, with enterprises purchasing any and every solution they believe will help increase company productivity, efficiency, and communication.
This has resulted in several companies having disparate IT systems, and compliance standards being placed on a backburner.
The entry of cloud computing and social media, and a rising trend of employee-owned devices, makes it even more of a challenge for IT managers to ensure complete compliance across the workplace for regulatory requirements and practices.
Security and operations teams both play crucial roles in compliance. It is the job of the security team to spot issues, but it relies on the operations team to make the changes. Operations may not be as proactive in making those changes, because it does not fully recognise the security threat and would rather take a ‘wait and see’ approach than unsettle employees with frequent changes.
This means that the time between security issue identification and resolution can be a period of weeks or even months.
In view of recent high-profile security breaches and compliance failures, organisations need to find a way to plug the gap between security and operations (SecOps).
How can organisations modernise their approach to compliance and close the SecOps gap with a strategy designed for today’s complex, dynamic IT environments?
Regular automated discovery ensures that compliance efforts cover all relevant applications and infrastructure.
Some approaches to discovery focus on the ‘core’ system, but the reality is that non-core systems can sometimes be a bridgehead in the network for attackers.
This is even more true of unofficial systems, which may not be properly patched, hardened, or updated. Whether or not a system is managed by the security team, it is the security team that will be held responsible for any breach that passes through it.
To ensure that the entire environment can be brought in compliance, a comprehensive discovery capture needs to include both unofficial and unmanaged systems as well as any temporary modifications, virtualised assets, and other relevant dependencies.
Security teams should look for a flexible system that allows them to define the desired compliance or security state by rule.
A library of pre-defined policies such as PCI-DSS, HIPAA, DISA STIG, and SOX, including both audit and remediation capabilities, can be used as templates, or customised and extended to meet individual requirements.
With greater confidence in the accuracy of audit results, the operations team can take corrective action more decisively.
SecOps teams need to have complete visibility into the state of the environment at any time, rather than just a configuration snapshot taken prior to the audit.
The team will want to look into ongoing audits, which can provide real-time data feeds and help in verifying compliance.
Compatibility with other tools, and even with manual configuration management, is a must if adoption is to be seamless and SecOps is to spot issues on the fly.
The best solution to close the SecOps gap would be to provide both teams with a common context point to unify audit and remediation.
In terms of remediation, the operations team would appreciate a system that provides the option to make targeted, specific changes only to the parts of a file that are affected by compliance violation, rather than replacing the entire file.
Remediation is not the end of the process: any exceptions that remain need to stay fully transparent, with the system designated as ‘compliant with exceptions’ rather than simply compliant or non-compliant.
To keep remediation under control, role-based access control and delegation should be included so that only approved users are able to execute changes.
Of course, an option for the operations team to return to a known good state if necessary would be reassuring.
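As an added illustration of the audit-and-remediation loop described above (rules defining the desired state, a ‘compliant with exceptions’ verdict for waived findings, targeted edits to only the offending values, and rollback to a known good state), here is example code that is not BMC’s product or the author’s own. It works on a constructed sshd_config-style file; the rule values, the waiver text and the `syntax_ok` stand-in for a real validator such as `sshd -t` are all assumptions made for the example, not an official benchmark. Role-based access control is out of scope here.

```python
# Added example (not from BMC or the article): rule-based audit, waivers,
# targeted remediation and rollback for an sshd_config-style file.
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample configuration: two real violations, one waived, one absent.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes   # should be 'no'
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Desired state as rules: directive -> required value (assumed policy values).
RULES = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Protocol": "2",
}

# Approved exceptions: directive -> business justification (constructed).
WAIVERS = {"MaxAuthTries": "CHG-0001 (hypothetical): legacy tooling needs 6 tries"}

# Matches 'Directive value' with optional indent and anything trailing (comment).
LINE_RE = re.compile(r"^(\s*)(\S+)(\s+)(\S+)(.*)$")


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None means the directive is absent from the file
    waived: bool


def effective_settings(text: str) -> dict:
    """sshd honours the first occurrence of a directive; later duplicates are ignored."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2).startswith("#"):
            continue
        settings.setdefault(m.group(2), m.group(4))
    return settings


def audit(text: str, rules: dict, waivers: dict) -> list:
    """One Finding per rule whose effective value differs from the desired state."""
    present = effective_settings(text)
    return [Finding(d, want, present.get(d), d in waivers)
            for d, want in rules.items() if present.get(d) != want]


def verdict(findings: list) -> str:
    if not findings:
        return "compliant"
    if all(f.waived for f in findings):
        return "compliant with exceptions"
    return "non-compliant"


def remediate(text: str, findings: list) -> str:
    """Change only the offending value on the effective line; comments, order
    and spacing elsewhere are untouched. Absent directives are appended."""
    pending = {f.directive: f.expected for f in findings if not f.waived}
    out = []
    for line in text.splitlines(keepends=True):
        m = LINE_RE.match(line.rstrip("\n"))
        if m and m.group(2) in pending:
            indent, directive, gap, _old, rest = m.groups()
            line = f"{indent}{directive}{gap}{pending.pop(directive)}{rest}\n"
        out.append(line)
    if out and not out[-1].endswith("\n"):
        out[-1] += "\n"
    for directive, value in pending.items():  # directives missing entirely
        out.append(f"{directive} {value}\n")
    return "".join(out)


def syntax_ok(text: str) -> bool:
    """Stand-in for 'sshd -t': every non-comment line must be 'Directive value'."""
    return all(LINE_RE.match(line)
               for line in text.splitlines()
               if line.strip() and not line.lstrip().startswith("#"))


def enforce(text: str, rules: dict, waivers: dict,
            validate: Callable[[str], bool] = syntax_ok) -> tuple:
    """Audit, remediate, re-audit and validate; if the result fails validation or
    is still non-compliant, return the known-good input unchanged (rollback)."""
    findings = audit(text, rules, waivers)
    if verdict(findings) != "non-compliant":
        return text, verdict(findings)
    candidate = remediate(text, findings)
    new_verdict = verdict(audit(candidate, rules, waivers))
    if not validate(candidate) or new_verdict == "non-compliant":
        return text, "rolled back"
    return candidate, new_verdict


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, RULES, WAIVERS):
        print(f"{f.directive}: want {f.expected!r}, have {f.actual!r}"
              + (" (waived)" if f.waived else ""))
    fixed, result = enforce(SAMPLE_CONFIG, RULES, WAIVERS)
    print(result)
    print(fixed, end="")
```

The waived `MaxAuthTries` finding is left in place and still reported, so the post-remediation verdict is ‘compliant with exceptions’ rather than ‘compliant’; passing a validator that rejects the candidate (or a rule set the edit cannot satisfy) returns the original text untouched, which is the rollback path the operations team wants.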
Compliance cannot come at the expense of business support. Security teams need to make changes with full visibility into their implications for the business, and govern these processes in a way that minimises their impact – such as not rebooting servers in the middle of a payroll run.
Compliance teams need to reassure operations and other stakeholders that compliance remediation will not pose risks to the production environment or interrupt essential services at inopportune times.
Any effective approach to compliance must address the SecOps gap head-on. Security teams need changes to be made more quickly. Operations teams need to ensure that these changes will not create new problems.
Both sides have to find a better way to communicate and collaborate with each other and the appropriate IT service may just be the answer.
Gavin Selkirk is president of BMC Asia Pacific.