There are many compliance regulations (e.g., PCI, HIPAA, FISMA, GDPR), and some organizations have to deal with several of them concurrently. Compliance regulations are often very detailed and subject to frequent change, and many of the requirements are open to interpretation, both on how best to meet them and on how to demonstrate that they have been met.
Most businesses face challenges when trying to understand and comply with regulations, so there are many consulting organizations to aid them in their journey. The SANS Institute, a cooperative research and education organization for security professionals, breaks these regulations down into the Top 20 Critical Security Controls (now maintained by the Center for Internet Security as the CIS Controls) and maps those controls to the regulations above.
There are many solutions available on the market, and just like the regulations, none of them is comprehensive. Some of the more useful ones offer a complete inventory of all the assets involved, including hardware, software and services. Others keep a record of the configurations of all the devices involved, such as network, security and systems. Some vendors do a very nice job of creating organized reports that can be viewed on a web-based dashboard or exported as a document. However, none of them offers cradle-to-grave compliance support.
What customers really want is a "one-click" solution providing daily, weekly, and monthly reporting that can be archived as a formal record and be available during an audit. They also want to be able to prove that their environment is compliant right now, either to themselves or to an auditor.
And yet, compliance is still a struggle. According to Verizon’s Annual Payment Security Report from 2018, approximately 50% of organizations that process payments are fully PCI compliant.
Most organizations do not have the proper resources in staff or IT to keep up with these projects, and as a result there is a growing services sector to help meet these demands, at additional cost.
Compliance versus Security
An important aspect of all of this is the classic compliance versus security debate. You can be completely compliant with one or all of the regulations listed above, but that does not guarantee security. In fact, there are a number of large enterprise networks and systems in the government, financial, and technology sectors where the environment was "accredited" by an external approval authority (in theory this is an annual event; in reality most organizations do it every 3 to 5 years, if at all). Despite these accreditations, those same environments still suffer significant incidents, breaches and losses of data.
One of the biggest challenges is "compliance drift", where an environment is considered compliant on Day 1 but loses that compliance after one or more changes. Generally, organizations do a good job of verifying the detailed configurations of firewalls, routers, switches, servers, and end systems, ensuring they are still compliant after any approved change. However, maintaining compliance across an entire system, or after the addition of a new application, service, or network, is much harder: the new component is often never measured against the baseline at all.
It is important to understand the overall behavior of the environment and its interconnected systems, before, during and after a change, as well as what is "normal" for that environment. Security and compliance professionals should take into account "seasonal" business events, whether end of month/quarter/year or daily/weekly events like back-ups or security updates. Too often there are unexpected consequences after an approved change, and if that change has to be backed out to restore service, the environment is left more vulnerable than before.
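As an added illustration of the "compliance drift" problem described above (example code written for this page, not a FlowTraq product or anything from the original post), the script below keeps a Day 1 baseline of a few device settings, fingerprints each device's configuration, separates approved changes from unapproved ones, and then re-runs the controls against the current state so that a device added after Day 1 is checked too. The device names, setting names, addresses, control requirements and the approved-change record are all constructed for the example.

```python
"""Compliance drift check: Day 1 baseline vs. current state, with an approved-change record.

All device names, settings and values below are constructed sample data for this example.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Config = Dict[str, str]

# Constructed "Day 1" baseline: what each device looked like when it was accredited.
BASELINE: Dict[str, Config] = {
    "fw-edge-01": {"ssh_version": "2", "logging_host": "10.0.5.20", "allow_telnet": "no", "ntp_server": "10.0.5.10"},
    "sw-core-01": {"snmp_community": "<redacted>", "logging_host": "10.0.5.20", "allow_telnet": "no"},
}

# Constructed current state: one approved change, one unapproved change, one brand-new device.
CURRENT: Dict[str, Config] = {
    "fw-edge-01": {"ssh_version": "2", "logging_host": "10.0.5.21", "allow_telnet": "no", "ntp_server": "10.0.5.10"},
    "sw-core-01": {"snmp_community": "<redacted>", "logging_host": "10.0.5.20", "allow_telnet": "yes"},
    "app-new-01": {"logging_host": "", "allow_telnet": "no"},
}

# Change-control record: (device, setting, approved new value). Hypothetical.
APPROVED: Set[Tuple[str, str, str]] = {("fw-edge-01", "logging_host", "10.0.5.21")}

# Hypothetical controls every device must satisfy, regardless of when it was added.
REQUIRED_VALUES: Dict[str, str] = {"allow_telnet": "no"}
REQUIRED_NONEMPTY: Set[str] = {"logging_host"}


@dataclass(frozen=True)
class Drift:
    device: str
    key: str
    old: Optional[str]
    new: Optional[str]
    approved: bool


def fingerprint(config: Config) -> str:
    """Stable SHA-256 over a canonical JSON form; store it with the compliance record."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()


def find_drift(baseline: Dict[str, Config], current: Dict[str, Config],
               approved: Set[Tuple[str, str, str]]) -> List[Drift]:
    """Per-setting differences for devices that existed on Day 1 (new devices are reported separately)."""
    drifts: List[Drift] = []
    for device in sorted(baseline):
        old_cfg, new_cfg = baseline[device], current.get(device, {})
        if fingerprint(old_cfg) == fingerprint(new_cfg):
            continue  # fast path: nothing changed on this device
        for key in sorted(set(old_cfg) | set(new_cfg)):
            old, new = old_cfg.get(key), new_cfg.get(key)
            if old != new:
                drifts.append(Drift(device, key, old, new, (device, key, new) in approved))
    return drifts


def check_controls(current: Dict[str, Config], required_values: Dict[str, str],
                   required_nonempty: Set[str]) -> List[str]:
    """Re-evaluate the controls against the live state, so devices added since Day 1 are covered."""
    violations: List[str] = []
    for device, cfg in sorted(current.items()):
        for key, want in required_values.items():
            if cfg.get(key) != want:
                violations.append(f"{device}: {key}={cfg.get(key)!r}, required {want!r}")
        for key in sorted(required_nonempty):
            if not cfg.get(key):
                violations.append(f"{device}: {key} is not set")
    return violations


def compliance_report(baseline: Dict[str, Config], current: Dict[str, Config],
                      approved: Set[Tuple[str, str, str]], required_values: Dict[str, str],
                      required_nonempty: Set[str]) -> dict:
    """Summarise drift and control status; 'compliant' means the current state passes every control."""
    drifts = find_drift(baseline, current, approved)
    violations = check_controls(current, required_values, required_nonempty)
    return {
        "new_devices": sorted(set(current) - set(baseline)),
        "approved_changes": [d for d in drifts if d.approved],
        "unapproved_changes": [d for d in drifts if not d.approved],
        "control_violations": violations,
        "compliant": not violations,
    }


if __name__ == "__main__":
    report = compliance_report(BASELINE, CURRENT, APPROVED, REQUIRED_VALUES, REQUIRED_NONEMPTY)
    for section, items in report.items():
        print(f"{section}: {items}")
```

The two pieces that matter are the approved-change record, which turns "something changed" into "something changed that nobody signed off on", and the decision to evaluate the controls against the current inventory rather than against the Day 1 device list, which is what catches the new application server that was never baselined. Archiving the per-device fingerprints with each run gives the dated record an auditor asks for.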
Bottom line: keeping up with all of the compliance regulations in your industry is a challenging task, further compounded by having to maintain the overall security of that same environment. There are difficult decisions to be made when applying resources to meet these requirements. Your environment may in fact be compliant with one or all of the regulations listed at the beginning of this blog, but that does not guarantee that the environment is secure. The savviest businesses know that compliance and security are related but not the same thing, and plan for both.
Richard Larkin is a Solutions Architect at FlowTraq, a Riverbed company, and a Boston native. When he's not defending the world from bad guys, he really enjoys yoga with his wife, getting silly with his grandchildren and playing golf with anyone.