Best Practices for Merging Security and Compliance
Within many organizations today, security and compliance teams are running in isolation. This introduces significant enterprise risk, as the security team might be doing what’s best to combat advanced attackers, but their actions may not be in compliance with corporate, industry or federal guidelines. Similarly, the compliance team might be laser-focused on adhering to regulations, but their strategy might be introducing security risks. Tim Woods, VP of Technology Alliances at FireMon, outlines the challenges of operating security and compliance in silos.
Every compliance initiative – whether regulatory or internal – poses the same central question: Are you monitoring for change? While the question is a simple one, for many companies, the answer remains elusive.
Whenever there’s a data breach, compliance failure or system outage, the first thing business leaders want to know is: What changed? And, too often, the response from security and compliance teams is “nothing,” when, in fact, change is happening – they just don’t know about it. By no means are these teams attempting to mask the truth; they are simply being forthright with the limited information available to them.
Maintaining awareness of network and access changes is an important element in achieving a strong security and compliance posture, along with reliable network operations and services. But change management is a complex challenge for many companies for two reasons: 1) limited team collaboration and 2) lack of visibility.
Uniting Business, Security and Compliance Teams
Mastering change management and successfully achieving compliance goals requires collaboration. Business, security and compliance teams must consistently work together and share information. Yet, within many organizations, these teams run in isolation, which can introduce significant enterprise risk. For example, security professionals may do what’s best to combat advanced attackers, but their actions may not be compliant with corporate policies or industry regulations. Similarly, the compliance team may be laser-focused on adhering to regulations, but their strategies may introduce significant gaps in security defenses. Last, but certainly not least, business teams often deploy new applications and services as quickly as possible to speed time-to-market, leaving security and compliance as afterthoughts.
The effects of departmental silos can significantly impact an organization’s ability to achieve compliance objectives, and policy creation and management serves as a great example. When a new access request or a change request is submitted, the security team needs to know information such as:
- Who is requesting the access or change?
- Is the request for someone other than the requestor?
- What is the associated department?
- What access is being requested (i.e., access to what data or systems)?
- What is the business justification for the request?
- Where will the access come from?
- What is the expected duration of the access?
- When does this access need to be in place?
Many times, because of the communications barriers that exist between their team and the business and compliance groups, security professionals don’t get the information they need to develop the best possible access policies. This often results in rules and policies that are inaccurate, non-compliant, redundant, outdated or overly permissive. For example, security professionals might grant access beyond what is required to meet the needs of the business, they might provide access to the wrong data or systems, or they might fail to provide sufficient documentation to prove they are following compliance requirements.
When business teams provide appropriate context around the objectives behind their requests, security professionals can create intent-based access rules that uphold security and compliance requirements and then provide the compliance team with the appropriate documentation proving new policies are compliant with internal, industry and federal mandates. When these three equally important groups work in unison – rather than isolation – network and access change information can be shared, the appropriate actions can be taken, and the success rate of compliance projects increases dramatically.
Gaining Visibility into Network Changes
Monitoring for access and network changes was a lot easier in the simpler days of security, when IT infrastructures were much more streamlined and a concrete perimeter existed to separate a company’s assets from the outside world. In today’s world, however, security and compliance teams are responsible for networks, servers, databases and desktops while managing the complexity created by cloud computing, virtualized application deployments, containerization of applications, software-defined network services and other new technologies made possible by digital transformation. These diverse and highly distributed IT infrastructures make it impossible to manage change with manual processes, because they simply cannot scale to keep pace with the growth in complexity.
The evolution of IT infrastructures now demands automatic and dynamic change management, where real-time change monitoring solutions detect, capture, alert on, analyze and report on changes as soon as they happen – and, thankfully, this technology exists today. Real-time change monitoring solutions:
- Detect changes as they happen,
- Perform a differential comparison of the previous configuration to the newly modified configuration and
- Provide a delta change report following the differential comparison that states which monitored device was changed, when the change was made, who made the change and details of the change.
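As an added illustration (not code from the article or from FireMon), the following Python script performs the three steps above on two constructed snapshots of a hypothetical firewall rule base: it detects the change, runs a differential comparison, and produces a delta report that records the device, time, author and details. It also ties back to the access-request checklist earlier in the article by flagging any added or modified allow rule that is overly permissive or has no linked change request; the device name, rule names, addresses and ticket data are all assumptions.

```python
from datetime import datetime, timezone

# Constructed sample snapshots of a firewall rule base on a hypothetical device.
# Each rule: name -> (source, destination, service, action).
PREVIOUS = {
    "allow-web": ("10.0.1.0/24", "10.0.5.10", "tcp/443", "allow"),
    "allow-db":  ("10.0.5.10",  "10.0.6.20", "tcp/5432", "allow"),
    "deny-all":  ("any", "any", "any", "deny"),
}
CURRENT = {
    "allow-web": ("10.0.1.0/24", "10.0.5.10", "tcp/443", "allow"),
    "allow-db":  ("any",        "10.0.6.20", "tcp/5432", "allow"),  # source widened to any
    "allow-ssh": ("10.0.9.7",   "10.0.5.10", "tcp/22",   "allow"),  # newly added rule
    "deny-all":  ("any", "any", "any", "deny"),
}
# Constructed change-request metadata; only allow-ssh has a documented request.
TICKETS = {"allow-ssh": {"requester": "j.doe", "department": "ops",
                         "justification": "patch management", "expires": "2024-12-31"}}

def diff_config(previous, current):
    """Differential comparison of two snapshots: added, removed and modified rules."""
    added = {n: current[n] for n in current if n not in previous}
    removed = {n: previous[n] for n in previous if n not in current}
    modified = {n: (previous[n], current[n])
                for n in current if n in previous and previous[n] != current[n]}
    return added, removed, modified

def is_overly_permissive(rule):
    """An allow rule from any source or for any service is treated as overly permissive."""
    src, _dst, svc, action = rule
    return action == "allow" and (src == "any" or svc == "any")

def delta_report(device, who, when, previous, current, tickets):
    """Delta change report: which device, when, who, what changed, plus review findings."""
    added, removed, modified = diff_config(previous, current)
    findings = []
    for name, rule in list(added.items()) + [(n, new) for n, (_old, new) in modified.items()]:
        if is_overly_permissive(rule):
            findings.append(f"{name}: overly permissive (source={rule[0]}, service={rule[2]})")
        if name not in tickets:
            findings.append(f"{name}: no linked change request (who/why/how long undocumented)")
    return {"device": device, "when": when.isoformat(), "who": who,
            "added": added, "removed": removed, "modified": modified, "findings": findings}

def example_report():
    """Runs the comparison on the constructed snapshots with a constructed author and time."""
    when = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)
    return delta_report("fw-edge-01", "admin2", when, PREVIOUS, CURRENT, TICKETS)

if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```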
Capturing and documenting change in this way enables organizations to confidently respond when asked if they’re monitoring for change and also to answer two equally important follow-up questions: “How are you monitoring for changes?” and “Is there documented proof of changes?”
Staying secure and compliant in today’s world of sophisticated cyber criminals and never-ending regulations is possible. It just takes teamwork, vigilance and a bit of technology to get there.