Almost every week another major company is in the media for another security breach or data leak. Last week it was eBay. This week, it was Spotify and Office, a UK-based clothing retailer. With this continued coverage of security issues comes a growing concern that businesses are having an increasingly difficult time maintaining a solid security posture. Pile on the increasingly stringent compliance requirements, and now we have an ever-changing landscape of security issues that don’t fit into most budgets. It's going to keep the C-Levels up at night (especially after Gregg Steinhafel’s departure from Target).
Security aside, it is a daunting task to manage a compliance program, especially for businesses without resources dedicated to security and compliance. HIPAA, PCI, SOX; they all continue to bring new technical control requirements to their programs. In addition, with every change, new findings will appear on your risk assessment, costing more to manage and more to secure. Between changing business requirements and the tightening of compliance controls, we continue to hear about the concept of businesses being compliant on audit day and not again for the next 364 days. The key question for businesses is how they actually keep things secure while integrating their standard operating processes with their security and compliance programs.
Ever-changing business requirements and boundaries
One of the main culprits here is the continuously changing set of business requirements…especially in companies small enough to make changes quickly. They are always looking to add new systems, applications and capabilities, while at the same time reducing costs with virtualization efforts and cloud-based applications. With so many applications being outsourced these days, how can businesses define a finite boundary around their systems and still maintain the compliance requirements and security visibility?
To meet compliance and audit requirements and keep systems secure, businesses need to implement solutions with a security-specific mindset. This means taking into account the requirements of asset management, vulnerability assessments, access control management and overall usage visibility. Businesses need to implement a security philosophy that can be tailored and applied to any new application, system or business requirement that may come up. This doesn’t mean implementing a set of tools. It means creating an overall security-focused mindset and driving that into the business, so that the concepts can be taken into account when critical business and technical decisions are made.
Risk Assessment? Nah…Just put it into production
Risk assessment is a key component of being able to identify system vulnerabilities while maintaining compliance. But it can also be the cornerstone of maintaining a solid security posture. That means evaluating every component of a new system and every change in a production environment, against the overall effect on the whole structure or for individual security issues.
As a matter of fact, HHS has even said that they don’t specifically define a minimum required client operating system. That means that Windows XP can still be considered a compliant system if appropriate risk assessments have been done, vulnerabilities are identified, and mitigation strategies are documented and on the roadmap (we would never recommend this, by the way). In fact, HHS has also provided a HIPAA Security Risk Assessment tool for download and use in documenting an entire risk assessment, evaluating findings and mapping out remediation.
The problem with all of this is that it isn’t reasonable for many companies to properly execute this cycle every time they make a change. Businesses are too dynamic these days for this to be a cost-effective approach, and by allowing the regulatory compliance audit process to drive these assessments, we are increasing the potential for businesses to suffer critical losses.
Again, this is where businesses need to drive security principles into their overall architectural designs and philosophies. If new programs are implemented with a security-centric approach, then it is a matter of applying principles and minor technical controls to most of these systems, enabling them with measurable security metrics and adherence to compliance requirements.
Understanding your options
The question that many businesses need to answer is how they satisfy both overall security health and simplicity in compliance management. Businesses now need an astounding amount of flexibility and technical expertise to keep up with compliance security controls. It is no longer operationally or financially effective for mid-market and smaller businesses to maintain this landscape, stay under budget and keep the lights on. It used to be that someone could just wear the ‘security hat’ when something came up, but it’s just becoming too much to handle as a secondary or tertiary function. Understandably, many companies can’t justify the additional headcount or additional cost for dedicated security personnel.
One concept to consider is going the Managed Security Service Provider route. MSSPs have the benefit of being able to apply expertise in a limited scope across multiple customers, while still being flexible for the business and cost-effective overall. Managed Security from Sedara, leveraging AlienVault’s USM, can provide a flexible security offering that allows businesses to change and adapt to their dynamic needs. It applies a sound unified security concept that is comprehensive and scalable, and it can offer advanced security technologies and simplicity of compliance reporting in a single platform. We can tailor solutions to work on site, in the cloud, and in distributed architectures, while simultaneously providing security visibility and compliance reporting in today’s dynamic environments.
About the Author
Darrick Kristich is a Security Enthusiast and currently works at Sedara, a managed security service provider and AlienVault Partner. His background primarily stems from the Aerospace & Defense markets, and he has experience with technical and security architecture, as well as compliance program development and incident response. He currently resides in Buffalo, NY and runs the blog at sedarasecurity.com. He can be reached at [email protected].