For too long, companies have been forced to spread their IT departments thin in order to maintain secure IT systems and comply with government and industry regulations, whether that be Sarbanes-Oxley, SB 1386, GLBA, or others.
Specifically, IT security, operations and audit teams, while working toward the same goals in many instances, have great difficulty sharing the information they need, when they need it. And in too many cases, they're forced to duplicate manual efforts.
In fact, with no coherent, comprehensive view of security and compliance status throughout an organization — or even across various regulatory requirements — compliance and IT security teams will continue to be tied down in inefficient, ad hoc and redundant efforts.
The fault doesn't rest entirely on organizations. The challenge is that, when you look at the responsibilities associated with IT security and compliance, only about 30 percent of tasks can actually be automated today; the rest must be handled manually, such as policy review procedures, orphaned account deletion and thorough system asset classification. Also, many technologies used by security and compliance teams, such as security event managers and compliance reporting tools, are costly and cumbersome to use, and they fail to help companies manage security and compliance holistically. For instance, a customer of ours was using 57 different paper-based standards to cover all of its various operating systems and applications. In addition, many businesses keep separate policies for controlling malware, limiting the deployment of peer-to-peer software, restricting applications that could be harmful to the IT infrastructure, and so on.
There has to be a better way. The trick is converging compliance and security efforts wherever possible. In fact, most compliance activities, and many security efforts, can be grouped roughly into four steps: defining policies, discovering the assets and the policies already in place, evaluating their level of compliance, and then remedying anything vulnerable or out of compliance. For example, password policies have relevance across internal security rules, Sarbanes-Oxley, HIPAA, GLBA and other external mandates. Likewise, controls that govern user access and permissions are relevant to Sarbanes-Oxley, GLBA, HIPAA, NIST guidance, and internal processes or security frameworks. Patch policy is also relevant to Sarbanes-Oxley, GLBA, HIPAA, NIST guidance, and internal IT infrastructure management. In short, all of these policies and controls cut across the activities of the compliance and audit, security and IT operations teams.
Organizations need security and compliance solutions that transcend the individual audit, security and operations teams and provide a holistic view of an organization's risk and compliance posture. It would be far more effective for any organization to be able to centrally manage all of its security policies and regulatory mandates, so that every policy could be efficiently accessed, managed, evaluated and enforced by operations, security and compliance teams alike. Such a converged solution would support the entire compliance process, much as Configuration Management Databases (CMDBs) do for configuration management: it would combine policy management with vulnerability scanning and policy-driven remediation, under granular, task-based access control. Ideally it would gather all of an organization's collected data into a secure repository with "need-to-know" access from a single management console.
With very few exceptions, such a solution would allow a single group of compliance checks to support most, if not all, of an organization's compliance obligations. For example, user password policies, user access privileges, account management and other types of checks can be designed to satisfy all internal and regulatory requirements.
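To make the "write the check once, report it against every mandate" idea concrete, here is an added example written for this article; it is not Qualys code or any product's implementation. The thresholds (minimum password length, maximum password age, how long an unused account may sit before it counts as orphaned), the mapping of each check to the mandates named above, and the two sample hosts are all assumptions constructed for illustration and do not quote any regulation. Each check runs exactly once per host; the results are then fanned out to every obligation the organization has mapped that check to.

```python
"""Illustration of one shared check set reported against many mandates.

Added example for this article; it is not Qualys code. The thresholds,
the check-to-mandate mapping and the host data are assumed for
illustration and do not quote any regulation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Obligations named in the article; "NIST" stands in for NIST guidance
# adopted as an internal framework.
MANDATES = ("Sarbanes-Oxley", "GLBA", "HIPAA", "NIST", "Internal")

# Assumed organisational thresholds (hypothetical values, not regulatory text).
MIN_PW_LENGTH = 12
MAX_PW_AGE_DAYS = 90
ORPHAN_AFTER_DAYS = 90


@dataclass
class Host:
    hostname: str
    pw_min_length: int
    pw_max_age_days: int
    # username -> last interactive login; None means the account never logged in
    accounts: Dict[str, Optional[date]]


@dataclass
class Check:
    name: str
    mandates: Tuple[str, ...]                 # every obligation this one check serves
    run: Callable[[Host, date], List[str]]    # returns findings; empty list = pass


def password_policy(host: Host, today: date) -> List[str]:
    """Compare the host's password settings with the assumed baseline."""
    findings = []
    if host.pw_min_length < MIN_PW_LENGTH:
        findings.append(f"minimum password length {host.pw_min_length} is below {MIN_PW_LENGTH}")
    if host.pw_max_age_days > MAX_PW_AGE_DAYS:
        findings.append(f"maximum password age {host.pw_max_age_days} days exceeds {MAX_PW_AGE_DAYS}")
    return findings


def orphaned_accounts(host: Host, today: date) -> List[str]:
    """Flag accounts with no login inside the orphan window (or no login ever)."""
    cutoff = today - timedelta(days=ORPHAN_AFTER_DAYS)
    return [
        f"account {user} last logged in {last or 'never'}"
        for user, last in sorted(host.accounts.items())
        if last is None or last < cutoff
    ]


# The organisation's own cross-walk, written once (assumed mapping).
CHECKS = [
    Check("password-policy", ("Sarbanes-Oxley", "GLBA", "HIPAA", "Internal"), password_policy),
    Check("orphaned-accounts", ("Sarbanes-Oxley", "GLBA", "HIPAA", "NIST", "Internal"), orphaned_accounts),
]


def evaluate_hosts(hosts, checks=CHECKS, today=date(2008, 1, 1)):
    """Run each check exactly once per host and fan the result out to every
    mandate the check is mapped to. Returns {mandate: {check: [findings]}}."""
    report = {m: {} for m in MANDATES}
    for host in hosts:
        for check in checks:
            findings = [f"{host.hostname}: {f}" for f in check.run(host, today)]
            for mandate in check.mandates:
                report[mandate].setdefault(check.name, []).extend(findings)
    return report


def compliance_status(report):
    """Per-mandate pass/fail: a mandate passes only if all its checks are clean."""
    return {m: all(not f for f in checks.values()) for m, checks in report.items()}


# Constructed sample data (not real hosts).
SAMPLE_HOSTS = [
    Host("fs01", pw_min_length=8, pw_max_age_days=180,
         accounts={"alice": date(2007, 12, 20), "bob": date(2007, 6, 1), "svc_backup": None}),
    Host("db01", pw_min_length=14, pw_max_age_days=60,
         accounts={"carol": date(2007, 12, 30)}),
]

if __name__ == "__main__":
    rep = evaluate_hosts(SAMPLE_HOSTS)
    for mandate, status in compliance_status(rep).items():
        print(f"{mandate:15} {'PASS' if status else 'FAIL'}")
        for check_name, findings in rep[mandate].items():
            for f in findings:
                print(f"    [{check_name}] {f}")
```

The point of the structure is in `evaluate_hosts`: the number of evaluations grows with hosts and checks, not with the number of mandates, and a check that is mapped to a new regulation later needs a one-line change to its `mandates` tuple rather than a new audit procedure. The same report also shows where the mappings differ: NIST, in this assumed cross-walk, receives only the account check, so its status is unaffected by password findings.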
Of course, a security and regulatory risk management platform that combined policy, threat, asset and risk management would need to be simpler than the security event management applications and many of the compliance point solutions available today. The software-as-a-service (SaaS) model, now widely regarded as the future of software delivery, would seem to have all of the attributes necessary to make such a solution possible. SaaS would make it possible to provide centrally managed policy, IT asset management information, and vulnerability and compliance risk management that is instantly accessible to IT audit, operations and security teams. In that way the entire compliance and security life cycle would be centrally aligned, with remediation workflow, trouble tickets and audit-finding fixes all centrally reportable and actionable.
We'll discuss in more detail how a converged, SaaS-delivered security and compliance solution would work in the next installment. Only when the market delivers on this need will organizations be able to fully coalesce and streamline their IT security and regulatory compliance efforts in the most cost-effective way possible.
- Philippe Courtot is chairman and CEO of Qualys