Security and regulatory compliance technologies need to converge, part 1

For too long, companies have been forced to spread their IT departments thin in order to maintain secure IT systems and comply with government and industry regulations, whether that be Sarbanes-Oxley, SB 1386, GLBA, or others.

Specifically, IT security, operations and audit teams, while working toward the same goals in many instances, have great difficulty sharing the information they need, when they need it. And in too many cases, they're forced to duplicate manual efforts.

In fact, with no coherent, comprehensive view of security and compliance status throughout an organization — or even across various regulatory requirements — compliance and IT security teams will continue to be tied down in inefficient, ad hoc and redundant efforts.

The fault doesn't rest entirely with organizations. The challenge is that, when you look at the responsibilities associated with IT security and compliance, only about 30 percent of the tasks can actually be automated today; the rest, such as policy and review procedures, orphaned-account deletion and thorough system asset classification, must be handled manually. Also, many technologies used by security and compliance teams, such as security event managers and compliance reporting tools, are costly and cumbersome to use, and they fail to help companies manage security and compliance holistically. For instance, a customer of ours was using 57 different paper-based standards to cover all of its various operating systems and applications. In addition, many businesses have discrete policies for controlling malware, limiting the deployment of peer-to-peer software, controlling the deployment of applications that could harm the IT infrastructure, and so on.

There has to be a better way. The trick is converging compliance and security efforts wherever possible. In fact, most compliance activities, and many security efforts, can be grouped roughly into a few common stages: defining policies, discovering the assets and policies in place, evaluating their level of compliance, and then remedying anything vulnerable or out of compliance. For example, password policies are relevant to internal security rules, Sarbanes-Oxley, HIPAA, GLBA and other external mandates. Likewise, controls that govern user access and permissions are relevant to Sarbanes-Oxley, GLBA, HIPAA, NIST and internal processes or security frameworks. Patch policy is also relevant to Sarbanes-Oxley, GLBA, HIPAA, NIST and internal IT infrastructure management. In fact, all of these policies and controls cut across the activities of the compliance and audit, security and IT operations teams.

Organizations need security and compliance solutions that transcend individual audit, security and operations teams and provide a holistic view of an organization's risk and compliance posture. It would be far more effective for an organization to be able to centrally manage all of its security policies and regulatory mandates, so that all policies could be efficiently accessed, managed, evaluated and enforced by the operations, security and compliance teams. Such a converged solution would support the entire compliance process, much as configuration management databases (CMDBs) do for configuration management, and would combine policy management with vulnerability scanning and policy-driven remediation, with granular task-based access control. Ideally it would gather all of an organization's collected data into a secure repository that provides "need-to-know" access from a single management console.

With very few exceptions, such a solution would allow a single group of compliance checks to support most, if not all, of an organization's compliance obligations. For example, user password policies, user access privileges, account management and other types of checks can be designed to satisfy all internal and regulatory requirements.
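The two preceding passages describe the converged lifecycle (define policies, discover assets, evaluate compliance, remediate) and the idea that one set of checks can serve many mandates. The following is an added example, not code from the column or from Qualys, of how that looks as a small "policy as code" evaluator: every control is written once, tagged with the mandates it supports, run once per asset, and the single result set is rolled up per framework for the audit team and per host for the operations team. The control IDs, the framework-to-control mappings and the host inventory are all constructed for illustration and are simplifications, not an authoritative reading of any regulation.

```python
"""Added example: one set of compliance checks serving several mandates.

All control IDs, framework mappings and inventory data below are
constructed for illustration; they are assumptions, not Qualys code.
"""

# "Discover" stage: a constructed inventory of hosts with the settings a
# scanner or agent would have collected.  Values are made up.
ASSETS = [
    {"host": "fin-db-01", "owner": "finance",
     "password_min_length": 14, "password_max_age_days": 90,
     "accounts": [{"name": "svc_backup", "owner_active": True},
                  {"name": "jsmith", "owner_active": False}],  # orphaned
     "missing_critical_patches": 0},
    {"host": "hr-app-02", "owner": "hr",
     "password_min_length": 8, "password_max_age_days": 365,
     "accounts": [{"name": "hradmin", "owner_active": True}],
     "missing_critical_patches": 3},
]

# "Define" stage: each check is written once and tagged with every mandate it
# supports.  The framework tags are a simplified assumption for the example.
CONTROLS = [
    {"id": "PWD-01",
     "description": "Minimum password length >= 12",
     "frameworks": ("Internal", "SOX", "HIPAA", "GLBA"),
     "check": lambda a: a["password_min_length"] >= 12,
     "remediation": "raise password_min_length to 12 in the OS policy"},
    {"id": "PWD-02",
     "description": "Passwords expire within 90 days",
     "frameworks": ("Internal", "SOX", "GLBA"),
     "check": lambda a: a["password_max_age_days"] <= 90,
     "remediation": "set password_max_age_days to 90"},
    {"id": "ACC-01",
     "description": "No accounts whose owner has left (orphaned accounts)",
     "frameworks": ("Internal", "SOX", "HIPAA", "GLBA", "NIST"),
     "check": lambda a: all(u["owner_active"] for u in a["accounts"]),
     "remediation": "disable the orphaned accounts and open an HR review ticket"},
    {"id": "PATCH-01",
     "description": "No missing critical patches",
     "frameworks": ("Internal", "SOX", "GLBA", "HIPAA", "NIST"),
     "check": lambda a: a["missing_critical_patches"] == 0,
     "remediation": "apply outstanding critical patches in the next window"},
]


def evaluate(assets=ASSETS, controls=CONTROLS):
    """'Evaluate' stage: run every control exactly once against every asset.

    Returns a list of findings; each carries the host, its owner, the
    failed control ID, the frameworks that failure affects, and the
    remediation text, so nothing has to be re-checked per regulation."""
    findings = []
    for asset in assets:
        for control in controls:
            if not control["check"](asset):
                findings.append({"host": asset["host"],
                                 "owner": asset["owner"],
                                 "control": control["id"],
                                 "frameworks": control["frameworks"],
                                 "remediation": control["remediation"]})
    return findings


def framework_report(findings, controls=CONTROLS):
    """Roll the one finding set up per framework, so the audit team reads
    SOX status and the security team reads NIST status from the same run.

    Returns {framework: {"failed_controls": set, "status": str}}."""
    report = {}
    all_frameworks = {fw for c in controls for fw in c["frameworks"]}
    for fw in sorted(all_frameworks):
        failed = {f["control"] for f in findings if fw in f["frameworks"]}
        report[fw] = {"failed_controls": failed,
                      "status": "non-compliant" if failed else "compliant"}
    return report


def remediation_queue(findings):
    """'Remedy' stage: one work item per host, listing every control it
    fails, so a single ticket closes findings across all mandates at once.

    Returns {host: (owner, [remediation line, ...])}."""
    queue = {}
    for f in findings:
        owner, items = queue.setdefault(f["host"], (f["owner"], []))
        items.append(f"{f['control']}: {f['remediation']}")
    return queue


if __name__ == "__main__":
    found = evaluate()
    for fw, r in framework_report(found).items():
        print(f"{fw:9} {r['status']:14} failed={sorted(r['failed_controls'])}")
    for host, (owner, items) in remediation_queue(found).items():
        print(f"\nTicket for {host} (owner: {owner})")
        for item in items:
            print("  -", item)
```

The point to notice is that adding a new mandate means adding a tag to existing controls rather than writing a new scan, and that a host failing one control generates a single remediation item even though it appears in several frameworks' reports.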

Of course, a security and regulatory risk management platform that combines policy, threat, asset and risk management would need to be simpler than the security event management applications and many of the compliance point solutions available today. And the software-as-a-service (SaaS) model, now recognized as the future of software delivery, would seem to have all of the attributes necessary to make such a solution possible. SaaS would make it possible to provide centrally managed policy, IT asset management information, and vulnerability and compliance risk management that are instantly accessible to IT audit, operations and security teams. In that way, the entire compliance and security life cycle would be centrally aligned, permitting remediation workflow, trouble tickets and audit-finding fixes to be centrally reportable and actionable.

We'll discuss in more detail how a converged, SaaS-delivered security and compliance solution would work in the next installment. Only when the market delivers on this need will organizations be able to fully coalesce and streamline their IT security and regulatory compliance efforts in the most cost-effective way possible.

- Philippe Courtot is chairman and CEO of Qualys

Philippe Courtot

Demonstrating a unique mix of technical vision, marketing and business acumen, Philippe Courtot has repeatedly built innovative companies into industry leaders. As CEO of Qualys, Philippe has worked with thousands of companies to improve their IT security and compliance postures. Philippe received the SC Magazine Editor's Award in 2004 for bringing on-demand technology to the network security industry and for co-founding the CSO Interchange to provide a forum for sharing information in the security industry. He was also named the 2011 CEO of the Year by SC Magazine Awards Europe. Before joining Qualys, Philippe was the Chairman and CEO of Signio, an electronic payment start-up that he repositioned to become a significant e-commerce player. In February 2000, VeriSign acquired Signio for more than a billion dollars. Today, VeriSign's payment division, based on the Signio technology, handles 30% of electronic transactions in the U.S., processing $100 million in daily sales. Prior to Signio, Philippe was President and CEO of Verity, where he re-engineered the company to become the leader in enterprise knowledge retrieval solutions. Under Philippe's direction, the company completed its initial public offering in November 1995. Philippe also turned an unknown company of 12 people, cc:Mail, into the dominant e-mail platform provider, achieving a 40% market share while competing directly against IBM and Microsoft. Acknowledging the market-leading position of cc:Mail and the significance of e-mail in corporate environments, Lotus acquired the company in 1991. In 1986, as CEO of Thomson CGR Medical, a medical imaging company, Philippe received the Benjamin Franklin award for his role in the creation of a nationwide advertising campaign promoting the life-saving benefits of mammography. Philippe served on the Board of Trustees for The Internet Society, an international non-profit organization that fosters global cooperation and coordination on the development of the Internet.
French and Basque born, he holds a master’s degree in physics from the University of Paris, came to the US in 1981 and has lived in Silicon Valley since 1987.
