I read an article the other day, the title of which was, “Compliance does not equal security”. While there is much truth to this title as well as the points made in the article, I don’t think it went far enough to a definitive conclusion.
There is a lot of talk about security compliance, especially regarding PCI DSS. There are also a number of differing regulations. So here is the question: what exactly does compliance certification by itself accomplish? We have all heard about organizations that had PCI DSS compliance audits, were certified compliant, and were subsequently hacked. There is obviously something missing.
When an organization conducts a security compliance audit, penetration test or any kind of security audit, and is certified to be compliant, what does this mean? Organizations have many moving parts and have fallible people intimately involved in their processes. Processes, settings and configurations are constantly changing, and people are coming and going. As soon as an organization completes a compliance audit and the auditors walk out the door, how long does it remain compliant? An hour? A day? A week? A month? It all depends on the level of change occurring in the organization, and no organization remains the same. As soon as a compliance audit is complete, processes, configurations and settings have already begun to change. An organization will certainly become non-compliant at some point. This is especially true for those organizations that had findings that had to be remediated: the processes that led to the findings in the first place are right back at work recreating them after the audit is concluded.
So what is the solution? As the title of the blog stated, there have to be enforcement or monitoring mechanisms in place, and they have to be automated. The automation is required because there are simply too many moving parts to do it effectively by hand. While there are solutions focused on compliance enforcement, they are unfortunately a patchwork of differing products with different focuses. Some focus on content, others on privileged accounts, and still others on email and endpoints. On top of this, many of these solutions are prohibitively expensive, which prices small and medium-sized businesses (SMBs) out of the market. However, the overarching issue with these solutions is that they are packaged products and are inherently inflexible.
Every organization is different when it comes to its security and compliance requirements, and those requirements are constantly evolving. An enforcement-focused solution needs to be extremely flexible, not only to address the varying requirements across organizations but also to keep up with the changes at each individual organization. Having developers create new one-off enforcement mechanisms as they are needed is not a viable solution; they simply will not be able to keep up with the rate of change.
The solution requires a modular approach whereby micro-services can be easily created and reused for specific enforcement mechanisms. The services need to be able to be easily deployed or removed by administrative personnel without developer involvement. Above all, the services need to keep up with the evolving and quickly changing security compliance landscape.
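As an added illustration of the modular approach described above (example code written for this page, not Vallum's Halo Manager code or any Halo App), the following Python runner keeps each compliance check as a small independently registered function, lets an administrator choose which checks run with a plain list rather than a code change, and evaluates the same configuration snapshot format on every run so that drift after audit day is visible. The snapshot fields, thresholds and baseline values are all constructed for the example.

```python
"""Modular compliance-drift checker (illustrative, not Halo Manager code).

Each check is an independently registered function: the "micro-service"
analogue in the post. Which checks run is decided by an enablement list an
administrator edits, so adding or removing an enforcement mechanism does not
require touching the runner.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Finding:
    check: str   # name of the check that raised the finding
    detail: str  # human-readable description of the deviation

# Registry: check name -> function(snapshot) -> list of findings
CHECKS: Dict[str, Callable[[dict], List[Finding]]] = {}

def check(name: str):
    """Decorator that registers a check function under a name."""
    def register(fn):
        CHECKS[name] = fn
        return fn
    return register

@check("password-policy")
def password_policy(snapshot: dict) -> List[Finding]:
    # Thresholds are constructed for the example, not taken from any standard.
    pol = snapshot.get("password_policy", {})
    out = []
    if pol.get("min_length", 0) < 12:
        out.append(Finding("password-policy", f"min_length {pol.get('min_length')} is below 12"))
    if pol.get("max_age_days", 10**9) > 90:
        out.append(Finding("password-policy", f"max_age_days {pol.get('max_age_days')} exceeds 90"))
    return out

@check("open-ports")
def open_ports(snapshot: dict) -> List[Finding]:
    # Any listening port not in the approved baseline is drift.
    allowed = set(snapshot["baseline"]["allowed_ports"])
    listening = set(snapshot.get("listening_ports", []))
    return [Finding("open-ports", f"unexpected listening port {p}")
            for p in sorted(listening - allowed)]

@check("admin-accounts")
def admin_accounts(snapshot: dict) -> List[Finding]:
    # Privileged accounts that were not present at audit time are drift.
    expected = set(snapshot["baseline"]["admins"])
    actual = set(snapshot.get("admins", []))
    return [Finding("admin-accounts", f"unapproved admin account {a}")
            for a in sorted(actual - expected)]

def run_checks(snapshot: dict, enabled: List[str]) -> List[Finding]:
    """Run only the enabled checks; an enabled-but-missing check is itself a finding."""
    findings: List[Finding] = []
    for name in enabled:
        fn = CHECKS.get(name)
        if fn is None:
            findings.append(Finding(name, "enabled check is not installed"))
            continue
        findings.extend(fn(snapshot))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check, for a quick drift report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts

# --- Constructed sample data: the state on audit day and some weeks later ---
BASELINE = {"allowed_ports": [22, 443], "admins": ["alice", "bob"]}

AUDIT_DAY = {
    "baseline": BASELINE,
    "password_policy": {"min_length": 14, "max_age_days": 90},
    "listening_ports": [22, 443],
    "admins": ["alice", "bob"],
}

WEEKS_LATER = {
    "baseline": BASELINE,
    "password_policy": {"min_length": 8, "max_age_days": 90},  # relaxed for a legacy app
    "listening_ports": [22, 443, 8080],                         # debug port left open
    "admins": ["alice", "bob", "contractor1"],                   # temporary admin never removed
}

# Administrator-controlled enablement list: no developer needed to change it.
ENABLED = ["password-policy", "open-ports", "admin-accounts"]

if __name__ == "__main__":
    for label, snap in (("audit day", AUDIT_DAY), ("weeks later", WEEKS_LATER)):
        findings = run_checks(snap, ENABLED)
        print(f"{label}: {summarize(findings) or 'compliant'}")
        for f in findings:
            print(f"  [{f.check}] {f.detail}")
```

The point of the structure is that the runner never changes: a new requirement becomes one more `@check` function, and an organization that does not need it simply leaves it out of `ENABLED`. Running the same checks on a schedule against fresh snapshots is what turns a one-time audit result into continuous evidence.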
At Vallum Software, we believe we have such a solution with Halo Manager. Halo Apps are designed to provide micro-service functionality and are deployed to augment the functionality of the Halo Manager solution in a modular manner, based on customer requirements. They are easily created for just about any enforcement or monitoring activity, they are reusable, and they can come with configuration options where needed. They are deployed or removed with a couple of clicks. There is a growing selection of Halo Apps on our website, and we welcome any new ideas or recommendations.
About the Author:
Lance Edelman is a technology professional with 25+ years of experience in enterprise software, security, document management and network management. He is co-founder and CEO at Vallum Software and currently lives in Atlanta, GA.