Managing Security Compliance from the Inside Out
Why automated security policy management should be part of IT's overall data security compliance strategy.
By Tom Diamond
For IT professionals who must secure information as part of a data security compliance initiative, the phrase 'information wants to be free' has special significance. In a compliance scenario, information such as confidential customer data and intellectual property needs to be controlled and contained. In today's compliance environment, IT faces a delicate balancing act between allowing access to sensitive information for those who need it to perform their jobs and maintain productivity, and restricting access to information from insiders (including employees) who could inadvertently expose or potentially misuse the information.
High profile data security breaches over the past few years have laid bare a disconcerting fact for organizations and their IT departments. In many cases, employees themselves have been responsible, either through malicious activity or simple carelessness. This fact illustrates a troubling disconnect between employers who have a heightened awareness of the need to protect data in order to comply with regulations and to protect their brand, and employees who often don't consider themselves as key enablers of data security processes. It also demonstrates the need for organizations to increasingly rely on IT to be overseers and gatekeepers of sensitive data.
When employees breach data security, perimeter defenses alone do little to protect information, because the threat originates inside the firewall. Organizations and IT departments need to embrace wide-reaching, multi-faceted data security strategies and methodologies that include perimeter defenses to ward off outside threats, combined with strict internal controls that protect against unauthorized information access by those inside the firewall. Educating end users on their roles and responsibilities is important, but even more important is leveraging automation technologies to minimize the risk of security breaches by employees and other trusted insiders.
Although there is no magic bullet for data security, there are many areas where large gains can be made with relatively small investments. With the vast majority of organizational information in electronic form stored on servers, workstations, and laptops, securing the computer resources that can be accessed by employees takes on much greater importance and can pay significant dividends in protecting information. New and merging technologies, including automated security policy management, should be leveraged to maximize security and minimize the risk of employee-initiated security breaches.
Testing by the National Security Agency (NSA) and The National Institute of Standards and Technology (NIST) shows that applying an IT security configuration template (a comprehensive set of computer security policies) improves security on systems by 80 to 90 percent. This enhanced security is achieved by vastly reducing inherent and default vulnerabilities in operating systems and applications such as inappropriate administrative privileges, insecure accounts, unnecessary services, file permissions, and registry settings.
Manual methods of applying security policies, such as through Active Directory Group Policy Objects (GPOs), are time and resource intensive and lack a continuous, real-time enforcement mechanism. While GPOs are widely used, they can provide a false sense of security because they don't provide real-time alerting and automated remediation to enforce secure configurations. That has changed with the advent of automated security policy management solutions.
Automated security policy management delivers significant value as a key component of an overall data security compliance strategy. As threats to data security rises, proactive organizations are adopting automation technologies to minimize risks from vulnerability exploits. When considering the role of security policy management in data security, consider the many IT functions involved. In simple terms, you can think of them as the CORES of security compliance:
- Configuration management technologies that automate and streamline security administration of workstations and servers
- Offline enforcement of security policies to protect systems beyond the protection of perimeter defenses
- Reporting and monitoring configuration states to maintain audit trails and document security compliance to management and auditors
- Easy policy management processes and technologies that can be adapted to encompass emerging and changing compliance requirements
- Systematic updating of security policies and configurations to ensure compliance levels.
Configuration Management: Networks are the dominant computing paradigm in organizational settings, but they are typically configured more for easy communication between systems than for enhanced security. Configuration management through automated security policy enforcement provides a foundation for locking down endpoints that store and access confidential and sensitive data.
Offline Enforcement: Laptops that leave the network and its perimeter defenses present a special security configuration challenge. Automated security policy enforcement solutions can resolve this challenge by monitoring offline systems for unauthorized configuration changes, and automatically remediating them when out-of-compliance states are discovered.
Reporting and Monitoring: Reporting begins with actively monitoring system security configurations against assigned security policies, and delivering real-time insight into compliance states. Active monitoring should include alerting mechanisms that notify administrators if security-based parameters have changed. In addition, it should provide reports such as administrative audit trails and compliance histories, giving IT everything it needs to document and demonstrate security configuration compliance to management and auditors.
Easy Policy Management: Traditional methods of implementing and managing security policies are resource intensive. Leveraging automated configuration and remediation technologies gives IT departments the right tools to simplify and streamline policy management. Important features should include intuitive interfaces and navigation, dynamic computer grouping by security configuration traits and organizational structure, drag-and-drop policy assignment, and pre-packaged security policies based on Microsoft, NIST, and NSA security templates. Policy editing is important to enable administrators to customize existing polices and create new security policies that reflect the needs of their unique network environment.
Systematic Updates: IT departments must be flexible so they can adapt to changing compliance requirements and adopt methodologies for staying ahead of the compliance curve. This includes implementing processes and adopting appropriate automation technologies for systematically updating security policies and system security configurations as regulations and corporate standards evolve.
As organizations face growing pressures to comply with data security components of regulatory measures, employees are often the weak link in the security chain. By eliminating default configuration vulnerabilities and locking down servers, workstations, and laptops, organizations greatly reduce the risk of data exposure and misuse by employees while significantly improving their security posture and compliance profile. Automated policy management and enforcement solutions that enable comprehensive security configuration management give IT departments the tools they need to simplify and streamline these processes, allowing IT to create and administer a sustainable compliance environment and reduce the risk of data security breaches by employees.
Tom Diamond is the president of New Boundary Technologies (http://www.newboundary.com). You can reach the author at firstname.lastname@example.org.