Compliance and Security, Part 3: Handling the Off Stream
Compliance applies to the entire infrastructure, even the many crannies of heterogeneous environments.
- By Chris DeVoney
Compliance didn’t start with Sarbanes-Oxley, but SOX gets attention as a major benchmark for enterprises. If you analyze SOX as did PowerTech VP Brendan Patterson, "We are in the third, maybe fourth year of Sarbanes-Oxley. People are really looking at ways to save money. But if the same findings are coming up year after year, there is less excuse to get by with any lax practice."
Nancee Melby, Shavlik Technologies’ marketing manager for the company’s NetChk Compliance 3.0 product, acknowledges another change since SOX: "The business value in compliance is a numbers game. If you are out of compliance with a standard like PCI, you face not only bad press and brand damage, but there are implications of financial penalties for violations. Many major retailers are saying ‘I don’t like to write that two million dollar check every month.’"
As enterprises, institutions, and agencies make inroads into compliance and the broader IT governance, risk-management, and compliance (GRC) space, cost remains an issue. Yet IT compliance covers the entire IT estate, which is harder in heterogeneous environments that mix leading-edge technologies, aging technologies, and, on occasion, the odd systems in between. Even when an overarching security/compliance reporting framework such as Agiliance or CA Compliance is deployed within the entity, additional investment is required to fill the gaps in security and compliance coverage that such frameworks leave.
For example, wireless continues to make major inroads. Although corporations monitor their hardwired connections to the world, Chris Roeckl, vice president at AirMagnet (which makes a variety of wireless products including WLAN IDS/IPS systems), notes the blind spot: "The hardwire Ethernet gives some sense of security because if you can’t plug into it you can’t get on that network resource, unlike wireless where someone can be sitting in a parking lot and accessing assets."
He stated that security and compliance go beyond locking down the accounts payable department: an enterprise must also deploy wireless IDS/IPS systems and detect and defend against man-in-the-middle attacks and rogue access points. He cites a financial institution where an Apple AirPort was turned on during the night so an employee could illegally access accounts.
Noting the increased role of wireless in enterprises, Roeckl remarked, "This is not about security for security’s sake. This is about protecting real assets and not wearing an orange [prison] suit." He noted that organizations need to track compliance on burgeoning Bluetooth devices, too.
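The rogue-access-point and evil-twin detection Roeckl describes reduces, at its core, to comparing what a wireless sensor sees against an inventory of what is authorized. The following is an added example, not code from the article or from AirMagnet's products: it assumes a hypothetical inventory keyed by SSID, a simplified scan record (SSID, BSSID, security mode, signal strength), and a signal-strength threshold for "probably inside the building"; the inventory, the scan, and the threshold are all constructed here for illustration.

```python
"""Rogue / evil-twin access point triage over a constructed WLAN scan.

Added example. The inventory, scan data and RSSI threshold below are
constructed assumptions, not values from the article or any vendor product.
"""
from dataclasses import dataclass
from collections import defaultdict

# Hypothetical corporate inventory (constructed): SSID -> authorized BSSIDs.
AUTHORIZED = {
    "CORP-WLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CORP-GUEST": {"00:11:22:33:44:03"},
}

# Security mode each corporate SSID is supposed to advertise (constructed policy).
REQUIRED_SECURITY = {"CORP-WLAN": "WPA2-Enterprise", "CORP-GUEST": "WPA2-PSK"}

# Assumed threshold: a signal stronger than this is likely on the premises,
# so an unknown AP above it deserves a walk-around, not just a log entry.
RSSI_ON_PREMISES_DBM = -70


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str
    security: str  # e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"
    rssi: int      # dBm, closer to 0 is stronger


# Constructed scan result, as a sensor might report it.
SCAN = [
    ObservedAP("CORP-WLAN", "00:11:22:33:44:01", "WPA2-Enterprise", -48),
    ObservedAP("CORP-WLAN", "DE:AD:BE:EF:00:01", "OPEN", -40),        # evil twin
    ObservedAP("CORP-GUEST", "00:11:22:33:44:03", "WPA2-PSK", -60),
    ObservedAP("Linksys", "00:1c:10:aa:bb:cc", "OPEN", -35),         # unknown, strong
    ObservedAP("CoffeeShop", "aa:bb:cc:dd:ee:ff", "WPA2-PSK", -85),  # neighbour, weak
]


def classify(ap: ObservedAP) -> str:
    """Return one of: authorized, misconfigured, evil-twin, rogue-suspect, neighbor."""
    bssid = ap.bssid.lower()
    if ap.ssid in AUTHORIZED:
        if bssid in AUTHORIZED[ap.ssid]:
            # Known radio; still verify it advertises the mandated security mode.
            if ap.security != REQUIRED_SECURITY[ap.ssid]:
                return "misconfigured"
            return "authorized"
        # Corporate SSID from a radio we do not own: classic evil twin / MITM setup.
        return "evil-twin"
    # Unknown SSID: distinguish a likely on-site rogue from a neighbouring network.
    if ap.rssi > RSSI_ON_PREMISES_DBM:
        return "rogue-suspect"
    return "neighbor"


def triage(scan) -> dict:
    """Group observed BSSIDs (lower-cased) by classification."""
    groups = defaultdict(list)
    for ap in scan:
        groups[classify(ap)].append(ap.bssid.lower())
    return dict(groups)


def needs_action(scan) -> list:
    """BSSIDs that should open a ticket, strongest signal first."""
    actionable = {"evil-twin", "rogue-suspect", "misconfigured"}
    hits = [ap for ap in scan if classify(ap) in actionable]
    return [ap.bssid.lower() for ap in sorted(hits, key=lambda a: -a.rssi)]


if __name__ == "__main__":
    for category, bssids in sorted(triage(SCAN).items()):
        print(f"{category:14s} {', '.join(bssids)}")
    print("action:", needs_action(SCAN))
```

The RSSI threshold is the weak point of any such detector: a neighbour with a high-gain antenna looks on-site, and a rogue in a shielded closet looks like a neighbour. Production WIDS correlates with wired-side evidence (whether the rogue's clients appear on the corporate LAN) before escalating, which is why the example labels unknown strong APs as suspects rather than confirmed rogues.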
Protecting Legacy Applications
Legacy applications are often problematic for IT departments. iSeries toolmaker PowerTech’s vice president, Brendan Patterson, remarked on his experience at a Gartner security conference regarding the pervasiveness of legacy applications.
"When asked by the speaker how many in the room were running applications that are 20 years old, about half the room raised their hands. When asked about 30-year-old apps, about a third of the room did. One poor soul admitted to a 40-year-old app." Although not all multi-decade-old legacy applications run on creaking hardware, ensuring compliance, or providing mitigation where compliance cannot be achieved, is still essential under regulatory mandates.
PowerTech’s Compliance Monitor provides the auditing reports needed for compliance in organizations whose major platform is the IBM AS/400/iSeries. Products such as Compliance Monitor can export their information for use by automated, unified compliance frameworks. Such platform-specific products do fuller and deeper monitoring than a generic framework, reporting on items such as privileged account use, where the details of what to audit and how are known only to a small segment of the IT staff -- often the case with i/OS or z/OS.
Patterson offers justifications for investing in tooling for these off-mainstream platforms. "Using a product [such as] Compliance can be faster than writing specific SQL statements and reports themselves. But even if they do that, there is a separation of duties since you have key IT people writing some of the reporting, which, by its nature, needs to report on their activity -- and that is true on any platform."
With multiple regulations and continuing needs, Shavlik’s Melby reminds entities that compliance should be treated as a strategic, sustainable process rather than as an event. "As soon as you 'get' compliance, the next day you can’t answer the question 'yes.'" For success, Melby suggests that companies align compliance-related activity with business goals and look for opportunities where compliance adds value to the business. She also believes that someone high up in the organization must "own" the process and have primary responsibility for compliance.
Consider that companies with strong and regularly reassessed compliance programs have, by some accounts, outperformed their peers in the stock markets. Furthermore, deliberately lax compliance can lead to the change of wardrobe color Roeckl warns about for the CxO suite. Applying intelligent effort to IT GRC is smart, profitable for the business, and enables good institutional/agency governance.