5 Steps to a Continuously Compliant Data Center (Part 1 of 2)
These five steps provide a road map for continuous compliance in the data center.
By Dan Trevino, Senior Product Marketing Manager, BMC Software
What do you do when the "check engine" light comes on in your car while you are driving down the highway? Do you need to immediately pull over and call a tow truck? Probably not, but you should get the engine checked and the issue resolved as soon as possible. If you address the problem in a timely manner, your car may require only a routine repair. However, if you ignore the light and keep driving day after day, you may cause serious damage to your engine, resulting in an expensive repair or replacement of engine components.
It's the same principle with data center compliance. Achieving and maintaining compliance with government regulations and industry standards can prevent a small issue from causing major damage to your company's financial well-being or reputation due to security breaches and outages. These actions can apply to Sarbanes-Oxley 404, Statement on Auditing Standards (SAS) 70, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Basel II, and other regulations and standards.
Achieving and maintaining compliance can help your organization avoid the high cost of recovery and repair that goes along with unfavorable audit findings or compromising your enterprise. Some compliance breaches have resulted in losses of millions of dollars, so the key is to focus on prevention.
The best-practice approach described here provides a road map for continuous compliance in the data center. It consists of five key steps: Definition and goals, implementation, measurement, enforcement, and monitoring. This article, Part 1, focuses on the first two steps and the remaining three will be covered in Part 2 next week.
Step 1: Definition and Goals
Start with your vision and a clear definition of compliance and the compliance goals you want to achieve. Specifically spelling out the definition and goals will ensure everyone understands them.
Creating a Compliance Definition
When you define what compliance means in your organization, address the following three facets: security, configuration assurance, and verification support.
Security involves patching, identifying vulnerabilities, and having access controls. From a security standpoint, compliance means ensuring that you have secured your servers and applications by keeping up to date with the latest patches. It means that you have identified vulnerabilities in the environment that require remediation and have put appropriate access controls in place to limit administrative privileges. Patching, of course, helps eliminate vulnerabilities. Controls on administrative privileges also need to be in place. Specifying who is authorized to perform various tasks on any server at any point in time protects systems from unauthorized access and helps you demonstrate compliance to auditors.
Configuration comprises both establishing standard settings for all your systems and ensuring adherence to those standards. You must also define a process to monitor the environment and report on any settings that drift from standards.
Verification support includes processes that drive attestation and evidence gathering for all identification and remediation processes, and an automated capability to verify that remediation activities are committed as planned.
Establishing Compliance Goals
IT organizations that have achieved a high state of compliance have done so by setting and achieving four major goals: standardization, accountability, transparency, and measurability.
Standardization normalizes configuration settings across Windows, Linux, UNIX, and other platforms that comprise your infrastructure. Standards drive your build policies and help you identify risk.
Accountability is about establishing audit trails for the changes that have occurred, when they were implemented, who made them, and what impact the changes had on the environment. Good accountability ensures that mechanisms are in place to alert you when a system deviates from the norm, prompting you to take action to rectify the situation and to track down and eliminate the cause so that it doesn't happen again.
Transparency is primarily related to reporting; that is, gaining insight into what your people are doing. You can assess your progress by answering critical questions related to compliance, such as:
- Did you experience fewer emergency changes this month than last month, six months ago, and last year at this time?
- Has the drift from standards decreased over the past year?
- Are some platforms, servers, applications, or business service servers more compliant than others? If so, why?
Measurability means establishing policies that are material and processes that specifically assess adherence to those policies. It also includes analytics that enrich both the escalation and the reporting of material gaps in adherence. Put simply, you can't manage what you can't measure, so ensure you are measuring the right things the right way.
Step 2: Implementation
Automation is critical for ensuring continuous compliance with policy-based operations. There are three parts to the implementation step: choosing and implementing a governance framework, identifying and implementing controls, and adopting a platform to ensure continuous compliance.
Implementing a Governance Framework
Follow the Control Objectives for Information and related Technology (COBIT) framework for guidance. Its broad coverage means that you can leverage your investment to comply with several other regulations and standards, such as the Sarbanes-Oxley Act and Basel II.
COBIT also integrates well with established frameworks, such as the Software Engineering Institute's Capability Maturity Model Integration (CMMI), ISO 20000, the IT Infrastructure Library (ITIL), and ISO 17799 (the standard security framework, which is now ISO 27000).
Identifying and Implementing Controls
A phased approach to implementing controls works best because of the many controls you may need to address. Instead of trying to implement all of them at once, start with those required for a specific regulation or standard that you identified as a priority in Step 1. Alternatively, consider identifying "common denominators" -- controls that will immediately bring you into compliance with multiple regulations. Regardless of your starting point, however, be sure to pay close attention to access controls. For example, one global financial services firm faced serious challenges with respect to access controls that disrupted its change process. Shared user IDs prevented IT from clearly identifying who had made each change, which creates a problem because only certain people are supposed to be able to perform specific changes. It became increasingly difficult for this organization to roll out changes to nearly 5,000 servers on a weekly basis, and manual processes became overwhelming for the server administration staff.
By improving its access controls, the company was able to deliver substantial improvements to the change success rate and to staff productivity. The financial services provider used best-practice processes and automated tools for access, change, and release. Adopting role-based access control enabled the security team to delegate the implementation of certain changes to groups requesting the change without impacting security. In the six years since the processes and tools were deployed and the issues related to shared IDs were resolved, the number of servers has increased five times and the number of applications has increased three times. The staff, however, has handled the increase with a dramatic improvement in the server-to-administrator ratio. The end result is that effective compliance enabled this IT organization to improve its business impact and simultaneously lower risks and costs.
Adopting a Compliance Platform
Your compliance platform can provide the foundation for the controls you implement. It should support three essential capabilities:
- Prevention to keep unwanted events from happening
- Detection to alert you immediately if problems that can impact compliance have occurred
- Correction to automatically fix problems that have been detected
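As an added illustration (not code from the article or from any BMC product) of the configuration-assurance definition in Step 1 and the detection and correction capabilities listed above: a small Python drift check that compares each server's reported settings against a baseline standard, treats an unreported setting as drift, and decides whether a deviation is safe to correct automatically or needs a change ticket. The baseline keys, server names and observed values are constructed for the example.

```python
"""Configuration drift check: baseline standard vs. observed server settings."""
from dataclasses import dataclass
from typing import List

# Constructed baseline standard (keys and values assumed for illustration).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.enabled": "yes",
}

# Settings safe to fix automatically; everything else goes through change control.
AUTO_CORRECTABLE = {"audit.enabled", "ntp.enabled"}

# Constructed observations from three servers (names and values assumed).
OBSERVED = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
              "audit.enabled": "yes", "ntp.enabled": "yes"},
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
             "audit.enabled": "no", "ntp.enabled": "yes"},
    "app02": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
              "ntp.enabled": "yes"},  # audit.enabled was never reported
}

@dataclass(frozen=True)
class Drift:
    server: str
    setting: str
    expected: str
    actual: str   # "<missing>" when the server did not report the setting
    action: str   # "auto-correct" or "open change ticket"

def find_drift(baseline, observed) -> List[Drift]:
    """Compare every server against the baseline; a missing setting counts as drift."""
    drifts = []
    for server, settings in sorted(observed.items()):
        for key, expected in baseline.items():
            actual = settings.get(key, "<missing>")
            if actual != expected:
                action = "auto-correct" if key in AUTO_CORRECTABLE else "open change ticket"
                drifts.append(Drift(server, key, expected, actual, action))
    return drifts

def compliance_rate(baseline, observed) -> float:
    """Share of servers with zero drift: the figure to trend month over month."""
    clean = sum(1 for s in observed if not find_drift(baseline, {s: observed[s]}))
    return clean / len(observed)

if __name__ == "__main__":
    for d in find_drift(BASELINE, OBSERVED):
        print(f"{d.server}: {d.setting} expected={d.expected} actual={d.actual} -> {d.action}")
    print(f"compliant servers: {compliance_rate(BASELINE, OBSERVED):.0%}")
```

Feeding real exports from a configuration management tool into OBSERVED in place of the constructed data turns this into the per-month drift trend that the transparency questions in Step 1 ask for.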
These capabilities will give you confidence that the IT controls you implement are working fully and delivering the level of compliance you need. Part 2 of this article in next week's newsletter will review measurement, enforcement, and monitoring.
Dan Trevino, senior product marketing manager for BMC Software, is an expert in regulatory controls and compliance. He currently drives the IT Governance, Risk, and Compliance (IT GRC) offering at BMC. Trevino has led the design and creation of the BMC compliance and IT GRC offerings since he joined BMC in 2009. He was an enterprise architect for an IT governance and compliance consultancy and developed and managed the services program and solutions deliverables for its successful IT compliance consulting practice. Trevino has over 25 years in IT with expertise in both process management and systems management.