
Security compliance is still a corporate headache

Ensuring compliance with security and data protection regulations is an eternal burden for IT departments - but it can be made easier

Some things in IT are transient, while others become increasingly important over time and are ever-changing. Such is the case with security compliance.

From the early days of data protection laws, the post 9/11 Sarbanes-Oxley Act (SOX) in 2002 and various UK and EU laws and guidelines since, compliance has continued to be a nightmare for IT. In many cases it has also enforced what were considered unholy marriages within a company -- IT and finance, security and networking, technical and admin -- enough to bring any IT professional out in a cold sweat.

The many regulatory compliance standards from the payment card industry data security standard (PCI DSS) onwards require companies to monitor their networks in real-time, ensure high levels of security for their confidential enterprise assets, and provide network compliance audit reports to auditors upon request. 

To put the compliance issue into perspective, a quick glance at the classified adverts revealed that just one agency for London alone has almost 30,000 compliance job vacancies advertised. At a recent meeting with Milton Keynes council's IT team, a recurring theme was issues with compliance. Here the situation is doubly relevant: a council is regularly affected by political change and, prior to the results of the recent general election, those changes were potentially unknown -- yet compliance is significantly affected by them. So, who is responsible?

"It's a massive problem for organisations," says Martin Heaton, principal IT engineer for Milton Keynes Council. 

"In one sense it was easy -- everyone was looking to drive down operating costs. But now we've come to a crossroads: cost is important but who's grasping the nettle strategically? Am I prepared to pay more for compliance -- to get that nice warm feeling -- and use IT services that are going to work and be flexible enough to change with requirements?"

Heaton points also to the problems councils had with PSN compliance. In order to connect to the new Public Services Network (PSN), local councils as well as other government departments have had to ensure their security connections are compliant with a code of connection set by the Cabinet Office. 

EU regulations

But it is not only UK-based compliance regulation that IT has to deal with. New EU data protection regulations are also going to create waves of problems, according to Nigel Hawthorn, European spokesman for Skyhigh Networks, a company focused on cloud security and enablement.

Hawthorn says the new regulations will have an impact on any company that may hold data on EU citizens and residents, with tougher sanctions for non-compliance, including fines possibly as high as 5% of global revenue, and with users able to claim compensation for data loss, including through class action lawsuits.


In this case, the responsibility also extends to a heavier compliance burden on data controllers -- the owners of the content -- and the data processors, such as cloud providers, that are also responsible for data protection. Hawthorn believes regulation also recognises how technology can help keep data safe and states that if data has been tokenised or "pseudonymised" it is presumed to meet an individual's reasonable expectations of data privacy.

"This is great news for enterprises, as it allows organisations to encrypt or tokenise data before uploading to the cloud, and, assuming that they keep the encryption keys on their own premises, data loss is not such a disaster," he says.

Another big issue is, who is responsible when several parties are affected? For example, Hawthorn points to a recent data breach involving service provider TalkTalk, where the telecoms company took legal action against a supplier after a breach at the supplier led to the exposure of TalkTalk customer data.

But this is a common situation now, in which IT is struggling to understand what security and compliance standards are in place with third-party suppliers and where the data ends up. Hawthorn says that, in the case of TalkTalk, its supplier had access to customers' personal details, but TalkTalk had no idea that data had been extracted until customers reported receiving bogus phone calls quoting their customer number and trying to conduct fraudulent deals.

Cloud and outsourcing

The cloud, and outsourcing in general, has put ever more pressure on compliance. Paul Briault, senior director, solution sales at CA Technologies UK, notes that software as a service (SaaS) applications involving sensitive or confidential data can be another major problem area. 

According to Briault, SaaS or outsourced application providers can often fail to address important questions of legal risk associated with confidential data or private customer data -- where it is stored, or how it is transmitted. This can lead to dangerous compliance gaps and potential legal costs. In this case, again, the responsibility sits with third parties and, as such, it is important that end-user organisations are not afraid to ask their cloud service providers tough questions to address legislative and security concerns.

"A good starting point would include questions about who has access to the data and platform, the location of the data centre and any country-specific legislation that the organisation needs to be aware of, as well as any binding legal requirements of that organisation if a data breach occurs," says Briault.

SolarWinds is a software company that has network management roots but now has an increasing focus on compliance. Mav Turner, head of security at SolarWinds, says that an ever-increasing problem with compliance is bringing all the different data sources together.

"There is a big need in having that information -- the performance data plus the security, whether it's a firewall log, or from an Apache server or whatever -- and bringing it all together with intrusion detection (IDS) and intrusion prevention (IPS) system logs, correlating that data and finding vulnerabilities, whether they be on the web server or elsewhere," he says.

Turner adds that integration is only the starting point, given the need to connect with other endpoint protection systems, servers, and any device that emits syslog. However, he believes the good news is that a lot of people are not just looking to "tick boxes" but are starting to understand the serious requirement -- a level of understanding he describes as: "If I am going to invest and add security, then it's not just a case of running a report for the internal admin team". In other words, there is a business responsibility as well as a technical one.

"Compliance and regulations are not malicious. The goal is not to create unmanageable overhead, but you have to re-prioritise and make sure it is resource and time well spent, as this is no longer an option," says Turner.

Compliance guidelines

Good Practice Guide (GPG) 13 is another longstanding UK compliance guideline that is still creating lots of work for IT, according to Glen Kershaw of Kenson, a SolarWinds reseller. GPG 13 is focused on protective monitoring, including IDS and IPS, and policies for logging and log analysis. Kershaw claims that 40% of customers are looking at the next steps of their compliance strategy, both at a threat level and at an administrative level.

"We've had a lot of customers that have asked us to supply a solution for GPG 13, to come in, install the software, tick the box and move on," he says. But the bigger picture, he believes, is in pulling a team together to work on security compliance.

"I don't believe it's possible for one person to be in charge. You have IT, then other customers led by the security team and, depending on the company size, maybe a reliance on software for the SME sector and more on specific individuals at the high-end," says Kershaw.


The need to monitor existing guidelines at an increasing level of detail, and with emphasis on real-time analysis, is another major time-consumer in IT. The typical approach to testing for vulnerabilities and measuring compliance is to use a vulnerability scanner, says Mark Kedgley, CTO with New Net Technologies, a provider of security compliance solutions. 

But, he says, there are two problems with this approach. First, scans are simply a snapshot of compliance, and any configuration drift between scans will not be detected, leaving systems vulnerable to attack until the next scheduled scan. The other major problem is that a scanner is blind to zero-day threats and does not provide any file integrity monitoring to detect breach activity. Kedgley believes non-stop file integrity monitoring is the only way to provide continuous compliance assessment and real-time breach detection.
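To make Kedgley's point concrete, here is an added Python example (not code from the article, nor from New Net Technologies) that builds a hashed baseline, classifies drift, and contrasts a scan-to-scan comparison with a per-change check: a setting that is weakened and restored between two scheduled scans is invisible to the former but recorded by the latter. The directory layout and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Hash every file under root: the 'known good' state a scheduled scan compares against."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def drift(before: dict, after: dict) -> dict:
    """Classify configuration drift between two snapshots as added, removed or modified files."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def scan_versus_continuous() -> tuple:
    """Constructed scenario: a config file is weakened, then restored, between two scheduled scans.
    Returns (what comparing scan 1 with scan 2 reports, what a per-write check recorded)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "etc" / "app.conf"          # constructed path
        cfg.parent.mkdir()
        cfg.write_text("tls_min_version = 1.2\n")  # constructed sample content
        scan1 = snapshot(root)                   # scheduled scan 1
        last = scan1                             # the monitor's current reference state
        events = []                              # what an on-change hook (e.g. inotify) would log
        for content in ("tls_min_version = 1.0\n", "tls_min_version = 1.2\n"):
            cfg.write_text(content)              # weaken, then revert before scan 2
            now = snapshot(root)
            events.append(drift(last, now))      # continuous check fires on every write
            last = now
        scan2 = snapshot(root)                   # scheduled scan 2: file is back to baseline
        return drift(scan1, scan2), events
```

The scan-to-scan result is empty while the per-change log holds two modification events for `etc/app.conf`, which is exactly the gap the article describes.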

For example, BCH Digital, an established provider of interactive voice response (IVR) call management services, had a requirement to ensure the compliance of its telephone card payment service. 

Chris Johnson, technical manager at BCH Digital says: "Part of the PCI compliance mandate requires organisations to ensure various file tracking and monitoring systems are in place. We were faced with a formidable obstacle in finding tracking software that can help with PCI compliance, that is full featured, that is easy to use and that can be readily integrated into our systems."

Having trialled several different software solutions, BCH Digital went with New Net Technologies' Change Tracker solution. The key here is that compliance tracking is not just a tick-box "must have", but is actually enabling the company's business to expand.

"Looking into the future, we are sure that we will continue to pass PCI-DSS audits and continue to remain compliant," says Johnson. "It is a key component of our -- and our clients' -- ongoing business growth."

What is certain is that compliance regulations and guidelines will not simply fade away, but will continue to be created and adapted.

However, it is also clear that this is such a huge market opportunity for software companies that more and more solutions -- along with the associated expertise -- are becoming available. At the same time, existing solutions are being improved. And as for the need for IT to develop closer relationships with other parts of the business, such as administration, security, finance and so on -- some would say it is about time.
