Getting Ahead of the Compliance Curve ADOPTING A MANAGED APPROACH TO WEB SECURITY AND REGULATORY COMPLIANCE

Transcription

1 Getting Ahead of the Compliance Curve ADOPTING A MANAGED APPROACH TO WEB SECURITY AND REGULATORY COMPLIANCE

2 Getting Ahead of the Compliance Curve Introduction: You Can t Get Ahead if You re Busy Catching Up Compliance is a fast-moving target, and it s getting harder to keep up. In a survey by IT Policy Compliance Group, a consortium dedicated to helping IT security professionals meet policy and compliance goals, 70 percent of all respondents reported being subject to multiple regulatory compliance mandates, as well as contractual obligations and industry standards. 1 Meanwhile, IT budgets are getting leaner as organizations strive to increase cost efficiency in tough economic times, and the emergence of cloud-based services has increased the complexity of compliance management. Given these challenges and tight deadlines, many organizations are addressing compliance requirements in silos using a checklist approach. Unfortunately, this tactical, reactive approach can lead to higher compliance costs, more audit deficiencies, greater business downtime, and increased risk of data loss. To avoid this trap and get ahead of the compliance curve, organizations need solutions that can help them take a more proactive approach and plan for instead of reacting to the rapidly changing compliance environment. Compliance and the 2.0 Effect Many organizations today still wrestle with the myriad of existing compliance regulations that have emerged over the last years. The Sarbanes-Oxley Act (SOX), the Gramm-Leach- Bliley Act (GLBA), the Healthcare Information Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) standard are only a few of the seemingly infinite number of regulations that organizations must address. And now, a new wave of regulations are beginning to take effect, many of which significantly augment or alter existing regulations, as illustrated in Table 1. The result is a growing realization that organizations won t be able to keep pace with change by using a checklist approach, or by managing security and compliance in silos. Table 1. Examples of 2.0 regulations and their impact on IT security and compliance Regulation Date Requirements/Impact BASEL II 2009 Requires that banks use encryption technology to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. FISMA Requires continuous monitoring of information systems as part of every U.S. federal agency s information security program; agency CIOs must implement software to continuously monitor the security of their networks by the end of the 2012 government fiscal calendar. PCI DSS New standard for payment card security programs; became available at the beginning of 2011, and organizations must stop using the previous version before the beginning of HITECH Act 2011 Requires healthcare providers, insurers, clearinghouses and business associates to achieve meaningful use of electronic health records technology by the end of In the event of a data breach, organizations must notify all affected individuals within 60 days, unless data is undecipherable (i.e., protected with strong encryption) Symantec: Financial Information Security and IT Risk Management services_10_2008_ en-us.pdf

3 Regulatory Fragmentation: When Cybersecurity Laws Go Viral Those who remember when SB1386 first came into effect in 2003 know all too well how the law went viral as other states took notice and quickly passed their own data breach notification laws. Today, nearly every state in the nation has a data breach notification law similar to California SB1386. For example, Massachusetts has passed preventative legislation requiring companies or persons who store or use personal information to develop a written, regularly audited plan to protect that data 2, further complicating compliance requirements for organizations that operate across state lines. The European Union s Directive on the Protection of Personal Information (EU Directive 1995/46/EC) 3 is another example of how legislation can spread virally. In effect, this directive establishes a common data protection and privacy baseline for each EU member state, providing a framework from which all EU member states must derive their own internal data protection and privacy laws. To comply with these laws, organizations must take appropriate technical and organizational measures against unauthorized and unlawful processing, loss, or destruction of personal data. These data protection and privacy laws also make it unlawful to transfer personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Several nations around the world have passed data privacy and protection legislation to facilitate access to European markets. Many of these laws closely follow the EU Directive 1995/46/EC framework, making it a de facto international standard for the protection of personal information. In almost every case, these laws require the use of technical controls such as encryption to protect personal information from theft, loss and exposure. Table 2. Examples of Data Privacy and Protection Laws Around the World Country Legislation Year Argentina Law for the Protection of Personal Data 2000 Chile Law for the Protection of Private Life 1999 Hong Kong Personal Data Privacy Ordinance Japan Japan Personal Information Protection Act 2003 Taiwan Computer-Processed Personal Data Protection Law 1995 Singapore (Proposed) baseline for data protection South Africa South Korea India Electronic Communications and 2002 Transactions Act 6 Act on Promotion of Information and Communication Network Utilization and Information Protection 7 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules Commonwealth of Massachusetts: 201 CMR Compliance Checklist. December European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. November LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML 4. G&A Management Consultants Limited: Privacy of Personal Data in Hong Kong ZDNet Asia: S pore sets data protection law for February 16, Parliament of the Republic of South Africa: Electronic Communications and Transactions Act, July 31, United Nations Public Administration Network: Act on Promotion of Information and Communication Network Utilization and Information Protection. December 31, BNA International Global Law Watch: Analysis: Data Privacy in India. May 23,

4 Compliance + Cloud Computing = Complexity 9 Cloud computing technology is a top priority for many CIOs 10. Organizations are accelerating their uptake of cloud-based services, and Gartner Research has estimated that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years 11. At the same time, an IDC survey of IT executives reveals that security is the #1 biggest challenge facing IT cloud services 12. Gartner Research has identified seven specific areas of security risk 13 associated with enterprise cloud computing. Table 3 lists some of the compliance-related issues that organizations should bear in mind when evaluating a cloud-based service. Table 3. 7 Areas of Enterprise Cloud Computing Security Risk As Identified by Gartner Issue Challenge Accountability Organizations are responsible for the security and privacy of protected electronic data, even when a third-party cloud service provider hosts that data. Access Control Organizations must be able to confirm that their cloud service providers can maintain adequate hiring, oversight, and access controls to enforce administrative delegation. Data Provenance Many SaaS providers leverage cloud-based storage solutions from third parties (Amazon, Rackspace, etc.), and some providers utilize data center capacity outside the United States. As such, organizations should ask service providers where their data centers are located and if they can commit to specific privacy requirements. Multi-Tenancy Many public clouds are shared environments, and it is critical to make sure hosting providers can guarantee complete data segregation and network isolation for secure multi-tenancy. Data Recovery Cloud computing outages can and do happen. Organizations must make sure their service provider has the ability to rapidly restore all data and services in the event of a disaster. Monitoring and Reporting Monitoring and logging public cloud activity is complex, and organizations should make sure upfront that their cloud service providers can monitor both physical and virtual network traffic, and that they can fully support investigations and compliance audits. Business Continuity Technology businesses especially startups come and go. Organizations should ask hard questions about the financial stability of their providers and the portability of their data to avoid lockin or potential loss if the provider s business fails or is acquired. 9. Commonwealth of Massachusetts: 201 CMR Compliance Checklist. December Gartner Research: EXP Worldwide Survey. January 19, Gartner Research: Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in June 22, IDC Research: New IDC IT Cloud Services Survey: Top Benefits and Challenges. December 15, Gartner Research: Assessing the Security Risks of Cloud Computing. June 3, ( 4

5 Additionally, when moving from using just one cloud-based service to using several from different providers, enterprises must manage all these issues across multiple operators, each with different infrastructures, operational policies, and security skills. This complexity of trust requirements, when coupled with the growing complexity of compliance requirements, drives the need for a ubiquitous and reliable method to secure data as it moves to, from and across the cloud. The Need for a Managed Approach to Security and Compliance SSL and code signing certificates enable secure online transactions and data through authentication, encryption and verification. The ever-expanding and changing compliance landscape has fueled a dramatic increase for encryption and authentication demands. As a result, the administration and management of certificates has become a challenge as installation increases over time and is distributed at different locations across the company. Changes in IT staffing can also add complexity in terms of controlling and maintaining visibility over technical contacts and other individuals who may have access to certificates. In the meantime, many IT operations are faced with the need to operate with a reduced budget while complying with internal and external security policies. Table 4 illustrates some of the specific pain points facing IT organizations that manage large volumes of SSL and code signing certificates. Table 4. SSL and Code Signing Certificate Management Challenges Issue Challenge Visibility and Control Large segregated networks and variance in network operations make it difficult for administrators to determine the status of certificates across the entire enterprise and to manage the lifecycle of digital certificates. Many vendors do not provide a central data repository to track and manage certificates. Efforts to manually track and monitor certificates through spreadsheets or SharePoint do not scale, and introduce discrepancies and overhead. Business Continuity Unplanned certificate expiration can lead to business disruptions and increase service calls. Organizations may experience a major outage of their online systems that could potentially lead to huge revenue lost. Prolonged certificate expirations can also result in penalties from non-compliance and reputation damage. IT Operations Managing SSL and code signing certificates across the organization is laborious and time consuming when done manually. Many IT administrators support a diverse ecosystem of applications and operating systems, each with unique methods for life cycle management. Keeping track of every certificate s location and expiry date can be challenging, especially for organizations that use certificates from multiple vendors. 5

6 Under these circumstances, many IT operations are looking for the means to simplify their processes, increase operational efficiency, and minimize risk. How to Get Ahead of the Compliance Curve To get ahead of the compliance curve and to take a more proactive approach to Web security, organizations need an enterprise-class solution that will enable them to manage all SSL and code signing certificates from a single, secure point of control. To help ensure that you find the best solution to fit your needs, the sections below outline some key features to look for in any solution you consider. AUTOMATED SCANNING While it is possible to audit networks manually, this approach would simply take too long and require too many staff resources to be feasible in a large, complex enterprise environment. Be sure to select a service that enables your team to conduct automatic scans that will detect all certificates from its providers. AUTOMATED PROCESSES Manually issuing, renewing and installing SSL and code signing certificates is not feasible for large enterprises. You need a solution that can improve productivity by automating key administrative processes, such as certificate request approvals, and route certificate requests to the right administrator to save time and effort. ALERTS, REPORTS AND AUDIT TRAILS An expired certificate puts data at risk, so it is important to find a service that will send alerts before a certificate needs renewal. You need a solution that will help you proactively manage risk with administrative activities. FLEXIBILITY AND SCALABILITY Enterprise networks are dynamic, ever-changing environments, which means a certificate discovery service should have configurable parameters, such as the duration of the scan, which IP addresses to scan, etc. In addition, the service must be scalable to allow for future growth. ADMINISTRATIVE DELEGATION In a large enterprise, it is absolutely imperative to delegate administrative duties and access privileges. If your account manages multiple organizations and organizational units, you should be able to select the appropriate roles for the different administrators. Conclusion SSL and code signing certificates are essential to maintaining security and compliance efforts. However, the growing complexity of the compliance landscape has given rise to a proliferation of certificates, which in turn has created the need for services that make it easy to discover and manage certificates across the enterprise. Ideal for medium to large companies with a variety security and compliance requirements, Thawte Certificate Center Enterprise Account allows enterprises to automate discovery tasks and set up alerts to notify administrators when certificates expire or require maintenance. To learn more about how Thawte Certificate Center Enterprise Account can help you simplify security and take a more holistic approach to compliance, please visit: index.html To learn more, contact our sales advisors: Via phone US toll-free: option 4 (for enterprise queries) UK: South Africa: Germany: France: Enterprisesales@thawte.com Visit our website at Protect your business and translate trust to your customers with highassurance digital certificates from Thawte, the world s first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide Thawte, Inc. All rights reserved. Thawte, the thawte logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Thawte, Inc. and its subsidiaries and affiliates in the United States and in foreign countries. All other trademarks are property of their respective owners.