Fear, boredom and the pursuit of compliance
When it comes right down to it, we try to comply with regulations and policies because we are afraid of the penalties. Penalties such as corporate fines and jail time may be reserved for the executive club, but everyone is affected when the U.S. Federal Trade Commission starts directly overseeing your security audits and risk assessment programs for 20 years. Just ask the IT folks at TJX Cos Inc. Then there are the hits to the top line as customers get shy about using their credit cards with you and the press has fun dragging you through the mud. Not to mention your sneaking suspicion that all the checked boxes on the regulatory forms are not really making you more secure. With all of that, there is a lot of fear associated with compliance.
On the other hand, compliance is difficult because it requires consistency, diligence, and close attention to detail, three things that are extremely tedious and boring. Most human beings simply do not behave that way for long periods of time. It is more compelling for us to react to an event (such as a crash diet to fit into a wedding dress) than it is for us to eat healthy and exercise every day. The situation is also complicated by the fact that enterprises do not like the price tag of having highly skilled technologists manually collect data and run compliance reports. Yes, it is insurance against bad things, but who really likes paying for it? So what happens is that IT managers rarely have the time or resources to manually trawl through logs looking for compliance issues on a daily basis, in spite of the fact that doing so is a basic good practice.
What’s the result? People find creative ways to avoid having to comply or avoid the axe when it falls.
Yet auditing and compliance are not the enemy. They are mechanisms to make sure that you know what you think you know. When done consistently, with minute-by-minute diligence, IT's control over the whole environment improves. So a better way would be to let technology do the basic work for us. Computing is great at tedium and terrible at creative thinking. The trick is getting technology with the right combination of attributes (notice I didn't say features):
- adaptable to different data collection situations
- adaptable to different data analysis situations
Auditing and compliance work best when they are non-intrusive. Well-meaning people can unintentionally do terrible things to their systems, such as making a configuration change to improve network performance that leaves a security hole wide enough to drive a truck through. Unscrupulous people behave differently when they know they are being watched. The combination of these can be terrifying; just ask Hannaford. So it is a win-win-win situation when the auditing solution is non-intrusive enough to collect data, conduct routine analysis and report results without additional IT effort.
Pervasiveness of a compliance solution is growing in importance because, quite simply, there are no more disconnected systems. Consider how auditors try to determine if an IT system is relevant to SOX. They ask if the system is directly related to the timely production of financial reports, or if the application is characterized by high-value and/or high-volume transactions with straight-through processing, and whether the application is shared by many business units across the enterprise.
These questions are almost nonsensical from a technical perspective, particularly as economic and business reality has forced the continued development of modular, distributed computing environments that can and will change at increasingly rapid rates. With loosely coupled architectures such as SOA, a single ordering application is now a composite of multiple services developed by different groups in different business units. These services will also be reused in other business processes. New service components can be added at any time. Today, composite applications typically have only one or two connections; however, the benefits of SOA are so compelling that over time the number of connections per application will explode. But wait, there's more. Virtualization and automated provisioning mean that new application servers, storage devices, or networking equipment can be deployed or reallocated within minutes. The entire datacenter could be reconfigured in six months. Well, maybe that is a little extreme, but you get my point.
In this situation the concept of auditing only the servers that support the ordering application makes little sense. Instead, there needs to be an assumption that every system will interact with others and that those interactions will change over time. What is important is differentiating between good and bad, or authorized and unauthorized, interactions even as the environment is constantly evolving. The last thing you need is to have a meeting where you are asked why the ordering application is transacting with the employee database every two minutes and your only response is: "but that's not how that app is supposed to work."
And yet the raw data needed to make those differentiations is available. Traces of new transaction paths, new service connections, configuration changes, resource reallocations and so on are typically logged by the infrastructure itself. The question is whether the auditing solution is pervasive enough to capture the full picture of what is happening.
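To make the "ordering application talking to the employee database" point concrete, here is an added example of the kind of routine analysis that can run over those infrastructure logs. It is my illustration, not code from the original column or from any product. The log format, the service names and the allowlist of authorized interactions are all constructed for the example; a real deployment would parse whatever the infrastructure actually emits (application, proxy or flow logs) and take the policy from the architecture records.

```python
"""Flag service-to-service interactions that the policy does not authorize.

Added example, not from the original column. The log format, service names
and POLICY below are constructed for illustration only.
"""
import re
from collections import Counter

# Constructed sample log lines: timestamp, source service, destination
# service and the operation performed. The ordering app hitting employee-db
# every two minutes is the scenario the column describes.
SAMPLE_LOG = """\
2008-06-01T09:00:00Z src=ordering-app dst=inventory-db op=read
2008-06-01T09:00:05Z src=ordering-app dst=payment-svc op=call
2008-06-01T09:00:07Z src=ordering-app dst=employee-db op=read
2008-06-01T09:02:07Z src=ordering-app dst=employee-db op=read
2008-06-01T09:04:07Z src=ordering-app dst=employee-db op=read
2008-06-01T09:05:00Z src=reporting-app dst=inventory-db op=read
2008-06-01T09:06:00Z src=reporting-app dst=payment-svc op=call
this line is garbage and must be skipped
"""

# Hypothetical allowlist from the architecture record: {source: {destinations}}.
POLICY = {
    "ordering-app": {"inventory-db", "payment-svc"},
    "reporting-app": {"inventory-db"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+)$"
)


def parse_log(text):
    """Return a list of (ts, src, dst, op) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m["ts"], m["src"], m["dst"], m["op"]))
    return records


def audit_interactions(records, policy):
    """Count each (src, dst) pair and split the pairs into authorized
    and unauthorized according to the policy allowlist."""
    counts = Counter((src, dst) for _, src, dst, _ in records)
    authorized, unauthorized = {}, {}
    for (src, dst), n in counts.items():
        if dst in policy.get(src, set()):
            authorized[(src, dst)] = n
        else:
            unauthorized[(src, dst)] = n
    return authorized, unauthorized


def new_since_baseline(baseline_pairs, records):
    """Return the (src, dst) pairs in this window that were never seen in the
    previous window. Authorized-but-new pairs are worth a look too, because
    the environment changes faster than the policy does."""
    current = {(src, dst) for _, src, dst, _ in records}
    return current - set(baseline_pairs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    ok, bad = audit_interactions(recs, POLICY)
    # Baseline from a hypothetical earlier window.
    baseline = {("ordering-app", "inventory-db"), ("ordering-app", "payment-svc")}
    print("authorized  :", ok)
    print("unauthorized:", bad)
    print("new this window:", new_since_baseline(baseline, recs))
```

Run as a daily job, the unauthorized list is what goes into the meeting instead of "that's not how the app is supposed to work", and the new-since-baseline list is the cue to update the allowlist when a legitimately new service connection appears.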
Adaptability of the data collection process is also very important for handling the constant changes in how businesses use technology. For example, consider some of the short-lived analytical applications currently developed by financial analysts to meet the immediate needs of specific customer transactions. Often these applications are a unique combination of desktop productivity tools connected to a variety of corporate databases and applications. The applications also exist only as long as the customer requires them, typically a few weeks to a few months (hopefully we won't get to 24-hour application life-spans any time soon). These short-lived applications are a great competitive advantage, but present unique difficulties for auditors and risk managers. An enterprise has to prove that the application which completed specific transactions under audit, and the virtual computing environment in which it operated (both of which no longer exist), were compliant with regulatory and corporate risk management policies. In other words, prove that the application had integrity during its short life-span.
Today, what some companies are doing is making their IT folks do a manual inventory of these applications (from desktop to everything it touches) every day. Imagine how tedious that is – the burnout rate for those admins must be incredible. Why do it this way? Because their existing tools were not extensible enough to cover this new use case.
OK, we've covered technology change and business change, but we are not done yet, because the regulations and policies themselves change, and this is where adaptability to different data analysis situations comes in. Not only do auditors become more sophisticated in what they are asking for, but the minute you expand your company internationally you have to deal with a slew of new regulations and policies. Much of the time these new regulations are simply about analyzing the same raw data in a different way. But producing six slightly different reports based on the same data should not be a manual effort. You should be able to hit a "print reports" button and let the PDF-generating software take care of the rest.
Besides, even auditors are human. Surely they prefer the more creative and investigational aspects of their work over the tedium of generating multiple versions of the same quarterly compliance reports.
Jasmine Noel is founder and partner of Ptak, Noel & Associates. With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion. Send any comments, questions or rants to email@example.com