From the Blogosphere
When Compliance Comes Down to Security | @CloudExpo #Cloud #Security
The top three regulations and how you can prepare
By: Fouad Khalil
Sep. 2, 2016 01:00 PM
In the business world, it's hard to throw a rock without hitting a compliance requirement. All must be obeyed, but some call for a high level of control and auditability. Governing bodies are exerting their authority like never before, increasing the number of auditors and handing out heavy fines - sometimes as much as $1 million.
This has become the new norm, and it isn't likely to turn around any time soon. It's important, then, to be aware of the primary threats that could undermine compliance efforts. The top three such issues are discussed below.
The Challenges of SOX
For the financial industry, SOX-404 and internal controls remain the most critical on the compliance horizon. Financial industry compliance challenges include Annual Financial and SSAE-16 audit requirements. However, audits of identity management (logical access) controls continue to result in exceptions. Companies struggle with adherence to privileged access controls - lack of visibility into what, when and how administrators access production environments.
SSH keys are a critical component for ensuring adequate and compliant controls for cardholder data environments. However, many organizations have no visibility into or assume compliance with their SSH key environments until an auditor identifies the issue or exception in their reports. SSH is one of those unseen workhorses in IT infrastructures, which is why it is also referred to as the "dark side" of PCI DSS compliance.
Financial institutions have expanded their business models beyond simply doing payroll, tax, investments, etc. They have taken on additional services to expand their markets and revenue potential. These vary from complete HR services to retirement services to medical payment services and much more. But changing industry business models change the threat landscape and expand the definition of sensitive information. Their protected data definitions now go beyond SSN and DOB to also include credit card data and medical data (protected health information). This increases the complexity of their compliance initiatives and the scrutiny of the audits they start to undergo.
Managing Privileged Access
Enterprises must grant third-party access to a variety of vendors and contractors, but managing this access often comes as an afterthought in the organization's overall security strategies and postures. The 2014 U.S. State of Cybercrime Survey revealed some dangerous trends on this topic:
Better security and privacy controls may be supported by third-party and vendor contract agreements, but these actions may not exclude organizations from accountability and responsibility as it relates to a security breach.
Regulatory bodies have kept track of the areas that healthcare providers have failed at most often in the past, and auditors are concentrating their firepower in those areas and are levying massive fines for noncompliance. Targeted areas include:
As enterprises branch out into new markets, they will need to exercise caution regarding whether those markets are covered by HIPAA and whether they are being compliant to avoid being hit with heavy fines.
Compliance via SSH Security
1. No more manual key management
2. Take control of your SSH key deployment
3. Take inventory to understand your environment
4. The ability to audit in real time
The Whole Compliance Package
Reader Feedback: Page 1 of 1
Latest Cloud Developer Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week