When it comes to designing a secure and compliant system for file transfers and data handling, system administrators face multiple competing standards and a large regulatory burden. These challenges require companies to put a lot of effort into defining how their data flows work. It's not just a question of moving files between servers: the modern enterprise requires a high degree of risk management, architectural detail and proactive security.
First Steps for Developing Compliant Security Systems
At the recent Ipswitch Innovate 2015 User Summit, cybersecurity expert David Lacey discussed some of the essential steps to coming up with the right systems for adequate security and full compliance with industry regulations. The first of these steps is to look at the business drivers behind each use case. The first business driver is compliance, which David described as “backward-looking”. Another is risk, which can be harder to get funded:
“You can actually find that there’s not enough funding available for mitigating actions,” David said.
Then there’s business opportunity, which can be harder still to fund. Unlike compliance projects, these projects require their initiators to build a case for their value, he said.
Choosing a Set of Standards for System Design
Companies also face the delicate task of picking a set of standards and applying them to the design of a secure and compliant system.
In his keynote, David contrasted standards and frameworks such as PCI DSS (Payment Card Industry Data Security Standard), ITIL (Information Technology Infrastructure Library) and the publications of NIST (National Institute of Standards and Technology) to illustrate the complexity today's lead system admins have to work through.
Take PCI DSS, which applies to the financial and retail sectors: like every such standard, it is composed of many moving parts, with changing requirements that make it hard to get a handle on full compliance. For example, the PCI standard now requires TLS in place of the older SSL protocol for protecting data in transit. The authors of the PCI standard originally intended a “level playing field” with fewer proprietary requirements, but that landscape is changing over time. As auditors become more stringent, there’s been a corresponding rise in restrictive requirements.
“It can be very expensive to change all of the protocols in your organization,” David said. “You need to close the networks right down and restrict and control all of your data flows very formally.”
Another major contrast is between ITIL, which David characterized as big and expensive, and the NIST standards from the U.S. government, which are available for free. David favors NIST, describing some of its content as useful “how-to stuff” and pointing out that, unlike the British-originated ITIL, the NIST standards are freely accessible.
Companies can use open-source alternatives to ITIL, but that still carries a large burden of learning the tools and working out how to implement them in the business.
Another standard is COBIT, which David says is so complex that even auditors struggle to understand it. Speaking of the “numerous dimensions and permutations” built into this auditor-designed set of standards, David described COBIT as time-consuming, but possibly valuable in its complexity.
“Even COBIT experts will struggle to apply this in its full form,” he said.
Then there's the ISO set of policy standards, in particular ISO 27001 and ISO 27002, built on 133 controls, 11 domains and 39 control objectives (the figures from the 2005 edition). David described these as highly complicated sets of standards composed of different “vintages” that make it extremely hard to address ISO in a comprehensive way.
“The standards are of variable quality and consistency,” David added.
In addition, David described the growth and expansion of modern compliance standards. Some, like Sarbanes-Oxley and privacy legislation, apply to almost any type of industry or business. Others are specific to their fields: the financial industry faces compliance with the Basel initiatives, retailers need to adapt to PCI DSS, and healthcare companies must comply with HIPAA regulations. On top of that, David said, there's local legislation that can also apply to projects.
Tips for Compliant and Secure Data Transfer
So how do companies build coherent and comprehensive systems?
David said it's essential to pick a standard. Trying to pick and choose pieces of different standards can get businesses in trouble. At the same time, trying to build one’s own inventory of standards is similarly dangerous.
Instead, David recommended starting with existing standards and creating your own risk assessment model. That is the starting point for a business architecture that addresses the needs of that particular company. He also suggested using technology to reduce delays and keep overhead low.
Another good strategy is to select products with compliance controls built in out of the box. This allows companies to change with the times, and it greatly decreases the complexity of procurement and implementation. It's a shortcut to determining how a business system will really protect data, and protect the company from the liabilities of data breaches. By implementing end-to-end encryption and cloud security best practices, companies can be confident that they are on solid ground.