1/21/2014
02:45 PM
Andy Daudelin
Commentary

HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security

New mandates around datacenter virtualization, enterprise apps, and BYOD will stretch IT security staffs and budgets to the max in 2014.

At the beginning of each year, security pundits (myself included) usually make predictions about which new cyberthreat or fancy attack vector will capture the attention and budget of IT organizations in the coming year. Emerging malware and threat signatures remain popular and safe areas for prediction, but the fact remains that decisions to invest in new security controls and protocols are largely driven by compliance audits and liability, not emerging threats.

Organizations of all sizes should be concerned with a staggering increase in audit and compliance demands in the coming year. Standards such as PCI, HIPAA, and SOX will continue to receive heightened awareness, while high-profile breaches will encourage corporate boards and internal audit committees to turn up their focus on security and conduct their own audits and compliance reviews. Not only will the volume of these demands stress the bandwidth of security staff already tasked with 24x7 network protection, but businesses will also be challenged to provide adequate security assurance for an increasingly complex IT infrastructure. Capturing log information and setting up analytics capabilities will become even more important for demonstrating compliance.

Let's take a look at the driving forces behind the approaching audit crisis: datacenter virtualization, enterprise applications in the cloud, and BYOD.

Datacenter virtualization
In addition to geographic redundancy for business continuity, virtualized datacenters and cloud services make it easier to scale capacity quickly and on demand. They also enable in-house teams to streamline operations, reduce costs, and focus on mission-critical tasks. Yet, with the move to virtualization, many organizations are outsourcing not only services and software but also infrastructure. This means the traditional defend-the-perimeter approach to security and compliance is no longer valid.

Until recently, compliance has been pretty straightforward, because IT knew exactly how data was secured within the perimeter. But in virtualized environments, many organizations are trying to leverage the same security policies, processes, and tools they used with traditional on-premises infrastructure. To meet impending compliance and audit requirements, businesses will need to adopt a designed-for-security approach. The goals are greater visibility into virtualized security controls, centralized security functions, and assurance from providers that access to corporate assets is properly managed.

Cloud-based enterprise applications
Businesses store sensitive financial, personal, and operational data in enterprise application databases. As a result, many organizations are moving to a private cloud infrastructure that takes advantage of the cloud's elasticity while maintaining control of corporate data behind a dedicated firewall.

This kind of infrastructure requires a different set of security and compliance considerations. For example, a core benefit of private cloud environments is that they break down departmental silos and increase accessibility across business units. But lax access management and inconsistent enforcement of role- and/or rule-based access can lead to unwanted security breaches. As a result, a growing number of compliance initiatives now mandate application controls and audit requirements focused on insider threats. This year, I expect business customers of applications and IT services (especially when the architecture is cloud-based) will ask providers to demonstrate appropriate security through compliance audits.

BYOD (and apps)
Bring-your-own-device security has been a major pain point for some time now, and for good reason: It increases the risk of data loss and vulnerability exploitation. At the same time, user security habits involving their personal devices haven't changed much. Even though security breaches are consistently a hot topic, few organizations are keeping pace with these escalating risks. Government regulators and industry standard bodies are starting to address this new reality with rules that give IT departments greater control over the content and configuration of these devices.

In 2014, businesses can also expect auditors to flag potential BYOD risks unless companies demonstrate the devices meet overall security policies -- an action that will likely drive even more internal audits. If, at minimum, BYOD audits require the same assurances for employee-owned devices as corporate-owned PCs and mobile devices, organizations will need to prepare a complete record of all devices connecting to their corporate network, the security posture of each device, and which corporate assets they can connect to on the network.

Additionally, regulated businesses will need to create mobile device policies about permitted apps, remote wiping, the preparation of private and corporate information, data encryption (static and in transit), automated security scans on each device, and the prohibited use of rooted or jailbroken devices. Container solutions will become more widely adopted to separate and protect corporate information on personal devices.

Bottom line: Whether you're facing new compliance mandates surrounding datacenter virtualization, enterprise apps, or BYOD, your business will need security policies that are easily understood, up to date, fully implemented, complied with, and consistently enforced. Are you up to the audit and compliance challenge? Let's talk about it in the comments.

Andy Daudelin leads the strategic direction for the AT&T security portfolio. He is responsible for scaling the company's security services across its global network and integrating them into AT&T's business solutions offerings.

Comments
Marilyn Cohodas,
User Rank: Strategist
1/24/2014 | 8:06:35 AM
Re: Hipaa Compliance Solutions -- BYOD
There is a lot of talk about the effectiveness (or lack of effectiveness) of user education, but you hit the nail on the head when you tie it tightly together with a policy like BYOD. I also really like your approach to training the user, training the trainer, and random checks to keep users vigilant. Thanks for sharing!
ecobb951,
User Rank: Apprentice
1/23/2014 | 6:10:42 PM
Re: Hipaa Compliance Solutions -- BYOD
The best way to deal with any pushback on a BYOD policy or any policy or security change is through education. It was not enough to change or implement a BYOD policy. Once that was done, we then had to deal with the compliance reality - just because you have a policy, doesn't mean people will follow it.

The key to a successful BYOD policy is education. We had to do a 15-minute training with all the staff to explain the policy, and why we need it, as well as explain the relationship with our own HIPAA compliance. Once the training was done, we saw a dramatic rise in compliance to the BYOD policy and this was measured by the dramatic increase in the use of the HIPAA compliant messaging app (TigerText) that was built into our policy.

Can't stress how important the training of staff is to the success of a BYOD policy, or any policy.
Also, if you are looking for a good 'train the trainer' program to help set-up a successful BYOD policy training program, I suggest contacting PrepMasters.com

Concerning enforcement, we have our trainers do training updates and testing to make sure the policy is known and used. She also does random checks in the workspace.
Marilyn Cohodas,
User Rank: Strategist
1/23/2014 | 11:54:50 AM
Re: Hipaa Compliance Solutions -- BYOD
Thanks for posting that example policy, ecobb951. I'm curious to know how your staff has reacted to the requirements. Are you getting any pushback? Is it hard to enforce?
ecobb951,
User Rank: Apprentice
1/22/2014 | 1:25:52 PM
Hipaa Compliance Solutions
Yes, HIPAA can be a pain in the ass, but it is critical to our medical system and keeping data secure. There are lots of network systems that are set-up for HIPAA, and can handle HIPAA, SOX and PCI changes without much of a problem.


The real issues, I think, are going to crop up in BYOD policy. There, the solutions are more difficult, and have a very wide range of possibilities.

A good example is that we have a BYOD policy that limits mobile data transfers to that of a HIPAA compliant text and file transfer app (TigerText) that we install on all our staff's phones. It is through this policy and app that we are able to keep our staff patient data communication secure and compliant, without making it a burden or very costly.

A good example of a BYOD policy is here:

http://www.hipaatext.com/wp-content/uploads/2013/03/BYOD-Policy-20130213.pdf
Andy Daudelin,
User Rank: Apprentice
1/22/2014 | 12:09:31 PM
Re: Does Compliance Help or Hurt
Drew - It's not an either/or situation. Today's businesses are challenged with adhering to regulatory compliance requirements and managing risk while meeting business objectives. As you mentioned, compliance requirements can help companies develop useable frameworks and policies. But you can pass an audit and still be vulnerable to an attack. Compliance will remain an unavoidable component to enterprise security, yet checking the boxes is not enough. Companies also need real-time monitoring and security operations for effective incident prevention, detection, and response.
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 11:19:56 AM
Re: SOX
Are you saying that you've got the best of both worlds, Paul? No worries about regulators bearing down but a good set of processes and controls in place? Curious to know if you think your risk management posture has deteriorated at all now that you're not subject to those rigorous regs? Tell us what's still working and what's falling short...
Rhallowell,
User Rank: Apprentice
1/22/2014 | 10:21:10 AM
HIPAA Compliant
First of all, great article. People in the enterprise industry need to know how at risk they are and what new guidelines they need to follow under the HIPAA act and you laid that out perfectly. 
Marilyn Cohodas,
User Rank: Strategist
1/22/2014 | 9:21:06 AM
Re: Does Compliance Help or Hurt
That's a great question, ACM, and I'm looking forward to hearing Andy's and other community members' responses. IMO compliance regulations are a necessary evil. True, they can be overly complex and time consuming, not to mention a hefty cost for an organization. I also do not doubt that there are ways to game the system in a check-box audit. But if used effectively -- as a best practices tool to manage risk and protect an organization's data privacy and security -- they will deter and detect serious abuse and damage.

If I'm missing something, please let me know in the comments!
Drew Conry-Murray,
User Rank: Ninja
1/22/2014 | 9:01:32 AM
Does Compliance Help or Hurt
Hi Andy,

Do you think compliance mandates, on the whole, are useful? On the one hand, compliance requirements can provide some security structure for companies, but on the other hand, organizations may focus more on checking boxes and satisfying auditors instead of managing risk. I'm curious to get your take on this.
Gary Scott,
User Rank: Apprentice
1/21/2014 | 11:29:47 PM
HIPAA & GLBA Data Destruction Compliance
We are an IT recycling and data destruction company.  With the new HIPAA and HITECH regulations, most of our new business comes from onsite hard drive destruction whereas before it was IT recycling.

Organizations and data centers are now seeing value in the NAID Certification and onsite data destruction.

 