HIPAA, SOX & PCI: The Coming Compliance Crisis In IT SecurityNew mandates around datacenter virtualization, enterprise apps, and BYOD will stretch IT security staffs and budgets to the max in 2014.
At the beginning of each year, security pundits (myself included) usually make predictions about which new cyberthreat or fancy attack vector will capture the attention and budget of IT organizations in the coming year. Emerging malware and threat signatures remain popular and safe areas for prediction, but the fact remains that decisions to invest in new security controls and protocols are largely driven by compliance audits and liability, not emerging threats.
Organizations of all sizes should be concerned with a staggering increase in audit and compliance demands in the coming year. Standards such as PCI, HIPAA, and SOX will continue to receive heightened awareness, while high-profile breaches will encourage corporate boards and internal audit committees to turn up their focus on security and conduct their own audits and compliance reviews. Not only will the volume of these demands stress the bandwidth of security staff already tasked with 24x7 network protection, but businesses will also be challenged to provide adequate security assurance for an increasingly complex IT infrastructure. Capturing log information and setting up analytics capabilities will become even more important for demonstrating compliance.
Let's take a look at the driving forces behind the approaching audit crisis: datacenter virtualization, enterprise applications in the cloud, and BYOD.
In addition to geographic redundancy for business continuity, virtualized datacenters and cloud services make it easier to scale capacity quickly and on demand. They also enable in-house teams to streamline operations, reduce costs, and focus on mission-critical tasks. Yet, with the move to virtualization, many organizations are outsourcing, not only services and software, but also infrastructure. This means the traditional defend-the-perimeter approach to security and compliance is no longer valid.
Until recently, compliance has been pretty straightforward, because IT knew exactly how data was secured within the perimeter. But in virtualized environments, many organizations are trying to leverage the same security policies, processes, and tools they used with traditional on-premises infrastructure. To meet impending compliance and audit requirements, businesses will need to adopt a designed-for-security approach. The goals are greater visibility into virtualized security controls, centralized security functions, and assurance from providers that access to corporate assets is properly managed.
Cloud-based enterprise applications
Businesses store sensitive financial, personal, and operational data in enterprise application databases. As a result, many organizations are moving to a private cloud infrastructure that takes advantage of the cloud's elasticity while maintaining control of corporate data behind a dedicated firewall.
This kind of infrastructure requires a different set of security and compliance considerations. For example, a core benefit of private cloud environments is that they break down departmental silos and increase accessibility across business units. But lax access management and inconsistent enforcement of role- and/or rule-based access can lead to unwanted security breaches. As a result, a growing number of compliance initiatives now mandate application controls and audit requirements focused on insider threats. This year, I expect business customers of applications and IT services (especially when the architecture is cloud-based) will ask providers to demonstrate appropriate security through compliance audits.
BYOD (and apps)
Bring-your-own-device security has been a major pain point for some time now, and for good reason: It increases the risk of data loss and vulnerability exploitation. At the same time, user security habits involving their personal devices haven't changed much. Even though security breaches are consistently a hot topic, few organizations are keeping pace with these escalating risks. Government regulators and industry standard bodies are starting to address this new reality with rules that give IT departments greater control over the content and configuration of these devices.
In 2014, businesses can also expect auditors to flag potential BYOD risks unless companies demonstrate the devices meet overall security policies -- an action that will likely drive even more internal audits. If, at minimum, BYOD audits require the same assurances for employee-owned devices as corporate-owned PCs and mobile devices, organizations will need to prepare a complete record of all devices connecting to their corporate network, the security posture of each device, and which corporate assets they can connect to on the network.
Additionally, regulated businesses will need to create mobile device policies about permitted apps, remote wiping, the preparation of private and corporate information, data encryption (static and in transit), automated security scans on each device, and the prohibited use of rooted or jailbroken devices. Container solutions will become more widely adopted to separate and protect corporate information on personal devices.
Bottom line: Whether you're facing new compliance mandates surrounding datacenter virtualization, enterprise apps, or BYOD, your businesses will need security policies that are easily understood, up to date, fully implemented, complied with, and consistently enforced. Are you up to the audit and compliance challenge? Let's talk about it in the comments.
Andy Daudelin leads the strategic direction for the AT&T security portfolio. He is responsible for scaling the company's security services across its global network and integrating them into AT&T's business solutions offerings.