Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/13/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Ditch the Big Ass Spreadsheet with Continuous Security Compliance

Replacing outdated spreadsheets with automated, continuous monitoring reduces workload and increases reliability, making compliance easy.

Find the biggest monitor on the market, display the specifications for any compliance standard on it, and then try to determine whether or not your cloud infrastructure is actually compliant. The NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells. While the document certainly contains all the necessary data, in that format it is far from an accurate depiction of what’s going on with your IT environment. Auditors and compliance managers need a real-time format that gives them insight into the state of compliance, and an automated way to fix issues. To do that effectively, it’s time to ditch that big ass spreadsheet.

The traditional tools used to address security and compliance issues no longer work for cloud environments. The behaviors are outdated as well, as auditing simply can't abide by checks that occur in regular intervals. To effectively address compliance and security risks, those checks now need to be done continuously. The very reasons that you choose the cloud are the very reasons you’re running into challenges. The cloud is dynamic, agile, and responsive. It is moving and adapting, and so too are those who wish to do you harm.

While cloud service providers (CSPs) do their part to adopt standards, it is up to you to measure and demonstrate compliance in your systems. Like many other organizations, you may struggle to do so in this new cloud paradigm. And here's the kicker: the critical thing about compliance is that you have to be compliant ...all the time. Once a condition is not being met, your organization is vulnerable. Now, the NIST Cybersecurity Framework alone has almost 400 specific requirements, all of which must be meet at all times. The task of ensuring that type of compliance can quickly become overwhelming if done manually, even with a fully staffed team of experts.

It’s surprising that, given the magnitude of the task, many organizations manage their compliance function through spreadsheets. Yes, massive spreadsheets remain open on desktops and one-by-one requirements are assessed, and potential risks are identified.When needed, remediation steps go into play. It's a continuous loop of attention and hope, and a bit of faith that nothing will be missed in the identification or subsequent remediation of violations. It's hard to know if that’s a result of perverse tradition or laziness, but time and again it’s proven to be a slow solution to a problem that is immersed in speed. Thankfully, there are tools that provide a much faster, more elegant way of handling compliance.

Automating compliance delivers a magnitude of scale to your compliance efforts, but it provides other advantages as well. For instance, a tool that is continuously monitoring your cloud environment will deliver a lot of usable data about other aspects of the state of your cloud security. This information can help you not just remediate as needed, but apply long-term fixes to ongoing problems. You'll also have a running log of data points that can be used for audits and infrastructure performance reviews.

Getting rid of the spreadsheet means that your organization must commit to using a solution that gives insight across all of your cloud environment. That tool will become your de facto guide for how you identify compliance risks before they become a problem, and will allow you to apply active management of policies as a way to mitigate any breaches that occur.

Too often we rely on outdated systems out of habit or the perception of ease. We're even willing to accept a little pain to maintain the status quo. But automated, continuous compliance monitoring makes life easier because it reduces workload and increases reliability. Financially, and brand-wise, this is a boon to forward-thinking organizations that are serious about maintaining a secure and compliant IT infrastructure in the cloud.

So, we rally the call to rid yourself of that big ass spreadsheet that acts as Sisyphean reminder of your never-ending task of compliance monitoring. Tools and expectations have evolved to the point where it is not tenable for you to manually perform compliance checks any longer -- nor should you have to.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.