Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/13/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Ditch the Big Ass Spreadsheet with Continuous Security Compliance

Replacing outdated spreadsheets with automated, continuous monitoring reduces workload and increases reliability, making compliance easy.

Find the biggest monitor on the market, display the specifications for any compliance standard on it, and then try to determine whether or not your cloud infrastructure is actually compliant. The NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells. While the document certainly contains all the necessary data, in that format it is far from an accurate depiction of what’s going on with your IT environment. Auditors and compliance managers need a real-time format that gives them insight into the state of compliance, and an automated way to fix issues. To do that effectively, it’s time to ditch that big ass spreadsheet.

The traditional tools used to address security and compliance issues no longer work for cloud environments. The behaviors are outdated as well, as auditing simply can't abide by checks that occur in regular intervals. To effectively address compliance and security risks, those checks now need to be done continuously. The very reasons that you choose the cloud are the very reasons you’re running into challenges. The cloud is dynamic, agile, and responsive. It is moving and adapting, and so too are those who wish to do you harm.

While cloud service providers (CSPs) do their part to adopt standards, it is up to you to measure and demonstrate compliance in your systems. Like many other organizations, you may struggle to do so in this new cloud paradigm. And here's the kicker: the critical thing about compliance is that you have to be compliant ...all the time. Once a condition is not being met, your organization is vulnerable. Now, the NIST Cybersecurity Framework alone has almost 400 specific requirements, all of which must be meet at all times. The task of ensuring that type of compliance can quickly become overwhelming if done manually, even with a fully staffed team of experts.

It’s surprising that, given the magnitude of the task, many organizations manage their compliance function through spreadsheets. Yes, massive spreadsheets remain open on desktops and one-by-one requirements are assessed, and potential risks are identified.When needed, remediation steps go into play. It's a continuous loop of attention and hope, and a bit of faith that nothing will be missed in the identification or subsequent remediation of violations. It's hard to know if that’s a result of perverse tradition or laziness, but time and again it’s proven to be a slow solution to a problem that is immersed in speed. Thankfully, there are tools that provide a much faster, more elegant way of handling compliance.

Automating compliance delivers a magnitude of scale to your compliance efforts, but it provides other advantages as well. For instance, a tool that is continuously monitoring your cloud environment will deliver a lot of usable data about other aspects of the state of your cloud security. This information can help you not just remediate as needed, but apply long-term fixes to ongoing problems. You'll also have a running log of data points that can be used for audits and infrastructure performance reviews.

Getting rid of the spreadsheet means that your organization must commit to using a solution that gives insight across all of your cloud environment. That tool will become your de facto guide for how you identify compliance risks before they become a problem, and will allow you to apply active management of policies as a way to mitigate any breaches that occur.

Too often we rely on outdated systems out of habit or the perception of ease. We're even willing to accept a little pain to maintain the status quo. But automated, continuous compliance monitoring makes life easier because it reduces workload and increases reliability. Financially, and brand-wise, this is a boon to forward-thinking organizations that are serious about maintaining a secure and compliant IT infrastructure in the cloud.

So, we rally the call to rid yourself of that big ass spreadsheet that acts as Sisyphean reminder of your never-ending task of compliance monitoring. Tools and expectations have evolved to the point where it is not tenable for you to manually perform compliance checks any longer -- nor should you have to.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.