Dark Reading is part of the Informa Tech Division of Informa PLC


Partner Perspectives (sponsored)
6/13/2017, 11:00 AM
Tim Prendergast

Ditch the Big Ass Spreadsheet with Continuous Security Compliance

Replacing outdated spreadsheets with automated, continuous monitoring reduces workload and increases reliability, making compliance easy.

Find the biggest monitor on the market, display the requirements of any compliance standard on it, and then try to determine whether your cloud infrastructure is actually compliant. The NIST SP 800-53 control catalog alone, laid out as a spreadsheet, weighs in at more than 2,000 cells. The document certainly contains all the necessary data, but in that format it is far from an accurate depiction of what's going on in your IT environment. Auditors and compliance managers need a real-time view of the state of compliance and an automated way to fix issues. To get there, it's time to ditch that big ass spreadsheet.

The traditional tools used to address security and compliance issues no longer work for cloud environments, and neither do the traditional habits: an audit can no longer rely on point-in-time checks run at regular intervals, because the state it records is stale the moment it is written down. To address compliance and security risks effectively, those checks now have to run continuously. The very reasons you chose the cloud are the reasons you are running into these challenges. The cloud is dynamic, agile, and responsive. It is constantly moving and adapting, and so are those who wish to do you harm.

While cloud service providers (CSPs) do their part to adopt standards, it is up to you to measure and demonstrate compliance in your own systems; under the shared-responsibility model the configuration of your accounts, networks, identities, and data remains yours. Like many other organizations, you may struggle to do so in this new cloud paradigm. And here's the kicker: you have to be compliant all the time. The moment a control is no longer being met, your organization is exposed, whether or not anyone has noticed yet. The NIST Cybersecurity Framework alone breaks down into roughly 100 outcome subcategories, each mapped to a long list of specific controls, all of which must be met at all times. Ensuring that kind of continuous compliance quickly becomes overwhelming if done manually, even with a fully staffed team of experts.

It is surprising that, given the magnitude of the task, many organizations still manage their compliance function through spreadsheets. Yes, massive spreadsheets remain open on desktops; requirements are assessed one by one and potential risks are identified. When needed, remediation steps go into play. It's a continuous loop of attention and hope, with a bit of faith that nothing will be missed in identifying or remediating violations. Whether that is the result of stubborn tradition or simple inertia is hard to say, but time and again it has proven to be a slow solution to a problem defined by speed: a spreadsheet records what someone observed on the day it was filled in, not what the environment looks like now. Thankfully, there are tools that provide a much faster, more elegant way of handling compliance.

Automating compliance brings scale to your compliance efforts, but it provides other advantages as well. A tool that continuously monitors your cloud environment also yields a lot of usable data about the wider state of your cloud security: which misconfigurations recur, where they appear, and how long they persist before they are fixed. That information helps you not only remediate as needed but also apply long-term fixes to recurring problems. You also end up with a running, timestamped log of data points that serves as audit evidence and feeds infrastructure performance reviews.
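What replacing the spreadsheet with checks-as-code looks like in practice, as an added example that is not code from the original article, from Evident.io, or from any CSP: each machine-checkable control becomes a rule function labelled with the NIST SP 800-53 control it maps to (the control identifiers are real, the mapping chosen here is illustrative), every rule runs against each inventory snapshot, and every run produces a timestamped evidence record. The inventory snapshots and the drift timeline are constructed sample data, and the `point_in_time` and `monitor` functions are hypothetical names introduced for this example. It shows why an audit-day check passes while the continuous log records the window in which the environment was out of compliance.

```python
"""Continuous compliance checks as code (added example, constructed data)."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-53 control the rule is mapped to (label only)
    resource: str
    detail: str


# A rule is one machine-checkable control: it takes an inventory snapshot and
# returns the resources violating it. Each rule replaces one spreadsheet row.
Rule = Callable[[dict], list[Finding]]


def sc28_encryption_at_rest(inv: dict) -> list[Finding]:
    """SC-28: storage buckets must have default encryption enabled."""
    return [Finding("SC-28", b["name"], "default encryption disabled")
            for b in inv["buckets"] if not b["encrypted"]]


def ac3_no_public_buckets(inv: dict) -> list[Finding]:
    """AC-3: no bucket may grant access to anonymous principals."""
    return [Finding("AC-3", b["name"], "bucket policy allows public access")
            for b in inv["buckets"] if b["public"]]


def sc7_no_admin_ports_from_anywhere(inv: dict) -> list[Finding]:
    """SC-7: SSH and RDP must not be reachable from 0.0.0.0/0."""
    return [Finding("SC-7", sg["id"], f"port {r['port']} open to {r['cidr']}")
            for sg in inv["security_groups"] for r in sg["ingress"]
            if r["cidr"] == "0.0.0.0/0" and r["port"] in (22, 3389)]


def ia2_mfa_for_console_users(inv: dict) -> list[Finding]:
    """IA-2(1): every user with console access must have MFA enabled."""
    return [Finding("IA-2(1)", u["name"], "console login without MFA")
            for u in inv["users"] if u["console"] and not u["mfa"]]


RULES: list[Rule] = [sc28_encryption_at_rest, ac3_no_public_buckets,
                     sc7_no_admin_ports_from_anywhere, ia2_mfa_for_console_users]


def evaluate(inv: dict, observed_at: datetime) -> dict:
    """Run every rule against one snapshot; return a timestamped evidence record."""
    findings = [f for rule in RULES for f in rule(inv)]
    return {
        "observed_at": observed_at.isoformat(),
        "controls_checked": len(RULES),
        "findings": [asdict(f) for f in findings],
        "compliant": not findings,
    }


def monitor(snapshots: list[tuple[datetime, dict]]) -> list[dict]:
    """Continuous mode: evaluate every observed snapshot and keep the whole log."""
    return [evaluate(inv, ts) for ts, inv in snapshots]


def point_in_time(snapshots: list[tuple[datetime, dict]]) -> dict:
    """Spreadsheet mode: look only at the state present when the audit runs."""
    ts, inv = snapshots[-1]
    return evaluate(inv, ts)


def drift_windows(log: list[dict]) -> list[str]:
    """Timestamps at which the environment was out of compliance."""
    return [rec["observed_at"] for rec in log if not rec["compliant"]]


def _snapshot(open_ssh: bool, bucket_encrypted: bool) -> dict:
    """Constructed sample inventory; not data from any real account."""
    ingress = [{"port": 443, "cidr": "0.0.0.0/0"}]
    if open_ssh:
        ingress.append({"port": 22, "cidr": "0.0.0.0/0"})
    return {
        "buckets": [{"name": "logs-bucket", "encrypted": bucket_encrypted, "public": False}],
        "security_groups": [{"id": "sg-web", "ingress": ingress}],
        "users": [{"name": "alice", "console": True, "mfa": True}],
    }


# Constructed timeline: compliant at 00:00, drift at 12:00 (SSH opened to the
# world, bucket encryption dropped), fixed again by 14:00.
T0 = datetime(2017, 6, 1, tzinfo=timezone.utc)
SNAPSHOTS = [
    (T0, _snapshot(open_ssh=False, bucket_encrypted=True)),
    (T0 + timedelta(hours=12), _snapshot(open_ssh=True, bucket_encrypted=False)),
    (T0 + timedelta(hours=14), _snapshot(open_ssh=False, bucket_encrypted=True)),
]

if __name__ == "__main__":
    print("audit-day check compliant:", point_in_time(SNAPSHOTS)["compliant"])
    for rec in monitor(SNAPSHOTS):
        for f in rec["findings"]:
            print(rec["observed_at"], f["control"], f["resource"], f["detail"])
```

In production the snapshots come from the provider's inventory APIs rather than a constructed list, and the evidence records are written to append-only storage so an auditor can replay them. The point of the structure is that the spreadsheet's rows end up as rule functions that can run on every change event, and the audit-day result (compliant) and the continuous log (two findings at 12:00) are computed from the same data.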

Getting rid of the spreadsheet means your organization must commit to a solution that gives insight across your entire cloud environment, every account and region included. That tool becomes your de facto guide for identifying compliance risks before they become problems, and for actively managing policies so that violations are detected and corrected as they occur rather than discovered at the next audit.

Too often we rely on outdated systems out of habit or the perception of ease. We're even willing to accept a little pain to maintain the status quo. But automated, continuous compliance monitoring makes life easier because it reduces workload and increases reliability. Financially, and brand-wise, this is a boon to forward-thinking organizations that are serious about maintaining a secure and compliant IT infrastructure in the cloud.

So we rally the call: rid yourself of that big ass spreadsheet, the Sisyphean reminder of your never-ending task of compliance monitoring. Tools and expectations have evolved to the point where it is no longer tenable to perform compliance checks manually, nor should you have to.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...