Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


10:00 AM
Ariel Zeitlin
Ariel Zeitlin
Connect Directly
E-Mail vvv

Narrow the Scope of Compliance

Many organizations are doing more than they need regarding compliance.

Compliance budgets are high on the agenda of every CISO and CIO. New regulations to comply with, new environments to audit, and new requirements to support are expensive line items. However, unintuitive as it may sound, many organizations are actually doing more than they need regarding compliance. Some call it overcompliance, and it is an emerging concern among many companies, calling for closer examination.

Compliance is hard. Companies working to comply are facing a wide range of requirements introduced frequently. To keep up, they are pushed to manage many tools, dynamic and changing infrastructure, and applications. This includes, among other responsibilities, staying on top of security testing, patching, user management, logging, and third-party vendor management. From a user perspective, these highly regulated environments are more restrictive and tend to be less comfortable to freely work in. So, what makes companies overspend on compliance?

For many companies, overcompliance doesn't happen overnight. Consider, for example, one of our customers, a financial institution. "When we first started our business, we made the strategic decision to scope our entire production environment," says the CIO. "With a small overhead at the time, it made sense to keep all the systems in scope." But fast forward 10 years and that production environment, which was already hosting many out-of-scope systems, now had more than 60% of its servers unnecessarily "burdened" with software licenses, authentication controls, and auditing hours required for compliance. He estimated this "overcompliance" cost the company hundreds of thousands of dollars annually.

The key to a successful audit is scope. One of the biggest mistakes we see companies make is to start applying compliance control without truly understanding what should be considered in scope. This often leads to "scope creep," one of the leading causes of audits spiraling out of control, and which may also result in significant delays and costly expenses. To avoid scope creep, customers need to separate their virtual environments (VLANs), but this is often a task that's so time-consuming that it's easier to just maintain the entire VLAN and apply regulation to all systems.

Take, for example, the European Union's privacy act, the General Data Protection Regulation, or its American counterpart, the California Consumer Privacy Act. A company that doesn't properly scope, whether to avoid the labor-intensive VLAN separation or for any other reason, may end up with large parts of its environment regulated with no real justification. As the company grows, more applications that have nothing to do with personally identifiable information are added to the environment, leading to excessive costs and burdens.

Organizations deciding to rescope their systems will face several challenges, including:

  • Infrastructure complexity: How to operate in flat networks with different VLANs required for scoping.
  • Lack of visibility: How to get visibility into the environment required to decouple the scoped from the out-of-scope systems.
  • Downtime: How to avoid often-inevitable downtime to business-critical applications when moving applications across different VLANs.

To tackle these challenges, here are a few strategies that I suggest.

  1. Make sure to scope well only what needs to be regulated. Right-scoping the environment reduces audit and compliance burden.
  2. Having a great visibility or data-mapping tool can be greatly beneficial. Seeing the boundaries of your scoped area will benefit both your organization and your auditor.
  3. Consider various segmentation technologies to separate the in-scope from the out-of-scope environments. Modern segmentation approaches can help do this without getting into great investments.
  4. Finally, constantly evaluate the scoped environment to avoid scope creep using proven visibility tools.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Ariel Zeitlin co-founded Guardicore after spending 11 years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/28/2020 | 12:09:13 AM
Thanks for sharing valuable info : 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/1/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to V3.15.70_4 devices fails to sanitize user input on the system configurations page. This allows an attacker to backdoor the device with HTML and browser-interpreted content (such as JavaScript or other client-side scripts) as the c...
PUBLISHED: 2020-10-01
In Istio 1.5.0 though 1.5.8 and Istio 1.6.0 through 1.6.7, when users specify an AuthorizationPolicy resource with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields, callers will never be denied access, bypassing the intended policy.
PUBLISHED: 2020-10-01
Unisys Stealth(core) before 4.0.132 stores Passwords in a Recoverable Format.
PUBLISHED: 2020-10-01
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy’s setCopy() header map API does not replace all existing occurences of a non-inline header.
PUBLISHED: 2020-10-01
Envoy master between 2d69e30 and 3b5acb2 may fail to parse request URL that requires host canonicalization.