Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

4/24/2020
10:00 AM
Ariel Zeitlin
Ariel Zeitlin
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Narrow the Scope of Compliance

Many organizations are doing more than they need regarding compliance.

Compliance budgets are high on the agenda of every CISO and CIO. New regulations to comply with, new environments to audit, and new requirements to support are expensive line items. However, unintuitive as it may sound, many organizations are actually doing more than they need regarding compliance. Some call it overcompliance, and it is an emerging concern among many companies, calling for closer examination.

Compliance is hard. Companies working to comply are facing a wide range of requirements introduced frequently. To keep up, they are pushed to manage many tools, dynamic and changing infrastructure, and applications. This includes, among other responsibilities, staying on top of security testing, patching, user management, logging, and third-party vendor management. From a user perspective, these highly regulated environments are more restrictive and tend to be less comfortable to freely work in. So, what makes companies overspend on compliance?

For many companies, overcompliance doesn't happen overnight. Consider, for example, one of our customers, a financial institution. "When we first started our business, we made the strategic decision to scope our entire production environment," says the CIO. "With a small overhead at the time, it made sense to keep all the systems in scope." But fast forward 10 years and that production environment, which was already hosting many out-of-scope systems, now had more than 60% of its servers unnecessarily "burdened" with software licenses, authentication controls, and auditing hours required for compliance. He estimated this "overcompliance" cost the company hundreds of thousands of dollars annually.

The key to a successful audit is scope. One of the biggest mistakes we see companies make is to start applying compliance control without truly understanding what should be considered in scope. This often leads to "scope creep," one of the leading causes of audits spiraling out of control, and which may also result in significant delays and costly expenses. To avoid scope creep, customers need to separate their virtual environments (VLANs), but this is often a task that's so time-consuming that it's easier to just maintain the entire VLAN and apply regulation to all systems.

Take, for example, the European Union's privacy act, the General Data Protection Regulation, or its American counterpart, the California Consumer Privacy Act. A company that doesn't properly scope, whether to avoid the labor-intensive VLAN separation or for any other reason, may end up with large parts of its environment regulated with no real justification. As the company grows, more applications that have nothing to do with personally identifiable information are added to the environment, leading to excessive costs and burdens.

Organizations deciding to rescope their systems will face several challenges, including:

  • Infrastructure complexity: How to operate in flat networks with different VLANs required for scoping.
  • Lack of visibility: How to get visibility into the environment required to decouple the scoped from the out-of-scope systems.
  • Downtime: How to avoid often-inevitable downtime to business-critical applications when moving applications across different VLANs.

To tackle these challenges, here are a few strategies that I suggest.

  1. Make sure to scope well only what needs to be regulated. Right-scoping the environment reduces audit and compliance burden.
  2. Having a great visibility or data-mapping tool can be greatly beneficial. Seeing the boundaries of your scoped area will benefit both your organization and your auditor.
  3. Consider various segmentation technologies to separate the in-scope from the out-of-scope environments. Modern segmentation approaches can help do this without getting into great investments.
  4. Finally, constantly evaluate the scoped environment to avoid scope creep using proven visibility tools.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Ariel Zeitlin co-founded Guardicore after spending 11 years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35128
PUBLISHED: 2021-01-19
Mautic before 3.2.4 is affected by stored XSS. An attacker with permission to manage companies, an application feature, could attack other users, including administrators. For example, by loading an externally crafted JavaScript file, an attacker could eventually perform actions as the target user. ...
CVE-2020-35129
PUBLISHED: 2021-01-19
Mautic before 3.2.4 is affected by stored XSS. An attacker with access to Social Monitoring, an application feature, could attack other users, including administrators. For example, an attacker could load an externally drafted JavaScript file that would allow them to eventually perform actions on th...
CVE-2020-23342
PUBLISHED: 2021-01-19
A CSRF vulnerability exists in Anchor CMS 0.12.7 anchor/views/users/edit.php that can change the Delete admin users.
CVE-2020-20950
PUBLISHED: 2021-01-19
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in Microchip Libraries for Applications 2018-11-26 All up to 2018-11-26. The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vulnerable li...
CVE-2020-23522
PUBLISHED: 2021-01-19
Pixelimity 1.0 has cross-site request forgery via the admin/setting.php data [Password] parameter.