Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


10:00 AM
Ariel Zeitlin
Ariel Zeitlin
Connect Directly
E-Mail vvv

Narrow the Scope of Compliance

Many organizations are doing more than they need regarding compliance.

Compliance budgets are high on the agenda of every CISO and CIO. New regulations to comply with, new environments to audit, and new requirements to support are expensive line items. However, unintuitive as it may sound, many organizations are actually doing more than they need regarding compliance. Some call it overcompliance, and it is an emerging concern among many companies, calling for closer examination.

Compliance is hard. Companies working to comply are facing a wide range of requirements introduced frequently. To keep up, they are pushed to manage many tools, dynamic and changing infrastructure, and applications. This includes, among other responsibilities, staying on top of security testing, patching, user management, logging, and third-party vendor management. From a user perspective, these highly regulated environments are more restrictive and tend to be less comfortable to freely work in. So, what makes companies overspend on compliance?

For many companies, overcompliance doesn't happen overnight. Consider, for example, one of our customers, a financial institution. "When we first started our business, we made the strategic decision to scope our entire production environment," says the CIO. "With a small overhead at the time, it made sense to keep all the systems in scope." But fast forward 10 years and that production environment, which was already hosting many out-of-scope systems, now had more than 60% of its servers unnecessarily "burdened" with software licenses, authentication controls, and auditing hours required for compliance. He estimated this "overcompliance" cost the company hundreds of thousands of dollars annually.

The key to a successful audit is scope. One of the biggest mistakes we see companies make is to start applying compliance control without truly understanding what should be considered in scope. This often leads to "scope creep," one of the leading causes of audits spiraling out of control, and which may also result in significant delays and costly expenses. To avoid scope creep, customers need to separate their virtual environments (VLANs), but this is often a task that's so time-consuming that it's easier to just maintain the entire VLAN and apply regulation to all systems.

Take, for example, the European Union's privacy act, the General Data Protection Regulation, or its American counterpart, the California Consumer Privacy Act. A company that doesn't properly scope, whether to avoid the labor-intensive VLAN separation or for any other reason, may end up with large parts of its environment regulated with no real justification. As the company grows, more applications that have nothing to do with personally identifiable information are added to the environment, leading to excessive costs and burdens.

Organizations deciding to rescope their systems will face several challenges, including:

  • Infrastructure complexity: How to operate in flat networks with different VLANs required for scoping.
  • Lack of visibility: How to get visibility into the environment required to decouple the scoped from the out-of-scope systems.
  • Downtime: How to avoid often-inevitable downtime to business-critical applications when moving applications across different VLANs.

To tackle these challenges, here are a few strategies that I suggest.

  1. Make sure to scope well only what needs to be regulated. Right-scoping the environment reduces audit and compliance burden.
  2. Having a great visibility or data-mapping tool can be greatly beneficial. Seeing the boundaries of your scoped area will benefit both your organization and your auditor.
  3. Consider various segmentation technologies to separate the in-scope from the out-of-scope environments. Modern segmentation approaches can help do this without getting into great investments.
  4. Finally, constantly evaluate the scoped environment to avoid scope creep using proven visibility tools.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Ariel Zeitlin co-founded Guardicore after spending 11 years as a cybersecurity engineer and researcher at the Israeli Defense Forces (IDF), where he worked closely with co-founder Pavel Gurvich. In his last position at the IDF, Ariel led a team of 30 engineers and researchers ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/28/2020 | 12:09:13 AM
Thanks for sharing valuable info : 

COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...