Security and Cloud

Security in the Cloud

When cloud computing first gained acceptance and began to gain momentum in business IT, security became a headwind holding it back from even greater acceptance. After all, the IT manager may have thought that moving his or her data from the premises to an off-site location was sure to be risky. Similarly, they wondered how their data could be secure when they do not own and manage the hardware it resides on, or even know where it is. While these arguments seem logical, logic does not equal security. From a security standpoint, how the data is protected matters far more than where it is located geographically. Many times the data center or cloud provider is better at laying the foundation for IT security than the IT leader of a business, but it is best when the two work as a team.

Beginning with Compliance

Many businesses today face the challenge of regulatory compliance in their IT services. Compliance is a complicated and tedious process that includes not only IT operations but virtually all aspects of the business. A regulated business needs to consider processes that affect the data center as well as other departments, such as employee and visitor access to data, audits and reporting, and disaster recovery. These are functions that data center providers treat as a primary part of their business. These practices are defined by certifications, the most common today being Service Organization Controls, or SOC. Today you will find most data centers using SOC 2. SOC 2 is a set of standards the data center complies with and reports on to satisfy its customers' requirements. SOC 2 audits verify that the data center is doing what it says it does regarding monitoring, alerts and physical security. When a business moves or migrates its IT infrastructure to a SOC 2 compliant data center, it is assured of having met its compliance goals without managing the difficult process itself.

Encryption: Cloud Security Best Practice

Most of the core practices of IT security as a whole hold true in a cloud and data center environment. No single practice is as important as encrypting the vital data of the business. Encryption is one of the most effective data protection tools because it converts the data into a secret code (ciphertext) that is useless without a key. The encryption software produces a key that must be used to unlock and read the data. Data can be encrypted at rest, when it resides in storage in the data center, or in transit between the data center and the data users. Encryption in transit is typically provided by an appliance that establishes a Virtual Private Network (VPN). Encryption is a vital technology for securing data wherever it resides, and encrypting data in transit adds a layer of security that keeps data protected as it moves on and off site.

The Future of Security in the Cloud

It is difficult to predict future trends in any industry, but it is especially difficult in technology. To consider how security in the cloud will be handled in the future, it is important to understand how the cloud itself will be evolving. In cloud technology, containers are the technology currently gaining acceptance and market share. Containers are similar to the virtual machines (VMs) of today's infrastructure but are more independent and create an environment for the use of microservices. Microservices is the concept that a single business application should consist of many smaller services instead of one monolithic application. This allows for greater overall uptime, as the entire application does not need to be taken down because a single service requires maintenance or an update. The same benefit can be realized for security. However, microservices can create a very complicated "mesh" of services that complicates all aspects of the infrastructure, including security. To alleviate these complications for security, open-source software packages have been developed. One helpful open-source package is Istio, which allows the infrastructure manager to secure, connect and monitor microservices. Istio can be implemented in a "sidecar" deployment, where it secures services from outside the service or container. Today we often think of security services, such as anti-malware, as another application running within the server or VM it is protecting. Software like Istio makes security more of an integral part of the application rather than something added to a completed solution. Open-source services like Istio are making complicated systems easier to manage. Containers and microservices are the strongest evolving trends for the cloud, so one should look to them for the future of security in the cloud.
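As an added illustration (not part of the original post, and not Istio's own documentation) of what "securing services from outside the container" looks like in practice, the two Istio resources below first require mutual TLS between all sidecars mesh-wide, then allow only the orders service to call the payments service. The namespace `shop`, the service names and the path `/charge` are made-up placeholders.

```yaml
# Constructed example. Mesh-wide PeerAuthentication: the Envoy sidecar in
# front of every workload rejects any connection that is not mutual TLS.
# The application code itself is unchanged; the policy is enforced outside it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # Istio's root namespace, so this applies mesh-wide
spec:
  mtls:
    mode: STRICT            # PERMISSIVE would still accept plaintext callers
---
# AuthorizationPolicy for the placeholder "payments" workload: only requests
# whose client certificate identifies the "orders" service account (the
# SPIFFE-style principal below) may POST to /charge. Everything else is denied
# by the sidecar before it ever reaches the container.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-orders
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/orders"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

Both resources are applied with `kubectl apply -f` to a cluster that already has Istio installed and sidecar injection enabled for the `shop` namespace.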

With each change in technology, the landscape seems to get more complicated. Security can add to the complication; however, it can be simplified if it is considered before the service is developed rather than after. The cloud computing industry is taking the lead in corporate IT infrastructure while also playing the dual role of creating new ways to approach securing a business's data.

If you would like to talk more about security in cloud strategies contact us at:

Jim Conwell (513) 227-4131      jim.conwell@twoearsonemouth.net

www.twoearsonemouth.net

we listen first…

COMPLIANCE, SECURITY AND GOVERNMENT REGULATION: Can your business stay current?


In this time of IT security breaches, businesses of all sizes have become aware of the consequences of not having a solid IT framework and security policy. What was previously a concern only for large enterprises has now become a challenge all businesses share. Government regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), has mandated compliance for the security of Protected Health Information (PHI) for any size of enterprise that stores PHI. A recent trend has been for large enterprises to pass their compliance and security requirements downstream to their suppliers, which may be smaller businesses. One of the initial causes for this was the Target breach. Target, which was fully compliant with its regulatory environment (PCI DSS),[1] was breached through an HVAC vendor. This Target business partner was the primary cause of the compromise of credit card information for millions of Target's customers, causing large-scale damage to Target's finances and reputation. To learn more about the total cost of a data breach please see my previous article: https://twoearsonemouth.net/2017/11/22/preparing-for-the-cost-of-a-data-breach/.

In addition to government regulation, industry associations have aligned to create compliance standards for their data. One primary example is the PCI DSS mentioned above in regard to Target. PCI DSS defines a robust payment card data security process, including prevention, detection and appropriate reaction to security incidents. The PCI Security Standards Council originates the standards that apply to all credit card information, as well as an approved list of assessors who audit and validate an entity's adherence to PCI DSS.

Businesses are not completely on their own in navigating this complex regulatory and IT security environment. A number of IT frameworks have been developed that an organization can use to reach its goals. These frameworks describe IT "best practices" written in general terms. Typically, businesses use them as a reference to achieve regulatory or security compliance. Below are some examples of the most common IT frameworks available today:

  • COBIT – A framework designed by the Information Systems Audit and Control Association (ISACA) to provide management and business process owners with an IT governance model that aids in delivering value from IT and understanding the management of IT-related risk.
  • ISO 27002 – An IT security standard originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  • ISO 38500 – A framework similar to ISO 27002, covering IT governance by management, originated and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

IT security best practices at the highest level can be classified into three categories: physical safeguards, administrative safeguards and technical safeguards. Below is a brief description of each.

Physical Safeguards are tools such as alarm and video surveillance systems, key card systems, secure locks for offices and drawers where laptops and phones are stored, a guard or receptionist always at the front door, and a secure IT server room.

Administrative Safeguards are processes that include appointing a security officer and/or department, creating training programs to make all employees aware of what data needs to be protected and how it is protected, a company policy for storing and archiving protected data, and business continuity policies.

Technical Safeguards are IT tools such as Unified Threat Management (UTM) and next-generation firewalls, malware and virus protection software on servers and workstations, encryption of data in transit and at rest, and a strong Business Continuity and Disaster Recovery (BCDR) plan that is tested on a regular basis.

Following these principles and best practices not only helps a business mitigate risk but also makes good business sense.


Contact us so that we may learn more about the IT challenges within your organization. We will provide an initial consult at no cost! We can provide best in class IT Project Management in Cincinnati or remotely.

Jim Conwell (513) 227-4131      jim.conwell@outlook.com      www.twoearsonemouth.net

[1] PCI DSS is an acronym for Payment Card Industry Data Security Standard. PCI DSS is an industry-based regulatory authority for the credit card industry.
