The Sarbanes-Oxley Act (SOX), for instance, requires publicly held companies to implement internal controls over their financial filings to ensure the accuracy of those filings. The Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA), on the other hand, focus on the confidentiality of consumer data, while California’s SB 1386 requires the public disclosure of any security breaches that expose the confidential information of California residents.
The above regulations cover a lot of territory, and while automated compliance tools are available, there is no one-stop shopping when it comes to compliance. Vendors offer different tools for different problems. GeoTrust, Entrust, and Verisign, for example, provide managed user authentication and document integrity, while Elemental Security and iPolicy Networks automate policy creation and enforcement, and Approva and Logical Apps offer tools for internal process controls monitoring.
First Things First
So, what should CIOs address first? According to Joan Lockhart, vice president of Marketing for GeoTrust, the logical starting point is security.
“These regulations have two basic things in common,” Lockhart said, “a need for strong user authentication and document security. Unless you have a secure, manageable way for handling your organization’s user and content base, you’ll have a hard time achieving regulatory compliance.”
The key to this is automation, said Lockhart, and some companies are finding that the best way to automate is through a managed service.
Whether outsourced or addressed in-house, automation is on everyone’s mind since most organizations initially tackle their compliance efforts manually. IT resources and executive focus are shifted from business goals to meeting regulatory mandates — an unsustainable approach, said John Hagerty, vice president of research for AMR Research.
“For most companies, the focus the first time around is simply on finishing the job,” he said.
What that means is that most companies overspend and over-prepare for compliance. “In the second year, companies learn that a manual process isn’t sustainable, so they start thinking about how to automate all of this.”
However, automation itself can pose problems. “One thing for companies to keep in mind is that you run the risk of sacrificing your business objectives during the compliance cycle,” said Lockhart. “For instance, when you address user authentication, strong authentication is not enough. That will earn you compliance, but your solution must also be manageable and flexible enough to meet your business goals.”
“We advise our clients to solve whatever problem they have today,” AMR’s Hagerty said. “If you need to protect client information, find a solution that does that, but you should take a platform approach. Buyers would love a magic bullet, but the commonalities between regulations aren’t common enough.”
Another problem is that companies think of customer information as a means to an end, a business tool used to achieve business objectives, rather than an important asset in need of protection.
According to David Lynch, vice president of Marketing for Apani, a provider of internal security solutions, this line of thinking must change. “In the past eighteen months or so, a thriving black market has emerged where people can buy and sell personal information. Prices range anywhere from $7 to $100 per record.”
Clearly, information has value. Lynch argues that once information has this much value, security must evolve to protect it. And the importance of data extends beyond its black-market value. With many regulations forcing the reporting of data breaches, companies lose more than just data: they lose customers.
“Companies that experience a data breach see the value of their stock drop and they see their market share erode,” Lynch said.
Ebb and Flow
Lynch notes that traditionally data is only protected while it’s at rest. Perimeter security prevents outsiders from accessing the internal devices where data is stored. What is needed on top of that, he said, is security that protects data as it flows through various networks.
Encryption is the obvious answer here, but relying too heavily on encryption erodes the performance of applications. Or, as GeoTrust’s Lockhart warned, you end up meeting your compliance goals but sacrificing business goals.
Lynch argues that automated policy enforcement addresses this problem. With proper policies in place, companies can dictate where data is allowed to flow without creating bottlenecks.
“If server A wants to talk to server B, the first thing policy software does is see if the two servers are allowed to talk at all,” Lynch said. “If they are, it then figures out what policies must be met while those two servers communicate.”
An added benefit of automated policy creation is that policy software provides an audit trail, which is essential for regulations like SOX and GLBA. In the past, achieving compliance meant being compliant on the day when the auditors showed up. Ongoing problems were often corrected at the eleventh hour.
Today, it’s not enough to be compliant when you’re audited. Instead, you must prove that you’ve been compliant all along, and the only way to do that is to automate key aspects of security, such as policy enforcement, user authentication, and document integrity. When the auditors arrive at your door, your automated systems prove that achieving compliance is a standard business practice and not a one-time fix.
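As an added illustration (not code from any vendor named in this article), here is a minimal version of the two-stage policy check Lynch describes, with every decision written to an audit trail; the server names, ports and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy: which server pairs may talk at all, and what
# conditions each permitted flow must satisfy while the two communicate.
ALLOWED_FLOWS = {
    ("web-01", "db-01"): {"encrypt": True, "port": 5432},
    ("web-01", "cache-01"): {"encrypt": False, "port": 6379},
}


@dataclass
class AuditTrail:
    """Append-only record of every policy decision, for auditors."""
    entries: list = field(default_factory=list)

    def record(self, src, dst, decision, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "src": src, "dst": dst,
            "decision": decision, "reason": reason,
        })

    def denials(self):
        """Return only the denied flows, the entries an auditor asks about first."""
        return [e for e in self.entries if e["decision"] == "deny"]


def evaluate_flow(src, dst, attrs, trail):
    """Stage 1: is the (src, dst) pair allowed to talk at all?
    Stage 2: does this connection meet every policy required for that pair?
    The decision and its reason are logged either way."""
    rules = ALLOWED_FLOWS.get((src, dst))
    if rules is None:
        trail.record(src, dst, "deny", "pair not permitted")
        return False
    for key, required in rules.items():
        if attrs.get(key) != required:
            trail.record(src, dst, "deny", f"{key} must be {required!r}")
            return False
    trail.record(src, dst, "allow", "all required policies met")
    return True


if __name__ == "__main__":
    trail = AuditTrail()
    evaluate_flow("web-01", "db-01", {"encrypt": True, "port": 5432}, trail)
    evaluate_flow("web-01", "db-01", {"encrypt": False, "port": 5432}, trail)
    evaluate_flow("app-01", "db-01", {"encrypt": True, "port": 5432}, trail)
    for entry in trail.entries:
        print(entry)
```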