One of the key objectives when developing an effective security and compliance management program is to remain interdependent of core systems. While some integrations can offer significant time saving such as Single Sign-On, Ticketing, and Asset Management, typically there are more sophisticated tools available that will perform core audit functions like network monitoring, asset discovery, log management, and intrusion detection. The reality is that while software can significantly reduce the need for manual labor, when automation goes wrong the biggest price is paid. The challenge is ensuring that each of these systems is doing what it should, in a cost-efficient manner. Can this be achieved if the system results flow through automatically to the tool set up to provide that independent verification?
One example of streamlining a security task is data backup. There are many great tools that help companies manage their data backup process. Back-ups can be scheduled automatically at recommended intervals, and the tool will indicate whether the backup was successful or highlight where it may have failed. However, most security frameworks will still require that a company demonstrate they regularly test their backup restoration process to make sure it works because automation can fail, often in a way which is not transparent. You don't want to find this out the moment you need it.
Practicalities of Automation
Automation can also sound better in theory than in practice. Anyone who has used an automated asset discovery tool on their network will know that the data that comes back is not always in a user-friendly format. Technology today is complicated and the distinction between hardware, firmware and software is increasingly blurred, especially in our increasingly digital world. A single server can come back as 200 independent components. This means it can often take longer to format this data than it would be to maintain an independent record set.
And getting the data is just the first step. Many companies that publish APIs focus on just 'Get Commands'. But once the data has been downloaded, maintaining accurate synchronization is a much more complicated task. Other areas that impact compliance include Identify Management (who is making the change), Access Control (who can make the change) and Change Management (are changes made and who made them being tracked). A single mis-configuration, whether by accident or with malicious intent, can mean that erroneous data gets passed on to the tool which is supposed to be performing the independent verification.
Each of these examples are working with a single system. Multiply this by every system (and virtual system) in the organization, and before you know it you have a full-time job simply managing system integration.
Another point to consider; a recent Gartner study found that on average 40% of applications used by the Enterprises surveyed were not controlled through the companies SSO, and in some cases IT were not even aware of them (shadow apps). In an increasingly SaaS based world where the concept of a network is becoming less relevant, this poses additional challenges for creating a fully integrated system.
To be clear, we are not suggesting that automation and integrations are bad. Simply, they are not a silver bullets and should be viewed via a practical lens so that the benefits are not overstated. Advances in technology need to be layered with human readiness - security in layers.
Are you interested building a holistic security program which aligns your controls with a recognized security and privacy framework? Contact Ostendio today for a complimentary consultation with one of our security experts.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.
Avoiding the Hidden Pitfalls of Security Audits
In this webinar, see the 5 most common pitfalls of security audits and learn how you can avoid them with the power of MyVCM CrossWalk Assessments.