The latest buzz in data security and compliance surrounds the need to integrate systems to help organizations manage their data security and compliance programs. Running multiple integrations between platforms has become commonplace, and client organizations are requesting pre-configured integrations or open APIs.
But what is the real value of these integrations? And how can organizations ensure that the cost of setting up and maintaining them does not outweigh the benefit they provide?
Ostendio CEO Grant Elliott discusses the benefits of purposeful integrations.
The Pros and Cons of GRC Integrations
Here are some of the pros and cons of integrations.
The advantages of integrations
Setting up integrations to retrieve required data automatically can deliver significant benefits, including:
- Users do not have to navigate to another application to see the data
- Users do not need a separate account, or a second set of login credentials, for the source system
- It eliminates manual entry, screen scraping, and hand-managed imports
- Imported data can be pre-configured and formatted to meet your needs on arrival
- Automated integrations typically improve accuracy by removing transcription errors
- Integrations can be scheduled so that data is always current, or is refreshed at a particular time
- Imported data can be limited to the fields actually needed, which is both more convenient and more secure
The disadvantages of integrations
Building and maintaining integrations is not without significant pitfalls, including:
- Setting up and maintaining an integration can be complex and time-consuming
- Integrations can fail or malfunction silently. If failures are not monitored, a broken integration simply stops updating data, and the stale records keep looking current
- Integrations can cause data quality issues if the data mapping is not set up correctly, leading to missing, duplicated, or conflicting data
- Integrations can become a security vulnerability if they are not set up securely. An integration credential is a standing path into your platform: if the third-party data source is compromised, or the credential leaks, an attacker gains whatever access that credential holds
- Once an integration is set up, the data exchange is fixed to the fields mapped at setup time. The integration must be modified whenever additional or different data is required
- Incompatibility between systems (data formats, authentication schemes, API versions) can make integration more complex
- System changes or software releases on either side may break an integration, resulting in errors or outright failure
- Data leakage. In a world where data privacy is increasingly important, tracking where data is stored becomes harder with every additional integration, because each one copies data into another system
- Compliance. Depending on the data being imported, an integration can change the risk or compliance status of the receiving application. For example, if federal data is imported, the receiving application may now be subject to federal oversight under FedRAMP scoping definitions
While there are many advantages to automated integrations, there are significant disadvantages that must be addressed, so an organization should not enter into an integration project lightly.
Understanding the purpose of an integration
When it comes to automating your security and compliance program it is important to think first about the purpose or business goal of an integration. Most security and compliance auditors will request visibility beyond a checkbox that data has been imported. Merely setting up multiple integrations into your security and compliance platform that mirrors aspects of your production data will not meet the needs of a credible audit. The auditor will need to see what you are doing with this data.
For example, if you are pulling in AWS server metadata that includes attributes such as server name, encryption status, and backup status, and simply presenting that as a compliance check, you are not meeting the full objectives of the relevant control. Sure, you are highlighting that the data is encrypted and that backups are enabled, but how are you comparing that with policy? Determining whether encryption should be enabled and at what level, as well as what should be backed up and how often, cannot be derived from a simple data pull. Nor can it be reflected in an overly simplistic "checkmark".
For an integration to be purposeful, it must have an objective and be actionable. Purposeful integrations will allow imported data (the current or “What is” state) to be compared with the policy or process that defines how that data should be managed (the “What should be” state). Additionally, the data must be actionable so that if discrepancies are discovered, they can be immediately noted and/or remediated. It is important to remember that the goal of a purposeful integration is to institute a process of “checks and balances” - and a simple automated data pull falls well short of this requirement.
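The comparison described above, carried through in code as an added example (this is illustrative code written for this article, not Ostendio product code). It takes a constructed inventory of server records of the kind an AWS integration might import, compares each against a constructed policy document, and emits actionable findings. It also covers the silent-failure pitfall from the disadvantages list: a record the integration stopped refreshing is reported as stale rather than judged compliant on old data. The field names, policy values, timestamps and server names are all assumptions for the example.

```python
"""Compare observed server state ("what is") against policy ("what should be").

Added illustration, not Ostendio code. Inventory records, policy values and
field names are constructed assumptions; a real integration would map the
provider's API output onto a schema like this one.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Fixed "now" so the example is deterministic (assumption for the demo).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# The "what should be" state. Values are constructed for this example.
POLICY = {
    "encryption_required": True,       # every server must encrypt data at rest
    "min_backup_frequency_hours": 24,  # at least one backup per day
    "max_data_age_hours": 24,          # imported data older than this is stale
}


@dataclass
class Server:
    name: str
    encrypted: bool
    backup_frequency_hours: Optional[int]  # None means backups are disabled
    last_synced: datetime                  # when the integration last refreshed this record


@dataclass
class Finding:
    server: str
    control: str
    detail: str


def evaluate(servers: List[Server], policy: dict, now: datetime) -> List[Finding]:
    """Return one Finding per discrepancy between observed state and policy."""
    findings = []
    max_age = timedelta(hours=policy["max_data_age_hours"])
    for s in servers:
        # Silent integration failure: a record that is no longer being refreshed
        # would look compliant forever unless freshness is checked explicitly.
        age = now - s.last_synced
        if age > max_age:
            hours = age.total_seconds() / 3600
            findings.append(Finding(s.name, "integration-freshness",
                                    f"record last updated {hours:.0f}h ago; status unknown"))
            continue  # do not judge compliance on stale data
        if policy["encryption_required"] and not s.encrypted:
            findings.append(Finding(s.name, "encryption-at-rest",
                                    "encryption disabled; policy requires it"))
        required = policy["min_backup_frequency_hours"]
        if s.backup_frequency_hours is None:
            findings.append(Finding(s.name, "backup",
                                    f"backups disabled; policy requires one every {required}h"))
        elif s.backup_frequency_hours > required:
            findings.append(Finding(s.name, "backup",
                                    f"backup every {s.backup_frequency_hours}h; policy requires every {required}h"))
    return findings


def sample_inventory() -> List[Server]:
    """Constructed records standing in for what an AWS integration would import."""
    h = lambda n: NOW - timedelta(hours=n)
    return [
        Server("web-01", True, 24, h(1)),       # compliant
        Server("db-01", False, 12, h(2)),       # encryption off
        Server("batch-01", True, None, h(3)),   # backups disabled
        Server("legacy-01", True, 24, h(72)),   # integration stopped refreshing it
        Server("cache-01", True, 48, h(1)),     # backups too infrequent
    ]


def report() -> List[Finding]:
    return evaluate(sample_inventory(), POLICY, NOW)


if __name__ == "__main__":
    for f in report():
        print(f"{f.server:10} {f.control:22} {f.detail}")
```

The point of the shape is that each finding names the control and the gap, so it can be routed to a ticket or remediation step; a dashboard tick derived from the raw `encrypted` flag alone would have passed `cache-01` and `legacy-01` without comment.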
Serious CISOs and security professionals should embrace the concept of purposeful integrations to select the integrations that align with business use cases and goals using the imported information to track compliance and to remediate potential vulnerabilities and non-compliant items.
Why most standard integrations over-promise and under-deliver
Everyone likes the idea of making a complex task simple. Busy CISOs are not alone in their desire to make compliance a more manageable process so they can focus on other demands of their role. A recent report showed that over 98 percent of enterprise leaders say APIs are a critical part of their digital transformation efforts, and 97 percent agree that successfully executing an API strategy is essential to secure organizations’ future revenue and growth.
Organizations use SaaS platforms that each focus on a few key areas, such as HR, asset management, ticketing, and technology, and all of them hold data relevant to the compliance program. By considering the platforms you use and the ones you need to draw data from, CISOs can be more thoughtful about the actionable data they bring into their security program.
But as we have demonstrated, integrations are not a silver bullet and at their worst, if implemented without purpose, can lead organizations to a false sense of security. Integrations must always be purposeful, actionable, and secure in order to maximize their value.
The Dangers of API Breaches
API breaches can be more dangerous than passive data leaks: an API exposed without adequate authentication or authorization lets an attacker read data in bulk, and if the API also permits writes, modify or delete it, potentially erasing an entire database. A recent T-Mobile data breach affecting 37 million postpaid and prepaid customer accounts was carried out through an API. As such, the key to integrating systems is not having multiple out-of-the-box integrations, but establishing integrations that are purposeful and align with your security and compliance goals.
The benefits of being purposeful
Integrations should be purposeful, actionable, and secure.
With purposeful integrations, organizations can make deliberate choices about the data they import into their security and compliance programs. This enables CISOs and cybersecurity leaders to understand how many APIs they are currently running, what types they are, and what information is being exchanged. APIs can do some of the heavy lifting through simple automation of repeatable tasks, but the human element is still required when creating a robust data security program. Although the data shows the current status or "what is" of a compliance task, it is also necessary, through purposeful integrations, to check that it matches the established security protocols or "what should be" of the task in order to become and remain compliant.
What features should you look for when implementing APIs?
When you build or expose an API, make sure the effort to create and maintain it is justified by the benefit it delivers. Every API endpoint is an entry point into your platform, so it must be authenticated, authorized, and scoped as tightly as the integration allows.
For example, if you use a single API profile for all integrations and one third party is breached, every integration that shares that profile is potentially exposed, and revoking the credential takes all of them down at once. The best practice is to create a dedicated profile for each integration: this improves manageability and isolates the blast radius of a compromise. Give each profile its own unique API key, grant it only the permissions that integration needs, and ideally allowlist the source URL or IP address it may call from, so that a leaked key is useless from anywhere else.
There are four main features that organizations should consider when building integrations into their security and compliance programs:
- Client can generate multiple API profiles
- API profiles can be configured to be unique per integration
- API profiles support password-based or key-based credentials, as the integration requires
- API requests can be restricted to allowlisted source URLs or IP addresses
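The per-integration profile model from the preceding paragraphs and the four-item list, as an added example (illustrative code written for this article, not Ostendio's implementation). Each profile gets its own randomly generated key, only a hash of the key is stored, each profile is bound to an allowlist of source networks, and revoking one profile leaves the others untouched. The profile names, CIDR ranges and the in-memory store are constructed assumptions.

```python
"""Per-integration API profiles with unique keys and source-IP allowlists.

Added illustration, not Ostendio code. Profile names, network ranges and the
in-memory store are constructed assumptions.
"""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ApiProfile:
    name: str
    key_hash: str                      # the plaintext key is never stored
    allowed_sources: List[object]      # ip_network objects the key may be used from
    revoked: bool = False


class ProfileStore:
    """Holds one profile per integration, looked up by the hash of its key."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, ApiProfile] = {}

    @staticmethod
    def _hash(key: str) -> str:
        # Keys are high-entropy random tokens, so an unsalted SHA-256 is
        # enough to make a leaked store useless for recovering keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, name: str, allowed_cidrs: List[str]) -> Tuple[str, ApiProfile]:
        """Create a dedicated profile; the key is returned once for the integration to keep."""
        key = secrets.token_urlsafe(32)  # unique key per profile
        profile = ApiProfile(
            name=name,
            key_hash=self._hash(key),
            allowed_sources=[ipaddress.ip_network(c) for c in allowed_cidrs],
        )
        self._by_hash[profile.key_hash] = profile
        return key, profile

    def revoke(self, name: str) -> None:
        """Disable one integration's key without touching any other profile."""
        for p in self._by_hash.values():
            if p.name == name:
                p.revoked = True

    def authenticate(self, presented_key: str, source_ip: str) -> Optional[str]:
        """Return the profile name if key and source address are both acceptable, else None."""
        profile = self._by_hash.get(self._hash(presented_key))
        if profile is None or profile.revoked:
            return None
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in profile.allowed_sources):
            return None  # valid key, but used from an unexpected network
        return profile.name


def demo() -> Dict[str, Optional[str]]:
    """Scenario: one integration's vendor is breached and its key leaks."""
    store = ProfileStore()
    hr_key, _ = store.create("hr-system", ["10.1.0.0/24"])            # constructed range
    cloud_key, _ = store.create("cloud-inventory", ["203.0.113.10/32"])  # constructed range
    store.revoke("hr-system")  # respond to the breach by killing only that profile
    return {
        "hr_after_revoke": store.authenticate(hr_key, "10.1.0.5"),
        "cloud_still_ok": store.authenticate(cloud_key, "203.0.113.10"),
        "cloud_wrong_ip": store.authenticate(cloud_key, "198.51.100.7"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

Had both integrations shared one profile, the same revocation would have cut off the cloud inventory feed as well, and the leaked key would have been usable from the breached vendor's network for every integration at once.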
The Ostendio platform has over 30 pre-configured APIs covering some of the most popular industry SaaS platforms.
Open API and Pre-configured API
When considering which APIs work best, you can save time by starting from pre-configured integrations designed for the most commonly used cloud and SaaS platforms, such as AWS, Google Cloud, and Microsoft Azure. If a more niche SaaS platform holds data you need for your compliance program, you may want to integrate that data as well. With easy-to-configure options built on a REST API architecture, clients can configure their chosen APIs to support their compliance needs.
Will implementing APIs take a long time?
Implementing APIs with the Ostendio platform is simple and easy to manage.
Building Platform Integrations to benefit your compliance program
Your next step should be to speak with an expert to evaluate what APIs are right for your business. Experts at Ostendio can help you put what you know into practice to benefit your organization.
Schedule some time to talk to an Ostendio expert about your options or ask any additional compliance and API-related questions. Ostendio is built for serious security professionals.