
Businesses are faced with a "perfect storm" of global challenges: security threats, increasing complexity, regulatory pressures and stiff competition – to name just a few. Organizations are tasked with reconciling the many competing demands on their limited time, staff and budgets, including:
• The threat of hackers, insider breaches, phishing and identity theft
• Regulations imposed by the European Directive on Data Protection, the Federal Financial Institutions Examination Council (FFIEC), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX)
• IT controls and best practices, including COBIT, COSO, ISO, ITIL and NIST
• Twenty years of IT build out – mainframes, databases, Windows, UNIX, Linux and open source
Most organizations have developed unsustainable processes, requiring specialists to monitor, analyze, interpret and report on progress. While businesses have likely implemented controls, adopted new standards and deployed new technologies, have they also successfully reduced costs, complexity and risk?
For most of us the answer is “yes and no.” Organizations can point to a few wins – a successful audit, better security policies and processes or perhaps, good return on investment from a new technology. Unfortunately they are still spending a significant amount of time and money trying to mitigate risk, reduce complexity and support compliance.
What’s Standing in the Way of Progress?
Businesses of every size (and employees at every level in these businesses) need to establish, track, control and prove sound identity and security practices. After all, the success and profitability of a company, not to mention the safety of its data and people, depend on its ability to meet these challenges in a cost-effective manner. Failure to do so can result in enormous financial losses, brand damage, increased risk and legal sanctions.
However, it is expensive, complicated and time consuming for businesses to implement policies and procedures that effectively manage identity and security issues. Many organizations have patchwork solutions in place that consist of homegrown solutions and multiple applications from multiple vendors. This disjointed approach results in high management costs and increased complexity and makes it difficult for companies to prove they are complying with regulations such as SOX, HIPAA, GLBA, Basel II and others.
Difficulty enforcing policies and processes
Without a comprehensive management solution, it is difficult, if not impossible, for business leaders to enforce and determine the success of policies and processes. Without the ability to gather feedback and determine the effect of policies, a significant compliance exposure ensues. When a business cannot prove its compliance, its risk increases significantly. This difficulty leaves the CEO/CFO exposed and blind relative to his or her responsibilities, which can have very real implications for the company.
Challenges identifying and mitigating risk
The absence of a solution makes it difficult and highly labor-intensive for the Chief Information Security Officer (CISO) and risk management staff to identify and mitigate sources of risk faced by the entire organization – from IT to physical security. To complicate matters, departments within the organization are often independent, having their own IT budgets and staff, so getting them all to work together on unified security policies and goals is next to impossible. The CISO also has little control over IT, whose primary objective is the smooth operation of IT services, not ensuring security (and who has little time to even consider compliance).
Struggling to get a comprehensive view of security and access
Compliance is not going to get any simpler. And it's not just industry regulations, such as HIPAA, HSPD-12 or Sarbanes-Oxley. Organizations must also ensure their security systems are compliant with internal policies. However, without a clear picture of what's actually happening throughout the entire organization, it's nearly impossible to ensure unauthorized personnel are not gaining access to restricted buildings, systems and information.
If anyone at any level in the organization wants a comprehensive view of the security and access picture, the data comes in different formats from dozens of different sources. It is a long and painstaking process to make sense of this data manually to see who has access to what, and whether these authorizations are contrary to policy and/or regulation. And when problems are identified, it can take far too long to correct them because doing so requires coordinated effort between the CISO, IT and one or more independent departments.
Stretching thin an already over-taxed IT staff
From the point of view of IT staff, the demand from above to coordinate roles, security and access sounds like more work for less money. IT wants to provide effective and efficient IT services, and it often either doesn't see security as within its range of responsibilities, or doesn't have the business insight and tools necessary to address identity and security concerns comprehensively. Furthermore, whenever the CISO or other high-level officers implement a new security and access initiative, the helpdesk is stretched by floods of password help calls and other user-authorization problems.
Resisting identity, access and security policies
End users and departments sometimes resist efforts by the CISO to implement identity, access and security policies because they see them as too restrictive. End users worry that they won't be able to do their jobs efficiently because of all the extra steps involved to get access to what they need. Departments worry they won't be able to pursue new business opportunities because of the extra layers of complexity they think will be added by such policies and solutions.
Hindering auditors
Finally, internal and external auditors find it very difficult to determine whether business objectives are in line with policies and regulations because of the lack of visibility resulting from patchwork solutions, nonstandard data, differing practices between departments and inconsistent application of policy.
So how can organizations improve the way that they manage identity and security issues? The following is a good place to start.
Simplify, Simplify, Simplify
With so many policies and procedures outside of an organization’s control, the focus should be on simplifying processes that reduce administrative burden and support compliance. If access control policies cannot be consistently enforced across core systems, businesses should consider an enterprise-class user provisioning solution. They'll gain the ability to automate access controls based on their business policies as well as the IT controls needed to support various regulations like SOX and HIPAA. And by adding a comprehensive Web access management solution that includes single sign-on, they will increase security and simplify access for their users.
Gain Control
Most organizations have security and compliance systems that generate reams of data, but do they truly have the time and personnel to make sense of it all? And if a breach is discovered, it's often too late to apply the fix that will reduce or mitigate their risk. A security information and event management (SIEM) solution can help businesses gain control of their IT environment by automating security and compliance management. A SIEM solution monitors the networked environment for anomalous behavior by capturing and correlating event data from virtually any system across the enterprise. It automates monitoring, reporting and remediation to provide a real-time view of the IT security environment, streamlining previously labor-intensive and error-prone processes so organizations can build a more rigorous security and compliance management program.
Maximize Assets
For years, we've all been doing more with less, so realizing the full potential of IT systems, devices and resources is as critical as ever. Are organizations wasting money on software licenses that aren't being used? Are those company-issued PDAs increasing the management burden and risk? How confident are organizations that their patching program is sufficient to safeguard business-critical systems? Without a centralized system and resource management solution, companies aren’t getting a full return on their investment in key resources: desktops, laptops, servers, handheld devices and more.
Unify Physical and Virtual Security
With 54,000 attacks and six identity thefts occurring each minute, the threats to an organization are seemingly endless. These attacks come in many forms – from within and from outside of an organization. Dishonest or disgruntled employees can steal, damage and destroy important files, paperwork and equipment, and often represent the greatest threat to a business. Hackers gaining unauthorized access to IT systems can infect or corrupt irreplaceable information. In fact, data theft in the form of corporate crime and espionage costs businesses worldwide US$1.5 trillion annually. And all this happens because the enterprise is not as secure as it could be.
Traditionally, security has been separated into two groups: physical, for access to buildings, rooms and equipment; and virtual, for access to networks, computer systems and files. While this method has worked in the past, as technology has advanced the likelihood of gaps arising where the two systems do not overlap has increased. With more advanced malicious attacks, more intricate regulatory compliance, and costs for both continually rising, keeping these systems disparate is no longer feasible.
Simplify, Control and Maximize the IT Environment
If the ultimate goal is a real-time, holistic view of security and compliance from desktop to data center, the examples above are good steps in the right direction. And while they may seem like disparate examples, they are each variations on familiar themes:
Automation based on policy.
Every asset in an organization’s IT environment – from users to servers to virtual machines – requires management throughout its lifecycle. Whenever possible, organizations should leverage business policies to automate that lifecycle from acquisition to retirement. This will help enforce consistent security and compliance policies – and help extract the maximum value from IT assets.
Centralized management and administration.
Most companies have multiple identity stores: HR, network directories, e-mail, contractor data and more. And many enterprise applications own a piece of each user's identity. Businesses that integrate a large number of point solutions know how difficult it is to administer and manage these systems. IT staff requires constant training and highly specialized skill sets that aren't necessarily transferable as the organization continues to build out its infrastructure. This approach is costly to maintain, does not share data with everyone who needs it, and cannot keep data accurate, consistent or up to date. As much as possible, organizations should consolidate management interfaces, and simplify administration to reduce costs and improve visibility.
Across systems and platforms.
Security and management solutions are only as good as the systems they cover in the IT environment. No business can get a complete picture of its security and compliance posture if it doesn’t have a way to monitor and manage all its diverse, distributed systems. If an organization uses virtualization to maximize its data center but has to manage its Windows and Linux images separately, it could get better value from a cross-platform solution. Likewise, if it can automate the creation and provisioning of users’ e-mail accounts but not accounts on the PBX system, it should consider an enterprise-wide provisioning solution.
Integrated systems, security and identity management.
IT leaders tasked with managing cost, compliance and risk across a diverse, heterogeneous IT environment need to consider systems, security and identity management solutions that put them in control of their IT environment. With such solutions, businesses can control costs, ensure security and compliance, and optimize the value of their IT assets across diverse server and client platforms. By staying on top of their security and compliance challenges, organizations can spend less time on routine, day-to-day issues and more time focused on building and growing their business.
By leveraging today's leading-edge technologies to help manage the ever-increasing 'perfect storm' of today's complex business environments, organizations can not only simplify those complexities but do so in a manner that reduces risk while simplifying user lifecycle management. All of this can be achieved while reducing costs, strengthening governance and, ultimately, enabling compliance in the midst of what was initially perceived to be a potentially untenable storm.