Like traditional kung fu, in Security Kung Fu, there are two schools of thought. On one side, there are those guided by the industry’s best practices for IT security. On the other side, there are those who use regulatory frameworks like PCI DSS, HIPAA, SOX, and more as the guiding principles for their IT security strategy.
In the fourth and final chapter of the Security Kung Fu Series, we discussed these opposing strategies and provided insight into why our Security Kung Fu Masters view them as complementary, but not commensurate with one another.
If this subject is of interest, I strongly suggest you watch the on-demand recording of this session for a much deeper dive. Continue onward for a brief recap along with some highlights from the discussion.
Meet Your Security Kung Fu Masters
For the fourth and final chapter of the Security Kung Fu series, we decided to mix things up a bit. In addition to welcoming Jamie Hynds, Senior Product Manager for SolarWinds Security Portfolio—a featured speaker in some of our previous sessions—we were joined by Destiny Bertucci, Head Geek™ at SolarWinds.
With over 15 years of network management experience spanning healthcare and application engineering (nine of which she served as SolarWinds Senior Application Engineer), @Dez boasts an ever-growing ensemble of degrees and certifications with a slant towards IT security. If it’s not apparent now, you’ll see from this session that she really knows her stuff.
Beyond this, Destiny is a frequent presence on THWACK®, most recently launching a blog/social commentary series on Geek Speak titled “Shields Down.” I strongly encourage you to follow along in her series and get involved in the discussion. Whether you’re an experienced IT security professional or on the lighter side of these skillsets, there is something for everyone. But don’t sit on the sidelines—share your stories and insights for the collective good of us all.
Compliance, as it relates to IT, involves adhering to rules and regulations that are meant to protect various types of sensitive data. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.
Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.
Security vs. Compliance
Though, yes, compliance for many businesses is absolutely critical, it is not the be-all and end-all. We contended throughout this session that taking a compliance-dominated approach to securing your IT operations is not the way to go. In fact, as many of the examples we provided in this session showed, it can sometimes be a detriment to IT security.
On that note, we provided three really solid points to shape your mindset.
Compliance is more than a checkbox. Many view compliance as a “must have” to avoid the wrath of auditors. But, like I mentioned before, they let it dominate their IT strategy. Our tip is to not lose sight of the bigger picture. IT compliance should be seen as an opportunity to ensure the right controls are in place to actually keep your network and sensitive data secure.
As an example, it’s choosing to apply encryption for data in transit because it’s an IT best practice, rather than opting out because the regulations your business faces do not mandate it. If the end game is to ensure the confidentiality, integrity, and availability of sensitive data, going without it does you and your business a disservice and leaves you susceptible to attack.
“Compliant” does NOT equate to “secure.” Meeting regulatory compliance alone does not guarantee IT security. In some cases, it can lead you away from this objective. There are countless real-world examples of this, but it should be well-understood that in several cases, following compliance schemes strictly “by the book” can undercut your security responsibility. Why not go beyond what they dictate? For this, think of my earlier example involving encryption.
No one solution can make you compliant. The same can be said for security in general, but simply adding one or more security solutions to your IT arsenal will not inherently make you compliant with any framework. Compliance involves many aspects beyond your software-purchasing decisions, down to the very core of how your business operates.
In this session, we urged that, for the sake of both of these objectives, Defense in Depth strategies be applied. If you haven’t caught on yet, this was continually preached throughout the Security Kung Fu webinar series.
According to the SANS Institute, Defense in Depth is “the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”
This approach has for a long time been a mainstay in the security realm, but it too should play into your approach to compliance.
Five Tips for Continuous Compliance (and Security)
As we called an end to the Security Kung Fu series, we left our viewers with some concluding thoughts on this subject. This list by no means covers all your needs, but each point is worth considering.
- Define policies and establish your network security baseline.
- Collect, correlate, and securely store all relevant and required log data.
- Actively monitor and analyze what’s going on within the IT infrastructure at all times.
- Run regularly scheduled compliance reports.
- Leverage regulatory requirements and audits as an opportunity to truly assess network risks and help ensure the security of your entire IT infrastructure—from perimeter to endpoint!
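To make the first and fourth tips concrete, here is a small baseline-as-code checker written for this recap; it is an added example, not code from the webinar or from any SolarWinds product. Each control in the baseline is tagged as either mandated by a regulation or a best practice the business chose to add (the encryption-in-transit control mirrors the example earlier in this post). The control names, threshold values, and the three sample host configurations are all hypothetical and constructed for illustration. The report separates "compliant" (every mandated control passes) from "secure" (every control passes), which is the distinction the session kept coming back to.

```python
"""Baseline compliance report: added illustration, not SolarWinds code.

A host can satisfy every control a regulation mandates and still fail the
controls that actually protect its data. Reporting on both dimensions keeps
the compliance exercise tied to real security posture.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Control:
    """One checkable baseline requirement."""
    name: str
    check: Callable[[dict], bool]   # takes a host config, returns pass/fail
    mandated: bool                  # True if a regulation requires it


# Hypothetical baseline policy; the thresholds are illustrative, not from any standard.
BASELINE: List[Control] = [
    Control("audit logging enabled",
            lambda c: c.get("audit_logging") is True, mandated=True),
    Control("log retention >= 90 days",
            lambda c: c.get("log_retention_days", 0) >= 90, mandated=True),
    Control("password min length >= 12",
            lambda c: c.get("password_min_length", 0) >= 12, mandated=True),
    # Not mandated by our hypothetical regulation, but it is what keeps data safe in transit.
    Control("encryption in transit (TLS 1.2+)",
            lambda c: c.get("transport_encryption") in {"tls1.2", "tls1.3"}, mandated=False),
    Control("MFA for administrators",
            lambda c: c.get("admin_mfa") is True, mandated=False),
]


def evaluate(config: dict, controls: List[Control] = BASELINE) -> dict:
    """Evaluate one host against the baseline.

    'compliant' means no mandated control failed; 'secure' means nothing failed.
    """
    failed = [ctl for ctl in controls if not ctl.check(config)]
    return {
        "compliant": not any(ctl.mandated for ctl in failed),
        "secure": not failed,
        "failed": [ctl.name for ctl in failed],
    }


def compliance_report(hosts: Dict[str, dict],
                      controls: List[Control] = BASELINE) -> List[str]:
    """Build the lines of a scheduled report, one per host, sorted by host name."""
    lines = []
    for host, cfg in sorted(hosts.items()):
        result = evaluate(cfg, controls)
        if result["secure"]:
            status = "COMPLIANT+SECURE"
        elif result["compliant"]:
            status = "COMPLIANT, NOT SECURE"
        else:
            status = "NONCOMPLIANT"
        detail = f" (failed: {', '.join(result['failed'])})" if result["failed"] else ""
        lines.append(f"{host}: {status}{detail}")
    return lines


# Constructed sample inventory (hypothetical hosts and settings).
SAMPLE_HOSTS: Dict[str, dict] = {
    "web-01": {"audit_logging": True, "log_retention_days": 180,
               "password_min_length": 14, "transport_encryption": "tls1.3",
               "admin_mfa": True},
    # Passes every mandated control, yet ships sensitive data in the clear.
    "db-01": {"audit_logging": True, "log_retention_days": 365,
              "password_min_length": 12, "transport_encryption": "none",
              "admin_mfa": False},
    "legacy-02": {"audit_logging": False, "log_retention_days": 30,
                  "password_min_length": 8, "transport_encryption": "none",
                  "admin_mfa": False},
}


if __name__ == "__main__":
    print("\n".join(compliance_report(SAMPLE_HOSTS)))
```

Running the script prints one line per host; the "COMPLIANT, NOT SECURE" status on db-01 is the case the session warned about, and it is exactly the row that a report limited to mandated controls would never surface. Extending the baseline is a matter of appending a Control, so the same report can grow as the policies from tip one mature.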
A final takeaway, however: no matter your objectives, there are a multitude of software offerings from SolarWinds that can assist your business and support an in-depth defense strategy. Visit the IT Security Software page to learn more.
Well, I hope you enjoyed not only the webinars that made up this series, but each recap I’ve provided as well. As always, I welcome your feedback or thoughts on any of this subject matter.