Security Kung Fu: Security vs. Compliance

Like traditional kung fu, in Security Kung Fu, there are two schools of thought. On one side, there are those guided by the industry’s best practices for IT security. On the other side, there are those who use regulatory frameworks like PCI DSS, HIPAA, SOX, and more as the guiding principles for their IT security strategy.

In the fourth and final chapter of the Security Kung Fu Series, we discussed these opposing strategies and provided insight into why our Security Kung Fu Masters view them as complementary, but not commensurate with one another.

If this subject is of interest, I strongly suggest you watch the on-demand recording of this session for a much deeper dive. Continue onward for a brief recap along with some highlights from the discussion.


Meet Your Security Kung Fu Masters

For the fourth and final chapter of the Security Kung Fu series, we decided to mix things up a bit. In addition to welcoming Jamie Hynds, Senior Product Manager for SolarWinds Security Portfolio—a featured speaker in some of our previous sessions—we were joined by Destiny Bertucci, Head Geek™ at SolarWinds.

With over 15 years of network management experience spanning healthcare and application engineering (nine of which she served as SolarWinds Senior Application Engineer), @Dez boasts an ever-growing ensemble of degrees and certifications with a slant towards IT security. If it’s not apparent now, you’ll see from this session that she really knows her stuff.

Beyond this, Destiny is a frequent presence on THWACK®, most recently launching a blog/social commentary series on Geek Speak titled “Shields Down.” I strongly encourage you to follow along in her series and get involved in the discussion. Whether you’re an experienced IT security professional or on the lighter side of these skillsets, there is something for everyone. But don’t sit on the sidelines—share your stories and insights for the collective good of us all.

Regulatory Compliance

Compliance, as it relates to IT, involves adhering to rules and regulations that are meant to protect various types of sensitive data. It can govern everything from IT decision-making and purchasing, to configurations, and the policies and procedures a company must create and enforce to uphold this important task.

Rightfully so, many businesses are taking the obligation of compliance very seriously. After all, there is a lot at stake when fines and penalties can be levied against you (among other legal repercussions) for noncompliance.

Security vs. Compliance

Though, yes, compliance for many businesses is absolutely critical, it is not the end-all, be-all. We contended throughout this session that taking a compliance-dominated approach to the way you secure your IT operations is not the way to go. In fact, as many of the examples we provided in this session showed, it can sometimes be a detriment to IT security.

On that note, we provided three really solid points to shape your mindset.

Compliance is more than a checkbox. Many view compliance as a “must have” to avoid the wrath of auditors. But, as I mentioned before, many let it dominate their IT strategy. Our tip is to not lose sight of the bigger picture. IT compliance should be seen as an opportunity to ensure the right controls are in place to actually keep your network and sensitive data secure.

As an example, consider the choice between applying encryption for data in transit because it is an IT best practice, and opting out of it because the regulations your business faces do not mandate it. If the end goal is to ensure the confidentiality, integrity, and availability of sensitive data, going without it does you and your business a disservice and leaves you susceptible to attack.

“Compliant” does NOT equate to “secure.” Meeting regulatory compliance alone does not guarantee IT security. In some cases, it can lead you away from this objective. There are countless real-world examples of this, and it should be well understood that in many cases, following compliance schemes strictly “by the book” can undercut your security responsibility. Why not go beyond what they dictate? For this, think of my earlier example involving encryption.

No one solution can make you compliant. The same can be said for security in general, but simply adding one or more security solutions to your IT arsenal will not inherently make you compliant with any framework. Compliance involves many aspects beyond your software-purchasing decisions, reaching down to the very core of how your business operates.

In this session, we urged that, for the sake of both of these objectives, Defense in Depth strategies be applied. If you haven’t caught on yet, this was continually preached throughout the Security Kung Fu webinar series.

According to the SANS Institute, Defense in Depth is “the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.”

This approach has for a long time been a mainstay in the security realm, but it too should play into your approach to compliance.

Five Tips for Continuous Compliance (and Security)

As we called an end to the Security Kung Fu series, we left our viewers with some concluding thoughts on this subject. This list in no way covers all your needs, but each point is worth considering.

  1. Define policies and establish your network security baseline.
  2. Collect, correlate, and securely store all relevant and required log data.
  3. Actively monitor and analyze what’s going on within the IT infrastructure at all times.
  4. Run regularly scheduled compliance reports.
  5. Leverage regulatory requirements and audits as an opportunity to truly assess network risks and help ensure the security of your entire IT infrastructure—from perimeter to endpoint!

A final takeaway, however: no matter your objectives, there are a multitude of software offerings from SolarWinds that can assist your business and support a defense-in-depth strategy. Visit the IT Security Software page to learn more.

Well, I hope you enjoyed not only the webinars that made up this series, but each recap I’ve provided as well. As always, I welcome your feedback or thoughts on any of this subject matter.

  • This is a good introduction to Security and Compliance. I have spent some time working compliance issues in a secure environment. One of the best things for me with running a compliant IT operation is that I find that I produce a level of standardization across my enterprise. Usually if something goes wrong, I find the system was just outside our organization's compliance requirements. Once the issue is resolved the compliance standard is met.

    Security + Compliance = Standardization

  • We tend towards compliance because we have audits and check boxes. Thinking in terms of security adds a much needed layer.

  • In the beginning there was security... Protect your data at all costs. Then came compliance... You will protect your data and report back to the government agency in charge or face fines. Or was that the other way around??? In the grand scheme of things, as Josh said, they complement each other, as step 1 in his 5 steps is the driving force behind security. Without a policy that states what the assets are, and without knowing what security needs to protect, are we just putting money in the wrong place? Defense in depth and SIEM help make heads or tails of the information you are getting, with real-time alerts to inform us, as well as periodic scanning just to stay on top and see where updates need to be made and whether there are any holes in the defense system that need to be closed.

    Great post Josh!

  • Compliance is key for me too, having worked within NHS organisations in the UK we have to comply with the requests of NHS digital and other regulatory organisations.

    I have experienced how compliance can be done easily, with NCM, Patch Manager, Log & Event Manager, service level agreements / resulting compliance reports in place and of course a decent change control system like ServiceNow.

    I've also seen how it can be done badly when organisations cannot make their mind up about which tech to use and so spend all their time configuring multiple technologies to do something that SolarWinds can do easily.

  • Definitely I'm in favor of best of breed, layered, best practices security solutions, and ensuring you have a great SIEM analyzing what's happening, pointing out highlights and making recommendations, is a great step towards knowing what's happening, and whether it's good or bad.

    I love the idea of establishing, monitoring, and enforcing a baseline configuration, and it wasn't long ago that I thought that would be impractical. The ability to easily create Compliance Reports and our own custom policies and standards, combined with ensuring our systems comply with regulatory requirements, enables us to go above & beyond simple industry compliance.
