There are seemingly countless regulatory and industry frameworks out there that organizations have to navigate and comply with: SOX (Sarbanes-Oxley), PCI-DSS (Payment Card Industry Data Security Standard), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and many others, all of which require maintaining a specified baseline of security. Compliance is a challenge in and of itself, but it is increasingly difficult to maintain compliance with accelerated DevOps lifecycles and complex, hybrid cloud environments.
Are Compliance and Risk Continuous?
Shailesh Athalye, VP of Compliance Solutions for Qualys, addressed the issue of compliance at the Qualys Security Conference in Las Vegas. Speaking to hundreds of attendees at the Bellagio Hotel, Athalye presented a session titled “Continuous Compliance in Hybrid Environment.”
He pointed out that security is continuous and unified. In the DevOps era, there is little that isn’t continuous. If you find something that isn’t continuous, there’s probably someone working on automating it to solve that problem. Athalye noted that security has no defined end. Vulnerabilities and configuration issues are identified and resolved, networks are constantly monitored for suspicious activity or emerging configuration issues, and threat intelligence is continuously gathered. Rinse and repeat.
He stressed, however, that compliance and risk are not necessarily connected directly to security. I agree. Even though there are elements of compliance that address cybersecurity and data privacy, the reality is that maintaining compliance does not necessarily mean you’re secure. The reverse is also true—although theoretically being secure should be more than enough to achieve compliance.
Qualys Policy Compliance
One of the primary challenges of compliance is maintaining it. Many organizations scramble to check the right boxes to pass a compliance audit, but don’t bother to do anything to remain compliant once the audit is passed. Athalye cautioned that an audit should not be a discovery exercise—it should be a confirmation exercise.
While there is no direct relation between security and compliance, there is some overlap. Athalye described how Qualys’ platform for unified and continuous security—including things like Vulnerability Management, Continuous Monitoring, and Compliance Management—maps to various functions on the governance and risk side, such as IT internal audit reporting, IT policy management and reporting, integrated IT risk assessment and reporting, and IT vendor risk management.
Athalye led the audience on a technical walkthrough of continuous compliance using Qualys Policy Compliance (PC). He talked about the role of FIM (file integrity monitoring) in the continuous delivery phase, and the ability to automatically discover and assess middleware technologies on the network from host scans without the need to create authentication records.
He wrapped up by pointing out some of the many advantages of Qualys Policy Compliance. He explained that it has best-in-class technology and content coverage for configuration management—with over 400 policies, more than 10,000 controls, and coverage for 150 different technologies. Data is collected from across all Qualys sensors, and you can automate remediation for configuration failures.
Every network is dynamic. Things change. The reality is that the more time that goes by between audits, the more likely it is that system configurations have drifted or deviated from expectations and compliance requirements. Adopting automated and continuous compliance will make future compliance audits a breeze.