
Continuous Risk, Security And Compliance For Cybersecurity Posture Management: A Unified Approach

Forbes Technology Council
By Praveen Jain

Today’s risk, security and compliance solutions are fragmented, requiring different approaches, or even entirely separate deployments, for on-premises infrastructure, the cloud, containers and enterprise-critical applications such as databases. With multiple tools, configurations, operations and differing algorithms for prioritizing critical assets, it’s hard for any security operations team to assess and maintain their organization’s cybersecurity posture.

As an industry, we need to evolve to create a more unified approach that spans multiple environments and offers customers a single dashboard for selecting frameworks, launching time-based assessments and reporting on results. And we need to introduce machine intelligence to facilitate predictive assessments and quicker time to remediate.

This evolution has a financial as well as a practical impact, in that the days of a constantly growing security budget are over, as recently captured by IDC. This year, 50% of companies expect a budget increase, down from 79% last year, reflecting a departure from the trend of bringing in a new point security product for each requirement. Organizations must find more value, and as their environments become more complex, products must adapt accordingly. In particular, this bodes well for platforms that protect public cloud and on-premises infrastructure in a unified way.

Embracing The Hybrid Cloud

In order to effectively handle different assets across the hybrid cloud, winning solutions must have the flexibility to secure both on-premises and public cloud services, handle multiple OSs, and support VM, container and serverless architectures with ease.

Consider a HIPAA workload on VMware, on-premises inside a perimeter. When migrated to Amazon Web Services (AWS), this same workload could have open-access VPCs and security groups, open S3 buckets and vulnerable VMs, all of which need continuous evaluation for security. Next, given a sophisticated and flexible discovery mechanism, the solution shouldn’t be limited to assessing OSs. It should effectively handle hypervisors and container platforms such as VMware, Docker and Kubernetes. Additionally, it should effectively assess those critical cloud services that are closely tied to the workload, such as databases, thus offering a more complete view of an organization’s security posture. This requirement for flexibility lends itself to customization.

Customization

Henry Ford’s line, “Any customer can have a car painted any color that he wants so long as it is black,” just doesn’t cut it in today’s security deployments. Every enterprise has its own requirements and its own way of assessing risk. For comprehensive security and compliance assessments, this requires an intuitive way of scripting custom policies for both the OS and for on-premises/cloud services.

For example, a vendor’s solution may offer monitoring and remediation for a pre-packaged set of AWS services, but the enterprise may have adopted one of the more obscure ones that is nonetheless critical to its environment. Here, customization can offer enterprises a complete view of their security posture. In the same way, pre-packaged benchmarks from the CIS, or technical control mappings for regulations such as HIPAA or HITECH, may integrate a set of checks, but a health care institution may need something more in depth or a variation of an existing control. Or, it may need to develop its own framework consisting of controls from different families as well as custom policies. Options here include leveraging already-available Security Content Automation Protocol (SCAP) content or creating custom policies from scratch via scripting.

Machine Learning

In most cases, compliance teams take a standard such as HIPAA that contains a set of administrative, physical and technical safeguards. They map each technical safeguard to a corresponding technical control policy, such as that found in CIS, which then maps to a target OS. As one would imagine, this is a time-consuming process, and in almost all cases, they have no way to prioritize technical controls to guide change management plans. Once the mappings are in place, the compliance platform automates checks, with the output a list of recommended remediation actions.
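To make the mapping and prioritization described above concrete, here is an added example (not code from the article or from any vendor it alludes to) of a minimal unified posture engine. It also illustrates the hybrid-cloud and customization points made earlier: one pass evaluates on-premises VMs alongside AWS buckets, security groups and databases, and a scripted custom policy can be attached to a safeguard the pre-packaged set does not cover. The asset schema, policy IDs, severities and the HIPAA-safeguard-to-policy mapping are all assumptions for illustration, not official CIS or HIPAA content.

```python
"""Added example: map regulatory safeguards to technical control policies,
evaluate them against a constructed hybrid inventory, and prioritize findings.
All identifiers and the framework mapping below are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Asset:
    name: str
    kind: str            # "vm", "s3_bucket", "security_group", "database"
    environment: str     # "on-prem" or "aws"
    criticality: int     # 1 (low) .. 5 (business critical)
    config: dict = field(default_factory=dict)


@dataclass
class Policy:
    id: str
    applies_to: Set[str]                 # asset kinds the check understands
    severity: int                        # 1 (low) .. 3 (high)
    check: Callable[[Asset], bool]       # True when the asset is compliant
    remediation: str


@dataclass
class Finding:
    asset: str
    policy: str
    safeguard: str
    score: int           # criticality * severity, drives the remediation order
    remediation: str


def _no_world_admin(a: Asset) -> bool:
    # Non-compliant if any inbound rule exposes an admin port to the whole internet.
    return not any(r.get("cidr") == "0.0.0.0/0" and r.get("port") in (22, 3389)
                   for r in a.config.get("inbound", []))


# "Pre-packaged" policies a vendor might ship (assumed IDs, not a real benchmark).
PRE_PACKAGED: Dict[str, Policy] = {p.id: p for p in [
    Policy("SG-NO-WORLD-ADMIN", {"security_group"}, 3, _no_world_admin,
           "Restrict SSH/RDP ingress to a bastion or VPN CIDR"),
    Policy("S3-NO-PUBLIC-ACL", {"s3_bucket"}, 3,
           lambda a: not a.config.get("public_acl", False),
           "Remove the public ACL and enable Block Public Access"),
    Policy("S3-ENCRYPTED", {"s3_bucket"}, 2,
           lambda a: bool(a.config.get("encryption")),
           "Enable default server-side encryption"),
    Policy("DB-ENCRYPTED", {"database"}, 2,
           lambda a: bool(a.config.get("encrypted_at_rest")),
           "Enable encryption at rest"),
    Policy("OS-PATCHED", {"vm"}, 1,
           lambda a: a.config.get("days_since_patch", 999) <= 30,
           "Apply pending OS patches"),
]}

# Illustrative safeguard-to-policy mapping; the real one is what a compliance
# team builds by hand today (and what the article proposes ML could assist).
FRAMEWORK: Dict[str, List[str]] = {
    "HIPAA 164.312(a)(1) Access control": ["SG-NO-WORLD-ADMIN", "S3-NO-PUBLIC-ACL"],
    "HIPAA 164.312(a)(2)(iv) Encryption": ["S3-ENCRYPTED", "DB-ENCRYPTED"],
    "HIPAA 164.312(c)(1) Integrity": ["OS-PATCHED"],
}


def add_custom_policy(framework, policies, safeguard, policy):
    """Register a scripted policy and attach it to a safeguard (customization)."""
    policies[policy.id] = policy
    framework.setdefault(safeguard, []).append(policy.id)


def evaluate(assets, policies, framework) -> List[Finding]:
    """Run every mapped policy over every asset it applies to, on-prem and cloud
    alike, and return findings sorted highest-priority first."""
    findings = []
    for safeguard, policy_ids in framework.items():
        for pid in policy_ids:
            policy = policies[pid]
            for asset in assets:
                if asset.kind in policy.applies_to and not policy.check(asset):
                    findings.append(Finding(asset.name, pid, safeguard,
                                            asset.criticality * policy.severity,
                                            policy.remediation))
    return sorted(findings, key=lambda f: (-f.score, f.asset, f.policy))


def remediation_plan(findings) -> List[str]:
    return [f"[{f.score:2d}] {f.asset}: {f.policy} -> {f.remediation}" for f in findings]


# Constructed inventory for the demo; not from any real environment.
SAMPLE_ASSETS = [
    Asset("hipaa-app-01", "vm", "on-prem", 5, {"days_since_patch": 45}),
    Asset("phi-exports", "s3_bucket", "aws", 5, {"public_acl": True, "encryption": None}),
    Asset("phi-app-sg", "security_group", "aws", 4,
          {"inbound": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 443}]}),
    Asset("phi-rds", "database", "aws", 5, {"encrypted_at_rest": True, "audit_logging": False}),
    Asset("build-runner", "vm", "aws", 1, {"days_since_patch": 90}),
]


def run_sample() -> List[Finding]:
    policies = dict(PRE_PACKAGED)
    framework = {k: list(v) for k, v in FRAMEWORK.items()}
    # A custom check for a service the pre-packaged set does not cover.
    add_custom_policy(framework, policies, "HIPAA 164.312(b) Audit controls",
                      Policy("DB-AUDIT-LOGGING", {"database"}, 2,
                             lambda a: bool(a.config.get("audit_logging")),
                             "Enable database audit logging and ship logs to the SIEM"))
    return evaluate(SAMPLE_ASSETS, policies, framework)


if __name__ == "__main__":
    for line in remediation_plan(run_sample()):
        print(line)
```

Running it lists six findings, with the public PHI bucket (criticality 5, severity 3) at the top and the stale build runner (criticality 1) at the bottom; the encrypted database passes its pre-packaged check but is caught by the scripted audit-logging policy. The score is deliberately simple so that the prioritization rule is visible; a production engine would fold in exposure, exploitability and data classification.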

But as new regulations and standards emerge, especially for data privacy, we need to evolve, both in the way we map the various standards, regulations and benchmarks and in how we handle the output. This is where a practical application of machine learning comes into play, as it can help streamline and automate the mapping and prioritization of the various technical controls. At the tail end, the system should effectively prioritize remediation actions and, if the operator is so inclined, automatically carry out this guidance.

How To Get Started

If you're a cybersecurity leader looking to implement this unified approach, here's how to get started. As a baseline, the NIST Cybersecurity Framework (CSF) provides structure to implementing a security program, including conducting an initial risk assessment, creating a target security profile, analyzing and prioritizing gaps and carrying out an action plan. It is not a regulation in and of itself, but it makes reference to a number of other standards that one may apply to a specific function and vertical. For example, those in health care may focus on HIPAA and ISO. Extending to the public cloud, the CSF may be used in conjunction with the new CIS Controls Cloud Companion Guide that maps the CIS 20 Controls to IaaS, PaaS, SaaS and FaaS.

Ultimately, a unified approach to risk, security and compliance automation offers organizations a more extensible, accurate and cost-effective way of securing their hybrid data and applications. Multicloud deployment, custom scripting and leveraging machine learning are all critical capabilities that enable this evolution.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.