TraceSecurity: DevOps Meets Compliance
#infosec #devops #bigdata #cloud
IT security initiatives can benefit from a devops approach enabled with a flexible framework.
What do you get when you mix some devops with compliance and its resulting big data?
Okay, aside from a migraine just thinking about that concept, what do you get?
What TraceSecurity got was TraceCSO – its latest compliance, security, cloud mashup.
BIG (OPERATIONAL) DATA
The concept of big "operational" data shouldn't be new. Enterprise IT deals with enormous volumes of data in the form of logs generated by the hundreds of systems that make up IT. And the same problems that have long plagued APM (Application Performance Management) solutions are a scourge for security and compliance operations as well: disconnected systems produce disconnected data that can make compliance and troubleshooting even more difficult than it already is.
Additional data that should be collected as part of compliance efforts – sign-offs, verification, etc. – often isn't or, if it is, is stored in a file somewhere on the storage network, completely disconnected from the rest of the compliance framework.
Now add in the "big data" from regulations and standards that must be factored in.
There are a daunting number of controls we have to manage. And we are all under multiple overlapping jurisdictions. There isn't a regulatory body out there that creates an authority document that doesn't overlap, or hasn't overlapped, an already existing one. The new US HIPAA/HITECH Acts alone have spun a web of almost 60 Authority Documents that need to be followed. Even PCI refers to almost 5 dozen external Authority Documents and there are at least 20 European Data Protection Laws.
-- Information Security Form: Unified Compliance Framework (UCF)
While the UCF (Unified Compliance Framework) provides an excellent way to integrate and automate the matching of controls to compliance efforts and to manage the myriad steps that must be completed to realize compliance, it still falls on IT to manage the many manual processes that require sign-off or verification, or steps that simply cannot be automated.
But there's still a process that can be followed, a methodology, that makes it a match for devops.
The trick is finding a way to codify those processes in such a way as to make them repeatable and successful. That's part of what TraceCSO provides – a framework for process codification that factors in regulations, risk and operational data to ensure a smoother, simpler implementation.
HOW IT WORKS
TraceCSO is a SaaS solution comprising a cloud-hosted application and a locally deployed vulnerability scanner, which together provide the visibility and interconnectivity necessary to enable process automation. Much like BPM (Business Process Management) and IAM (Identity and Access Management) solutions, TraceCSO offers the ability to automate processes that may include manual sign-offs, integrating with local identity stores like Active Directory.
The system uses wizards to guide the codification process, with many helpful links to referenced regulatory and compliance documents and associated controls. Initial system setup walks through adding users and departments, defining permissions and roles, coordinating network scanning and selecting the appropriate authority documents from which compliance levels can be determined.
TraceCSO covers all functional areas necessary to manage an ongoing risk-based information security program:
TraceCSO can be integrated with a variety of GRC solutions, though this may entail work on the part of TraceSecurity, the ISV, or the organization. Integration with MDM, for example, is not offered out of the box; for mobile devices TraceCSO therefore approaches compliance with the proper security policies via an audit process that requires sign-off by the responsible parties designated in the system.
Its integrated risk assessment measures against best-practice CIA (Confidentiality, Integrity, Availability) expectations. TraceCSO calculates a unique risk score based on CIA measures as well as compliance with authoritative documentation and selected controls. It not only reports that risk score over time but also lets you examine unimplemented controls and best practices against the anticipated improvement in the score. This gives IT and the business a way to choose those control implementations that will offer the best "bang for the buck" and puts more weight behind risk-benefit analysis.
By selecting regulations and standards applicable to the organization, TraceCSO can map controls identified during the risk assessment phase to its database of authorities. Technical controls can also be derived from vulnerability scans conducted by the TraceCSO appliance component.
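The scoring and what-if analysis described above, worked through in code. This is an added illustration and not TraceCSO's own algorithm, which the article does not detail: the scoring formula, the CIA weights, the control catalogue, the authority names, the costs and the baseline exposure values are all constructed assumptions. It also shows the authority-overlap point from earlier in the article, since one control in the catalogue can satisfy several authority documents at once.

```python
"""Risk scoring with control-to-authority mapping and what-if ranking.

Added example, not TraceCSO's scoring algorithm: the formula, weights,
controls, authority names, costs and exposure values below are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    reduction: Tuple[float, float, float]  # fraction of C, I, A exposure removed when implemented
    cost: float                            # constructed effort units
    authorities: FrozenSet[str]            # authority documents that require this control


# Constructed control catalogue. Note the overlap: one control can satisfy several authorities.
CONTROLS: List[Control] = [
    Control("AC-1", "MFA for administrative access", (0.4, 0.2, 0.0), 3.0,
            frozenset({"PCI DSS", "HIPAA"})),
    Control("BK-1", "Tested off-site backups", (0.0, 0.1, 0.4), 2.0,
            frozenset({"HIPAA"})),
    Control("PM-1", "Patch critical findings within 30 days", (0.3, 0.3, 0.1), 4.0,
            frozenset({"PCI DSS", "HIPAA", "ISO 27001"})),
    Control("LG-1", "Central log collection and review", (0.1, 0.2, 0.1), 1.0,
            frozenset({"PCI DSS", "ISO 27001"})),
]

# Constructed baseline exposure per CIA dimension (as if summarised from scan findings), 0..1.
BASELINE_EXPOSURE = (0.8, 0.6, 0.5)
# Constructed business weighting of C, I, A; sums to 1.
WEIGHTS = (0.5, 0.3, 0.2)
# Authorities the (hypothetical) organisation has selected as applicable.
SELECTED_AUTHORITIES = frozenset({"PCI DSS", "HIPAA"})


def required_controls(controls: List[Control], selected: FrozenSet[str]) -> List[Control]:
    """Controls required by at least one selected authority document."""
    return [c for c in controls if c.authorities & selected]


def residual_exposure(exposure, implemented: FrozenSet[str], controls: List[Control]):
    """Apply each implemented control's reduction; independent reductions multiply."""
    residual = list(exposure)
    for c in controls:
        if c.cid in implemented:
            for d in range(3):
                residual[d] *= (1.0 - c.reduction[d])
    return tuple(residual)


def risk_score(exposure, implemented: FrozenSet[str], controls: List[Control],
               weights, selected: FrozenSet[str]) -> float:
    """0 (no risk) .. 100: 70% weighted residual CIA exposure, 30% compliance gap."""
    residual = residual_exposure(exposure, implemented, controls)
    technical = sum(w * r for w, r in zip(weights, residual))
    required = required_controls(controls, selected)
    missing = [c for c in required if c.cid not in implemented]
    gap = len(missing) / len(required) if required else 0.0
    return 100.0 * (0.7 * technical + 0.3 * gap)


def coverage_by_authority(implemented: FrozenSet[str], controls: List[Control],
                          selected: FrozenSet[str]) -> Dict[str, Tuple[int, int]]:
    """Per authority: (implemented required controls, total required controls)."""
    coverage = {}
    for authority in sorted(selected):
        required = [c for c in controls if authority in c.authorities]
        done = [c for c in required if c.cid in implemented]
        coverage[authority] = (len(done), len(required))
    return coverage


def what_if(exposure, implemented: FrozenSet[str], controls: List[Control],
            weights, selected: FrozenSet[str]) -> List[dict]:
    """Rank each unimplemented control by risk-score reduction per unit of cost."""
    current = risk_score(exposure, implemented, controls, weights, selected)
    rows = []
    for c in controls:
        if c.cid in implemented:
            continue
        new = risk_score(exposure, implemented | {c.cid}, controls, weights, selected)
        delta = current - new
        rows.append({"cid": c.cid, "new_score": new, "delta": delta,
                     "delta_per_cost": delta / c.cost})
    return sorted(rows, key=lambda r: r["delta_per_cost"], reverse=True)


if __name__ == "__main__":
    done = frozenset()
    print(f"current score: {risk_score(BASELINE_EXPOSURE, done, CONTROLS, WEIGHTS, SELECTED_AUTHORITIES):.1f}")
    for row in what_if(BASELINE_EXPOSURE, done, CONTROLS, WEIGHTS, SELECTED_AUTHORITIES):
        print(f"{row['cid']}: score {row['new_score']:.1f}  "
              f"reduction {row['delta']:.1f}  per cost {row['delta_per_cost']:.2f}")
    print(coverage_by_authority(done, CONTROLS, SELECTED_AUTHORITIES))
```

With these constructed numbers the control with the largest raw score reduction (AC-1) is not the one with the best reduction per unit of cost (LG-1), which is exactly the kind of distinction the "bang for the buck" comparison is meant to surface; the coverage table shows how one implemented control advances several authority documents at once.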
TraceCSO is ultimately an attempt to unify the many compliance and risk management functions provided today by a variety of disconnected, individual GRC solutions. By providing a single point of aggregation for risk and compliance management as well as process management, the system enables a more comprehensive view of both risk and compliance across all managed IT systems.
It's a framework enabling a more devops approach to compliance, which is certainly an area often overlooked in discussions regarding devops methodologies despite the reality that its process-driven nature makes it a perfect fit. The same efficiencies gained through process and task-automation in other areas of IT through devops can also be achieved in the realm of risk and compliance with the right framework in place to assist.
TraceCSO looks to be one such framework.