
Today, most organisations face the same issues when it comes to securing their systems and complying with various regulations and security requirements coming from industry bodies, business partners and others. These include:
Costs and risks are excessive. As the challenges of compliance and risk management increase in scope and complexity, so too do the costs and challenges of meeting these demands. Traditionally, organisations have responded by deploying specialised tools and manual processes that are expensive, inefficient, error-prone and that deliver conflicting results.
Integration is lacking. When it comes to managing and monitoring security events in the IT environment, there are few established best practices and little or no centralisation. Security data is distributed across a number of different databases and application systems, and some security tools in use are device-centric, while others are identity-centric. In this situation it is often an overwhelming task to produce a consolidated view of the people, processes, and technology, especially in a large organisation.
Security is a moving target. Hackers constantly test the limits of security measures, and constant vigilance is required to manage potential internal threats. It is very challenging – or even impossible – to stay one step ahead, especially since new users and new resources are added to the network all the time.
Full compliance seems unattainable. Without a real-time security information and event management solution, an organisation can fall out of compliance before it is even aware of it. To make matters even more challenging, many organisations are subject to multiple regulations coming from industry bodies and business partners, resulting in a never-ending race against the compliance clock.
To attempt to tackle and remedy these challenges, many organisations use processes that are unsustainable. These organisations must employ many people to analyse and interpret vast quantities of data, then issue reports to prove not only that the organisation has established the required IT controls, but also that they are functioning as intended. The process of gathering, analysing, and reporting on this can take weeks or even months – long enough that the data is ancient history by the time it reaches the hands of decision-makers or internal or external auditors.
Addressing and solving the enterprise security and compliance challenges discussed above is currently very high on many CIOs’, CSOs’, and business executives’ priority lists. The more things change, the more intense regulatory requirements become. European companies will spend almost €10 billion in 2007 on technologies and services in attempts to comply with regulatory requirements, minimise risk, and assure their customers and partners that their security administration processes and procedures, networks, and data are secure. They have no choice – it is a cost of doing business.
The need for achieving a real-time, holistic view of security and policy compliance activities across your entire IT environment has never been more acute. Automated enterprise security and compliance management provides your organisation with the ability to demonstrate and monitor compliance with internal security policies and government and industry regulations. It also provides a framework that enables business policies to drive IT policy and actions, the capabilities for real-time security management and compliance monitoring across all systems and networks, and automatic documenting and reporting on security and access events across the organisation.
Identity and access management and security information and event management are the two key security environments that organisations need to deploy to meet enterprise security and compliance management needs. Typically, these two environments have required different approaches to information security, and they have been treated as separate projects and separate services by different parts of the organisation. However, enterprise security and compliance efforts are acting as the major catalyst driving them together. Preparing for this integration by identifying the audit requirements your organisation has in common across both systems is particularly important for a successful implementation.
To enable all of this from a technical standpoint, a cross-platform, enterprise-wide system that combines identity and access management with security information and event management is needed. This approach also delivers a holistic solution that integrates people, processes, and technology to provide integrated intelligence at every level of the organisation. As a result, your organisation can reduce costs, minimise risk, and maximise efficiency, while maintaining the highest levels of security and compliance with industry regulations, internal security policies, and the security requirements coming from your strategic business partners.
The organisation’s ability to address enterprise security and compliance requirements is also closely linked to the security and access controls defined for its information technology infrastructure and business applications, as these are what enable, for example, the financial reporting process and related activities. Any unauthorised access to the financial data stored and processed on application systems can threaten the organisation’s ability to comply with regulatory requirements or internal security policies.
When it comes to system security and the control of access to systems and applications, most of the regulations are not explicitly prescriptive. However, by comparing industry best practices for security and control of other types of information with these regulations, the following common requirements for internal control become clear:
Essentially, these requirements all touch upon the need to deliver the right information and business processes to the right people, and doing so starts with controlling identity. The decision to grant people access to business and IT resources and information is based on their role with and within the organisation, which is managed as ‘identity information’. This must be complemented by an integrated view of security and compliance events on the network, allowing the identification of both external and internal security threats and compliance-related breaches of all kinds. The key is the ability to take immediate action to address weaknesses based on roles, business policies, and regulatory requirements.
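As an added illustration (it is not part of the original text and describes no particular product), the following Python script shows what joining identity-centric and device-centric data looks like in practice: constructed identity records with roles, a constructed role-based access policy, and constructed host log lines of the kind a SIEM collects are correlated so that successful access without an entitling role, access by a deprovisioned account, and access by an account unknown to the identity store each surface as a finding in a consolidated report. Every account name, role, resource, host and log line here is an assumption made up for the example.

```python
"""Correlate identity data with access events into one compliance view.

Added example, not from the original white paper: the identity records,
access policy and log lines below are all constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed identity store: roles each account holds and whether it is still active.
IDENTITIES = {
    "jsmith": {"roles": {"accounts_payable"}, "active": True},
    "mlee":   {"roles": {"financial_controller", "accounts_payable"}, "active": True},
    "rkhan":  {"roles": {"helpdesk"}, "active": True},
    "tgone":  {"roles": {"financial_controller"}, "active": False},  # leaver, not yet removed
}

# Constructed business policy: which roles may perform which action on a resource.
POLICY = {
    "gl_ledger":      {"READ": {"financial_controller", "accounts_payable"},
                       "WRITE": {"financial_controller"}},
    "payroll_master": {"READ": {"financial_controller"}, "WRITE": {"financial_controller"}},
}

# Constructed, device-centric log lines as hosts would send them to a SIEM.
RAW_EVENTS = """\
2007-03-12T09:14:05 host=erp01 user=jsmith action=READ resource=gl_ledger result=SUCCESS
2007-03-12T09:20:41 host=erp01 user=jsmith action=WRITE resource=gl_ledger result=SUCCESS
2007-03-12T10:02:13 host=hr02 user=rkhan action=READ resource=payroll_master result=FAILURE
2007-03-12T10:02:19 host=hr02 user=rkhan action=READ resource=payroll_master result=FAILURE
2007-03-12T11:45:00 host=erp01 user=tgone action=READ resource=gl_ledger result=SUCCESS
2007-03-12T12:01:30 host=erp01 user=mlee action=WRITE resource=gl_ledger result=SUCCESS
2007-03-12T12:30:00 host=hr02 user=svc_old action=READ resource=payroll_master result=SUCCESS
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                      r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    user: str
    resource: str
    action: str
    ts: str


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def evaluate(events, identities=IDENTITIES, policy=POLICY):
    """Join each event to identity and policy; return the compliance findings.

    unknown_identity   account missing from the identity store (orphaned/service account)
    inactive_identity  successful access by a deprovisioned account
    unauthorised       successful access without a role the policy permits
    unpoliced_resource access to a resource no policy covers
    """
    findings = []
    for ev in events:
        user, res, act = ev["user"], ev["resource"], ev["action"]
        ident = identities.get(user)
        if ident is None:
            findings.append(Finding("unknown_identity", user, res, act, ev["ts"]))
            continue
        if ev["result"] != "SUCCESS":
            continue  # blocked by the system; counted separately as an attempt signal
        if not ident["active"]:
            findings.append(Finding("inactive_identity", user, res, act, ev["ts"]))
            continue
        allowed = policy.get(res)
        if allowed is None:
            findings.append(Finding("unpoliced_resource", user, res, act, ev["ts"]))
        elif not ident["roles"] & allowed.get(act, set()):
            findings.append(Finding("unauthorised", user, res, act, ev["ts"]))
    return findings


def failed_attempts(events):
    """Failed attempts per (user, resource); repeated failures are an internal-threat signal."""
    return Counter((e["user"], e["resource"]) for e in events if e["result"] == "FAILURE")


def report(text=RAW_EVENTS):
    """Consolidated summary an auditor could read: findings and counts per category."""
    events = parse_events(text)
    findings = evaluate(events)
    return {"events": len(events), "findings": findings,
            "by_category": dict(Counter(f.category for f in findings)),
            "failed_attempts": failed_attempts(events)}


if __name__ == "__main__":
    r = report()
    print(f"{r['events']} events, {len(r['findings'])} findings: {r['by_category']}")
    for f in r["findings"]:
        print(f"  {f.category:<18} {f.ts} {f.user} {f.action} {f.resource}")
    for (u, res), n in r["failed_attempts"].items():
        print(f"  failed attempts    {u} on {res}: {n}")
```

The point of the join is that neither data set alone reveals these findings: the host log shows only that an access succeeded, and the identity store shows only who holds which role. Correlating the two per event is what turns raw security events into the role- and policy-based view the text calls for, and keeping the identity store current (the leaver `tgone` here) is what makes the result trustworthy.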