The key to compliance

By Dominique Levin, LogLogic, Inc.

LogLogic, Inc. | www.loglogic.com


Data retention has become one of the most pressing issues facing business today. Compliance is no longer just a problem for IT; the issue is now in the boardroom. Governments and international bodies have launched a raft of laws and regulations, and company directors are held legally responsible for non-compliance.

Compliance is one of many concerns, or ‘pain points’ for today’s CIO, with others including business continuity, risk mitigation, business operations, privacy protection and how to handle increasingly large volumes of log data.

With companies already struggling to control IT expenses, compliance might seem like an unwelcome addition to any list of priorities. In fact, many companies say meeting regulations today is a greater burden than preparing systems for Y2K was. As much as compliance is about meeting legal mandates and regulations, it is also an opportunity for companies to examine and improve IT and business processes and practices, and to achieve a new level of risk mitigation and operational efficiency.

However, complying with legislation can be tedious and time-consuming. Finding information for auditors takes hours, and sorting it into a usable format can be impossible without advanced reporting features that automate the process. Tight budgets limit the headcount dedicated to compliance tasks, putting added strain on already taxed IT departments.

Compliance and log data

Compliance mandates force a critical examination of business and IT processes and practices. Such examination starts and ends with visibility and transparency into these processes and practices. Many regulatory and best practices frameworks recommend achieving transparency through logging – the activity of collecting, analysing and storing a complete audit trail of system and user activity.

Enterprise data can be largely grouped in three categories – public, application and log. All organisations generate log data, but the information is often not collected systematically or stored securely. According to the SANS Institute, logs make up 25 percent of all enterprise data and tracking log data is now critical to mitigating risk and meeting compliance commitments. Log data tends to have the following characteristics: high volume, sensitive (customer, employee), dispersed, inconsistent formats and no chain of custody or control.

Log data can be held on multiple devices, applications, operating systems and servers. Usually there are few or no policies or procedures governing its use, and little awareness or consistency across the enterprise in how it is used.

The emergence of log management and intelligence as an industry illustrates the paradigm shift occurring in IT, as new enterprise-class solutions replace the home grown scripts and SIEM products of the past to enable compliance, while also ensuring better all-around IT efficiency and data protection. Where it was once a siloed task, log data management is emerging as a best practice in ensuring operational effectiveness and mitigating risk.

Without a powerful log management solution, organizations lack the visibility required to properly monitor their networks and respond to security, availability and performance issues effectively. Log management is an important element of any risk, performance and compliance management strategy.

An ongoing and automated examination of IT and business practices can illuminate processes in a company that are wasting money and resources, and point to better processes for managing data. Additionally, greater insight into log data can improve IT health by giving administrators speed and agility when responding to security and performance risks.

Managing and protecting the terabytes of data commonly generated by enterprise networks is a task that requires deep insight into network activity and the ability to react quickly should a problem – such as a security breach, system failure or internal leak – occur. Compliance frameworks define best practices for doing just that, and companies who do not comply face not only legal consequences, but also the risk of downtime, dissatisfied customers, and ultimately, lost revenue.

Each case of fraud costs companies an average of US$15,000 and IT departments spend about 175 hours on remediation after a security incident. Corporations can be held liable, leading to legal debt and other related expenses. Additionally, brand damage resulting from waning consumer trust can cause huge losses in revenue. According to Gartner, by this year, 20-30 percent of Global 1000 companies will suffer exposure due to privacy mismanagement. The costs to recover from these mistakes could range from US$5-19 million per incident. In addition to legal risks, intellectual property leakage, such as shared trade secrets or pre-announced products, can cost companies millions in lost profits.

Solutions need to offer IT a higher level of reporting and auditing, securely storing all raw log data for on-demand retrieval or historical analysis. This is so IT staff can quickly create customizable templates that align with their IT control matrix and best practice standards and regulations, including Sarbanes-Oxley, HIPAA, COSO and ITIL.

Best practice – business and IT processes

Although it’s clear that increasingly strict guidelines necessitate automated ways to collect, analyse, alert on and archive log data, most companies do not have an adequate solution in place to perform these tasks efficiently. Accenture says the average bank will spend US$61 million on Basel II over the next couple of years.

Despite the investment being made in compliance, companies are still failing to meet requirements. Recently, Gartner reported that two-thirds of all companies found material weakness in controls this year, with audit deficiencies expected to double until 2008. Why are they failing to comply? Organisations that rely on homegrown logging solutions lack the visibility and transparency into their infrastructure needed to meet the requirements. For example, collecting disparate pieces of logging information without an automated way to summarise and analyse that information in real time does not give an administrator enough information to pinpoint unusual and suspicious user activity. Manual activities, such as searching through log data in response to auditors' questions, can make compliance efforts seem like a virtual black hole for IT budgets.

Any compliance strategy must be clear on how to achieve visibility and transparency of IT and business processes. Best practice frameworks recommend using log data to provide greater insight into four critical IT processes in particular to achieve a more proactive approach to heading off potential pitfalls in information management. These four critical IT processes that can be monitored through log data are:

  • Authentication and authorisation: No individual should have more rights than he or she needs to execute his or her assigned tasks. The organisation should also maintain a complete record of access and activities.
  • Configuration and change management: No changes should be made without authorisation. A record of what changes are made should be maintained so that the state of a system or application at a previous time can be determined.
  • Segregation of duties: A single person should not have the right to configure IT systems as well as audit, initiate or approve incompatible activities in those systems.
  • Documentation: All entities must be held accountable. Compliance should be documented and tested on an ongoing basis. The audit trail should allow for testing of the internal IT control framework as well as substantiating regulatory compliance.
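As an added illustration of how the four control checks above can be run over collected log data (example code written for this article, not LogLogic's product or the author's own), the script below parses a constructed key=value style audit trail and reports privilege grants, changes with no change record, the same person making and approving a change, and a per-user activity record for auditors. The log format, field names and the list of privileged roles are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit trail (not taken from the article); key=value syslog-style lines.
SAMPLE_LOG = """\
2010-01-18T09:00:01 host=app01 user=alice action=login result=success
2010-01-18T09:05:12 host=app01 user=alice action=grant_role target=bob role=admin
2010-01-18T09:20:30 host=fw01 user=bob action=config_change change_id=CHG-1042
2010-01-18T09:21:02 host=fw01 user=bob action=approve_change change_id=CHG-1042
2010-01-18T10:02:45 host=db01 user=carol action=config_change
2010-01-18T10:10:00 host=app01 user=dave action=login result=failure
"""

KV = re.compile(r"(\w+)=(\S+)")  # assumed field syntax: key=value, no spaces in values

def parse_events(text):
    """Turn each log line into a dict; the timestamp is the first token."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events

def check_controls(events, privileged_roles=("admin",)):
    """Apply the four control checks and return findings keyed by control name."""
    findings = defaultdict(list)
    actors = defaultdict(set)  # change_id -> set of (user, action) that touched it
    for ev in events:
        # Authentication and authorisation: every privileged-role grant is surfaced for review.
        if ev.get("action") == "grant_role" and ev.get("role") in privileged_roles:
            findings["authorisation"].append(f'{ev["user"]} granted {ev["role"]} to {ev["target"]} at {ev["ts"]}')
        # Configuration and change management: a change with no change_id has no authorisation record.
        if ev.get("action") == "config_change" and "change_id" not in ev:
            findings["change_management"].append(f'unauthorised change by {ev["user"]} on {ev["host"]} at {ev["ts"]}')
        # Remember who made or approved each recorded change for the segregation-of-duties check.
        if "change_id" in ev:
            actors[ev["change_id"]].add((ev["user"], ev["action"]))
    # Segregation of duties: the same person must not both make and approve a change.
    for cid, pairs in actors.items():
        makers = {u for u, a in pairs if a == "config_change"}
        approvers = {u for u, a in pairs if a == "approve_change"}
        for user in sorted(makers & approvers):
            findings["segregation_of_duties"].append(f'{user} both made and approved {cid}')
    # Documentation: a complete per-user activity record that can be handed to an auditor.
    findings["audit_trail"] = sorted(f'{ev["user"]}:{ev["action"]}' for ev in events)
    return dict(findings)
```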

Although requirements vary across industries and regions, these four areas are largely consistent. Most regulatory groups also recommend retaining accurate network activity logs for anywhere from three to seven years. Administrators can be asked to report on specific log data at any point, so fast access to complete data is essential.

In terms of business strategy, there are some key habits that will help an organisation stay on the right track:

  • Document the policy and control environment
  • Assign appropriate oversight of compliance management
  • Require personnel screening and access control
  • Ensure compliance through training
  • Implement regular control monitoring and auditing policies
  • Consistently enforce the control environment
  • Prevent and respond to incidents and gaps in controls

It helps to remember that compliance is not a necessary evil, but an internal business benefit and a selling point to external customers. The key for any organisation is to turn compliance into a business advantage, not a burden.

Dominique Levin is VP, Product Development at LogLogic Inc.
