‘We have ways of making you compliant' – not a secret service threat, but a promise from many providers and third parties.
At the outset it is worth remembering that whoever is used to ensure the company meets its compliance mandate – internal, service provider, or cloud provider – the ultimate responsibility stays with the company. Using a third party does not change the equation of liability and impact to your reputation, so can compliance be outsourced?
Yes. Compliance-as-a-Service is possible, but only if you have the correct mix of logging, patching, scanning (both patch and vulnerability), and device-configuration and build-validation checking. For many mandates, such as PCI-DSS and GPG-13, this means having to focus on all the disciplines above.
How many companies can say they have all these covered and would pass a thorough audit? Our guess is well below 50 per cent.
Compliance should be similar to a trip to the dentist, something that is far less painful if done on a regular and scheduled basis. It's the same old story, relating to chaos theory: all systems if left alone entropy, but if checked and maintained on a regular basis they will perform better and the costs of maintenance will be less.
That's why we say Compliance-as-a-Service delivers positive benefits to any company. Lower costs equals more to spend on other IT projects, and less pain means more resources available internally if activities are performed regularly.
Compliance-as-a-Service contains all the consultative and externally serviced elements that allow the customer to achieve and maintain compliancy. While responsibility undoubtedly still resides with the company, many do need help with the identification of their compliance mandate and the subsequent monitoring and alerting to compliance violations.
A good externally sourced service should begin with a consultative phase that analyses the customer estate and identifies the events that needs to be monitored, ticketed, alerted on and, of course, responded to. While the logging aspect is important, a service should also deliver patch and vulnerability scanning, build-validation and configuration checking are all key to maintaining compliance.
Maintaining compliance should be seen as security best practice; the two go hand-in-hand. This is highlighted when evaluating intelligent logging of key events in the infrastructure, events that the consultants or internal IT have deemed necessary to maintain compliance.
A compliance event is often a security event, so what happens next is crucial. Compliance-as-a-Service should include customer escalation based on the nature of the event, anything from log- and ticket-only for the auditors, to 'call me within 15 minutes 24/7' if the event is serious and requires immediate attention.
Additionally, compliance mandates such as PCI-DSS require acknowledgements of events within 24 hours, and an externally sourced service should undertake a daily inspection of the logs plus checking for credit card data in the logs.
While it is true that companies are responsible for their compliance adherence, many never inspect their log files, struggle to determine what to monitor and alert on and how to respond when an alert occurs. An external service can provide significant value in this area.
So, look your service supplier in the eye and ask to see their operation, inspect their processes, ask about their incident management and response process and, if satisfied, sit comfortably and feel the pain ease away as the compliance worries dissipate.
Martin Dipper is head of managed services at CNS