Welcome!

@CloudExpo Authors: Olivier Huynh Van, Carmen Gonzalez, Liz McMillan, Elizabeth White, Pat Romanski

Related Topics: Cloud Security

Cloud Security: Article

The Rise of the Managed Compliance Provider

Today, security is more complex than simply deploying firewalls and virus protection

You may think IT compliance is nothing more than big government sticking its nose into everyone’s business. Compliance equals Big Brother. OK, so there is some truth in that government compliance regulations are a little over the top, and perhaps there are just too many of them that functionally do the same thing. It’s not just about government regulations — it’s also about non-government standards, such as PCI, that need to be addressed.

Look at SOX, FISMA, FERPA, HIPAA and the brothers FERC and NERC. Aren’t they basically the same rules? Can’t we have just one large compliance regulation with small amendments for each specific industry? That would be easier, but since various politicians have stakes in their own versions, I don’t think we will see unification in the short term. That is one reason why regulators have to levy heavy fines and other punitive measures to force organizations to follow their rules.
However, if we look at compliance in a slightly different light, perhaps complying with these regulations will be just a little less painful.
 
Today, security is more complex than simply deploying firewalls and virus protection. For a company to be secure, it also has to look at security from an overall company risk perspective. This includes cybercrime and physical security as well as regulatory risks and profit risks around the costs versus the gains of implementing security measures.
In order to achieve complete security, your strategy needs to include multiple layers across three functional areas:
 
1) The protection of assets and data. This is the traditional implementation of firewalls, IDS systems, vulnerability protection, virus protection, penetration testing and many other standard security practices. Of course this is a very expensive proposition, so organizations must make technology strategy decisions based on budget and their type of business.
 
2) Process and procedures to adequately maintain security technology. You need to have methods and rules on how and when you update security components such as firewall policies, IOS, virus protection, log-in polices, and active directory policies. All of these need to be reviewed and updated frequently.
 
3) Defining and enforcing policies. It is one thing to have a policy on updating your virus definitions, but if these policies are not followed, then the first two areas cited above are worthless.
 
Many companies spend hundreds of thousands or even millions of dollars on firewalls, biometric devices, IDS/IPS, and anomaly detection but fail to deploy basic compliance-management systems. This places businesses at risk because it is very easy for someone to go into a device on the computer network, make changes that do not follow corporate security guidelines, and then open a hole in your defenses. An effective, automated compliance system continually validates that the rules of all devices follow correct security procedures.
 
Another aspect to consider is that compliance is often mandated by regulatory decrees, such as SOX, HIPAA, FISMA, GLBA and many others—or by industry requirements such as PCI and ISO. Non-compliance can result in significant fines and, in some cases, criminal prosecution. But even if compliance is not mandated, it is common sense to create policies and procedures and to verify they are being followed.
 
While risk management and mitigation serve as key drivers, incorporating business objectives and policies is an important part of the desired objective and is ultimately the end game. This is where compliance comes into the picture. Compliance proves the organization has the correct policies in place, and that the policies are being followed.
Security, compliance and risk assessment are the processes, but in the past, they have been 100 percent manual processes, time consuming, and prone to error. As a result, there is now an emerging trend to outsource the mechanics of monitoring the validation process to a local service provider, also called a Managed Compliance Provider or MCP.
 
MCPs perform the grunt work in tracking compliance processes through a managed service. Effective MCP solutions provide clients with near real-time dashboards and reports on their compliance status while also eliminating or significantly reducing error-prone, manual processes. Some MCPs even have the ability to certify if clients are within compliance.  
 
Security does not imply compliance, and compliance does not beget security. There must be a unification of both programs, which is what compliance is all about. Compliance also should not be viewed as some government oversight, but instead a common-sense approach to protecting the assets and value of your business.

More Stories By Jim Hare

Jim Hare is channel chief and VP of worldwide sales for eGestalt Technologies, a cloud-computing provider of IT-GRC applications for enterprises, including small to mid-size enterprises. Based in Santa Clara, CA, eGestalt has created “The Managed Compliance Provider Cookbook,” which is available to all Managed Compliance Provider (MCP) partners. The cookbook is a guide for service providers and MSPs looking to enter the lucrative field of compliance services.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, June 6-8, 2017, at the Javits Center in New York City, NY and October 31 - November 2, 2017, Santa Clara Convention Center, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
HyperConvergence came to market with the objective of being simple, flexible and to help drive down operating expenses. It reduced the footprint by bundling the compute/storage/network into one box. This brought a new set of challenges as the HyperConverged vendors are very focused on their own proprietary building blocks. If you want to scale in a certain way, let’s say you identified a need for more storage and want to add a device that is not sold by the HyperConverged vendor, forget about it...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
FinTech is the sum of financial and technology, and it’s one of the fastest growing tech industries. Total global investments in FinTech almost reached $50 billion last year, but there is still a great deal of confusion over what it is and what it means – especially as it applies to retirement. Building financial startups is not simple, but with the right team, technology and an innovative approach it can be an extremely interesting domain to disrupt. FinTech heralds a financial revolution that...
What if you could build a web application that could support true web-scale traffic without having to ever provision or manage a single server? Sounds magical, and it is! In his session at 20th Cloud Expo, Chris Munns, Senior Developer Advocate for Serverless Applications at Amazon Web Services, will show how to build a serverless website that scales automatically using services like AWS Lambda, Amazon API Gateway, and Amazon S3. We will review several frameworks that can help you build serverle...
Imagine having the ability to leverage all of your current technology and to be able to compose it into one resource pool. Now imagine, as your business grows, not having to deploy a complete new appliance to scale your infrastructure. Also imagine a true multi-cloud capability that allows live migration without any modification between cloud environments regardless of whether that cloud is your private cloud or your public AWS, Azure or Google instance. Now think of a world that is not locked i...
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
SYS-CON Events announced today that Infranics will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Since 2000, Infranics has developed SysMaster Suite, which is required for the stable and efficient management of ICT infrastructure. The ICT management solution developed and provided by Infranics continues to add intelligence to the ICT infrastructure through the IMC (Infra Management Cycle) based on mathemat...
Historically, some banking activities such as trading have been relying heavily on analytics and cutting edge algorithmic tools. The coming of age of powerful data analytics solutions combined with the development of intelligent algorithms have created new opportunities for financial institutions. In his session at 20th Cloud Expo, Sebastien Meunier, Head of Digital for North America at Chappuis Halder & Co., will discuss how these tools can be leveraged to develop a lasting competitive advanta...
MongoDB Atlas leverages VPC peering for AWS, a service that allows multiple VPC networks to interact. This includes VPCs that belong to other AWS account holders. By performing cross account VPC peering, users ensure networks that host and communicate their data are secure. In his session at 20th Cloud Expo, Jay Gordon, a Developer Advocate at MongoDB, will explain how to properly architect your VPC using existing AWS tools and then peer with your MongoDB Atlas cluster. He'll discuss the secur...
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and management into a ...
SYS-CON Events announced today that SD Times | BZ Media has been named “Media Sponsor” of SYS-CON's 20th International Cloud Expo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. BZ Media LLC is a high-tech media company that produces technical conferences and expositions, and publishes a magazine, newsletters and websites in the software development, SharePoint, mobile development and commercial UAV markets.
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, will present a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to max...
"I think that everyone recognizes that for IoT to really realize its full potential and value that it is about creating ecosystems and marketplaces and that no single vendor is able to support what is required," explained Esmeralda Swartz, VP, Marketing Enterprise and Cloud at Ericsson, in this SYS-CON.tv interview at @ThingsExpo, held June 7-9, 2016, at the Javits Center in New York City, NY.
Why do your mobile transformations need to happen today? Mobile is the strategy that enterprise transformation centers on to drive customer engagement. In his general session at @ThingsExpo, Roger Woods, Director, Mobile Product & Strategy – Adobe Marketing Cloud, covered key IoT and mobile trends that are forcing mobile transformation, key components of a solid mobile strategy and explored how brands are effectively driving mobile change throughout the enterprise.
My team embarked on building a data lake for our sales and marketing data to better understand customer journeys. This required building a hybrid data pipeline to connect our cloud CRM with the new Hadoop Data Lake. One challenge is that IT was not in a position to provide support until we proved value and marketing did not have the experience, so we embarked on the journey ourselves within the product marketing team for our line of business within Progress. In his session at @BigDataExpo, Sum...
Keeping pace with advancements in software delivery processes and tooling is taxing even for the most proficient organizations. Point tools, platforms, open source and the increasing adoption of private and public cloud services requires strong engineering rigor - all in the face of developer demands to use the tools of choice. As Agile has settled in as a mainstream practice, now DevOps has emerged as the next wave to improve software delivery speed and output. To make DevOps work, organization...
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service.