Click here to close now.




Welcome!

@CloudExpo Authors: Elizabeth White, Pat Romanski, Dana Gardner, Liz McMillan, Stefan Bernbo

Related Topics: Cloud Security

Cloud Security: Article

The Rise of the Managed Compliance Provider

Today, security is more complex than simply deploying firewalls and virus protection

You may think IT compliance is nothing more than big government sticking its nose into everyone’s business. Compliance equals Big Brother. OK, so there is some truth in that government compliance regulations are a little over the top, and perhaps there are just too many of them that functionally do the same thing. It’s not just about government regulations — it’s also about non-government standards, such as PCI, that need to be addressed.

Look at SOX, FISMA, FERPA, HIPAA and the brothers FERC and NERC. Aren’t they basically the same rules? Can’t we have just one large compliance regulation with small amendments for each specific industry? That would be easier, but since various politicians have stakes in their own versions, I don’t think we will see unification in the short term. That is one reason why regulators have to levy heavy fines and other punitive measures to force organizations to follow their rules.
However, if we look at compliance in a slightly different light, perhaps complying with these regulations will be just a little less painful.
 
Today, security is more complex than simply deploying firewalls and virus protection. For a company to be secure, it also has to look at security from an overall company risk perspective. This includes cybercrime and physical security as well as regulatory risks and profit risks around the costs versus the gains of implementing security measures.
In order to achieve complete security, your strategy needs to include multiple layers across three functional areas:
 
1) The protection of assets and data. This is the traditional implementation of firewalls, IDS systems, vulnerability protection, virus protection, penetration testing and many other standard security practices. Of course this is a very expensive proposition, so organizations must make technology strategy decisions based on budget and their type of business.
 
2) Process and procedures to adequately maintain security technology. You need to have methods and rules on how and when you update security components such as firewall policies, IOS, virus protection, log-in polices, and active directory policies. All of these need to be reviewed and updated frequently.
 
3) Defining and enforcing policies. It is one thing to have a policy on updating your virus definitions, but if these policies are not followed, then the first two areas cited above are worthless.
 
Many companies spend hundreds of thousands or even millions of dollars on firewalls, biometric devices, IDS/IPS, and anomaly detection but fail to deploy basic compliance-management systems. This places businesses at risk because it is very easy for someone to go into a device on the computer network, make changes that do not follow corporate security guidelines, and then open a hole in your defenses. An effective, automated compliance system continually validates that the rules of all devices follow correct security procedures.
 
Another aspect to consider is that compliance is often mandated by regulatory decrees, such as SOX, HIPAA, FISMA, GLBA and many others—or by industry requirements such as PCI and ISO. Non-compliance can result in significant fines and, in some cases, criminal prosecution. But even if compliance is not mandated, it is common sense to create policies and procedures and to verify they are being followed.
 
While risk management and mitigation serve as key drivers, incorporating business objectives and policies is an important part of the desired objective and is ultimately the end game. This is where compliance comes into the picture. Compliance proves the organization has the correct policies in place, and that the policies are being followed.
Security, compliance and risk assessment are the processes, but in the past, they have been 100 percent manual processes, time consuming, and prone to error. As a result, there is now an emerging trend to outsource the mechanics of monitoring the validation process to a local service provider, also called a Managed Compliance Provider or MCP.
 
MCPs perform the grunt work in tracking compliance processes through a managed service. Effective MCP solutions provide clients with near real-time dashboards and reports on their compliance status while also eliminating or significantly reducing error-prone, manual processes. Some MCPs even have the ability to certify if clients are within compliance.  
 
Security does not imply compliance, and compliance does not beget security. There must be a unification of both programs, which is what compliance is all about. Compliance also should not be viewed as some government oversight, but instead a common-sense approach to protecting the assets and value of your business.

More Stories By Jim Hare

Jim Hare is channel chief and VP of worldwide sales for eGestalt Technologies, a cloud-computing provider of IT-GRC applications for enterprises, including small to mid-size enterprises. Based in Santa Clara, CA, eGestalt has created “The Managed Compliance Provider Cookbook,” which is available to all Managed Compliance Provider (MCP) partners. The cookbook is a guide for service providers and MSPs looking to enter the lucrative field of compliance services.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
So you’ve heard how click-to-call widgets can really enhance a website’s potential for customer interaction and you want to try it out for yourself. Or you’re considering offloading pieces of your VoIP infrastructure, but want to see how that would unfold first. Where can you find this technology, that’s free and available to try out? Spotting the potential in a space where customers can experiment with these types of features, Voxbone is launching The Workshop.
When it comes to cloud computing, the ability to turn massive amounts of compute cores on and off on demand sounds attractive to IT staff, who need to manage peaks and valleys in user activity. With cloud bursting, the majority of the data can stay on premises while tapping into compute from public cloud providers, reducing risk and minimizing need to move large files. In his session at 18th Cloud Expo, Scott Jeschonek, Director of Product Management at Avere Systems, discussed the IT and busin...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, will demonstrate how to move beyond today's coding paradigm ...
"My role is working with customers, helping them go through this digital transformation. I spend a lot of time talking to banks, big industries, manufacturers working through how they are integrating and transforming their IT platforms and moving them forward," explained William Morrish, General Manager Product Sales at Interoute, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
The cloud market growth today is largely in public clouds. While there is a lot of spend in IT departments in virtualization, these aren’t yet translating into a true “cloud” experience within the enterprise. What is stopping the growth of the “private cloud” market? In his general session at 18th Cloud Expo, Nara Rajagopalan, CEO of Accelerite, explored the challenges in deploying, managing, and getting adoption for a private cloud within an enterprise. What are the key differences between wh...
The pace of innovation, vendor lock-in, production sustainability, cost-effectiveness, and managing risk… In his session at 18th Cloud Expo, Dan Choquette, Founder of RackN, discussed how CIOs are challenged finding the balance of finding the right tools, technology and operational model that serves the business the best. He also discussed how clouds, open source software and infrastructure solutions have benefits but also drawbacks and how workload and operational portability between vendors ...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2016 Silicon Valley. The 19th Cloud Expo and 6th @ThingsExpo will take place on November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Interne...
"We work in the area of Big Data analytics and Big Data analytics is a very crowded space - you have Hadoop, ETL, warehousing, visualization and there's a lot of effort trying to get these tools to talk to each other," explained Mukund Deshpande, head of the Analytics practice at Accelerite, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.
The idea of comparing data in motion (at the sensor level) to data at rest (in a Big Data server warehouse) with predictive analytics in the cloud is very appealing to the industrial IoT sector. The problem Big Data vendors have, however, is access to that data in motion at the sensor location. In his session at @ThingsExpo, Scott Allen, CMO of FreeWave, discussed how as IoT is increasingly adopted by industrial markets, there is going to be an increased demand for sensor data from the outermos...
The initial debate is over: Any enterprise with a serious commitment to IT is migrating to the cloud. But things are not so simple. There is a complex mix of on-premises, colocated, and public-cloud deployments. In this power panel at 18th Cloud Expo, moderated by Conference Chair Roger Strukhoff, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships at Commvault; Dave Landa, Chief Operating Officer at kintone; William Morrish, General Manager Product Sales at Interou...
Internet of @ThingsExpo has announced today that Chris Matthieu has been named tech chair of Internet of @ThingsExpo 2016 Silicon Valley. The 6thInternet of @ThingsExpo will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.
As organizations shift towards IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. Commvault can ensure protection, access and E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his general session at 18th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Part...
Dialogic has announced that ZVRS chose Dialogic® PowerMedia™ XMS software media server as part of its latest video relay and translation service offering. ZVRS uses Dialogic’s PowerMedia XMS technology to provide a robust solution that supports a broad range of legacy devices and any-to-any video capabilities with its flagship Z70 videophone. ZVRS selected Dialogic’s solution to facilitate a release of Z70 that met its stringent requirements for legacy device support (H.263 and H.264) with high...
CenturyLink has announced that application server solutions from GENBAND are now available as part of CenturyLink’s Networx contracts. The General Services Administration (GSA)’s Networx program includes the largest telecommunications contract vehicles ever awarded by the federal government. CenturyLink recently secured an extension through spring 2020 of its offerings available to federal government agencies via GSA’s Networx Universal and Enterprise contracts. GENBAND’s EXPERiUS™ Application...
Basho Technologies has announced the latest release of Basho Riak TS, version 1.3. Riak TS is an enterprise-grade NoSQL database optimized for Internet of Things (IoT). The open source version enables developers to download the software for free and use it in production as well as make contributions to the code and develop applications around Riak TS. Enhancements to Riak TS make it quick, easy and cost-effective to spin up an instance to test new ideas and build IoT applications. In addition to...
In addition to all the benefits, IoT is also bringing new kind of customer experience challenges - cars that unlock themselves, thermostats turning houses into saunas and baby video monitors broadcasting over the internet. This list can only increase because while IoT services should be intuitive and simple to use, the delivery ecosystem is a myriad of potential problems as IoT explodes complexity. So finding a performance issue is like finding the proverbial needle in the haystack.
You are moving to the Cloud. The question is not if, it’s when. Now that your competitors are in the cloud and lapping you, your “when” better hurry up and get here. But saying and doing are two different things. In his session at @DevOpsSummit at 18th Cloud Expo, Robert Reeves, CTO of Datical, explained how DevOps can be your onramp to the cloud. By adopting simple, platform independent DevOps strategies, you can accelerate your move to the cloud. Spoiler Alert: He also makes sure you don’t...
Edge Hosting has announced a partnership with and the availability of CloudFlare, a web application firewall, CDN and DDoS mitigation service. “This partnership enhances Edge Hosting’s world class, perimeter layer, application (layer 7) defensive mechanism,” said Mark Houpt, Edge Hosting CISO. “The goal was to enable a new layer of customer controlled defense and compliance through the application of DDoS filters and mitigations, the web application firewall (WAF) feature and the added benefit ...
Digital Initiatives create new ways of conducting business, which drive the need for increasingly advanced security and regulatory compliance challenges with exponentially more damaging consequences. In the BMC and Forbes Insights Survey in 2016, 97% of executives said they expect a rise in data breach attempts in the next 12 months. Sixty percent said operations and security teams have only a general understanding of each other’s requirements, resulting in a “SecOps gap” leaving organizations u...
"A lot of times people will come to us and have a very diverse set of requirements or very customized need and we'll help them to implement it in a fashion that you can't just buy off of the shelf," explained Nick Rose, CTO of Enzu, in this SYS-CON.tv interview at 18th Cloud Expo, held June 7-9, 2016, at the Javits Center in New York City, NY.