Friday, May 15, 2015

Seamless & Transparent Compliance & Security operations

Information Security and IT Operations generally do not go hand in hand, or, to make a not-so-controversial statement, IT Operations folks generally don't like Information Security folks, because they see the Information Security folks as the show stoppers.  The way I have witnessed it in my career, I have had the label of "Bad Man of IT", then they used to call me "Risky Guy of IT", and all sorts of other names. I have worked with various organizations on consulting assignments, and every time there was the same story: the Chief Security Officer / Chief Information Security Officer would have to literally wrestle with IT Operations to get the budget and then to get the technologies implemented.

As one Vice President of IT at one of the clients put it: "Don't bother much about them, they are just running various projects that go nowhere and just waste the money." When I interacted with the CISO on the job, a direct report of the CIO, he stated: "We have been able to procure some of the best techniques for Security, Risk and Compliance Management, but we have not been able to integrate them with the rest of the IT systems, because they would not give us time to test the APIs and connectors."

In another case, where my team was conducting an IT audit to help the client identify the improvement areas needed to align with ISO 27001, I had another weird experience.  The IT Manager who was the contact point for my team was my audience for the observations presentation.  To my surprise, or should I say dismay, he told me: "You do your work and submit the report, I will see where I take this." I was shocked, as my team was engaged in a full-length consulting assignment to finally ensure that the client organization reached the level of being awarded ISO 27001 certification for its IT practices.  What happened next over the course of time is altogether a different story.

Sounds strange, but it is pretty much true, as this is not a hearsay story; I myself witnessed them say what they said, and that led me to think about the ways Information Security and Compliance Management can actually be integrated into daily IT Ops.  I have been an advocate of an Information Security culture rather than enforcing Information Security, to avoid the kind of negative traction that creates a stiff work environment.

To this effect, I have always thought about Security with Transparency, or say Transparent Security.  The way it works for me: if there is a problem, then certainly something is NOT working right, and that failure is what the IT Security function exists to handle and is expected to be working on.  IT Ops, however, can use these problems as precedents to push every issue towards IT Security.  So I opine that the control regime should be established in such a fashion that the overall IT Security function becomes transparent to the greatest level it can: the controls run on their own, the evidence they produce is visible to everyone, and nobody has to be chased for it.  

For an IT Security operation to be transparent, the first few steps would certainly involve automation of certain controls and functions. A very good way to proceed on the automation journey would be to start with log aggregation and correlation using a SIEM tool, and then integrate the SIEM with a GRC tool to create dashboards and reports. The next step would be to integrate an enterprise-level IAM tool and two-factor authentication (preferably with soft tokens) with the LDAP directory and the other applications, to enable seamless connectivity with fewer passwords to manage. We all hate passwords, but remember that the attackers love them; with fewer passwords to manage we would feel better, and the second factor compensates for weak or reused passwords, though it does not excuse them, so password policy and breach monitoring still need to be in place. The IAM tool can also be extended for Federated Identity Management, Single Sign-On (SSO) and user self-service password reset.

Once the initial steps are successfully taken, the next step that I would suggest is to integrate the GRC tool with the various tools and technologies deployed across the IT landscape, obtaining direct feeds using APIs and connectors. This may be cumbersome, and initially IT Ops may oppose it, but in the long run even they would start loving the results.  The live feeds can be correlated against each other, for example a configuration-change event against the change-management record that should authorize it, to identify anomalies, unauthorized changes and similar compliance issues that may jeopardize the security of a system and leave it vulnerable to compromise.  
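The log correlation mentioned above (SIEM feed correlated against a change-management feed delivered through a GRC connector), as an added example that is not part of the original post and is not any particular SIEM, GRC or IAM product's code. The key=value log format, the hosts, users, change tickets and the rule names are assumptions constructed for this example; a real deployment would feed the same logic from the SIEM's API and the change-management connector.

```python
"""Constructed example: correlate a SIEM-style event feed with an
approved-change feed and flag unauthorized changes and logins that
bypassed the second factor.  Log format, hosts, users and tickets are
invented for this example; the parser handles only that assumed format."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed approved-change feed, as a change-management/GRC connector might
# deliver it: ticket -> host it covers and the approved window (UTC).
APPROVED_CHANGES: Dict[str, Dict[str, str]] = {
    "CHG-1042": {"host": "fw01", "start": "2015-05-15T02:00:00Z", "end": "2015-05-15T04:00:00Z"},
    "CHG-1043": {"host": "db02", "start": "2015-05-15T22:00:00Z", "end": "2015-05-15T23:00:00Z"},
}

# Constructed event lines: "<ISO-8601 UTC timestamp> key=value ...".
SAMPLE_LOG = """\
2015-05-15T02:10:00Z host=fw01 user=alice action=config_change object=acl/dmz-in change_id=CHG-1042
2015-05-15T02:12:00Z host=fw01 user=alice action=login mfa=yes
2015-05-15T03:30:00Z host=db02 user=bob action=config_change object=pg_hba.conf change_id=CHG-1043
2015-05-15T11:45:00Z host=app01 user=carol action=config_change object=/etc/sudoers
2015-05-15T12:00:00Z host=fw02 user=dave action=config_change object=acl/guest change_id=CHG-9999
2015-05-15T12:05:00Z host=app01 user=carol action=login mfa=no
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str      # dashboard category
    detail: str    # evidence an auditor can read without asking IT Ops


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into a field dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_event(ev: Dict[str, str], approved: Dict[str, Dict[str, str]]) -> Optional[Finding]:
    """Apply the correlation rules to one parsed event."""
    host, user = ev.get("host", "?"), ev.get("user", "?")

    # Rule 1: every interactive login must carry the second factor.
    if ev.get("action") == "login" and ev.get("mfa") != "yes":
        return Finding(ev["ts"], host, user, "LOGIN_WITHOUT_MFA",
                       "interactive login completed without a second factor")

    if ev.get("action") != "config_change":
        return None

    # Rule 2: a configuration change must cite an approved ticket that
    # covers this host and whose window contains the event time.
    change_id = ev.get("change_id")
    problem = None
    if change_id is None:
        problem = "no change ticket referenced"
    elif change_id not in approved:
        problem = f"unknown change ticket {change_id}"
    elif approved[change_id]["host"] != host:
        problem = f"{change_id} is approved for {approved[change_id]['host']}, not {host}"
    else:
        window = approved[change_id]
        if not (_ts(window["start"]) <= _ts(ev["ts"]) <= _ts(window["end"])):
            problem = f"{change_id} applied outside its approved window"
    if problem is None:
        return None
    return Finding(ev["ts"], host, user, "UNAUTHORIZED_CHANGE",
                   f"{ev.get('object', '?')}: {problem}")


def correlate(log_text: str, approved: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Run every parseable line through the rules; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        finding = check_event(ev, approved)
        if finding is not None:
            findings.append(finding)
    return findings


def posture_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per rule: the figures a management dashboard would chart."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    results = correlate(SAMPLE_LOG, APPROVED_CHANGES)
    for f in results:
        print(f"{f.timestamp} {f.host:<6} {f.user:<6} {f.rule:<20} {f.detail}")
    print(posture_summary(results))
```

Of the six constructed events, the first two pass (ticketed change inside its window, login with MFA) and the other four produce findings: a change applied outside its approved window, a change with no ticket, a change citing an unknown ticket, and a login without a second factor. Each finding carries the evidence sentence, which is what lets the GRC dashboard answer the auditor's question before anyone has to send IT Ops a data request.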

The whole benefit to be derived from integrating the GRC tool with the SIEM tool and the other IT tools and technologies is the ability to create dashboards and reports for the various management levels, giving them a real-time snapshot of the enterprise security and compliance posture.  It also means that IT Ops is no longer bugged or harassed (as IT Ops actually feels) by the IT Security, Compliance and Audit functions with data and evidence requests, because the required data and evidence feed would already be available in the GRC tool or the connected EDMS (Electronic Data Management System) library.

Also, it needs to be noted that the misconception of Security, Compliance, Risk and Audit being pain areas for IT Ops will not end soon unless they understand the importance of what we all do in our space.  We can start with the various steps summarized above, but the mindset would take time to arrive at cordial relations between IT Ops and the Security, Compliance, Risk and Audit guys....