White Paper: Getting Ahead of the Compliance Curve
Adopting a Managed Approach to Web Security and Regulatory Compliance
CONTENTS
Introduction: You Can’t Get Ahead if You’re Busy Catching Up
Compliance and the “2.0” Effect
Regulatory Fragmentation: When Cybersecurity Laws Go Viral
Compliance + Cloud Computing = Complexity
The Need for a Managed Approach to Security and Compliance
How to Get Ahead of the Compliance Curve
  Automated Scanning
  Automated Processes
  Alerts, Reports and Audit Trails
  Flexibility and Scalability
  Administrative Delegation
Conclusion
Introduction: You Can’t Get Ahead if You’re Busy Catching Up

Compliance is a fast-moving target, and it is getting harder to keep up. In a survey by the IT Policy Compliance Group, a consortium dedicated to helping IT security professionals meet policy and compliance goals, 70 percent of respondents reported being subject to multiple regulatory compliance mandates, as well as contractual obligations and industry standards [1]. Meanwhile, IT budgets are getting leaner as organizations strive to increase cost efficiency in tough economic times, and the emergence of cloud-based services has increased the complexity of compliance management.

Given these challenges and tight deadlines, many organizations address compliance requirements in silos using a “checklist” approach. Unfortunately, this tactical, reactive approach can lead to higher compliance costs, more audit deficiencies, greater business downtime, and increased risk of data loss. To avoid this trap and get ahead of the compliance curve, organizations need solutions that help them take a proactive approach and plan for, rather than react to, the rapidly changing compliance environment.

Compliance and the “2.0” Effect

Many organizations still wrestle with the myriad compliance regulations that have emerged over the last 10-15 years. The Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) are only a few of the seemingly endless regulations that organizations must address. Now a new wave of regulations is beginning to take effect, many of which significantly augment or alter existing regulations, as illustrated in Table 1. The result is a growing realization that organizations will not be able to keep pace with change by using a “checklist” approach, or by managing security and compliance in silos.

Regulation | Date | Requirements/Impact
BASEL II | 2009 | Requires that banks use encryption technology to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit.
FISMA 2.0 | 2010 | Requires continuous monitoring of information systems as part of every U.S. federal agency’s information security program; agency CIOs must implement software to continuously monitor the security of their networks by the end of the 2012 government fiscal year.
PCI DSS 2.0 | 2011 | New version of the payment card security standard; became available at the beginning of 2011, and organizations must stop using the previous version before the beginning of 2012.
HITECH Act | 2011 | Requires healthcare providers, insurers, clearinghouses and business associates to achieve “meaningful use” of electronic health records technology by the end of 2015. In the event of a data breach, organizations must notify all affected individuals within 60 days, unless the data is “undecipherable” (i.e., protected with strong encryption).
Table 1. Examples of “2.0” regulations and their impact on IT security and compliance

1. Symantec: “Financial Information Security and IT Risk Management.” 2008 - http://eval.symantec.com/mktginfo/enterprise/brochures/b-brochure_financial_services_10_2008_14163207.en-us.pdf
Regulatory Fragmentation: When Cybersecurity Laws Go Viral

Those who remember when California SB1386 first came into effect in 2003 know all too well how the law went “viral” as other states took notice and quickly passed their own data breach notification laws. Today, nearly every state in the nation has a data breach notification law similar to SB1386. Some states have gone further: Massachusetts has passed preventative legislation requiring companies or persons who store or use personal information to develop a written, regularly audited plan to protect that data [2], further complicating compliance for organizations that operate across state lines.

The European Union’s Data Protection Directive (Directive 95/46/EC) [3] is another example of how legislation can spread virally. The directive establishes a common data protection and privacy baseline that every EU member state must transpose into its own national law. To comply with these laws, organizations must take appropriate technical and organizational measures against unauthorized or unlawful processing, loss, or destruction of personal data. The same laws make it unlawful to transfer personal data to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects with respect to the processing of personal data.

Several nations around the world have passed data privacy and protection legislation to facilitate access to European markets (Table 2). Many of these laws closely follow the Directive 95/46/EC framework, making it a de facto international standard for the protection of personal information. In almost every case, these laws require technical controls such as encryption to protect personal information from theft, loss and exposure.
2. Commonwealth of Massachusetts: “201 CMR 17.00 Compliance Checklist.” December 2009 - http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
3. European Union: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. November 1995 - http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
Country | Legislation | Year
Argentina | Law for the Protection of Personal Data | 2000
Chile | Law for the Protection of Private Life | 1999
Hong Kong | Personal Data (Privacy) Ordinance [4] | 1996
Japan | Personal Information Protection Act | 2003
Taiwan | Computer-Processed Personal Data Protection Law | 1995
Singapore | (Proposed) baseline for data protection [5] | 2012
South Africa | Electronic Communications and Transactions Act [6] | 2002
South Korea | Act on Promotion of Information and Communication Network Utilization and Information Protection [7] | 2002
India | Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules [8] | 2011
Table 2. Examples of Data Privacy and Protection Laws Around the World
Compliance + Cloud Computing = Complexity [9]

Cloud computing is a top priority for many CIOs [10]. Organizations are accelerating their uptake of cloud-based services, and Gartner Research has estimated that enterprises around the world will cumulatively spend USD $112 billion on cloud services over the next five years [11]. At the same time, an IDC survey of IT executives found that security is the biggest challenge facing IT cloud services [12]. Gartner Research has identified seven specific areas of security risk [13] associated with enterprise cloud computing. Table 3 lists the compliance-related issues that organizations should bear in mind when evaluating a cloud-based service.

Issue | Challenge
Accountability | Organizations remain responsible for the security and privacy of protected electronic data even when a third-party cloud service provider hosts that data.
Access Control | Organizations must be able to confirm that their cloud service providers maintain adequate hiring, oversight, and access controls, so that administrative privileges delegated to the provider’s staff are enforced and reviewable.
Data Provenance | Many SaaS providers leverage cloud-based storage from third parties (Amazon, Rackspace, etc.), and some providers use data center capacity outside the United States. Organizations should ask service providers where their data centers are located and whether they can commit to specific privacy requirements.
Multi-Tenancy | Many public clouds are shared environments, and it is critical to make sure hosting providers can guarantee complete data segregation and network isolation between tenants.
Data Recovery | Cloud computing outages can and do happen. Organizations must make sure their service provider can rapidly restore all data and services in the event of a disaster.
Monitoring and Reporting | Monitoring and logging public cloud activity is complex. Organizations should make sure up front that their cloud service providers monitor both physical and virtual network traffic, and that they can fully support investigations and compliance audits.
Business Continuity | Technology businesses, especially startups, come and go. Organizations should ask hard questions about the financial stability of their providers and the portability of their data to avoid lock-in or potential loss if the provider’s business fails or is acquired.
Table 3. Seven areas of enterprise cloud computing security risk, as identified by Gartner

4. G&A Management Consultants Limited: “Privacy of Personal Data in Hong Kong.” http://privacy.com.hk/
5. ZDNet Asia: “S’pore sets data protection law for 2012.” February 16, 2011 - http://www.zdnetasia.com/spore-sets-data-protection-law-for-2012-62206733.htm
6. Parliament of the Republic of South Africa: “Electronic Communications and Transactions Act, 2002.” July 31, 2002 - http://www.internet.org.za/ect_act.html
7. United Nations Public Administration Network: “Act on Promotion of Information and Communication Network Utilization and Information Protection.” December 31, 2001 - http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN025694.pdf
8. BNA International Global Law Watch: “Analysis: Data Privacy in India.” May 23, 2011 - http://www.globallawwatch.com/2011/05/analysis-data-privacy-rules-in-india/
9. Commonwealth of Massachusetts: “201 CMR 17.00 Compliance Checklist.” December 2009 - http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf
10. Gartner Research: “EXP Worldwide Survey.” January 19, 2010 - http://www.gartner.com/it/page.jsp?id=1283413
11. Gartner Research: “Gartner Says Worldwide Cloud Services Market to Surpass $68 Billion in 2010.” June 22, 2010 - http://www.gartner.com/it/page.jsp?id=1389313
12. IDC Research: “New IDC IT Cloud Services Survey: Top Benefits and Challenges.” December 15, 2009 - http://blogs.idc.com/ie/?p=730
13. Gartner Research: “Assessing the Security Risks of Cloud Computing.” June 3, 2008 - http://www.gartner.com/DisplayDocument?id=685308
Additionally, when an enterprise moves from using a single cloud-based service to using several from different providers, it must manage all of these issues across multiple operators, each with different infrastructures, operational policies, and security skills. This complexity of trust requirements, coupled with the growing complexity of compliance requirements, drives the need for a ubiquitous and reliable method to secure data as it moves to, from and across the cloud.

The Need for a Managed Approach to Security and Compliance

SSL certificates authenticate a server to its clients and enable encrypted transport for online transactions; code signing certificates let users verify the publisher and integrity of software before running it. The ever-expanding and changing compliance landscape has driven a dramatic increase in demand for encryption and authentication, and therefore in the number of certificates an organization must hold. As a result, administering and managing certificates has become a challenge as the installed base grows over time and is spread across different locations in the company. Changes in IT staffing add further complexity: it becomes hard to maintain visibility over the technical contacts and other individuals who have access to certificates and their private keys. Meanwhile, many IT operations teams must operate on a reduced budget while complying with internal and external security policies. Table 4 illustrates some of the specific pain points facing IT organizations that manage large volumes of SSL and code signing certificates.
Issue | Challenge
Visibility and Control | Large, segregated networks and variance in network operations make it difficult for administrators to determine the status of certificates across the entire enterprise and to manage the lifecycle of digital certificates. Many vendors do not provide a central repository to track and manage certificates. Efforts to manually track and monitor certificates through spreadsheets or SharePoint do not scale, and introduce discrepancies and overhead.
Business Continuity | Unplanned certificate expiration can disrupt business and increase service calls. Organizations may experience a major outage of their online systems, with potentially significant revenue loss. Prolonged outages caused by expired certificates can also result in non-compliance penalties and reputation damage.
IT Operations | Managing SSL and code signing certificates across the organization is laborious and time consuming when done manually. Many IT administrators support a diverse ecosystem of applications and operating systems, each with its own method of lifecycle management. Keeping track of every certificate’s location and expiry date is challenging, especially for organizations that use certificates from multiple vendors.
Table 4. SSL and Code Signing Certificate Management Challenges
Under these circumstances, many IT operations teams are looking for ways to simplify their processes, increase operational efficiency, and minimize risk.

How to Get Ahead of the Compliance Curve

To get ahead of the compliance curve and take a more proactive approach to Web security, organizations need an enterprise-class solution that lets them manage all SSL and code signing certificates from a single, secure point of control. To help ensure that you find the best solution for your needs, the sections below outline key features to look for in any solution you consider.

Automated Scanning

While it is possible to audit networks manually, that approach takes too long and requires too many staff to be feasible in a large, complex enterprise environment. Select a service that lets your team run automatic scans that discover every certificate deployed on the network, including certificates issued by each of the organization’s providers, and record where each one is installed and when it expires.

Automated Processes

Manually issuing, renewing and installing SSL and code signing certificates is not feasible for large enterprises. You need a solution that improves productivity by automating key administrative processes, such as certificate request approvals, and routes certificate requests to the right administrator to save time and effort.
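The scan-and-alert loop that the Automated Scanning section describes, as an added example that is not code from the white paper or from Thawte’s product: a Go program (Go’s standard library carries the TLS and X.509 pieces) that performs a handshake against a host, records the certificate it presents, and classifies it against a renewal alert window, which is the check the Alerts, Reports and Audit Trails section later asks for. Everything in it is assumed for illustration: the function names, the 30-day window, and the self-signed www.example.com host, which is minted in memory and served over net.Pipe so that the program runs offline. Point Scan at the result of net.DialTimeout instead to inventory real hosts.

```go
package main

// Added example, not code from the white paper or from Thawte/Symantec: a TLS
// handshake that records the leaf certificate a host presents, and an expiry
// check that turns that record into an alert. The names, the 30-day alert
// window and the self-signed sample host are illustrative assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

type Status string

const StatusOK, StatusExpiring, StatusExpired Status = "ok", "expiring-soon", "expired"

// Record is the inventory entry for one scanned host.
type Record struct {
	Host     string
	NotAfter time.Time
	DaysLeft int
	Status   Status
}

// Classify compares NotAfter with now and the alert window; expired and
// merely expiring certificates are kept apart so they can be routed differently.
func Classify(cert *x509.Certificate, now time.Time, alertWindow time.Duration) (Status, int) {
	remaining := cert.NotAfter.Sub(now)
	days := int(remaining.Hours() / 24)
	if remaining <= 0 {
		return StatusExpired, days
	}
	if remaining <= alertWindow {
		return StatusExpiring, days
	}
	return StatusOK, days
}

// Scan handshakes over conn (in production the result of net.DialTimeout to
// host:443) and builds the host's Record. Chain verification is skipped on
// purpose: an inventory scan must record self-signed, expired and mis-issued
// certificates too, so the result is for inventory only, never a trust decision.
func Scan(host string, conn net.Conn, now time.Time, alertWindow time.Duration) (Record, error) {
	client := tls.Client(conn, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	defer client.Close()
	if err := client.Handshake(); err != nil {
		return Record{}, fmt.Errorf("%s: %w", host, err)
	}
	certs := client.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return Record{}, fmt.Errorf("%s: no certificate presented", host)
	}
	status, days := Classify(certs[0], now, alertWindow)
	return Record{Host: host, NotAfter: certs[0].NotAfter, DaysLeft: days, Status: status}, nil
}

// SelfSignedServer is a constructed stand-in for a real host: it mints a
// self-signed certificate with the given validity and serves it over an
// in-memory net.Pipe, returning the scanner's end, so nothing touches the network.
func SelfSignedServer(host string, notBefore, notAfter time.Time) (net.Conn, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Tickets off: no post-handshake server writes on the synchronous pipe.
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}, SessionTicketsDisabled: true}
	clientSide, serverSide := net.Pipe()
	go func() {
		srv := tls.Server(serverSide, cfg)
		if srv.Handshake() == nil {
			io.Copy(io.Discard, srv) // hold the session open until the scanner closes it
		}
		srv.Close()
	}()
	return clientSide, nil
}

func main() {
	now := time.Now()
	conn, err := SelfSignedServer("www.example.com", now.AddDate(-1, 0, 0), now.Add(12*24*time.Hour)) // expires in 12 days
	if err != nil {
		panic(err)
	}
	rec, err := Scan("www.example.com", conn, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s, expires %s (%d days)\n", rec.Host, rec.Status, rec.NotAfter.Format("2006-01-02"), rec.DaysLeft)
}
```

The deliberate InsecureSkipVerify is the practitioner’s caveat: a discovery scan has to see every certificate, including expired and self-signed ones, so its output is an inventory and must never double as a trust decision. A production scanner would add a per-host timeout, iterate over the configured IP ranges and ports, and persist each Record so that changes between scans can be reported and audited.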
Alerts, Reports and Audit Trails

When a certificate expires, browsers and other clients reject the connection or present a warning, which interrupts the service and teaches users to click through security warnings. It is therefore important to find a service that sends alerts well before a certificate needs renewal, and that provides reports and an audit trail of administrative activity (who requested, approved or installed which certificate) so you can manage risk proactively and demonstrate compliance to auditors.

Flexibility and Scalability

Enterprise networks are dynamic, ever-changing environments, so a certificate discovery service should have configurable parameters, such as the duration of the scan and which IP addresses to scan. In addition, the service must scale to allow for future growth.

Administrative Delegation

In a large enterprise, it is imperative to delegate administrative duties and access privileges. If your account manages multiple organizations and organizational units, you should be able to assign the appropriate roles to the different administrators, so that each has only the privileges their duties require.

Conclusion

SSL and code signing certificates are essential to security and compliance efforts. However, the growing complexity of the compliance landscape has given rise to a proliferation of certificates, which in turn has created the need for services that make it easy to discover and manage certificates across the enterprise. Ideal for medium to large companies with a variety of security and compliance requirements, Thawte Certificate Center Enterprise Account allows enterprises to automate discovery tasks and set up alerts to notify administrators when certificates are about to expire or require maintenance. To learn more about how Thawte Certificate Center Enterprise Account can help you simplify security and take a more holistic approach to compliance, please visit: http://www.thawte.com/ssl/volume-discount-ssl-certificates/index.html
More Information

Visit our website: http://www.symantec.com/ssl
To speak with a Product Specialist in the U.S.: 1-866-893-6565 or 1-650-426-5112
To speak with a Product Specialist outside the U.S.: for specific country offices and contact numbers, please visit our website.

About Symantec

Symantec protects the world’s information and is the global leader in security, backup, and availability solutions. Our innovative products and services protect people and information in any environment – from the smallest mobile device to the enterprise data center to cloud-based systems. Our industry-leading expertise in protecting data, identities, and interactions gives our customers confidence in a connected world. More information is available at www.symantec.com or by connecting with Symantec at: go.symantec.com/socialmedia.

Symantec World Headquarters, 350 Ellis Street, Mountain View, CA 94043 USA, 1-866-893-6565, www.symantec.com

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID: 192/02/14