6/13/2017
11:00 AM
Tim Prendergast
Ditch the Big Ass Spreadsheet with Continuous Security Compliance

Replacing outdated spreadsheets with automated, continuous monitoring reduces workload and increases reliability, making compliance easy.

Find the biggest monitor on the market, display the specifications for any compliance standard on it, and then try to determine whether or not your cloud infrastructure is actually compliant. The NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells. While the document certainly contains all the necessary data, in that format it is far from an accurate depiction of what’s going on with your IT environment. Auditors and compliance managers need a real-time format that gives them insight into the state of compliance, and an automated way to fix issues. To do that effectively, it’s time to ditch that big ass spreadsheet.

The traditional tools used to address security and compliance issues no longer work for cloud environments. The habits are outdated as well: auditing can no longer rely on checks that run only at regular intervals. To effectively address compliance and security risks, those checks now need to be done continuously. The very reasons you chose the cloud are the very reasons you're running into challenges. The cloud is dynamic, agile, and responsive. It is moving and adapting, and so too are those who wish to do you harm.

While cloud service providers (CSPs) do their part to adopt standards, it is up to you to measure and demonstrate compliance in your systems. Like many other organizations, you may struggle to do so in this new cloud paradigm. And here's the kicker: the critical thing about compliance is that you have to be compliant all the time. The moment a condition stops being met, your organization is exposed. Now, the NIST Cybersecurity Framework alone has almost 400 specific requirements, all of which must be met at all times. The task of ensuring that type of compliance can quickly become overwhelming if done manually, even with a fully staffed team of experts.

It's surprising that, given the magnitude of the task, many organizations manage their compliance function through spreadsheets. Yes, massive spreadsheets remain open on desktops; requirements are assessed one by one, and potential risks are identified. When needed, remediation steps go into play. It's a continuous loop of attention and hope, and a bit of faith that nothing will be missed in the identification or subsequent remediation of violations. It's hard to know whether that's a result of perverse tradition or laziness, but time and again it has proven to be a slow solution to a problem that is immersed in speed. Thankfully, there are tools that provide a much faster, more elegant way of handling compliance.

Automating compliance delivers scale to your compliance efforts, but it provides other advantages as well. For instance, a tool that continuously monitors your cloud environment will deliver a lot of usable data about other aspects of the state of your cloud security. This information can help you not just remediate as needed, but apply long-term fixes to ongoing problems. You'll also have a running log of data points that can be used for audits and infrastructure performance reviews.
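To make concrete what "checks done continuously" and "a running log of data points" look like in practice, here is a small policy-as-code evaluator written for this article. It is an added example, not code from the author or from Evident.io: every resource name, attribute schema and snapshot is constructed, and the mapping of each check to a NIST SP 800-53 control identifier is an illustrative assumption. Each spreadsheet row becomes an executable check, every polling cycle is evaluated against all checks, the difference between two cycles is the alert, and every cycle's result is appended to an evidence log an auditor can read later.

```python
"""Added example: a minimal continuous-compliance evaluator. All resource
names, attribute schemas and the control mapping are constructed for
illustration and are not taken from any real inventory or product."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple

# Constructed inventory snapshots, shaped like what a monitoring tool collects
# from a cloud account on each polling cycle.
SNAPSHOT_T0: Dict[str, dict] = {
    "storage/bucket-logs":   {"type": "storage",  "encrypted": True,  "public": False},
    "storage/bucket-assets": {"type": "storage",  "encrypted": True,  "public": False},
    "db/customer-db":        {"type": "database", "encrypted": False, "public": False},
    "vm/bastion":            {"type": "vm",       "logging": True},
}
# One cycle later: the database was encrypted (fixed) but bucket-assets was made
# public, a new violation a scheduled check would only see at its next run.
SNAPSHOT_T1: Dict[str, dict] = {
    "storage/bucket-logs":   {"type": "storage",  "encrypted": True,  "public": False},
    "storage/bucket-assets": {"type": "storage",  "encrypted": True,  "public": True},
    "db/customer-db":        {"type": "database", "encrypted": True,  "public": False},
    "vm/bastion":            {"type": "vm",       "logging": True},
}

@dataclass(frozen=True)
class Control:
    control_id: str                # NIST SP 800-53 identifier; this mapping is an assumption
    title: str
    applies_to: str                # resource type the check is meaningful for
    check: Callable[[dict], bool]  # True when the resource satisfies the control

@dataclass(frozen=True)
class Finding:
    control_id: str
    resource: str
    compliant: bool

# Each spreadsheet row ("requirement X, status Y") becomes an executable check.
CONTROLS: List[Control] = [
    Control("SC-28", "Protection of information at rest", "storage", lambda r: r["encrypted"]),
    Control("SC-28", "Protection of information at rest", "database", lambda r: r["encrypted"]),
    Control("AC-3", "Access enforcement: no public exposure", "storage", lambda r: not r["public"]),
    Control("AU-12", "Audit generation enabled", "vm", lambda r: r["logging"]),
]

def evaluate(snapshot: Dict[str, dict]) -> List[Finding]:
    """Run every applicable control against every resource in the snapshot."""
    return [Finding(c.control_id, name, c.check(res))
            for name, res in snapshot.items()
            for c in CONTROLS if c.applies_to == res["type"]]

def failing(findings: List[Finding]) -> Set[Tuple[str, str]]:
    """(control, resource) pairs that are non-compliant right now."""
    return {(f.control_id, f.resource) for f in findings if not f.compliant}

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Point-in-time totals: the one thing the spreadsheet also gave you."""
    failed = len(failing(findings))
    return {"checks": len(findings), "failed": failed, "passed": len(findings) - failed}

def drift(previous: List[Finding], current: List[Finding]) -> Dict[str, list]:
    """What changed between two cycles: the alerting signal that only
    continuous evaluation can produce."""
    before, after = failing(previous), failing(current)
    return {"new": sorted(after - before), "resolved": sorted(before - after)}

def record_evidence(log: List[dict], label: str, findings: List[Finding],
                    when: datetime | None = None) -> dict:
    """Append one cycle's result to the running evidence log kept for audits."""
    entry = {"evaluated_at": (when or datetime.now(timezone.utc)).isoformat(),
             "snapshot": label, **summarize(findings),
             "failures": sorted(failing(findings))}
    log.append(entry)
    return entry

if __name__ == "__main__":
    evidence: List[dict] = []
    t0, t1 = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    record_evidence(evidence, "t0", t0)
    record_evidence(evidence, "t1", t1)
    print(drift(t0, t1))  # {'new': [('AC-3', 'storage/bucket-assets')], 'resolved': [('SC-28', 'db/customer-db')]}
```

The point of `drift` is that a report saying "one failure out of six checks" is true of both snapshots, yet the exposure is completely different; only comparing consecutive cycles surfaces the newly public bucket, and only the appended evidence entries let an auditor later see when it appeared and when it was fixed.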

Getting rid of the spreadsheet means that your organization must commit to using a solution that gives insight across your entire cloud environment. That tool will become your de facto guide for how you identify compliance risks before they become a problem, and will allow you to apply active management of policies as a way to mitigate any breaches that occur.

Too often we rely on outdated systems out of habit or the perception of ease. We're even willing to accept a little pain to maintain the status quo. But automated, continuous compliance monitoring makes life easier because it reduces workload and increases reliability. Financially, and brand-wise, this is a boon to forward-thinking organizations that are serious about maintaining a secure and compliant IT infrastructure in the cloud.

So, we sound the call: rid yourself of that big ass spreadsheet that acts as a Sisyphean reminder of your never-ending task of compliance monitoring. Tools and expectations have evolved to the point where it is no longer tenable for you to perform compliance checks manually -- nor should you have to.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ...