theDocumentId => 1329106 Ditch the Big Ass Spreadsheet with Continuous ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/13/2017
11:00 AM
Tim Prendergast
Tim Prendergast
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Ditch the Big Ass Spreadsheet with Continuous Security Compliance

Replacing outdated spreadsheets with automated, continuous monitoring reduces workload and increases reliability, making compliance easy.

Find the biggest monitor on the market, display the specifications for any compliance standard on it, and then try to determine whether or not your cloud infrastructure is actually compliant. The NIST 800-53 spec alone weighs in at more than 2,000 spreadsheet cells. While the document certainly contains all the necessary data, in that format it is far from an accurate depiction of what’s going on with your IT environment. Auditors and compliance managers need a real-time format that gives them insight into the state of compliance, and an automated way to fix issues. To do that effectively, it’s time to ditch that big ass spreadsheet.

The traditional tools used to address security and compliance issues no longer work for cloud environments. The behaviors are outdated as well, as auditing simply can't abide by checks that occur in regular intervals. To effectively address compliance and security risks, those checks now need to be done continuously. The very reasons that you choose the cloud are the very reasons you’re running into challenges. The cloud is dynamic, agile, and responsive. It is moving and adapting, and so too are those who wish to do you harm.

While cloud service providers (CSPs) do their part to adopt standards, it is up to you to measure and demonstrate compliance in your systems. Like many other organizations, you may struggle to do so in this new cloud paradigm. And here's the kicker: the critical thing about compliance is that you have to be compliant ...all the time. Once a condition is not being met, your organization is vulnerable. Now, the NIST Cybersecurity Framework alone has almost 400 specific requirements, all of which must be meet at all times. The task of ensuring that type of compliance can quickly become overwhelming if done manually, even with a fully staffed team of experts.

It’s surprising that, given the magnitude of the task, many organizations manage their compliance function through spreadsheets. Yes, massive spreadsheets remain open on desktops and one-by-one requirements are assessed, and potential risks are identified.When needed, remediation steps go into play. It's a continuous loop of attention and hope, and a bit of faith that nothing will be missed in the identification or subsequent remediation of violations. It's hard to know if that’s a result of perverse tradition or laziness, but time and again it’s proven to be a slow solution to a problem that is immersed in speed. Thankfully, there are tools that provide a much faster, more elegant way of handling compliance.

Automating compliance delivers a magnitude of scale to your compliance efforts, but it provides other advantages as well. For instance, a tool that is continuously monitoring your cloud environment will deliver a lot of usable data about other aspects of the state of your cloud security. This information can help you not just remediate as needed, but apply long-term fixes to ongoing problems. You'll also have a running log of data points that can be used for audits and infrastructure performance reviews.

Getting rid of the spreadsheet means that your organization must commit to using a solution that gives insight across all of your cloud environment. That tool will become your de facto guide for how you identify compliance risks before they become a problem, and will allow you to apply active management of policies as a way to mitigate any breaches that occur.

Too often we rely on outdated systems out of habit or the perception of ease. We're even willing to accept a little pain to maintain the status quo. But automated, continuous compliance monitoring makes life easier because it reduces workload and increases reliability. Financially, and brand-wise, this is a boon to forward-thinking organizations that are serious about maintaining a secure and compliant IT infrastructure in the cloud.

So, we rally the call to rid yourself of that big ass spreadsheet that acts as Sisyphean reminder of your never-ending task of compliance monitoring. Tools and expectations have evolved to the point where it is not tenable for you to manually perform compliance checks any longer -- nor should you have to.

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-37436
PUBLISHED: 2021-07-24
Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers, who have physical access to a device after a factory reset, to obtain sensitive information via a series of complex hardware and software attacks. NOTE: reportedly, there were vendor marketing statements about safely removing pers...
CVE-2021-32686
PUBLISHED: 2021-07-23
PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In PJSIP before version 2.11.1, there are a couple of issues found in the SSL socket. First, a race condition between callback and ...
CVE-2021-32783
PUBLISHED: 2021-07-23
Contour is a Kubernetes ingress controller using Envoy proxy. In Contour before version 1.17.1 a specially crafted ExternalName type Service may be used to access Envoy's admin interface, which Contour normally prevents from access outside the Envoy container. This can be used to shut down Envoy rem...
CVE-2021-3169
PUBLISHED: 2021-07-23
An issue in Jumpserver 2.6.2 and below allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets.
CVE-2020-20741
PUBLISHED: 2021-07-23
Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to bypass authentication via the "CE Remote Display Tool" as it does not close the incoming connection on the Windows CE side if t...