Regulatory & Industry Compliance
Many organizations continue to struggle with regulatory compliance requirements such as PCI DSS, SOX, HIPAA and others. Industry regulations, federal regulations and privacy acts require implementation of audit and security controls to protect regulated data. The implementation of these controls presents a complex IT challenge and is a costly barrier to achieving compliance. The primary controls are:
- Sensitive data access auditing
- Privileged user monitoring
- Development and maintenance of secure Web applications
An efficient implementation of these controls requires taking into consideration the network topology, application requirements and the specific aspects of data platforms like databases and file systems.
Sensitive Data Access Auditing
Regulations requiring auditing of user access to sensitive data demand that an audit trail detailing data access events be available to support data breach investigations. Different regulations require auditing different events, for example:
- PCI DSS, which is focused on protecting cardholder information from theft or leakage, requires auditing of all 'read' access to cardholder information, but does not require auditing of data change events.
- SOX, which is concerned with the integrity of public companies' financial data, requires auditing of all changes to regulated data, but does not require auditing of data 'read' events.
Efficient audit solutions provide granular audit policies, automate the audit process, centrally manage audits across heterogeneous data systems, and scale to meet deployment requirements.
Privileged User Monitoring
Privileged user monitoring poses a specific audit and security challenge, as these users require unrestricted access to perform their jobs. Most often, privileged activity is performed directly on the data systems, so it is not visible outside of the system itself. One of the biggest concerns around privileged user monitoring is separation of duties: privileged users should not have rights over the monitoring solution, as they could use those rights to conceal irregular activity.
Development and Maintenance of Secure Web Applications
PCI DSS requirement 6 focuses on the establishment of controls that minimize the exposure to security vulnerabilities in systems and software. It specifies requirements for software patching, vulnerability identification, secure software development, change controls, and attack protection. While some of the requirements are relatively straightforward and easy to implement, the Web application, database and file security requirements present significant technical and business challenges.