Friday, 10th July 2020

How to avoid compliance fines through automation and better people processes

The number of regulatory standards and security best practices infrastructure teams have to comply with, and the associated penalties for not doing so, are no laughing matter. By Jonny Stewart, Principal Product Manager, Puppet.

Auditors expect their I&O teams to implement and abide by operational, security and regulatory policies 24/7. The risks for failing to do this can be severe and costly. Rarely do you hear that I&O teams are getting more budget and it’s not like their job is getting simpler with the onset of technologies. In fact, infrastructure is getting way more complex and hard to manage manually - which is what a lot of companies still do.

So, how do companies stay on top of these increasing pressures? By following DevOps principles of cross-team collaboration and implementing both automated compliance assessment and vulnerability remediation, companies of all sizes will find that many of these burdens are lessened.

Compliance in an age of regulation

As organisations scale, their IT infrastructure inevitably becomes more complex – huge numbers of servers, firewalls, routers and switches needing to be managed, hundreds of devices often from different technology vendors also need to be configured and maintained, often manually. A vastly increased IT footprint leaves more space for vulnerabilities to take hold. Compliance, when dealing with these issues, is becoming even more time consuming, and in turn, even more costly for enterprises of all sizes. Manual record keeping and endless spreadsheets to stay on top of what was patched when and what passwords need updating next week are simply unmanageable.

Since the creation of the European Union’s General Data Protection Regulations (GDPR), governments across the world have queued up to implement their own data protection laws. This can pose a particular problem for large businesses that operate across national borders. Legal definitions, imposed by GDPR for example, are different to those imposed by the California Consumer Privacy Act (CCPA) and businesses that deal with data across these two locations must comply to both, nevermind their internal compliance with benchmarks such as CIS. Failure to do so can put enterprises at risk of huge and sometimes catastrophic fines – up to 20 million euros or 4% of annual global turnover, in the case of GDPR breaches. The pressures of these regulations are only heightened by the abundance of industry standards and best practices that are a constant feature of IT and compliance work. The only way to avoid this is to ensure that compliance is consistent and continuous, that it is proactive, rather than reactive.

Changing company culture

While tools and technology can do a lot to ensure continuous and repeatable remediation of vulnerabilities, it alone will not solve all the problems. One sure fire way to tackle a lot of compliance-related issues within an organisation is to invest time and energy in changing company culture. If an organisation embraces DevOps principles and promotes cross-team collaboration and communication – the resulting synergy can remove many of the hurdles that currently stand in the way of efficient compliance. Implementation of technology that can automate much of the usual compliance workload can only happen effectively if siloed teams begin to work towards a common goal.

It is too often the case that security teams and IT teams operate adrift from each other to the point where it almost seems as if there exists a false belief that there is some sort of rule or regulation that prevents IT Ops and InfoSec teams from collaborating or even meeting!

But both teams are responsible for compliance, so by not working closely together they make it much harder for themselves. For example, many IT teams do not have the correct access to APIs that would allow them remediate vulnerabilities swiftly. Sometimes getting such access can take weeks or even months, the whole time extending the period in which the company’s infrastructure is at risk of drifting from its desired state of being kept up-to-date.

The knock-on effect of this is, of course, that it also extends the period in which a company could find themselves falling foul of compliance and security standards and regulations as security patching is not done in a timely manner and all necessary records are not being kept. There is no tangible reason that this needs to be the case or that IT teams should not have access to the live data that would allow them to identify and remediate vulnerabilities as quickly as possible and ensure compliance standards are adhered to.

Once these two teams start to collaborate more, they will quickly be able to identify and share their pain points before eliminating any unnecessary steps in their compliance and security processes. Following this, the introduction of compliance as code can begin to automate many of the remaining stages in the process from identification through to remediation of vulnerabilities.

Create a Sound Process to Adhere to Standards and Create Repeatability

Manually synchronizing policy enforcement and compliance at scale is not an option. The right processes and technology should also be put in place to ensure that people in every corner of the organisation always adhere to security protocols. Especially as digital infrastructure needs continuously updating, improving and scaling in the face of this ever-changing regulatory landscape.

For an IT team to manually address even the smallest issues is incredibly time consuming and inefficient – especially if you consider the different processes, tools and internal protocols used by various departments within a large enterprise. The further down the digital transformation journey, the more essential the automation of these processes becomes. The good news is that there is technology out there that makes compliance-related work easy, or at least less burdensome.

The best of these tools will enable the IT team to automate configuration management, allowing them to rapidly scale compliance processes. By utilizing these tools, IT teams can describe their desired state, describing configuration in a manifest just one time only, which is then automatically applied to the entire infrastructure. When the compliant state has been defined and is running across the entire IT stack, these tools can continuously monitor, enforce and remediate using automation.

These basic checks, which are often time consuming and repetitive to do manually, are the kind of tasks that machines excel at. Your I&O team can then be freed up to do what they excel at: seeking out and tackling new, more complex threats to your IT infrastructure. This automated process can be repeated again and again meaning that both I&O and InfoSec teams can rest safe in the knowledge that these tasks are being done.

Automation helps your bottom line

Finally, and let’s not be coy about this, what automation essentially does is save your organisation money. Sometimes vast quantities of it. Digital transformation is all about efficiency and smarter ways of working. A huge part of this is automating simple but time-intensive tasks. The problem with compliance work is that it can be hugely time-intensive, and very expensive should it go wrong.

Implementing new systems configurations across an entire organisation’s infrastructure can take a long time. Having to do this repeatedly in order to comply with new and evolving requirements from regulatory or industry bodies only increases time spent on these tasks. Preparing reports for audits to prove that all of this is being done consistently and in line with best practice is another task costing your IT team valuable hours. And should something go wrong, a data breach, a cyber-attack, or a hefty fine for not being compliant could find your organization in real trouble.

The beauty of automation in an age of compliance and regulation is that it has the potential to solve these issues. It frees your IT teams up to focus on the things that really matter. Using compliance as code, all these tasks which, once upon a time, could distract your team for weeks or months, can take hours or minutes. Implementing automation reduces your organisation’s overheads dramatically and focuses IT operations on strategic initiatives. Every moment your IT team isn’t pushing new innovations and driving growth, is time wasted which is antithetical to what digital transformation is all about.

Adam Mayer, Senior Manager Technical Product Marketing at data strategy company Qlik talks about the...
Today’s DevOps professionals have a lot to monitor and react to in order to keep IT systems running...
As businesses continue to embrace digital transformation, availability has become a company’s most v...
AI is constantly evolving and, with every development, its value to businesses grows. As demonstrate...
The IT world is fond of buzzwords and talk of the ‘next big thing’. A few years ago, it was the clou...
In the digital era, it's now easier than ever to support a remote workforce as so many applications...
With the coronavirus outbreak continuing to gather pace, many businesses around the world are having...
Back in 2003 the Harvard Business Review published an article, “The Quest for Resilience” . It state...