
Security and compliance: a perfect match?
Markus Krauss, Vice President Identity and Security Management EMEA, Novell explains why IT security and compliance should go hand in hand
According to the Ponemon Institute, 55% of UK IT practitioners have reported one or more data breaches at their organisation. The rise in popularity of cloud computing means traditional desktop end-point security measures such as USB blocking and firewalls are no longer sufficient to deal with this problem. At the same time, widespread internet access and the proliferation of mobile devices mean employees can now access confidential data from wherever they are.
So, IT security must remain one of the top concerns for most Chief Information Officers wanting to protect their IT infrastructure and data from both internal and external unauthorised access.
The challenge of compliance
The need for appropriate IT solutions to address the issue of compliance is still limited for many enterprises. In fact, many businesses still find it difficult to ascertain the benefits of compliance and primarily consider it a cost. The argument that regulatory requirements only need to be fulfilled to avoid financial penalties remains widespread. Yet, the realisation that IT measures are necessary to ensure adherence to legal requirements and internal regulations has become increasingly clear over the past few years.
Among the international legal requirements that enterprises are obliged to fulfil are the Sarbanes-Oxley Act of 2002 and Basel II of 2004. These control the use of personal data in IT systems and broadly relate to corporate reporting systems, laws and regulations for data and privacy protection. Such regulations, while unable to prevent abuses, can help identify problems quickly. Addressing these laws may sound daunting and expensive, but money spent on IT security can be used to meet compliance requirements as well. By adopting a holistic approach and deploying automated solutions, enterprises can kill two birds with one stone.
System Insight
In a study conducted in conjunction with Novell, Friedrich Alexander University in Erlangen-Nuremberg examined the advantages and challenges of IT supported, automated compliance solutions. On the basis of interviews with employees of companies using such solutions, it was found that centralised systems must be in place to satisfy compliance requirements effectively and efficiently.
Two become one
An automated compliance solution can help with this. Regulations must be embedded into a comprehensive risk management strategy. In addition to minimising risk, help desk and administration costs are reduced and reporting procedures are simplified. Standardised and transparent processes can be optimised so that they are more efficient. Internal control is improved and companies can address future improvements more flexibly. This approach has clear advantages over manual and isolated solutions across the corporate IT infrastructure. Further, the objectives of compliance can be applied equally to IT security through an automated solution. Compliance becomes a comprehensive and important strategic factor within the corporate IT environment, rather than an unloved extra.
When investing in IT security, companies want to protect the data stored within their IT infrastructure against unauthorised access. This requires various measures, ranging from the correct allocation of all necessary resources and identities, to control of external and internal access to the company network. A comprehensive automated solution that covers employee, contractor or customer provisioning and de-provisioning as well as overall identity and access management ensures that only authorised users can access information. More importantly, it also provides the means to centrally remove access to information when no longer authorised.
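The provisioning, de-provisioning and central revocation described above can be made concrete in a small model. The following is an added example, not Novell code and not drawn from the article: it keeps an authoritative identity source (an HR-style record with roles and, for contractors, an end date), a target system's actual grants, and a reconciliation check that reports the three findings an auditor cares about, namely grants left behind for leavers, grants beyond what a role allows, and role entitlements not yet provisioned. The role names, entitlements, user names and dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set

# Constructed role-to-entitlement mapping; the role and entitlement names are hypothetical.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-analyst": {"erp:read", "reporting:read"},
    "finance-manager": {"erp:read", "erp:approve", "reporting:read"},
    "contractor-dev": {"git:read", "ci:run"},
}


@dataclass
class Identity:
    """One record in the authoritative (HR-style) identity source."""
    user_id: str
    roles: Set[str]
    active: bool = True
    end_date: Optional[date] = None  # contract end for contractors or customers

    def is_valid_on(self, today: date) -> bool:
        return self.active and (self.end_date is None or today <= self.end_date)


@dataclass
class AccessStore:
    """Grants actually present in a target system: what an attacker can use."""
    grants: Dict[str, Set[str]] = field(default_factory=dict)


def entitlements_for(roles: Set[str]) -> Set[str]:
    """Resolve roles to concrete entitlements; an unknown role grants nothing."""
    result: Set[str] = set()
    for role in roles:
        result |= ROLE_ENTITLEMENTS.get(role, set())
    return result


def provision(identity: Identity, access: AccessStore, today: date) -> Set[str]:
    """Joiner/mover: set the grants to exactly what the roles allow, and only
    for an identity that is valid on the day of provisioning."""
    if not identity.is_valid_on(today):
        raise ValueError(f"refusing to provision invalid identity {identity.user_id}")
    access.grants[identity.user_id] = entitlements_for(identity.roles)
    return set(access.grants[identity.user_id])


def deprovision(user_id: str, access: AccessStore) -> Set[str]:
    """Leaver: central removal of every grant; returns what was removed for the audit trail."""
    return access.grants.pop(user_id, set())


def is_authorised(access: AccessStore, user_id: str, entitlement: str) -> bool:
    """The access decision a target system makes: only present grants count."""
    return entitlement in access.grants.get(user_id, set())


def reconcile(identities: Dict[str, Identity], access: AccessStore,
              today: date) -> Dict[str, Dict[str, Set[str]]]:
    """Compare target-system grants with the authoritative source.

    orphaned: grants whose identity is missing, inactive or past its end date
    excess:   grants beyond what the identity's roles allow
    missing:  role entitlements not yet provisioned
    """
    findings: Dict[str, Dict[str, Set[str]]] = {"orphaned": {}, "excess": {}, "missing": {}}
    for user_id, grants in access.grants.items():
        ident = identities.get(user_id)
        if ident is None or not ident.is_valid_on(today):
            if grants:
                findings["orphaned"][user_id] = set(grants)
            continue
        expected = entitlements_for(ident.roles)
        if grants - expected:
            findings["excess"][user_id] = grants - expected
        if expected - grants:
            findings["missing"][user_id] = expected - grants
    for user_id, ident in identities.items():
        if ident.is_valid_on(today) and user_id not in access.grants:
            expected = entitlements_for(ident.roles)
            if expected:
                findings["missing"][user_id] = expected
    return findings


def demo() -> Dict[str, Dict[str, Set[str]]]:
    """Constructed scenario: an employee, a contractor whose contract has ended
    since provisioning, and one grant added outside the process."""
    identities = {
        "alice": Identity("alice", {"finance-analyst"}),
        "bob": Identity("bob", {"contractor-dev"}, end_date=date(2010, 3, 31)),
    }
    access = AccessStore()
    provision(identities["alice"], access, date(2010, 1, 15))
    provision(identities["bob"], access, date(2010, 1, 15))  # valid at the time
    access.grants["alice"].add("erp:approve")  # constructed out-of-band grant
    return reconcile(identities, access, date(2010, 6, 1))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The point of the reconciliation step is that provisioning alone is not a control: the contractor was provisioned correctly, but nothing in the target system knows the contract has ended, and the manual grant on the analyst's account is invisible to anyone who only reads the role definitions. Running the comparison on a schedule, and treating each finding as a ticket to revoke or to justify, is what turns the identity process into evidence for an audit.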
Solutions for automated management ultimately also serve to increase compliance. These solutions protect personal data, regulate the handling of information in business reports, and reduce the risk of legal violations, fines and the subsequent damage to the corporate image. So, only when businesses and public authorities recognise that compliance and IT security are two sides of the same coin will they be truly protected.