Compliance, compliance, compliance. It's not that companies don't want to be compliant. They do. It's more that many things complicate the process, such as vendors with too much access to private information and the spread of virtual environments. Two recent surveys highlight these issues.
Outside Vendors Create Inside Challenges
A survey conducted by Goodwin Procter and the International Association of Privacy Professionals (IAPP) found that 60 percent of information privacy professionals say their organizations have more than 10 vendors with access to personal information.
Many new state rules, like those in Massachusetts, impose significant requirements on any entity that holds personal information of state residents, and companies are finding it hard to comply with these data security rules.
It isn't cheap, either. The survey also showed that 33 percent of respondents have spent more than US$ 50,000 complying with the new regulations, another 12 percent have spent between US$ 10,000 and US$ 50,000, and 44 percent have put more than 100 hours into compliance activities.
Mobile Security Goes to DUST
The Compliance Research Group (CRG), an industry analyst firm focused on IT risk management and compliance, has developed a new mobile security model to help organizations define and manage compliance requirements for wireless devices and services.
The DUST Model, as it is called, covers Devices, Users, Sessions and Transactions, and provides guidelines for complete wireless security for both corporate IT and the vendor community.
There's no denying that access to enterprise computing networks via remote smartphones is growing and the technology supporting it needs to be secure. The DUST Model aims to provide just that.
Built as a layered approach, it claims to be the first end-to-end model for mobile security and asserts that the mobile environment cannot be fully secured without protecting all four of those elements.
Five Ways to Control Virtual Environments
So now that you're struggling to rein in the access your vendors have and to manage the security of your mobile environment, it can feel like you're fighting an uphill battle. Fortunately, RSA and VMware have some help to offer.
Their best practices address the intersection of compliance and security and aim to "see good, strong, auditable controls that provide both" in a virtualized environment. A very brief overview of the five steps:
- Platform-hardening: Configure the virtualization platform, both the hypervisor and administrative layer, with secure settings, eliminate unused components and keep up-to-date on patches.
- Configuration and change management: Extend your current change and configuration management processes and tools to the virtual environment, as well.
- Administrative access control: Server administrators should control virtual servers and network administrators should control virtual networks; both need training in the virtualization software to avoid misconfiguring systems.
- Network security and segmentation: Deploy virtual switches and virtual firewalls to segment virtual networks, and apply the same network controls and change management you use on the physical network to the virtual one.
- Audit logging: Monitor virtual infrastructure logs, and extend automated tools and SIEM systems to ingest logs from both the physical and the virtual environment.
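The five practices above are controls that can be checked mechanically, and that is what an auditor will eventually ask for. The script below is an added example of such checks, written for this article and not RSA's or VMware's own tooling: it runs a constructed hypervisor host snapshot against an assumed hardening baseline (platform hardening, segmentation), checks role assignments against an assumed role-to-scope policy (administrative access control), and parses constructed audit lines in an assumed syslog-like layout into normalized events, flagging configuration changes that have no change ticket (change management, audit logging). Every key name, role, VLAN number, log format and ticket identifier is an assumption for illustration, not a real vendor schema.

```python
"""Added example: mechanical checks for the five virtualization practices.
All schemas, roles, log layouts and ticket IDs below are constructed."""
import re

# Constructed host snapshot; key names are assumed, not a vendor export.
HOST = {
    "name": "esx-01",
    "patch_level": "build-20230",
    "lockdown_mode": False,
    "syslog_target": "",            # empty: host logs stay local only
    "services": {"ssh": True, "ntp": True, "snmp": True},
    "port_groups": [
        {"name": "Management", "vlan": 10},
        {"name": "VM-Prod", "vlan": 20},
        {"name": "VM-Dev", "vlan": 10},   # VM traffic on the management VLAN
    ],
}

# Assumed hardening baseline (platform hardening + segmentation).
BASELINE = {
    "patch_level": "build-20240",
    "services_off": {"ssh", "snmp"},   # unused components to eliminate
    "lockdown_mode": True,
    "syslog_required": True,
    "management_vlan": 10,
}

# Assumed role-to-scope policy: server admins manage VMs, network admins vSwitches.
ROLE_SCOPES = {"server-admin": {"vm"}, "network-admin": {"vswitch"}}
ASSIGNMENTS = [
    {"user": "alice", "role": "server-admin", "scope": "vm"},
    {"user": "bob", "role": "network-admin", "scope": "vswitch"},
    {"user": "carol", "role": "server-admin", "scope": "vswitch"},  # out of scope
]

# Constructed audit lines in an assumed "<ts> <host> <proc>: <msg>" layout.
AUDIT_LOG = [
    "2024-05-01T10:00:01Z esx-01 hostd: user root logged in from 10.0.0.5",
    "2024-05-01T10:02:11Z esx-01 hostd: config changed: ssh enabled by carol",
    "2024-05-01T10:05:42Z esx-01 vpxa: task Reconfigure VM db-01 by alice",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
CHANGE_RE = re.compile(r"config changed: (?P<what>.+) by (?P<who>\S+)$")

# Assumed change-management export: change description -> approved ticket.
APPROVED_CHANGES = {"ntp updated": "CHG-1041"}


def check_platform(host, baseline):
    """Platform hardening: patch level, unused services, lockdown, remote syslog."""
    findings = []
    if host["patch_level"] != baseline["patch_level"]:
        findings.append(f"patch level {host['patch_level']} != {baseline['patch_level']}")
    for svc in sorted(baseline["services_off"]):
        if host["services"].get(svc):
            findings.append(f"service {svc} enabled but baseline requires it off")
    if baseline["lockdown_mode"] and not host["lockdown_mode"]:
        findings.append("lockdown mode disabled")
    if baseline["syslog_required"] and not host["syslog_target"]:
        findings.append("no remote syslog target configured")
    return findings


def check_segmentation(host, baseline):
    """Segmentation: no VM port group may share the management VLAN."""
    return [f"port group {pg['name']} shares management VLAN {pg['vlan']}"
            for pg in host["port_groups"]
            if pg["name"] != "Management" and pg["vlan"] == baseline["management_vlan"]]


def check_roles(assignments, role_scopes):
    """Administrative access control: each role stays inside its own scope."""
    return [f"{a['user']} ({a['role']}) granted out-of-scope access to {a['scope']}"
            for a in assignments
            if a["scope"] not in role_scopes.get(a["role"], set())]


def normalize_log(lines):
    """Audit logging: parse raw lines into SIEM-style events, tagging config changes."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, never guess fields
        ev = m.groupdict()
        change = CHANGE_RE.search(ev["msg"])
        ev["category"] = "config_change" if change else "activity"
        if change:
            ev["actor"], ev["change"] = change.group("who"), change.group("what")
        events.append(ev)
    return events


def untracked_changes(events, approved):
    """Change management: every config change must map to an approved ticket."""
    return [f"{e['change']} by {e['actor']} at {e['ts']} has no change ticket"
            for e in events
            if e["category"] == "config_change" and e["change"] not in approved]


def run_all():
    """Run every check on the constructed data and group findings by practice."""
    events = normalize_log(AUDIT_LOG)
    return {
        "platform": check_platform(HOST, BASELINE),
        "segmentation": check_segmentation(HOST, BASELINE),
        "roles": check_roles(ASSIGNMENTS, ROLE_SCOPES),
        "changes": untracked_changes(events, APPROVED_CHANGES),
    }


if __name__ == "__main__":
    for practice, findings in run_all().items():
        print(practice, *findings, sep="\n  ")
```

On the constructed data the host fails on patch level, SSH and SNMP left on, lockdown mode off and no remote syslog; VM-Dev sits on the management VLAN; carol holds a network scope under a server role; and the SSH change she made has no ticket. In practice the snapshot, role list and log feed would come from the platform's own export and from the SIEM, and the baseline from whichever hardening guide the audit is measured against.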