We recently surveyed IT professionals as part of our “2014 IT Priorities Survey.”
We asked how many of them are subject to IT compliance requirements. Here’s what they told us:
65% said that they were subject to at least one IT compliance mandate.
… and most were subject to more than one.
Compare this to five years ago … or even two years ago. IT is turning into a regulated industry, and the velocity is only increasing.
Information Week recently addressed this issue with an article called, “HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security.”
Let’s take a look at the driving forces behind the approaching audit crisis: datacenter virtualization, enterprise applications in the cloud, and BYOD.
Datacenter virtualization: In addition to geographic redundancy for business continuity, virtualized datacenters and cloud services make it easier to scale capacity quickly and on demand. They also enable in-house teams to streamline operations, reduce costs, and focus on mission-critical tasks. Yet, with the move to virtualization, many organizations are outsourcing not only services and software but also infrastructure. This means the traditional defend-the-perimeter approach to security and compliance is no longer valid.
Until recently, compliance has been pretty straightforward, because IT knew exactly how data was secured within the perimeter. But in virtualized environments, many organizations are trying to leverage the same security policies, processes, and tools they used with traditional on-premises infrastructure. To meet impending compliance and audit requirements, businesses will need to adopt a designed-for-security approach. The goals are greater visibility into virtualized security controls, centralized security functions, and assurance from providers that access to corporate assets is properly managed.
Cloud-based enterprise applications: Businesses store sensitive financial, personal, and operational data in enterprise application databases. As a result, many organizations are moving to a private cloud infrastructure that takes advantage of the cloud’s elasticity while maintaining control of corporate data behind a dedicated firewall.
This kind of infrastructure requires a different set of security and compliance considerations. For example, a core benefit of private cloud environments is that they break down departmental silos and increase accessibility across business units. But lax access management and inconsistent enforcement of role- and/or rule-based access can lead to unwanted security breaches. As a result, a growing number of compliance initiatives now mandate application controls and audit requirements focused on insider threats. This year, I expect business customers of applications and IT services (especially when the architecture is cloud-based) will ask providers to demonstrate appropriate security through compliance audits.
BYOD (and apps): Bring-your-own-device security has been a major pain point for some time now, and for good reason: it increases the risk of data loss and vulnerability exploitation. At the same time, users’ security habits on their personal devices haven’t changed much. Even though security breaches are consistently a hot topic, few organizations are keeping pace with these escalating risks. Government regulators and industry standards bodies are starting to address this new reality with rules that give IT departments greater control over the content and configuration of these devices.
In 2014, businesses can also expect auditors to flag potential BYOD risks unless companies demonstrate the devices meet overall security policies — an action that will likely drive even more internal audits. If, at minimum, BYOD audits require the same assurances for employee-owned devices as corporate-owned PCs and mobile devices, organizations will need to prepare a complete record of all devices connecting to their corporate network, the security posture of each device, and which corporate assets they can connect to on the network.
Additionally, regulated businesses will need to create mobile device policies covering permitted apps, remote wiping, the separation of private and corporate information, data encryption (at rest and in transit), automated security scans on each device, and the prohibition of rooted or jailbroken devices. Container solutions will become more widely adopted to separate and protect corporate information on personal devices.
Bottom line: Whether you’re facing new compliance mandates surrounding datacenter virtualization, enterprise apps, or BYOD, your business will need security policies that are easily understood, up to date, fully implemented, complied with, and consistently enforced.
Read the full article here: HIPAA, SOX & PCI: The Coming Compliance Crisis In IT Security.