In a security landscape that brings new threats and attacker approaches daily, CIOs face threats on one side and IT security compliance requirements on the other. From the Sarbanes–Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) to HIPAA and a host of other regulations, a wide range of business sectors continues to struggle with implementing integrated security technologies.
CIOs also face a variety of emerging ingress and egress security challenges arising from IoT, BYOD, cloud computing, and the growing need for application access, among other factors. These pose distinct and overlapping regulatory and compliance challenges that require CIOs to provide end-to-end, adaptable, and easily reported security measures.
For example, many healthcare organizations still struggle to reach HIPAA compliance, particularly with the HIPAA Security Rule. According to the 2017 SecurityMetrics Guide to HIPAA Compliance research report, non-compliance by smaller entities poses a threat to the larger entities that partner with them. The research shows that:
- 50 percent of respondents don’t know if their organizations use multi-factor authentication
- 41 percent don’t know how often their firewall rules are reviewed
- 26 percent don’t use mobile encryption
- 27 percent don’t encrypt emails containing patient data
- 51 percent don’t test employees on HIPAA-related training
Regulatory-compliant firewalls, PHI encryption, mobile device security, wireless network security, email security, and access management are all areas where CIOs in healthcare, finance, and retail face compliance security challenges. The cloud stack becomes both a source of opportunity and a vulnerability that affects each of these areas.
Read on to discover the top compliance and security challenges facing CIOs.
1. THE CLOUD STACK, SHADOW IT, AND VPNS
The cloud stack—whether it be software as a service, platform as a service, or infrastructure as a service—has become integral to every sector. This has created an environment where private, public, and hybrid cloud solutions define businesses’ approach to computing, networking, storage, and security. While security is a challenge for every business, it is particularly challenging for the healthcare, financial, and retail sectors, which must deal with data security and compliance regulations.
Essentially, businesses must put processes and technologies in place for data and access management throughout the cloud computing life cycle.
For example, PCI compliance is a major concern in the cloud, as many businesses must provide application access for consumers to make transactions quickly, efficiently, and safely. Here, application delivery controllers can play a major role in securing that access via appliance-integrated firewalls as well as load balancing, compression, and caching.
The democratization of the cloud has enabled departments to provision cloud services for storage, communication, application access, and application development, among other things, without going through the IT department. This shadow IT becomes a major security challenge when the CIO’s security team is bypassed and is unaware of its use.
Employees are often the weakest link in an organization’s infrastructure, but anyone with access to corporate endpoints, data, and applications is a security risk, including contractors and business partners. That risk can manifest through email, web use, mobile devices, and more.
Managing these risks requires an overarching set of tools and protocols for monitoring, provisioning, and securing these areas. For example, the right cloud-as-a-service provider can facilitate a customized cloud model to fit both business and compliance needs. Of course, the movement of data to and from the cloud is part of a larger compliance concern that starts with the network.
2. NETWORK INGRESS AND EGRESS SECURITY
The increasing demand for network access has driven a need for securing devices within the on-site network as well as those outside of the network. This has spurred greater regulatory requirements for attaining network security compliance, which includes:
- Securing mobile devices
- Enabling protection from malicious software
- Gaining control over access, permissions, and termination of network devices
Here is where end-to-end cybersecurity support via continuous monitoring tools and protocols can be vital to maintaining compliance with security standards such as HIPAA, SOX, and PCI. A solid continuous monitoring strategy incorporates analysis and reporting, management oversight, tools, training, and testing.
Remote-access VPN solutions that integrate Internet Protocol Security (IPsec) and SSL technologies in a single platform enable unified management while establishing an encrypted tunnel across the internet for remote employee access. Virtual firewalls for private cloud, hybrid cloud, or public cloud environments provide flexibility, effectiveness, and performance, and some integrate additional networking functions such as site-to-site and remote-access VPN, QoS, and URL filtering.
Data encryption is an important tool, but encryption alone does not satisfy every IT security compliance challenge. The entire area of access management requires a more holistic approach that integrates technology solutions and protocols to ensure access control and lessen the security compliance burden.
3. ACCESS MANAGEMENT
According to a Citrix/Ponemon Institute survey released in January of this year, 71 percent of IT leaders admit they are at risk from an inability to control employees’ devices and apps. The proliferation of BYOD, coupled with cloud, network, and application access, provides CIOs with access management challenges. Consequently, identity and access management solutions should include:
- Mobile device management policies and technologies
- Mobile app management security apps
- Enterprise mobile management suites
- Robust encryption and automated encryption key management
- Multi-factor authentication and biometric tools
When it comes to IT security compliance, CIOs must take a holistic approach to data and access security that protects the organization from both internal and external threats. Data protection requires CIOs to create and oversee integrated policies and technologies that keep their organizations secure.