As organizations continue to struggle with a constant barrage of cyber-breaches and attacks, one question in particular comes to the fore: how is it that so many breaches, including some very large incidents, have occurred in environments where compliance with governmental and industry security regulations was taken quite seriously, and where the organizations involved believed they were doing everything necessary to ensure data confidentiality and integrity?
Focusing diligently on regulatory compliance alone clearly does not guarantee that an effective security operations profile will be maintained.
Last October, for example, Atrium Health announced that 2.65 million patient records had been compromised. With 44 hospitals under management, Atrium maintained an active HIPAA compliance program aimed at ensuring the privacy of “protected health information” (PHI). Unfortunately, Atrium had outsourced its billing and online payment system to a third-party vendor with inadequate security controls. The vendor experienced a week-long breach that allowed the exfiltration of a large volume of patient data. Under the federally mandated HIPAA regulations, Atrium was responsible for ensuring proper patient-privacy practices by its business associates, but in this case it failed to do so. By focusing narrowly on its internal systems, Atrium put its patients’ PHI at risk.
Compliance with regulatory requirements is by no means the same as achieving operational security on all fronts. Indeed, a passed compliance audit can give the illusion of effective security when gaps exist that the compliance guidelines never anticipated, such as a vendor outside the audit’s scope. Compliance programs encourage a mindset of “checking boxes” to meet audit requirements. But achieving cybersecurity in the real world means going beyond the constraints of any given set of compliance requirements: implementing practical, technical network security controls that complement the regulatory requirements rather than merely documenting them, using proven vendor solutions where they fit.
Time for actionable cybersecurity compliance
Multiple security control frameworks have arisen over the past two decades. From NIST (the Cybersecurity Framework and SP 800-53) to ISO/IEC 27001, organizations around the globe have put forward various, often overlapping, sets of cybersecurity standards, practices, and policies aimed at reducing risk by preventing and mitigating the effects of cyber incursions. One such group, the Center for Internet Security (CIS), has leveraged its extensive global membership across multiple industry verticals to develop a body of consensus-driven cyber-defense best practices. It has translated these into a set of 20 specific security controls (version 7 of the CIS Controls) that serve as best practices for comprehensive cybersecurity coverage. Importantly, CIS also publishes mappings from these controls to the core requirements of compliance regimes such as PCI DSS, HIPAA, and the NIST Cybersecurity Framework. Out of the 20, CIS calls out 6 “Basic” Controls that every organization should implement first:
- Control 1: Inventory and control of hardware assets
- Control 2: Inventory and control of software assets
- Control 3: Continuous vulnerability management
- Control 4: Controlled use of administrative privileges
- Control 5: Secure configuration for hardware and software on mobile devices, laptops, workstations, and servers
- Control 6: Maintenance, monitoring, and analysis of audit logs
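To make the first four Basic Controls concrete, here is an added example of the kind of posture check a NAC enforcement point performs when a device appears on the network. It is illustrative code written for this page, not Genians’ product code and not taken from the CIS documents; the authorized hardware list, approved software versions, approved administrator accounts and the three observed devices are all constructed sample data. Control 3 is approximated as a minimum patched version per package, and Controls 5 and 6 (configuration baselines and audit-log collection) are outside what this small check covers.

```python
"""NAC-style posture check for CIS Basic Controls 1-4 (added example;
all inventories and observed devices below are constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Device:
    mac: str
    ip: str
    software: Dict[str, str]   # package name -> installed version
    local_admins: List[str]    # accounts holding local administrator rights


# Control 1: the authorized hardware inventory, keyed by MAC address (constructed)
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "ws-billing-02",
}
# Control 2 and 3: approved software and the minimum patched version (constructed)
APPROVED_SOFTWARE = {
    "openssh": "8.4",
    "chrome": "110.0",
}
# Control 4: the only accounts permitted to hold local admin rights (constructed)
APPROVED_ADMINS = {"itadmin"}

Finding = Tuple[str, str]   # (CIS control id, human-readable detail)


def version_key(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def evaluate(dev: Device) -> List[Finding]:
    """Return every control the observed device violates."""
    findings: List[Finding] = []
    if dev.mac not in AUTHORIZED_HARDWARE:
        findings.append(("CIS-1", f"unknown device {dev.mac} at {dev.ip}"))
    for name, ver in dev.software.items():
        if name not in APPROVED_SOFTWARE:
            findings.append(("CIS-2", f"unapproved software {name} {ver}"))
        elif version_key(ver) < version_key(APPROVED_SOFTWARE[name]):
            findings.append(("CIS-3", f"{name} {ver} below minimum {APPROVED_SOFTWARE[name]}"))
    for acct in dev.local_admins:
        if acct not in APPROVED_ADMINS:
            findings.append(("CIS-4", f"unapproved local admin {acct}"))
    return findings


def access_decision(findings: List[Finding]) -> str:
    """Map findings to an enforcement action, most severe control first."""
    controls = {c for c, _ in findings}
    if "CIS-1" in controls:
        return "block"        # unknown hardware never reaches the production VLAN
    if controls & {"CIS-2", "CIS-4"}:
        return "quarantine"   # known device, unacceptable posture: remediation VLAN
    if "CIS-3" in controls:
        return "limited"      # known and approved, but out of date: restricted access
    return "allow"


# Constructed observations: one clean workstation, one out-of-policy workstation,
# and one device that is not in the hardware inventory at all.
OBSERVED = [
    Device("00:11:22:33:44:01", "10.0.1.10",
           {"openssh": "9.0", "chrome": "112.0"}, ["itadmin"]),
    Device("00:11:22:33:44:02", "10.0.1.11",
           {"openssh": "8.1", "chrome": "112.0", "teamviewer": "15.2"},
           ["itadmin", "jsmith"]),
    Device("de:ad:be:ef:00:01", "10.0.1.99", {}, []),
]


def audit(devices: List[Device] = OBSERVED) -> Dict[str, Tuple[str, List[Finding]]]:
    """Evaluate every observed device; returns ip -> (decision, findings)."""
    result = {}
    for dev in devices:
        findings = evaluate(dev)
        result[dev.ip] = (access_decision(findings), findings)
    return result


if __name__ == "__main__":
    for ip, (decision, findings) in audit().items():
        print(f"{ip}: {decision}")
        for control, detail in findings:
            print(f"    {control}: {detail}")
```

The ordering in `access_decision` is the point worth noting: an unknown device is blocked before any of its software or accounts are considered, because a device that is not in the Control 1 inventory cannot be trusted to report the rest accurately, and each finding is tagged with the control it maps to so the same output serves both the enforcement decision and the compliance evidence an auditor asks for.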
At their core, these 6 controls are designed to provide comprehensive network and endpoint visibility and to maintain continuous, current knowledge of every device’s activity on the network. Genians’ Network Access Control (NAC) solution explicitly supports each of these 6 controls with its Next-Gen NAC capabilities. Without disturbing existing IT infrastructure or impacting system availability, Genian NAC gathers and monitors the hardware and software asset information of all IP-enabled devices. It then uses its Device Platform Intelligence capability to determine each device’s technical and business context, identifies known vulnerabilities associated with that device platform, establishes the level of network access to be granted, and verifies that every detected device complies with the customer’s policy. Genians NAC can also integrate with security solutions such as NGFW, SIEM, and EMM to share intelligence and respond to threats in a timely manner.
Genians Next-Gen NAC thus supports the necessary balance between the dictates of compliance and an organization’s need to establish and maintain operational security. Rather than compromising either of these two critical components, Genians Next-Gen NAC ensures that they work in tandem, with the same device visibility serving both audit evidence and day-to-day enforcement.