Compliance and regulations have been a key driver of security for a long time. The compliance, for the most part, is doing the least amount of work for the most checkboxes. The regulations have gotten more stringent with data breaches, and the fines and even jail time have been added to some regulations such as HIPAA and PII data breaches. This changed the dynamics of how compliance is viewed. Now with GDPR kicking in with fines up to 4% of global revenue, the game now gets very serious.
From the impending GDPR regulation within the EU and upcoming EU ePrivacy regulation, to established regulations such as SOX,PCI, HIPAA, and recommended security methodologies such as STIG, NIST and ISO27000, to a host of corporate policies and initiatives, organizations are now exposed to more complex and varied compliance requirements than ever before, both nationally and internationally.
The compliance challenge today
The IT, security, and risk management professionals don’t have visibility into the risk posture at any point of time. Compliance is only an after-effect of auditing and is mostly reactive today. Organizations can’t keep up with the changing regulations. The new hybrid IT and DevOps world leaves everyone not knowing what their responsibility is for security and compliance.
What is needed?
A unified visibility into security and compliance posture across your both on-prem and hybrid cloud environment.
A capability to detect, respond, and recover from incidents and violations. Automation to reduce human error.
Continuous process of assessment and orchestration for dynamic management of configuration drifts.
A new cloud and AI based approach for compliance
There are many canned or packaged solutions for PCI, HIPAA, etc in the market that claim to establish compliance. The approach does not take into account the changing regulations, and you may need a package for each compliance regulations thereby increasing the complexity of compliance solutions.
A better approach is to look at common denominators and hardening your systems and processes to address any compliance regulations. This lets you future proof your investments.
Monitoring users, apps, data, and network using UBA, SIEM, CASB is a great way to have a 24×7 monitoring. Combining this with securing specific standards such as STIG, CIS, NIST will ensure a solid technology process in your organization.
When you combine the monitoring and standards with security frameworks such as NIST 800, ISO 27000, and CIS CSC, you get the best of people, process, and technology. This will ensure that you are prepared to address standards and regulations such as SOX, HIPAA, GDPR, FISMA, PCI, etc.
How can Oracle help?
Oracle’s new machine learning platform has a unified data model across IT ops, SecOps, DevOps. This ensures that management, security, and development platforms have common data that can be used for monitoring for various use cases.
The machine learning based platform also have configuration management that continuously is enforcing and monitoring for industry-standard configuration, and fixes drifting. This is helpful whether you have old IT or new IT. This platform also has automation built to remediate violations in real-time.
So, create your enterprise security policies once and enforce it on both old and new IT. This is autonomous and keeps updating itself with new and changing regulations.
Read more about the how Compliance AI can disrupt your organization here: http://www.oracle.com/us/solutions/cloud/compliance-and-security-4218800.pdf
Sridhar Karnam 