Last updated Feb 15th, 2020 by Dan Rheault

Compliance is about defining, measuring, and mitigating risk. Enterprises use third-party audits to periodically assess their networks for compliance with internal and regulatory security controls. Audits reduce risks by identifying gaps between the desired state of network configurations and processes and those that actually exist in the network.

Yet, a compliant network can still suffer a breach. For example, weeks after Target was certified as PCI DSS compliant, attackers planted malware in the retailer’s network.

If a business can be breached after a successful audit, what’s wrong with this picture?


Independent Auditors Don’t Understand Your Network

Generally, compliance audits are conducted by independent parties. These outsiders, however, do not know your network and are not specialists in security policy. They’re likely to be unfamiliar with your benchmarks of acceptable risk and typically rely on staff interviews for verification. They also may be unfamiliar with the latest exploitation techniques and may not be technically proficient. Their gap analyses are driven more by process than technical requirements and change management, and they do not proffer ways to bolster risk management. It’s up to you to figure out how to get back into compliance.

Audits Don’t Account for Future States

Even when you do maintain compliance, changes occur every day on enterprise networks, each possibly opening up a new risk through non-compliant access. You can have a successful audit one day and introduce violations the next. And even your industry compliant access controls may, in fact, still be risky based on your internal security policy, and possibly exploited in an attack.

You may be confident of your existing security policy and recent changes, but you still need to account for access rules predating your tenure that need to be removed or classified as exceptions. Often, changeover in personnel and a lack of historical context make some rules “necessary” because no one knows their purpose, and administrators don’t want to knock an application or network offline. The zones of a segmented network can keep hackers from sensitive data and applications only if the rules governing traffic between them are limited to those essential for current business needs. Unused or obsolete rules are connectivity points that hackers can utilize. Will a successful audit catch these? It’s unlikely because audits don’t prioritize unused access as a risk. You need to hire an auditing company that will not only assess compliance, but also identify additional risks within the network that are outside the scope of regulatory mandates. Compliance doesn’t necessarily equate to security.

The Imbalance Between Security and Business Agility

Compounding the challenge is the inherent tension in many enterprises between security and business agility. Yours may emphasize security and change processes, in which change requests are routed through your security team. Your team inspects them for risk and compliance and, as a result, you have a good handle on policy health and the compliance of access. The downside to this approach can be a slower pace of change in the business. On the other hand, your company may emphasize agility, in which applications are launched, and connections made, all at the speed of business. The security consequences of how something works are not as critical as the fact that it does work. However, focusing only on business success can ignore network compliance and bypass any sort of risk assessment, which can be dangerous.

So how do you maintain a compliant security posture against regulatory and internal security policies without compromising business agility? This balancing act can be achieved through automating your network security policy management.

See Everything You Have, and What You Don’t Need

Effective security policy management begins with visibility into your entire network—all the different network security devices, the public cloud, the private cloud, etc. How do they connect? What are the underlying policies?

With visibility, you can identify and mitigate risks. You can remove rules that haven’t been used in months, identify rules that require business justification, and expose non-compliant access rules. For rules that are non-compliant with your internal security policies or regulatory mandates but are necessary to the business, you can designate them as exceptions with specified expiration dates for recertification. You then can track them for their duration.

Maintain Continuous Visibility Over Compliance

Gap analysis is a spot check of the existing state of compliance and can be referenced for future changes. It ensures audit preparation for network compliance. But gap analysis shouldn’t be a single point in time. And it shouldn’t just be aligned to one security policy framework. Compliance against one mandate doesn’t equate to compliance to another.

Maintain Compliance

If you can process each new change as it occurs with a compliance check, you can determine if it introduces risk or non-compliance into your network. Yet tracking every change in busy enterprise networks is a laborious, manual process that’s prone to errors. A mechanism for automating the review of each change will enable you to address violations by rejecting them promptly or tracking them until they’re no longer necessary, at which point they can be removed. The trick is to operationalize your security policy by integrating it with your processes. This way the security policy can be accessed and used by other tools or APIs. This leads to continuous gap analysis, replacing occasional snapshots of your network’s compliance with an ongoing, automated process, reducing mistakes and oversights.

Empower Your Team for the Future

Third parties alone can’t help you achieve continuous compliance. Only by empowering your organization’s staff—the people who manage your network and know it best—can you analyze and track ongoing changes. You’ll have automated processes in place that continuously assess for compliance assessment. Your security team will sign off on a documented security policy against which all future changes in the network will be measured.

When you have a technically integrated compliance model and leverage automation, you gain constant gap analysis, ongoing audit preparation, and continuous compliance. But remember that compliance is more than an obligatory fact of network life. Greater visibility with a documented compliance model is a true business asset, enabling informed strategic decisions on compliance matters. You’ll safeguard your company from risk, streamline processes, improve efficiencies, and attain the agility to drive your company’s competitiveness.

And external audits will no longer be a pain point. You’ll improve the likelihood of a successful audit and ensure its findings will be far less unexpected and disruptive.

If you want to hear how a large payment processing organization uses security policy management to assess and maintain their continuous compliance, tune in to the Monext podcast.

monext podcast


Monext Speaks with Security Current