“Obtaining the minimum level of compliance for an organization’s designated security standards isn’t enough.” — Daniel Griggs
The quote above captures why organizations cannot simply get cybersecurity right once: to remain compliant, it has to be right every time. That includes, of course, keeping devices, users and data secure.
In this updated blog, we’ll explore the core tenets of compliance in cybersecurity by:
- Defining the role of compliance in cybersecurity
- Outlining the importance of compliance for organizations
- Introducing the concept of balancing security and compliance
- Providing examples of the technologies that help bridge the gap between both
What is compliance in cybersecurity?
Let’s begin with the dictionary definitions of compliance, as given by Merriam-Webster, to get a better idea of what it truly means:
- 1a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion (“Patient compliance in completing the treatment regimens was excellent.” —Georgia A. Chrousos)
- 1b: conformity in fulfilling official requirements (“His actions were in compliance with state law.”)
- 2: a disposition to yield to others
- 3: the ability of an object to yield elastically when a force is applied : see FLEXIBILITY
Of these definitions, the one that applies most directly to cybersecurity is 1b, “conformity in fulfilling official requirements”, because that is the true aim of compliance in cybersecurity: to abide by the requirements set forth by a governing body or agency for the proper handling of protected data and systems by authorized users, and to prevent all others (unauthorized parties) from accessing protected data types.
The goal of compliance in cybersecurity
Generally speaking, the goal of compliance is to avoid violating any of the laws to which an organization is subject. Compliance measures act as a blueprint, if you will, for side-stepping the landmines that lead to violations.
As it pertains to cybersecurity, the above still applies, but with an additional challenge: keeping business data protected, along with the users who access it and the devices on which it is processed and stored. Here, “protection” means more than keeping threat actors out; it extends to staying on the right side of anything (a thing, an action or a circumstance) that would otherwise put regulated data at risk of violating those regulations.
A good example is an IT employee who has access to a file server used by employees to store work data. Even though each directory has permissions set so that only the designated user can access their folder, IT has administrative privilege by default to modify directory permissions as needed. If IT receives a ticket to troubleshoot an issue with a user’s folder, they may modify permissions to correct the issue without affecting compliance. If, however, they go one step further and drill down into the user’s directory to view protected data, that may violate regulatory requirements since, for the purposes of this example, IT personnel are not authorized to view or handle that type of data.
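The scenario above maps to an auditable control: an administrator may change permissions on a user’s folder but must not open the files inside it. As an added example (not code from the original post or from Jamf’s products), the following Python reads constructed auditd-style records from a Linux file server, correlates each SYSCALL record with its PATH record, and flags opens of another user’s folder by IT staff while permitting permission changes. The /srv/share layout, the uid table, the admin list and the x86_64 syscall numbers are assumptions.

```python
"""Flag administrative reads of other users' folders on a shared file server.

Added example; not code from the original post or from Jamf. It assumes a
Linux file server where each employee's folder is /srv/share/<user>/ and
auditd watches that tree (e.g. `-w /srv/share -p rwa -k userdata`). The audit
records below are constructed and abridged, and the uid table stands in for
getpwuid()/directory lookups.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Syscall numbers are architecture specific; these are x86_64 (assumption).
OPEN_SYSCALLS = {2: "open", 257: "openat"}
PERMISSION_SYSCALLS = {90: "chmod", 268: "fchmodat", 92: "chown",
                       260: "fchownat", 188: "setxattr"}
USERS = {0: "root", 1001: "alice", 1002: "bob", 1003: "carol"}  # constructed
IT_ADMINS = {"carol"}   # may repair permissions but must not view contents
SHARE_ROOT = "/srv/share/"

_HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    event_id: str
    actor: str
    syscall: str
    path: str
    folder_owner: str
    verdict: str


def parse_record(line: str):
    """Split one raw auditd record into (type, event id, {field: value})."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, event_id, body = m.groups()
    return rtype, event_id, {k: v.strip('"') for k, v in _FIELD.findall(body)}


def classify(event_id: str, sc: dict, path: str) -> Optional[Finding]:
    """Apply the policy: owners may read their folder, IT may only fix permissions."""
    if not path.startswith(SHARE_ROOT):
        return None                     # outside the regulated tree
    owner = path[len(SHARE_ROOT):].split("/", 1)[0]
    # auid is the login identity and survives sudo/su, so "uid=0 auid=1003"
    # is still carol acting as root; judging by uid alone would hide that.
    actor = USERS.get(int(sc["auid"]), "uid" + sc["auid"])
    nr = int(sc["syscall"])
    if nr in PERMISSION_SYSCALLS:
        name, verdict = PERMISSION_SYSCALLS[nr], "permitted: permission change"
    elif nr in OPEN_SYSCALLS:
        name = OPEN_SYSCALLS[nr]
        if actor == owner:
            verdict = "permitted: owner access"
        elif actor in IT_ADMINS:
            verdict = "VIOLATION: admin viewed another user's data"
        else:
            verdict = "VIOLATION: cross-user access"
    else:
        return None
    return Finding(event_id, actor, name, path, owner, verdict)


def analyze(log_text: str):
    """Correlate SYSCALL and PATH records by event id, then classify each event."""
    syscalls, paths = {}, {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, event_id, f = rec
        # Only successful calls disclose data; failed attempts deserve their own alert.
        if rtype == "SYSCALL" and f.get("key") == "userdata" and f.get("success") == "yes":
            syscalls[event_id] = f
        elif rtype == "PATH" and f.get("nametype") == "NORMAL":
            paths[event_id] = f["name"]  # the object itself, not its PARENT entry
    findings = []
    for event_id, sc in syscalls.items():
        if event_id in paths:
            fnd = classify(event_id, sc, paths[event_id])
            if fnd:
                findings.append(fnd)
    return findings


# Constructed, abridged auditd records: carol (IT) repairs alice's folder
# permissions via sudo (fine), then reads a file inside it (not fine); alice
# then opens her own file (fine).
SAMPLE_LOG = """
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=268 success=yes exit=0 auid=1003 uid=0 gid=0 comm="chmod" exe="/usr/bin/chmod" key="userdata"
type=PATH msg=audit(1700000000.101:501): item=0 name="/srv/share/alice" inode=1234 mode=040700 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=257 success=yes exit=3 auid=1003 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="userdata"
type=PATH msg=audit(1700000000.205:502): item=0 name="/srv/share/alice/" inode=1234 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1700000000.205:502): item=1 name="/srv/share/alice/salary-review.xlsx" inode=1240 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.310:503): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 gid=1001 comm="soffice" exe="/usr/bin/soffice" key="userdata"
type=PATH msg=audit(1700000000.310:503): item=0 name="/srv/share/alice/" inode=1234 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1700000000.310:503): item=1 name="/srv/share/alice/salary-review.xlsx" inode=1240 ouid=1001 ogid=1001 nametype=NORMAL
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.event_id} {f.actor:6} {f.syscall:9} {f.path:42} {f.verdict}")
```

The design point worth noting is the use of `auid` rather than `uid`: once the admin runs `sudo`, the effective uid is 0, and a rule keyed on uid alone would attribute the read to root instead of to the person who opened the ticket. In a real deployment the uid table would come from the directory service, and the folder owner could be cross-checked against the PATH record’s `ouid` for files whose owner differs from the folder name.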
Key regulations and standards related to cybersecurity compliance
Remember the word “blueprint” from earlier? It was chosen deliberately: just as an architect drafts a blueprint for construction teams to follow when building a structure, IT and Security teams can rely on standards when implementing a security plan to check the boxes, if you will, of the various regulatory requirements their organization must adhere to.
Just for clarification, standards ≠ regulations. Standards are a means of achieving the goals set by regulations. At a high level, they are a formalized set of security best practices, grouped much like actionable to-do lists, that provide battle-tested guidance for just about any environment to meet its compliance goals.
Each organization is different, as are its needs, and its ability to reach its compliance goals is often affected by a number of variables. That said, regulations define what must be protected for an organization to be deemed compliant by governing agencies; standards provide details on the best ways to configure that protection.
Let’s take a look at some key regulations from around the world:
- HIPAA: Protects health data in the United States and limits its sharing, requiring patient authorization for uses and disclosures beyond treatment, payment and healthcare operations.
- PCI DSS: Sets requirements for merchants and service providers that store, process or transmit payment card data.
- GDPR: EU privacy regulation that upholds individuals’ rights over their personal data and requires a lawful basis, such as explicit consent, before that data may be processed.
- FERPA: Limits access to US students’ educational records and controls their disclosure.
- FSMA: UK legislation providing oversight of insurance, investment business and banking, alongside emerging fintech markets, like cryptocurrency.
Now, let’s look at some key, globally-accepted standards and frameworks for cybersecurity:
- Essential Eight: The Australian Cyber Security Centre’s eight most critical mitigation strategies, which help organizations prioritize controls to protect themselves from cyber threats.
- NIST: Frameworks and publications from the US National Institute of Standards and Technology, such as the Cybersecurity Framework and SP 800-53, that help organizations protect against a wide gamut of threats, including guidance for critical infrastructure.
- ISO/IEC 27000 series: An international family of standards centered on ISO/IEC 27001, which specifies an information security management system (ISMS); its companion standards address a variety of cybersecurity issues and threats.
- Cyber Essentials: UK government-backed information assurance scheme for implementing security controls deemed effective at protecting organizations from internet-based threats.
- CIS: The CIS Critical Security Controls, prioritized safeguards that work as part of a defense-in-depth model, and the CIS Benchmarks, which provide secure configuration baselines for operating systems and applications.
The importance of compliance in cybersecurity
The role of compliance in cybersecurity is not unlike a system of checks and balances. Cyber threats that present risk to an organization answer the question, What does the organization need to protect itself against? Standards, as mentioned above, answer the question, How do we best implement organizational protections? Lastly, compliance answers the question, Did we succeed in protecting the organization?
Benefits of compliance for organizations
Arguably, the greatest benefit of compliance is peace of mind: the knowledge that devices align with industry standards and secure baselines. That means devices are hardened against security threats, users have been granted only the access necessary to perform their job functions, and data is secured through effective controls that meet or exceed requirements, minimizing the risk of compromise or of controls going unenforced.
Risks of non-compliance
Certain industries are subject to regulatory oversight due to the nature of the business, its practices and/or whom they partner with. Additionally, the region where a business operates may have an impact on the number of regulations that it could be subject to, seeing as regulations are mandated by government organizations and applicable at any or all of the following levels:
- Local (city, county, borough, tribal, territorial)
Each level may have its own set of requirements that could be more (or less) stringent than the next, and make no mistake: businesses in regulated industries are expected to adhere to every requirement from every level of government or be found in violation.
Examples of the consequences of non-compliance
Violations can carry any of the following penalties:
- Steep fines per violation/infraction (up to millions of dollars per year)
- Civil liability (from users of services/products impacted negatively)
- Criminal liability for employees and executives (found guilty of knowingly committing violations)
- Denial of grants and/or government funding/incentives
- Negative impact on public opinion/company reputation
- Impact on business operations/revenue
- Loss of partnerships/business opportunities due to data loss
- Injunctions barring the use of products/services
- Seizing of assets/business closure
Balancing security and compliance
The IT world has no shortage of phrases and acronyms used to describe technologies. Often these are grouped together to lend gravitas to a category of tools or services with a similar purpose. At other times they can appear oxymoronic or at odds with one another.
Security and compliance are terms that both connote protection yet mean two different things. Just because something is secure does not mean it is compliant; conversely, something can be compliant without being secure. Hence this section, in which we explain why striking a balance between security and compliance is challenging but ultimately rewarding when done properly.
Challenges of balancing security and compliance
Several challenges need to be ironed out when finding a balance that works for your organization. Some are specific to the organization: the tools available to your IT and Security teams, any limitations in their knowledge and skills, and certainly budget all play a crucial role in bridging the gap between security and compliance.
Other critical considerations are:
- Regulations applicable to your industry
- Resiliency of your device management and monitoring solutions
- Risk vs value proposition when implementing new tools
- Impact on users’ privacy and productivity
- Stakeholder support of standards adoption and implementation
- Time-sensitive requirements and constraints
How compliance can be integrated without sacrificing security
One of the most prudent ways to integrate new solutions of any kind in IT is through careful project planning and management, including a testing phase in which changes are piloted in a test environment before they are rolled out to production.
Not only does this provide ample feedback for support teams and stakeholders, but that feedback is most useful when evaluating current and future changes. After all, an iterative cycle is key to any change management process.
As with most things at the organizational level, the approach will vary greatly with the specific needs of your company. Unfortunately, there is no one-size-fits-all method, solution or tool that bridges the gap between security and compliance.
Best practices for balancing security and compliance
It cannot be stressed enough that proper planning is essential to achieving balance. A crucial part of planning and managing this project effectively is knowing two things about your security and compliance:
- Where does the organization currently stand?
- Where does the organization need/want to be?
The former is your security posture on day one, your starting point. The latter gives your organization a clear, concise goal, arrived at once risk assessments have been performed, compliance standards and/or frameworks have been selected, implementation and testing phases have been completed, and any discrepancies between your security and compliance standings have been analyzed.
Never forget, it’s an iterative process. If you don’t quite get to where you need to be the first time around, seize that opportunity by documenting your findings and using them as lessons learned to drive the organization closer to its balance point.
Another aspect touched on earlier is the risk vs. value proposition. As part of the iterative process, knowing where your organization stands at all times is critical to both compliance and security. Say, for example, organizational policy mandates that only company-owned devices enrolled in the company MDM may access business data. Because the organization lacks the licenses to manage personally owned devices, users are simply told verbally that using personal devices is prohibited. Without visibility into non-company devices, or additional security controls that technically prevent them from reaching business data, how would the organization know whether business resources were accessed and data processed or stored on personal devices?
It wouldn’t. This presents a significant risk to both compliance and security, and closing it requires additional funding to license each user’s personal device and additional IT staff to support the influx of devices they must now manage. Is the risk greater than, less than or equal to the added costs and employee concerns? The point of this exercise isn’t to answer the question outright (that depends on your organization’s unique needs) but to highlight the trade-off between risk and value that must be weighed when striking a balance.
Tools and technologies for balancing security and compliance
Armed with risk analysis information to determine which security protections are necessary and having chosen which standards and frameworks will be used to achieve their compliance goals, organizations need a vehicle to drive security and compliance closer into balance with one another.
This is where technologies and tooling come into play. Not only will the right technologies help to bridge any gaps between the two, but the proper tools will implement security configurations and enforce compliance moving forward.
Technologies that can help organizations implement security
In this section, we take a look at several broad technologies to help organizations achieve balance. From a security perspective, the following technologies help by implementing secure configurations based on generated guidance from standards and frameworks aligned to specific regulations.
- Mobile Device Management: MDM solutions allow IT to simplify the complexity of managing hundreds to tens of thousands of devices regardless of where they’re physically located. Capable of supervising company-owned devices as well as personally owned ones under any ownership model, management solutions strike a balance of their own between secure device configurations and settings, app deployment, separation of business data from personal data, and policy-based enforcement of compliance standards.
- Endpoint Security: Security solutions actively monitor and report on device health. By identifying and preventing known threats, Security teams can rest assured that endpoints maintain a baseline security posture. Behavioral analytics aid threat-hunting teams in discovering unknown threats, while remediation workflows mitigate threats to bring devices back into compliance.
- Identity and Access: By integrating identity solutions with management and security, the additional layer of trust limits access to authorized users only. Further, the principle of least privilege enabled by identity and access solutions ensures that users can work with protected data only to the degree necessary to perform their job function, no more, in line with compliance requirements and security best practices.
- Zero Trust: Based on the principle of “never trust, always verify”, this security model builds on identity and access solutions by performing a key function: denying access by default to every endpoint on each request until critical device health parameters have been verified. If they check out, access to the requested resource is granted; if not, integration with security and management solutions assesses the vulnerabilities and deploys remediation workflows to automatically bring the device back to a healthy state before device health is verified again.
Examples of tools to successfully enforce compliance
In this final section, we look at tools that help organizations enforce compliance along the way. The tools listed below deploy standards-based secure configurations, while holistic management, identity and security solutions ensure that endpoints, users and data are secure and remain compliant with applicable regulations.
- Jamf Pro: Best-of-breed Apple device management solution that makes it easy to manage macOS, iOS, iPadOS, tvOS and watchOS devices with an easy yet powerful interface that is capable of scaling to your needs. Deploy and configure hardware using zero-touch workflows, install managed apps, apply settings and implement policies so that devices stay managed.
- Jamf Connect: Leverage your cloud-based identity provider with Mac and mobile devices so that only authorized users can use hardware or access business resources. Identity-based workflows ensure that users with valid credentials on devices verified to be free of known vulnerabilities are granted access to protected resources, using encrypted microtunnels for each request to prevent network-based attacks like MitM on remote connections, with always-on protection regardless of the network used.
- Jamf Protect: Enhance endpoint security with security baselines, ensuring that endpoints remain secure while being actively monitored. Alerting Security teams to unknown threats kicks off incident response workflows, while known risks, like OS common vulnerabilities and exposures (CVEs), are mitigated upon detection across your device fleet. Extend infrastructure security by integrating with your preferred SIEM to centrally manage log data, and share device telemetry with management and identity solutions via secure API to enable automated remediation workflows driven by up-to-date threat intelligence and machine learning.
- Jamf Compliance Editor: Based on the macOS Security Compliance Project (mSCP), generate security guidance based on specific compliance requirements that are aligned to supported global governance standards and frameworks, and customized to meet the unique needs of your organization. If you require a more granular approach, choose only the configurations you wish to implement and/or specify custom levels of security you wish to set, then automatically create and upload assets to your Jamf MDM instance, ready for deployment across your entire device fleet.
- Jamf Safe Internet: Best-in-class network threat protection and comprehensive content filtering are key features of Jamf Protect for enterprise devices. For educational institutions, Jamf Safe Internet delivers the same granular protection against zero-day phishing threats, blocking of unsafe content and privacy protections as the enterprise offering, just as Jamf School includes education-focused management and security for educators, IT and staff comparable to our flagship offering. When integrated, both education-optimized solutions provide granular insight into device usage from a simple, intuitive console.
- Jamf Executive Threat Protection: Protection against the latest evolutions of the modern threat landscape is at the core of Jamf endpoint security solutions. Advanced remote detection and remediation capabilities give Security teams the tooling to respond to incidents, and incident response teams can dig deeper into threats with extended visibility into mobile fleets from anywhere. With remote collection of rich mobile endpoint telemetry, investigation time is reduced to minutes, thanks in no small part to integrations that extend feature sets for enterprise and government sectors.
Does incompatibility between security and compliance solutions have you feeling like trying to fit a square peg in a round hole?
Jamf Trusted Access delivers management, identity and security solutions that are designed from the ground up to get the balance right!