Riding the Wave of New Cybersecurity Regulations with Stateful Segmentation

Despite the fact that we often view regulations as preventative measures designed to protect individuals, enterprises, or governments, the truth is that a large percentage of regulations are actually enacted in response to things going badly. In other words, they’re often not preventative at all - they’re trying to remedy something that’s already doing harm. From seat belts being required in cars to the prohibition of lead in household paint, regulations are often the result of serious harm being done. What we’re seeing today around cybersecurity regulations is no different. Over the past ten years or so, the wave of breaches experienced across the globe and up and down the spectrum of organizations and individuals is now driving a new wave of regulations intended to better protect IT infrastructures, and by extension, the users and owners of those systems.

As a current snapshot of existing regulations, some are more mature than others. PCI DSS, HIPAA, MiFID, SOX, NERC CIP, and GDPR are examples of regulations that have been around for some time and are relatively mature. However, there are also a number of organizations that provide guidance documents which, as they mature, are being converted into formal regulations. For example, CBEST, FFIEC, SWIFT, and the Australian Signals Directorate (ASD) all currently provide various cybersecurity guidance to their respective industries/members, which is likely to evolve into regulations in the coming months and years.

One of the consistent themes throughout these new regulations is environmental segmentation - both for visibility and control of communications. GDPR, for example, requires organizations to be able to track the access and use of customer data across country borders and jurisdictions, whereas with PCI DSS, organizations can limit the scope of compliance by properly segmenting their PCI infrastructures.

This is a new area for many governments and regulatory bodies, however. For those new to the game, finding a place to start is often a challenge, so those organizations lean on the body of work already done by others. The NIST Cybersecurity Framework and ISO/IEC 27000 are two often-cited reference documents for new guidance and regulations. ISO/IEC 27000 in particular contains a variety of requirements for properly segmenting networks and data centers. As more and more regulations are enacted across the globe and across industries, the key principles within these documents will continue to appear over and over.

So what are organizations that fall under these regulations (or will fall under regulations in the future) to do? It largely depends on your approach to security and appetite for risk. At vArmour, we have seen organizations dealing with the incoming wave of regulations in three different ways, with highly regulated industries - financial services, infrastructure, service providers, and healthcare - furthest along on their compliance journey.

For many organizations, the impacts of security vulnerabilities, data breaches, and associated brand damage are all too real, as they have already been impacted. These organizations have seen firsthand how not actively performing risk assessments and not investing in what are coming to be seen as mandatory security controls can have a tremendous negative impact across the organization and on its perception with customers. For these risk-sensitive organizations, keeping up with new and evolving regulations is far less painful, as they are concerned with protecting the organization rather than simply checking the box on a compliance form. They are also far more likely to have already adopted emerging best practices and guidance before it becomes regulation, making the transition to complying with new regulations as painless as possible.

Other organizations currently see the writing on the wall that increased regulations are coming in their respective industries and are working to adopt current best practices so that they are not playing catch up once those practices become regulation. These organizations tend to accelerate their adoption of new security implementations once they’ve started because they begin to see operational, as well as security, benefits with a more proactive approach to their security posture and regulation compliance.

Sadly, not all organizations see the benefits delivered by industry best practices and instead wait until new regulations are finalized before attempting to improve their security posture. Although this “check the box” mentality can keep an organization compliant, the late adoption of new security policies, procedures, and technologies leaves the organization unnecessarily vulnerable in the interim. These organizations tend to be the ones scrambling to adopt new security strategies by upcoming deadlines (May 25, 2018 for GDPR, for example) and inadvertently derailing other business priorities and projects that have dependencies on security. This is generally not the group you want to be in.

With the coming wave of regulations designed to improve cybersecurity standards across countries, regions, and industries, one thing is for sure - all organizations will be subject to increasing security standards. Whether your organization proactively implements new approaches and tools in advance of coming regulations or is dragged kicking and screaming into the new cybersecurity world is up to you; however, those organizations that are proactive not only reap the benefits of additional security sooner, but also have an advantage over competitors when the deadline approaches, as they’re not scrambling at the last minute. As is often the case, those that have prepared and planned are far better placed to succeed than those that wait until they are forced to change.

Obviously the process of adopting a set of new security standards can be a daunting task - this is often why organizations put it off until they are forced to. An approach that we consistently see customers succeed with is to first gain a detailed understanding of their environments in order to identify critical applications and their dependencies, followed by adopting recommended best practices (or regulatory requirements) for those key applications. This not only achieves improved security for the most important aspects of the organization's IT infrastructure, but also serves as a smaller scoped exercise in understanding how easy it can be to improve overall security, compliance, and control.

We recently conducted a survey to identify the top IT priorities of enterprise IT professionals. 80% of the respondents have an active or upcoming segmentation project, and all of them are driven to various extents by regulations - HIPAA, PCI, SOX, GDPR and others. Today, the regulation wave shows no signs of ebbing, so rather than be crushed on the beach due to missing or incomplete compliance, organizations need to address and anticipate regulations to ensure a smooth ride. Although proper environmental segmentation comprises only one aspect of regulatory compliance, it is arguably one of the most critical aspects, as it not only delivers visibility into which applications and traffic flows need additional security, but can also clearly define the scope of some regulatory requirements - making compliance vastly simpler.