Virtualization Technology News and Information
Security Compliance: Are You Secure and Compliant?


By Sina Walleit, Parallels

Compliance does not necessarily equate to security. This has already been proven countless times in data breaches involving companies who were actually compliant with one or more data security standards, laws or frameworks when security was compromised. This realization is driving organizations to pursue security compliance, a combined approach deemed effective at minimizing the risk and impact of a cyber incident or avoiding it altogether.

You probably heard about the massive Target data breach of 2013. But did you know the retail giant was actually certified as being compliant with the Payment Card Industry Data Security Standard (PCI DSS) just weeks before the attack? Heartland Payment Systems, another victim of a major data breach, was also PCI DSS compliant for six straight years before they were attacked. Cyber incidents like these, which are more common than you think, stick out like a sore thumb because standards like PCI DSS are supposed to prevent them from happening.

Motivations Behind Cybersecurity Initiatives and Data Privacy Legislations

Over the last few decades, businesses have been subjected to an ever-burgeoning alphabet soup of security/privacy standards, laws, and frameworks such as the PCI DSS, Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) and General Data Protection Regulation (GDPR). Why have these laws and regulations been crafted in the first place?

As organizations become increasingly reliant on IT systems, data, and other digital assets, they attract criminals who can make a lucrative business out of stealing, sabotaging or holding these assets captive. To counter these threats, organizations adopt security policies, procedures and controls.

Unfortunately, some organizations are not willing to spend resources on security. Others simply don't know where to start. To address these issues, legislators and industry regulatory bodies craft standards, laws and regulations that serve as guidelines and (in the case of penalties and fines) motivators for businesses to enforce strong security practices.

Overview of Some Data Protection Laws and Regulations

There are countless standards, laws and frameworks that are designed to secure data and other digital assets. Some of the more common ones include the following:

  • Health Insurance Portability and Accountability Act (HIPAA)-A US federal law designed to secure sensitive patient data in healthcare organizations.
  • Payment Card Industry Data Security Standard (PCI DSS)-An industry-spearheaded standard aimed at securing credit card data in businesses that store, transmit and process credit cards.
  • General Data Protection Regulation (GDPR)-A regulation crafted by the EU to protect citizens' personal information from abuse.

Difference Between Security and Compliance

While security and compliance are clearly two different principles, they each have their own benefits (we'll discuss these in detail later). The benefits contribute to reducing business risk. For this reason, organizations need to focus on achieving both security and compliance. This is the only way businesses can bring down levels of risk considerably.

From the very start, we've declared that security is not the same as compliance. But how exactly do they differ? Let's talk about that.

Protection by security and compliance security (which, in this context, really means information security), is the sum of physical and technical systems and tools as well as policies and procedures put in place to mitigate risks on an organization's digital assets.

Compliance is similar in that it also consists of physical and technical systems and tools, etc., except that, unlike security, the systems are usually geared towards protecting a specific set of digital assets. For example, in HIPAA, the protected asset is patient information; in PCI DSS, it's card data; and in GDPR, it's personal information of EU citizens. Security, on the other hand, has a more all-encompassing scope on what to protect.

Roles and tools of the trade

Cybersecurity analysts normally spend most of their time monitoring and checking the network, threat intelligence feeds, and logs for any potential threats. Their usual tools are Security Information and Event Management (SIEM) systems and Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS). The moment they spot something suspicious, they perform further analysis and, if necessary, use other tools to contain threats, eradicate danger or recover data.

While internal compliance officers are also concerned with security, their normal workday consists of audits, interviews, reports and communications. Instead of using technical tools, they usually handle a lot of paperwork. Their main roles are to verify and document that the organization's security infrastructure and its policies and procedures are compliant with relevant standards and laws.

Consequences of failure

In most cases, you work to achieve security because you know that if you fail in this area, your organization could suffer from a data breach, a malware outbreak, a network outage, etc. The consequences are usually technical in nature.

Compliance initiatives are also aimed at mitigating these risks. But usually, the ultimate reason for achieving compliance is to avoid a million-dollar fine and, in some cases (like when you violate HIPAA or the Sarbanes-Oxley Act), multi-year jail time.

Determination of success

Organizations that undertake security initiatives that are not imposed by any data protection law or regulation are accountable to only themselves. Their determinant of success is doing business without suffering a cyber incident.

On the other hand, organizations that are governed by data protection/privacy laws or regulations must answer to a third party. For example, with HIPAA, the government agency responsible for enforcement is the Department of Health & Human Services Office of Civil Rights. In PCI DSS, a Qualified Security Assessor oversees compliance. Your company does not determine whether it has succeeded in compliance endeavors or not.

Reputation booster

Compliance with a widely accepted standard, law or regulation can be used as a seal of approval that you can advertise to potential customers and receive a favorable response. A lot of customers, especially in the B2B space, are already familiar with HIPAA, PCI DSS, SOX, GDPR, etc., and tend to interpret compliance as proof of an organization's dedication to security.

Security, by itself, doesn't evoke the same response. Because security is mostly technical in nature, only technical people can easily appreciate its value when you use it to attract customers. CEOs and CFOs can appreciate HIPAA or PCI DSS compliance easily, but not all would be able to understand the significance of having multi-factor authentication (MFA), 4096-bit Rivest-Shamir-Adleman (RSA) encryption or Security Assertion Markup Language (SAML).

Benefits of Security and Compliance

With security compliance, businesses can upgrade cybersecurity and reduce risk, keep their reputations safe, avoid fines and improve data management. Here's how.

Upgrade cybersecurity and reduce risk

Striving to adhere to security compliance standards means that organizations put the utmost effort into ensuring that their security frameworks are as impenetrable as can be, leading to fewer security breaches.

Businesses that invest in the latest security technologies safeguard the organization's digital information assets and any customer information they may hold. This not only reduces the risk against evolving threats significantly but also expedites the compliance process.

Safeguard business reputation

An unsecured network can fall victim to a data breach easily, and the consequences for this are dire. Several big-name enterprises-eBay, Under Armour, Zynga, Target, etc.-have learned it the hard way. One major impact is the significant damage that it brings to the company's reputation.

A cyberattack that compromises users' information undermines not only the trust of all consumers but also that of business partners. This could be disastrous for the company, bringing about loss of customers, business opportunities, and eventually, sales and profits.

Avoid fines, penalties and other costs

Companies that are found out of compliance with regulations can be slapped with hefty fines. The penalties vary depending on the regulation, but any fines could impact the business financially. For instance, a HIPAA violation imposes a $100 to $50,000 fine per incident, with a maximum of $1.5 million annually.

Violation of the GDPR results in charges of 4% of a company's global turnover or €20 million, whichever is higher, while violation of the PCI DSS carries a fine between $5,000 and $100,000 per month. These figures don't even include the costs that a business incurs when dealing with a data breach-e.g., litigation expenses, public relations activities, and credit monitoring for affected consumers.

Improve data management capabilities

Keeping security and compliance standards up to par starts with an organization evaluating the type and volume of customer information it holds on servers or in the cloud, what it's doing to protect it, and what regulations apply. All these considered, the organization should assess current policies for accessing and modifying data.

Businesses that are accountable under the GDPR for example, are required to provide customers (upon request) access to data collected from them as well as information about how and where the data is stored. This also requires that data is organized in a structured and consistent manner so that only authorized staff has access to the information when it is needed.

Achieve Security Compliance with Parallels RAS

In a constantly-evolving business landscape with increasing reliance on remote work, companies are struggling to meet the needs of remote workers while maintaining security compliance. The foremost technology in this recent trend is virtual desktop infrastructure (VDI), easily the most widely-used technological solution for enabling remote work.

VDI allows remote workers to access corporate data and applications hosted in a central location such as a data center or a public cloud from a wide range of devices including PCs, laptops, thin clients, tablets and smartphones. VDI environments are inherently secure since the applications and data aren't stored on the endpoint devices and hence remain safe, even if a VDI-supported endpoint device gets lost or stolen.

However, despite its inherently secure architecture, most VDI solutions are still vulnerable to man-in-the-middle attacks, brute-force attacks and other threats. Parallels® Remote Application Server (RAS) mitigates these threats while also helping achieve regulatory compliance through a comprehensive selection of security features, including SSL/TLS with FIPS 140-2 compliant encryption, MFA, data segregation, and load balancing.

SSL/TLS with FIPS 140-2 compliant encryption

SSL/TLS data-in-motion encryption protects data from man-in-the-middle attacks and other network-based threats. Combined with cryptographic elements that comply with the Federal Information Processing Standard (FIPS) 140-2, SSL/TLS not only secures data, but also complies with a wide range of stringent encryption laws and regulations. US government agencies require FIPS 140-2 compliance.

Multi-factor authentication

Multi-factor authentication (MFA), which adds more layers of protection to password-based authentication, is a proven method for foiling brute-force attacks and is a major requirement in highly prescriptive regulations and standards like PCI DSS. Parallels RAS offers several MFA options, including text-based one-time password (OTP), time-based OTP, secret key and others.

Data segregation

Data segregation is a must-have security function in multi-tenant infrastructures, where data can sometimes leak into another tenant's or organization's environment due to misconfigurations and other causes. The Parallels RAS data segregation feature prevents applications, desktops and data from being shared between sites in a Parallels RAS infrastructure.

Load balancing

Although often left out in security discussions, availability (of infrastructure, applications or data) is actually a major pillar of information security. It's the A in the CIA information security triad (the other two letters stand for Confidentiality and Integrity). Parallels RAS ensures availability through its load balancing feature, which distributes workloads among Remote Desktop Session Host (RDSH) servers and internal components, such as RAS Gateway, and prevents outages due to overload.

There's more. Read about further security features supported by Parallels RAS.

As industries adopt remote work environments, threats to digital assets will only increase. You can counter them by employing a solution that's fully capable of supporting your security compliance efforts. Parallels RAS can help you in that regard. Try it out now in our 30-day trial.

Published Friday, October 30, 2020 7:41 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<October 2020>