Why Industry Compliance Is Not Enough

Information security is affecting the entire IT landscape.

Narendar Nallamala user avatar by
Narendar Nallamala
·
May. 07, 19 · Analysis

This post was originally published here.

Growing awareness of information security is affecting the entire IT landscape today. By 2020, it’s estimated that the average cost of data breaches will be in excess of $150 million. Due to the increasing attacks targeting businesses, more and more companies are lining up to invest heavily in information security. Much of the drive behind this investment is compliance: security standards adopted in many industries require businesses in that sector to conform to a specific set of requirements.

The need for compliance is a great driving force indeed, but it is not to be mistaken for the sole objective of investing in security. Simply aiming for compliance is not enough; far from it, actually. There are several reasons why compliance is not enough, and we are going to review them in this article.

The Lagging Regulations

Compliance is based on regulations that govern specific industries; Ibexlabs, for example, supports many healthcare organizations whose cloud infrastructure and software must conform to such regulations. Unfortunately, changing a governing regulation is never an easy process. As a result, the security standards required for compliance become insufficient, and there is a simple reason for that.

The attacks targeting businesses and individuals are constantly adapting and evolving to new challenges and better security measures. In fact, they are adapting at an incredible rate; a rate that cannot necessarily be matched by changes in standards and regulations.

When you aim only for compliance, you are following ‘outdated’ standards that are not always capable of protecting sensitive information from the newer challenges. This means leaving the majority of your infrastructure exposed to bigger risks.

Lack of Involvement

Compliance also seldom touches an important element in information security: the people. Sure, training and security policies are part of complying with information security standards, but they are certainly not enough if the goal is creating a secure IT infrastructure.

A more comprehensive set of policies is needed to really protect sensitive information from within. Access management and monitoring, including detailed access logging, are also essential in preventing data breaches caused by human error or deliberate acts.

Speaking of human error, there is also the need for regular training, reminders, and blanket understanding of information security best practices. Every part of the organization needs to assume a more active role in protecting information crucial to the organization and its stakeholders.

Infrequent Reviews

Staying with these evolving challenges, there is also the fact that most compliance standards only come with annual or bi-annual security reviews. What usually happens is that sudden changes and adjustments are made just before the comprehensive review, purely for the sake of complying with the security standards.

Information security is no longer a one-time thing. It is a continuous process that involves constant monitoring and evaluation. This is where tools such as Amazon GuardDuty – a tool for active threat monitoring in the Amazon Web Services environment – become very important.

If your IT infrastructure relies on the Amazon cloud platform, you actually have more tools to use. AWS also comes with Inspector and AWS Artifact, both of which are crucial tools for security assessments.

Combined with existing features like AWS IAM and CloudHSM, maintaining maximum information security becomes a continuous process that is inseparable from your operational workflow. This is how the highest security compliance standards are surpassed.

A More Proactive Stance

It is also important to note that information security is not only about protecting yourself from attacks. It is actually more about preventing attacks from ever affecting your IT ecosystem, which is not a primary objective for many security compliance standards.

Referring back to the tools mentioned earlier, many of the Amazon cloud security features are designed for better early detection and prevention of data breaches. GuardDuty is very comprehensive on its own. It analyzes activities at an incredible speed and immediately detects potential threats.

The tool will then display those threats on your intelligence feed. You can clearly see malicious IP addresses and sources of bad requests, including requests that come from your own EC2 instances. This means GuardDuty can perform a comprehensive check of existing ecosystems as soon as it is activated.
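To make the continuous-monitoring point concrete, here is an added example (not code from the original article or from AWS) that triages a batch of GuardDuty findings offline: it ranks them by severity, pulls out the affected EC2 instance and the remote IP or domain, and flags the findings where the request came from your own instance. The three findings are constructed samples in the shape of GuardDuty's finding JSON; the field names and the severity bands are assumptions from that format, and real findings carry many more fields.

```python
"""Triage Amazon GuardDuty findings offline: rank by severity and pull out the
affected EC2 instance and the remote endpoint. The findings are constructed
samples in the shape of GuardDuty's finding JSON (assumed field names)."""

SAMPLE_FINDINGS = [
    {   # inbound SSH brute force against one of our instances (low severity)
        "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0constructed1"}},
        "Service": {"Action": {"NetworkConnectionAction": {
            "ConnectionDirection": "INBOUND",
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.23"}}}},
    },
    {   # our own instance resolving a known command-and-control domain (high)
        "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0constructed2"}},
        "Service": {"Action": {"DnsRequestAction": {
            "Domain": "c2.constructed.invalid"}}},
    },
    {   # our instance connecting out to a reported malicious host (medium)
        "Type": "Trojan:EC2/BlackholeTraffic", "Severity": 5.0,
        "Resource": {"InstanceDetails": {"InstanceId": "i-0constructed1"}},
        "Service": {"Action": {"NetworkConnectionAction": {
            "ConnectionDirection": "OUTBOUND",
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.9"}}}},
    },
]

def severity_label(score):
    """GuardDuty bands (assumed): 1.0-3.9 low, 4.0-6.9 medium, 7.0-8.9 high."""
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"

def summarize(finding):
    """Flatten one finding into the fields an analyst needs first."""
    action = finding["Service"]["Action"]
    net = action.get("NetworkConnectionAction")
    dns = action.get("DnsRequestAction")
    remote = (net["RemoteIpDetails"]["IpAddressV4"] if net
              else dns["Domain"] if dns else None)
    # Traffic that our own instance initiated is the stronger compromise signal.
    from_instance = bool(dns) or (net is not None and
                                  net.get("ConnectionDirection") == "OUTBOUND")
    return {"type": finding["Type"], "score": finding["Severity"],
            "label": severity_label(finding["Severity"]),
            "instance": finding["Resource"]["InstanceDetails"]["InstanceId"],
            "remote": remote, "from_instance": from_instance}

def triage(findings, min_severity=4.0):
    """Return findings at or above min_severity, most severe first."""
    rows = [summarize(f) for f in findings if f["Severity"] >= min_severity]
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Running `triage(SAMPLE_FINDINGS)` drops the low-severity brute-force noise and puts the instance-originated C2 lookup at the top of the queue, which is the kind of view the article's "intelligence feed" is meant to give you.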

Compliance Only Helps You Achieve The Bare Minimum

Last but certainly not least, there is also the fact that compliance standards are designed to be inclusive. The industry needs many — if not all — of its players to have the ability to comply with the security standards without having to make big changes. Most compliance standards are only designed to be the bare minimum rather than a comprehensive set of requirements.

Think of security compliance as setting a password. Yes, it’s possible to use 12345678 as a password because one is required (though who does that nowadays?), but the password is far from secure. Adding a password is a start; the next step is changing the password so that it is more difficult to guess. To complete the set, you make sure the password is protected and isn’t shared with anyone.

Taking additional steps and exceeding the bare minimum is a must. When you consider the complexity of today’s cyber attacks, simply complying with the security standards is not enough.

For more on conforming to healthcare industry standards, check out our article Technical Safeguards for HIPAA Compliance.

Tags: Information security, Amazon Web Services

Published at DZone with permission of Narendar Nallamala. See the original article here.
