The case for automated security compliance

Feb. 15, 2022
Maintaining the security of people, places and systems is challenging and complex but essential to mitigating risk

Small and medium-sized businesses (SMBs) are often the most vulnerable to cyber-attacks. According to several industry reports, more than a quarter have no security plans in place, and more than half have no in-house IT security experts. In fact, according to Verizon’s 2021 Data Breach Investigation Report, 61% of SMBs report experiencing at least one cyber-attack or data breach over the last year.

With the increase in non-discriminatory cyber-attacks, it would behoove fast-growing businesses to implement security measures in the early stages of their launch, or they risk failing before even getting off the ground.

For those business leaders not well-versed in information security, implementing comprehensive security measures can be a daunting task, and many don’t know where to start. The most common way they get introduced to security outside of a breach is through security compliance frameworks like SOC 2, ISO 27001 and HIPAA.

Although these security frameworks are effective in evaluating a business’s security posture, the audits necessary to achieve compliance traditionally require a significant amount of time and money. This makes them almost unattainable for fast-growing businesses since the resources they have are understandably focused on product development and growth.

Fortunately, automation is helping level the playing field in expanding access to security for businesses of all sizes. Much of the work required to pass a SOC 2 audit, for example, is largely dependent on the completion of repetitive, time-intensive tasks that computers can do much better than humans.

When it comes to control activities, many of the same principles around automating security compliance can be applied to physical security compliance. SOC (System and Organization Controls) 2, one of the most prominent security compliance frameworks that a business or organization can hold, is an apt comparison.

In the SOC 2 scheme, organizations must design and operate controls that meet the American Institute of Certified Public Accountants (AICPA)’s Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity and Privacy. Security is a required criterion, and all others are optional. For those who are familiar with financial controls frameworks, the SOC 2 criteria were built upon the COSO Integrated Framework, so SOC 2 is essentially the COSO for information security.

Common Controls and the Need for Automation

Some common SOC 2 controls include technical items such as establishing and maintaining firewalls and perimeter network controls; scanning systems and networks for technical vulnerabilities; tracking and remediating technical vulnerabilities within defined timelines or SLAs (service-level agreements); and encrypting confidential datastores at rest and in transit.

Similarly, physical security controls typically include establishing and maintaining a secure perimeter; regularly checking the perimeter fence line for signs of a breach attempt; documenting perimeter weaknesses and fixing them in a timely manner; securing and locking secure areas; and maintaining secure communications channels.

SOC 2 also includes administrative control requirements that are common to many facility security requirements, including establishing and maintaining policies and procedures; performing risk assessments; conducting appropriate background checks and screening of personnel; and providing security training at time of hire and regularly thereafter.

So how does automation enable security teams to manage these technical, administrative and physical security controls more efficiently and effectively?

Firewalls and Secure Network Perimeters

Automated monitoring processes run continuously to review both firewall rule sets and system configurations against a known good configuration, or simply the settings that we expect. Any deviations, either from a misconfiguration by personnel or an unintended change by a malicious outsider, are reported to security teams as alerts in real-time. Some systems can take it one step further and remediate the vulnerable configuration by changing it back to the known good state.
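As an added illustration of the monitoring loop described above (example code, not from the article or any particular vendor), the following compares an observed firewall rule set against a known-good baseline, raises an alert for every deviation, and builds the plan that restores the baseline. The rule sets are constructed sample data; a real deployment would pull them from the firewall's API or configuration export.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str
    port: int
    source: str   # CIDR the rule applies to

# Constructed known-good baseline: HTTPS from anywhere, SSH only from the admin net.
BASELINE = {
    "web-https": Rule("allow", "tcp", 443, "0.0.0.0/0"),
    "admin-ssh": Rule("allow", "tcp", 22, "10.0.0.0/8"),
    "default-deny": Rule("deny", "any", 0, "0.0.0.0/0"),
}

# Constructed observed state: SSH widened to the world, an extra RDP rule,
# and the default deny gone (sample data, not a real export).
OBSERVED = {
    "web-https": Rule("allow", "tcp", 443, "0.0.0.0/0"),
    "admin-ssh": Rule("allow", "tcp", 22, "0.0.0.0/0"),
    "tmp-rdp": Rule("allow", "tcp", 3389, "0.0.0.0/0"),
}

def detect_drift(baseline, observed):
    """Return (severity, message) alerts for every deviation from the baseline."""
    alerts = []
    for name, rule in observed.items():
        if name not in baseline:
            sev = "high" if rule.action == "allow" else "low"
            alerts.append((sev, f"unexpected rule added: {name} {rule}"))
        elif rule != baseline[name]:
            alerts.append(("high", f"rule modified: {name} is now {rule}"))
    for name in baseline:
        if name not in observed:
            alerts.append(("high", f"expected rule missing: {name}"))
    return alerts

def remediate(baseline, observed):
    """Build the restore plan and the rule set that results from applying it
    (a real system would push the plan to the firewall instead of simulating it)."""
    plan = [("remove", n) for n in observed if n not in baseline]
    plan += [("restore", n) for n in baseline if observed.get(n) != baseline[n]]
    fixed = {n: r for n, r in observed.items() if n in baseline}
    fixed.update({n: baseline[n] for a, n in plan if a == "restore"})
    return plan, fixed
```

Running `detect_drift` again on the remediated set returns no alerts, which is the check a continuous monitor would repeat on every cycle.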

While automated monitoring of physical perimeters and fence lines is less common today because the technology is not yet widely deployed, Internet of Things (IoT) technologies are making the capability increasingly available. Smart fences with networked sensors can automatically detect and alert security teams on breach conditions or unsecured access points. Similarly, drones can automatically scan perimeter defenses and alert on observed changes, based on a map of the known good state.

Technical Vulnerability Detection and Remediation

Technical vulnerability scanning and remediation is a process closely related to the maintenance of a secure perimeter, with one key difference: technical vulnerabilities arise not from a misconfiguration or change, but because new weaknesses are discovered by security researchers nearly every day.

For example, the Apache Log4j vulnerability continues roiling the security community, causing teams to work 24/7 to find and remediate potential vulnerabilities in their environments as they scramble to batten down the hatches. The challenge of managing technical vulnerabilities is that what you thought was secure yesterday could be vulnerable today. Without automated scanning processes, identifying and remediating these vulnerabilities is all but impossible.

You might say that physical security practitioners have an advantage here, as fences that work fine one day don’t tend to fail the next day. However, this is where emerging IoT is a double-edged sword. On the one hand, automated detection and alerting can be dramatically improved, but technical vulnerability management needs to be applied to all physical security systems, and the capabilities of scanning and detection tools will likely lag behind the adoption of IoT-enabled infrastructure.

Datastores and Communications Encryption

To maintain the effectiveness of encryption technologies, they must be correctly applied to in-scope transmission channels and systems, and keys must be managed securely. Here again automated security processes continuously check databases, file systems and transmission settings to ensure that encryption is applied and that keys are secure and managed in accordance with policy and SLAs.

The physical security analogy is smart doors, windows and locksets that continuously report on their state and alert users to insecure conditions. This level of technical monitoring and alerting is already deployed in many consumer and business settings. Doors are monitored to make sure that they are closed and locked, and audible alarms are triggered when doors are held open or when unauthorized user credentials are scanned at door readers.

Risk Assessment, Human Controls and Training

The last bucket of controls in both information and physical security contexts is the administrative control set. In SOC 2, human controls are some of the most common offenders in unsuccessful audits, primarily because we are far less consistent and reliable than machines. Security teams have competing priorities and a broad spectrum of responsibilities, so it's easy to miss a training SLA, provision access before policies have been accepted, or fail to complete a disaster recovery test within the required period. The maintenance of administrative controls can be greatly enhanced through system automation simply by reminding staff members what they are supposed to do, when they are supposed to do it, and where they are currently tracking.

Human resource information systems (HRIS) maintain a source of truth for each employee; these systems can be technically integrated through application programming interfaces (APIs) with service providers such as background screening and training organizations. The status of employee background checks, training and policy acceptance is continuously monitored, so if they are not completed within expected timeframes alerts are sent to employees along with managers and compliance teams.

Similarly, automation tools can monitor time-sensitive controls such as the completion of periodic risk assessments and alert teams when they need to be updated. For example, eleven months after the last update to a risk assessment, administrators and compliance teams are notified so they have time to prepare for the next assessment, helping the organization maintain a state of continuous compliance and audit readiness.
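The deadline monitoring described in the two paragraphs above, as an added example that is not part of the article: each administrative control carries a policy interval, a warning lead time and an audience; the monitor classifies every record as ok, due or overdue and says who should be notified. Control names, intervals and employee records are all constructed, and the one-year risk assessment with a 30-day lead reproduces the "eleven months after the last update" notification the text mentions.

```python
from datetime import date, timedelta

# Constructed policies: interval in days (None = once, before access), warning
# lead time in days, and who gets the alert.
POLICIES = {
    "risk-assessment":   (365, 30, ["compliance-team", "administrators"]),
    "security-training": (365, 14, ["employee", "manager"]),
    "background-check":  (None, 0, ["manager", "compliance-team"]),
    "dr-test":           (365, 30, ["security-team"]),
}

def evaluate_control(name, last_completed, today):
    """Classify one control record as ok, due (inside the warning window) or overdue."""
    interval, lead, audience = POLICIES[name]
    if last_completed is None:            # never done: overdue regardless of interval
        return {"control": name, "status": "overdue", "due": today, "notify": audience}
    if interval is None:                  # one-time control already satisfied
        return {"control": name, "status": "ok", "due": None, "notify": []}
    due = last_completed + timedelta(days=interval)
    if today > due:
        status = "overdue"
    elif today >= due - timedelta(days=lead):
        status = "due"
    else:
        status = "ok"
    notify = audience if status != "ok" else []
    return {"control": name, "status": status, "due": due, "notify": notify}

def run_monitor(records, today):
    """records: {control: {subject: last_completed date or None}} -> list of alerts."""
    alerts = []
    for control, subjects in records.items():
        for subject, last in subjects.items():
            result = evaluate_control(control, last, today)
            if result["status"] != "ok":
                result["subject"] = subject
                alerts.append(result)
    return alerts

# Constructed records as of 2022-02-15 (the article's publication date).
RECORDS = {
    "risk-assessment":   {"org": date(2021, 3, 15)},
    "security-training": {"alice": date(2021, 1, 10), "bob": date(2021, 11, 1)},
    "background-check":  {"alice": date(2021, 1, 5), "carol": None},
    "dr-test":           {"org": date(2021, 12, 1)},
}
```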

Maintaining the security of people, places and systems is challenging and complex. Threats are constantly evolving and changing. The complexity grows as more built environments are digitized and connected to the internet, but that also enables automation to help address challenges and provide the necessary insights and controls.

Automation of security management, monitoring and response processes is still novel in some sectors, but it is quickly becoming table stakes for online businesses of all sizes. You no longer have to break the bank or be an IT expert to ensure your company is - and remains - secure and compliant.

About the author: Matt Cooper is a certified Facility Security Officer (FSO) and the Principal of Cybersecurity & Data Privacy at Vanta, an automated security compliance SaaS. In his role, Matt assists customers with audit readiness; working to understand the big picture of what they are trying to achieve; and helping them prepare to meet their SOC 2, ISO, or HIPAA compliance goals. Follow Matt on LinkedIn: linkedin.com/in/matthewcooperpdx/