If there is one thing IT pros know about compliance it is that keeping up with changing compliance requirements is increasingly challenging. The regulations get tougher and enforcement tighter every year. Two prime examples being PCI DSS, which regulates the use of credit cards and electronic payments, in the United States, and GDPR, a new sweeping set of rules for companies that do business in Europe.
While these rules may seem a major burden for technologists, the benefits of being in compliance are a far more secure environment for your data, and fewer data breaches and criminal exploits. In fact, even companies that do not need to comply with regulations would be wise to move in the same spirit and tighten security in many of the ways these regulations demand.
PCI DSS and Two-Factor Authentication
PCI DSS will undergo a major change by June 2018 – the increasing need to apply two-factor authentication (2FA). Under PCI DSS Requirement 8.3.1, multi-factor authentication (MFA) for all non-console access into the Cardholder Data Environment (CDE) is needed for all persons with administrative access. The end result is that MFA must be used by all administrators of CDE systems and devices.
Even without this new requirement, however, using MFA and 2FA in all security-sensitive areas is a worthy goal.
Another rule, Requirement 8.3.2, demands that MFA be applied to remote access to the CDE. This means workers must use MFA to connect to the internal network and under 8.3.1 use MFA to connect to the CDE system. Moreover, this authentication must be separate for each step of the connection and not reused.
Preparing for GDPR
The General Data Protection Regulation (GDPR) is set of rules that mandates tougher data protection for citizens and companies in the European Union. These stringent rules go into effect May 25, 2018. MSPs and IT should already be preparing, and if not, get started quickly.
While some believe that GDPR impacts only companies operating in the European Union, it has far broader implications for MSPs, as one service provider notes. “Though GDPR is a European regulation, it impacts our business because we’re responsible for the data of our European customers,” said Mark Shaw, president, Stored Technology Solutions, Inc.
GDPR represents a sea change in how security is approached. The good news is that complying with GDPR makes your overall security much stronger – a huge added benefit. “Companies need to understand that this is a major reform in data protection law; it rethinks everything about data security,” said Joanne Bone, a partner at law firm Irwin Mitchell LLP, who advises businesses across all sectors on IT issues, with a specialization in data protection and GDPR.
“Any organizations that think GDPR is a simple tweaking of data protection requirements is missing the scope of how this law will impact so many areas,” Bone said. “Given the breadth of the legislation, if you don’t start the process of looking at how you can be compliant early on, it will be much more painful and expensive later on.”
GDPR demands companies notify customers of data breaches quickly and in a detailed manner. This requires deep visibility into systems, endpoints and the network. And that means leveraging a layered model to ensure the right technology solutions are being deployed.
Why a Layered Approach?
Regardless of the regulation, ultimately, you must be able to show you are taking the necessary steps to keep your organization safe. A firm that uses a layered model to capture the correct data is able to prove easily it is taking the right actions and offering proper protection.
Remote monitoring and management (RMM) enables IT teams to monitor and remediate applications, servers, workstations, and remote computers. Admins need to know quickly when problems arise or there is a change in system status. Preventing breaches and cyber-attacks can be done with software management; in particular with a solution that automatically updates servers, workstations, and remote computers with patches and software updates.
While most layered models take a network diagram approach (thinking from the endpoint to the network core), a better framework for compliance is based on a layered model that begins with providing complete visibility, both on-and-off network, and then using automated methods to keep the network hardened. Topping off the model are advanced features to facilitate a quick recovery should a critical event occur. All data and documentation should be stored in a single source of truth that can be queried with detailed and thorough information from hardware to network to prove compliance.
Although one IT management solution will never meet all compliance needs, some IT management solutions put the puzzle pieces together better than others. The right solutions can be used in a multi-faceted way and build on multiple layers that gather more valuable data to demonstrate both your IT organization’s actions and the protection it provides.
Bonus - Grab This: To learn more about how taking a layered approach to compliance can benefit your business download our whitepaper “Compliance: How a Layered Approach Helps you Breeze through Audits.”
Miguel Lopez is senior VP of managed services providers at Kaseya. Read all Kaseya blogs here.
