Compliance vs innovation – a coming circle to be squared

By Martin Banks, November 21, 2017
There's potential for a clash between automated compliance management in security and the move to the end user community as the source of future innovations.

An interesting, and potentially truly disruptive, development in cyber-security was one of several subjects that came up for discussion at a recent seminar held by cyber-security specialist Fortinet at its Sophia Antipolis facility.

This is the issue of compliance management as a counter to the natural outcomes of human frailty. There is little doubt that the interactions between humans and information technology are the primary cause of nearly all security lapses.

It starts with the writing of application code, where 'holes' of every size inadvertently get written into code and can then be exploited by attackers. The infamous 'zero-day exploits', which target such holes before the vendor knows they exist, are the classic example of this in action.

It is then aided and abetted by users of all varieties and calibres being caught out by enticements and blandishments, or perhaps an interesting 'offer' from a friend or acquaintance, and persuaded to perform some simple task: just click on this file, download, link or whatever, and some form of nirvana will be yours.

As attempted resolutions to these human weaknesses, millions of words of Policy have been written on every conceivable angle of curtailing the natural sloppiness of human behaviour. Rules and strictures of 'how to', and more importantly 'how NOT to', have been written with the aim of stopping such sloppiness. All that is needed is for humans to comply with them.

Such policies are sent to users, who are instructed to abide by them. Sometimes they even do, for a while at least. But humans and compliance with IT operational constraints are a bad mixture, one that is at the very least unstable over time.

Hence the notion of compliance management: managing as much human weakness out of existence as possible. The core objective here is to make it increasingly difficult for users to step outside the structures of compliance, and the growing availability of machine learning and automation now raises the possibility that users will be unable to transgress those compliance regulations at all. They will be proactively prevented by management systems that progressively learn the behaviour patterns of individual users - learn that 'sloppy activity A' really means 'perform Task ' - and act accordingly.

Innovators – forget the tech

This probably sounds like heaven for a hard-pressed CISO, and there the story would end if it were not for a different trend emerging in the industry at the same time. This is the commoditisation of both hardware and base software technologies in cloud services, which is moving the goalposts of innovation away from those technologies and into the area of their use.

In essence, the new hunting ground for innovators is the creation of new combinations of disparate applications and tools that provide whole new ways of building business processes, and whole new business processes that have not been possible until now.

The trouble with that, however, is that quite a large amount of the innovators' output is going to start running counter to the strictures of automated compliance management systems, an issue acknowledged by both Patrice Perche, Fortinet's Senior Executive Vice President for Worldwide Sales and Support, and Derek Manky, the company's Global Security Strategist. Both addressed the issue with a drawn-out 'ye-e-e-e-s' and the suggestion that there is no immediate answer to this impending dilemma, with Perche adding:

It will need a compromise and more development work for the compliance management team.

But the probability is that new innovations in business management will fall foul of automated compliance management systems, since both new ways of running existing business processes and entirely new business processes run the risk of appearing non-compliant.

Such developments may be quite widespread for a while as businesses accelerate their efforts to move further down the road of digital transformation. And as Barbara Maigret, the company’s Vice President of International Marketing, pointed out at the seminar:

It affects all parts of the business and is no longer just the responsibility of the IT department.

With all departments contributing to and exploiting digital transformation, two contradictory effects are likely to become common occurrences: sloppy human activity breaching weak compliance management, and new, innovative business processes being trapped by overly zealous automated compliance systems.

With users seeking to digitally transform to improve operational efficiency, deliver better customer experience, become more agile and responsive and better manage business risk, Maigret sees the best defence in putting digital at the heart of being the key service to the whole company:

It is about bringing business and IT together, and that means a digital-ready network that has to be secure.

Some of the challenges she sees making these issues more problematic for many users are the increasing complexity of cyber-security, hybrid IT environments (which include people working from home), the on-going cyber-security skills shortage, traffic and application latency, and of course the growing attack surface that digital transformation then offers attackers.

This, according to Perche, was one of the driving forces behind last year’s launch of the Fortinet Security Fabric:

This pulls together all the various tools, technologies, and devices into a unified whole with single pane of glass management environment. It has a single network operating system and everything, including third party devices, can work with a single source of threat intelligence. We have made the API for it widely available to the industry and many of the big names in cybersecurity now work with it.

Practicing best practices

The underpinning of all compliance issues, of course, is the application of security best practices, and getting all staff to accept that this is a 'good thing'. Fortinet's Senior Solutions Marketing lead for EMEA, Ronen Shpirer, took the seminar through six of them that, he suggested, form the best platform on which businesses can build a sound cyber-security environment. The first of these is knowledge of issues such as what constitutes the weakest link in the security chain of any business:

That is usually people. They are the source of 98% of incidents and breaches, according to a recent Verizon survey, and they are also the first line of defence. So businesses must invest in security awareness training.

The second best practice is software patching, and even with automated systems this still does not always happen, he suggested. And the problem can be huge: for example, this past October there were 192 patches from Microsoft alone. Even after well-publicised attacks, systems remain unpatched for many weeks, so many businesses are still at great risk.

Third up is segmentation, where he suggests the traditional model is now something to be wary of. The traditional dichotomous security model, in which everything is either trusted or untrusted, is based on the notion that trusted services are usually inside the organisation, while everything else is outside, and untrusted:

This has been the norm, but technology and operations have moved on. The modern exploit kill chain now includes an element of exploiting something, such as previously uploaded malware, that is already internal to the business.

This pattern of uploading malware and not using it until much later means that all resources must now be accessed in a secure manner, usually on a 'need to know' basis, where everything must be verified and nothing trusted by default. So all traffic must be logged and inspected, with networks designed from the inside out.
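The difference between the two models is easiest to see side by side. The following is an added example, not code from Fortinet or from the article: a perimeter-style decision that trusts anything arriving from an internal address, next to a per-request 'verify, never trust' decision that checks identity and a need-to-know entitlement for every request and writes an audit line for each. The address ranges, users, resource policy and the four sample requests are all constructed; `identity_verified` stands in for an upstream authenticator (MFA, mTLS or similar) that is assumed rather than implemented here.

```python
import ipaddress
from dataclasses import dataclass

# Added example; networks, users, resources and requests are constructed.

# Constructed: address ranges the perimeter model treats as "inside".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed need-to-know policy: resource -> user -> permitted actions.
POLICY = {
    "hr-db": {"alice": {"read"}},
    "finance-db": {"bob": {"read", "write"}},
    "wiki": {"alice": {"read"}, "bob": {"read"}, "svc-backup": {"read"}},
}


@dataclass(frozen=True)
class Request:
    user: str               # identity asserted with the request
    src_ip: str             # address the request arrives from
    resource: str
    action: str
    identity_verified: bool  # assumption: set by an upstream authenticator


def perimeter_decision(req: Request) -> bool:
    """Trusted/untrusted model: inside the perimeter means trusted."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zero_trust_decision(req: Request, audit_log: list) -> bool:
    """Verify every request regardless of origin; deny by default; log it."""
    entitlements = POLICY.get(req.resource, {}).get(req.user, set())
    if not req.identity_verified:
        allowed, reason = False, "deny: identity not verified"
    elif req.action not in entitlements:
        allowed, reason = False, "deny: no need-to-know entitlement"
    else:
        allowed, reason = True, "allow: verified identity with entitlement"
    audit_log.append(
        f"{req.user}@{req.src_ip} {req.action} {req.resource} -> {reason}"
    )
    return allowed


# Constructed sample traffic. The second request is the "dormant malware"
# case: it originates from an internal host, so the perimeter model lets it
# through, but the account has no entitlement to the resource.
SAMPLE_REQUESTS = [
    Request("alice", "10.1.2.3", "hr-db", "read", True),
    Request("svc-backup", "10.0.5.7", "finance-db", "read", True),
    Request("bob", "203.0.113.9", "finance-db", "write", True),   # remote worker
    Request("alice", "10.1.2.3", "hr-db", "read", False),         # no auth
]


def evaluate(requests=None):
    """Run both models over the requests.

    Returns a list of (perimeter_allowed, zero_trust_allowed) pairs and the
    zero-trust audit log, one line per request.
    """
    if requests is None:
        requests = SAMPLE_REQUESTS
    audit_log = []
    results = [
        (perimeter_decision(r), zero_trust_decision(r, audit_log))
        for r in requests
    ]
    return results, audit_log


if __name__ == "__main__":
    results, audit_log = evaluate()
    for req, (perim, zt), line in zip(SAMPLE_REQUESTS, results, audit_log):
        print(f"perimeter={perim!s:5} zero_trust={zt!s:5}  {line}")
```

The two models disagree on the second and third requests: the perimeter model admits the compromised internal host and rejects the legitimate remote worker, while the per-request model does the reverse. Logging the reason alongside the decision is what makes the later inspection the text calls for possible.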

The fourth best practice is the need to automate protection against the unknown. This means using sandboxes to test everything remotely suspicious, and this should be an automated process: if incoming content is suspected of being malware, it is sandboxed and exercised there. And if malware is found, all access points of the corporate network, such as branch offices, are informed and access to the source is immediately blocked across the whole network.

Up fifth is the need to align security. Enterprises should have a uniform, asset-based security objective, strategy and posture across the business. This includes common security management and common threat intelligence available to all that might ever need it.

Last but not least is that need for common threat intelligence that is available to all, which now means shared widely between different businesses and cyber-security environments. This way, all elements of security can communicate with and update all other elements in order to strengthen overall security.

My take

There is undoubtedly a role for AI in bridging the divide between the cyber-security need for control and restriction of all activity beyond the 'one true path' of best practice operations and user behaviour, and the freedom for businesses to use the inherent operational agility now available in modern cloud-based environments to create better, faster, and wildly exotic new business processes.

It is a safe bet that many of these will break the letter of compliance management law, while in practice opening up new business opportunities. And they will be coming thick and fast, to the point where only AI systems will be able to determine which break not only the letter of the law, but the spirit as well.