The Three-Sphere Circus of Compliance

Schellman senior manager Eric Sampson comments on the challenges of meeting cybersecurity compliance mandates -- is it a juggling act? Read a portion of the ebook below, or download it in its entirety on the SC Media website.

By Evan Schuman

Ever-changing rules, corporate landscapes, and supply chains put compliance mandates always in play. Juggling those variables make the CISO’s compliance requirements a moving target. Evan Schuman explains.

When wrestling with compliance requirements, CISOs often feel like they are a performer in the middle of a three-ring circus, rapidly trying to juggle sharp knives. No matter how fast or perfectly they juggle, there is an assistant, or in this case regulator, behind the curtain constantly throwing out more and more knives, each one larger and more deadly. But instead of knives, the real enterprise CISO juggling acts are spheres of compliance.

The horror of cybersecurity compliance can be viewed as two or three rotating spheres, each orbiting around another.

The first sphere represents the rules, the constantly morphing set of geographical and vertical compliance requirements from around the globe. Sometimes these rules and regulations can contradict one another, adding an additional layer of headaches and challenges for the CISO.

The second sphere is the enterprise itself with its own compliance landscape changing weekly. Changes might come as the company launches new products, changes its business practices, or moves into and out of different geographical areas and verticals (perhaps through mergers, acquisitions, and division sales), which itself can change the compliance rules that its CISO must address.

The third sphere, which applies to a smaller percentage of companies, includes a company’s customers as they move in and out of different verticals and locales and what data they choose to store with you. For example, if a retail market chain client of a hosting company were to acquire a drug store that held customers’ personal health information and started storing that data on the host’s site, that hosting service would be required to meet a variety of different compliance requirements that it previously might not have been required to meet. If the client does not inform the hosting provider of the new data stored on its servers, the provider could be out of compliance and vulnerable to lawsuits.

With apologies to IBM, one can think of this as compliance’s Sphere, Uncertainty and Doubt — the SUD factor. The task of tracking where all spheres are at any one point faces a number of hurdles, including internal politics (another business unit not promptly sharing plans that will impact compliance), conflicting legal interpretations of both rules and contract language with contractors, and technological obstacles, especially with cloud, mobile, and internet of things (IoT) environments.

Not all compliance executives surrender to this compliance insanity, although many are tempted. 

“If you take compliance to [mean] just checking the box, well, it’s one step above negligence but it gets you the certificate.”

“I choose not to focus on the compliance nightmare. Go ahead and have your 30 seconds of self-pity and move on. You’re not going to beat Goliath here,” says Christopher Rogers, the deputy CIO and global security officer for consulting firm Sykes. “If you take compliance to [mean] just checking the box, well, it’s one step above negligence but it gets you the certificate.”

“We get so many requirements, we can’t make sense of them,” says Doug Graham, CISO and chief privacy officer for AI testing at the translation firm Lionbridge Technologies Inc. of Waltham, Mass.

Graham points to the European Union’s General Data Protection Regulation (GDPR) as an example. Although the EU has published a version of GDPR, that might well not be the rules with which many companies will have to comply. The EU is giving every member country the ability to modify GDPR however it chooses. That means that, as a practical matter, companies will have to comply with as many versions of GDPR as there are EU countries where it has employees, contractors, or customers. Officially, there’s no guarantee that every EU country will opt to make changes, although many might select that option.

“There are clear areas where countries are encouraged to go their own way,” Graham says, adding that there are also situations where the baseline EU flavor of GDPR will be dominant. The best route to try and keep up, Graham says, is to decentralize the compliance officer role and embed compliance specialists within as many key business units as practical.

Many companies on the Fortune 500 list and their comparably-sized private counterparts are gradually shifting an increasingly large percentage of their data off-premises and into the cloud. It is not surprising that the cloud poses some of the most curious compliance challenges.

One of the more daunting challenges is that cloud platform staffs — especially the megacloud service providers where a large percentage of Fortune 1000 sized-companies purchase services — will make multiple settings and configuration modifications daily without informing corporate tenants. Cloud providers likely will stress that they are compliant with a wide range of geographic and vertical requirements, and this is typically true.

However, the cloud vendor being compliant with the Payment Card Industry Data Security Standard (PCI), Health Insurance Portability and Accountability Act (HIPAA) or GDPR is very different from offering an environment that guarantees that same level of compliance for tenants.

Each tenant has a different compliance landscape so each tenant’s CISO must make their own compliance determinations. That means that these megacloud providers cannot know how even a minor, seemingly innocuous setting change could impact the compliance efforts of a Fortune 1000 tenant.

One possibility is that one of these cloud companies might opt to position themselves as the compliance-friendly cloud provider as a competitive differentiator. They would then compile a daily list of every setting/ configuration change from that day and share it with all tenants, either via an email blast or having that day’s document of changes accessible via a secure page on their site.

Even if a major cloud vendor opted to share all that data, there still is the issue of every change made by the cloud vendor’s many subcontractors, including backup and disaster recovery services. In order to pursue full compliance, every tenant would also need to know every change made by every subcontractor. And so, as each modification in the supply chain becomes just another line item in this ever- expanding nightly list, the nightmare gets worse.


The Janus effect

Ancient Romans might well have considered dealing with today’s compliance as the Janus effect, named for the god of doorways, beginnings and endings. Rogers says that he often finds cloud provider compliance can make compliance far more difficult given communication issues, but that they can also make compliance easier given the superior security mechanisms many of the largest vendors have in place.

Rogers notes that even with notice from vendors change is never easy. “Microsoft Azure gave us about an hour’s notice that they were going to do some significant patching. There was no request that we approve it, nor any understanding of how long it would take. It was ‘Here it is. You need to deal with it.’ I am losing control of my ability to directly influence my environment,” he says.

“We ask our cloud vendors where they can provide [compliance] attestations and where they can’t,” Rogers says, adding that he has seen some improvements over the years. “In the early days of Office 365, we couldn’t get attestations from Microsoft."

As for the suggestion that a cloud vendor might share more details about their environments, along with those of third parties they have retained, Rogers was supportive but not optimistic. “The request is not unreasonable, but the reality is that it is not going to happen, unless you’re a Netflix. It would mean that every time they patched, changed connectivity, [it would have to be reported to tenants]. These companies are massive and to just share the standard operational details, the level of small and medium changes are going to be almost constant.”

Rogers’ quip about Netflix reflects the practical concern that many security specialists share: Negotiating with cloud vendors is a matter of clout and size. Is the cloud vendor larger than the customer? How much does the cloud vendor want that particular piece of business? The idea that a cloud vendor might share this very lengthy list of details with every enterprise tenant is highly unlikely, he believes.


Managing responsibilities

Security compliance specialist David Deckter, a partner with the Edgile consulting firm of Austin, Texas, where he leads Edgile’s governance, risk, and compliance practice, suggests CISOs simply list out everything handled by the enterprise versus the cloud vendor — and all of the cloud vendor’s contractors and subcontractors — in order to have a better sense of who is supposed to handle what.

“Define the stack, and by stack, I mean all the different topics that will come up, including network change management, network configuration, firewalls, operating system config, OS patches, etc. You define your full stack and that is your entire universe,” Deckter says. “I, as the tenant, have control over only these subsets. And here’s what the vendor manages. I am forced to rely on the [cloud] SOC (security operations center).”

As for sharing all the specific changes, Deckter also finds that highly unlikely. He cites Microsoft Exchange email as an example. “Do you think that Microsoft is going to let one of their customers fiddle with the firewall rules and the network configurations?”

The suggestion is not changing anything, but merely being aware of what has changed.

"If Amazon makes a change with a subservice organization, are they going to report on it? I’m not sure they would."

“If Amazon makes a change with a subservice organization, are they going to report on it? I’m not sure they would,” says Eric Sampson, senior manager of Schellman & Company, a security and privacy compliance assessor.

Another critical compliance issue with cloud platforms is the cloud subcontractors specifically. “In the banking world, you need to know who your fourth parties are,” Deckter says, in order to comply with the Office of Foreign Assets Controls (OFACT) sanction list. “Perhaps you can’t do business with Venezuela or Syria. You need to understand the geography of where your work is taking place,” he says, pointing to various data sovereignty issues.

“Cloud providers have global operations. You might have contracted with company X with a U.S. domicile [but] they have operations and staff sitting offshore. Who is doing the administration of your system? Where are these people? And who has access to your environment?” 

Deckter argues that many CISOs are not negotiating for the appropriate rights in cloud contracts, such as disclosing fourth-party details. Another Deckter concern is the right to audit and what exactly the cloud vendor considers to be an audit.

“The right to audit clause is one that is frequently missed,” Deckter says, pointing to a third-party review of all service providers. “That’s the first thing you bump up against.” He notes that the cloud vendors will say to CISOs, “Sorry. Go away. You have no right to audit.” More typically, however, Deckter says he sees enterprise CISOs being given contract terms allowing for the right to audit just once a year. That is where the definition of what constitutes an audit comes into play.

Continue reading the ebook on SC Magazine website >>

About the Author

Eric Sampson

Eric Sampson is a Senior Manager with Schellman & Company, LLC. Since joining Schellman in 2008, Eric specializes in SOC, PCI, and WebTrust for Certification Authorities (CA) examinations for organizations across various industries. Eric has over 15 years of experience comprised of serving clients in various industries including cloud and technology service providers, healthcare, and financial services, among others. Eric has led hundreds of project engagements in the areas of SOC, PCI, WebTrust for CAs, HIPAA, Federal PKI, and agreed-upon procedures.

More Content by Eric Sampson
Previous Article
Locking up the 'internet of things'
Locking up the 'internet of things'

A wide range of internet of things connected devices are now required to include reasonable and appropriate...

Next Article
The Year Ahead: Technology and Talent in 2020
The Year Ahead: Technology and Talent in 2020

Accounting Today reached out to a selection of top firm leaders including Schellman's Avani Desai to get th...


First Name
Error - something went wrong!