Power, Responsibility, Compliance, and Segmentation

Author: Andrew Lowe

“With great power there must also come great responsibility.” – Stan Lee, 1962.

It may not be what Stan Lee was talking about, but this philosophical phrase fits when talking about compliance. It is the compliance department’s responsibility to guide an organization in its pursuit to follow the regulations and/or guidelines set in place by law or by the organization itself. Compliance departments have the ability to enforce change and are sometimes thought to have the power to disrupt workflow. Despite what some may perceive, compliance teams are looking to improve individual department workflows, which in turn helps optimize their organizations.

One of the compliance team’s greatest responsibilities is to define the parameters of the program to be evaluated and audited, known as the scope. Compliance gives organizations an advantage when bidding for contracts and strengthens marketing and public relations. However, compliance is costly, and organizations may not have the budget to evaluate an entire network because of the volume of audit data that has to be analyzed. I am often asked how an organization can scale down its audit scope while supporting an increasing number of compliance frameworks—and without adding analyst headcount.

One approach to the scaling challenge is network segmentation, a network access control technique that uses network devices to isolate the systems and data that fall within compliance parameters on their own portion of the network, so that only that portion needs to be audited. PCI-DSS is an example of where segmentation is useful—even required—because payment processing is only a small portion of most businesses. Payment transactions have no place on the employee work-area networks and should be isolated through segmentation.

Common technologies used to implement network segmentation include firewalls, SD-WANs, Layer 2 or Layer 3 switches, and routers. Beyond enforcing the segmentation itself, the logs from these devices are invaluable to auditors during evidence collection: they show that traffic between segments is actually being controlled. They are also useful for security teams’ hardening efforts and incident response, and for legal teams providing data to insurance companies if a breach does occur.
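As an added example (not code from the article or its author), the script below shows the kind of check an auditor or security analyst would run over firewall logs to turn them into segmentation evidence. It assumes a constructed addressing plan (a cardholder data segment, an employee segment, and a management segment), an assumed policy of which segment-to-segment flows are permitted, and a simplified, vendor-neutral log line format; all of these are assumptions, not values from the article. Accepted flows that cross a boundary the policy forbids are reported as violations, and denied cross-segment attempts are counted as evidence that the boundary is being enforced.

```python
import ipaddress
import re
from collections import Counter

# Constructed segment map (assumed addressing; not from the article).
SEGMENTS = {
    "CDE": ipaddress.ip_network("10.10.0.0/24"),       # cardholder data environment
    "EMPLOYEE": ipaddress.ip_network("10.20.0.0/16"),  # employee work-area LAN
    "MGMT": ipaddress.ip_network("10.99.0.0/24"),      # admin jump hosts
}

# Assumed segmentation policy: (source segment, destination segment) pairs
# that may carry ACCEPTed traffic. Anything else crossing into or out of the
# CDE is expected to be DENYed at the firewall. "OTHER" means outside all
# listed segments (e.g. the internet).
ALLOWED = {
    ("CDE", "CDE"),
    ("EMPLOYEE", "EMPLOYEE"),
    ("MGMT", "CDE"),
    ("MGMT", "MGMT"),
    ("MGMT", "EMPLOYEE"),
}

# Simplified, vendor-neutral log format (assumed): key=value fields.
LOG_RE = re.compile(
    r"action=(?P<action>ACCEPT|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def segment_of(addr: str) -> str:
    """Map an IP address to the segment name it belongs to, or OTHER."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "OTHER"


def parse_line(line: str):
    """Extract (action, src, dst, dport) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("action"), m.group("src"), m.group("dst"), int(m.group("dport"))


def audit(lines):
    """Check firewall log lines against the segmentation policy.

    Returns a dict with:
      violations - ACCEPTed flows between segments the policy does not allow
      denied     - count of DENYed attempts per (src segment, dst segment) pair
      unparsed   - lines that did not match the expected format (to be reviewed, not ignored)
    """
    violations = []
    denied = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        action, src, dst, dport = rec
        pair = (segment_of(src), segment_of(dst))
        if action == "ACCEPT" and pair not in ALLOWED:
            violations.append({"src": src, "dst": dst, "dport": dport, "pair": pair})
        elif action == "DENY":
            denied[pair] += 1
    return {"violations": violations, "denied": dict(denied), "unparsed": unparsed}


# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "2019-05-01T10:00:01Z fw1 action=ACCEPT src=10.20.4.17 dst=10.20.8.2 dport=445",   # employee -> employee
    "2019-05-01T10:00:02Z fw1 action=DENY src=10.20.4.17 dst=10.10.0.5 dport=443",     # employee -> CDE blocked
    "2019-05-01T10:00:03Z fw1 action=DENY src=10.20.4.17 dst=10.10.0.5 dport=22",      # employee -> CDE blocked
    "2019-05-01T10:00:04Z fw1 action=ACCEPT src=10.99.0.3 dst=10.10.0.5 dport=22",     # admin jump host -> CDE
    "2019-05-01T10:00:05Z fw1 action=ACCEPT src=10.20.7.9 dst=10.10.0.12 dport=3389",  # employee -> CDE ACCEPTED: gap
    "2019-05-01T10:00:06Z fw1 kernel: link up eth0",                                   # unrelated line
]

if __name__ == "__main__":
    result = audit(SAMPLE_LOGS)
    for v in result["violations"]:
        print("VIOLATION: %s -> %s port %d (%s -> %s)" % (v["src"], v["dst"], v["dport"], *v["pair"]))
    for pair, n in result["denied"].items():
        print("denied %s -> %s: %d attempts" % (pair[0], pair[1], n))
    print("unparsed lines:", result["unparsed"])
```

Running the script over the sample lines reports one violation (an accepted employee-to-CDE remote desktop flow, meaning the segmentation rule is not doing its job) and two denied employee-to-CDE attempts, which are exactly the kind of evidence an auditor wants to see. The unparsed count is reported rather than silently dropped, because a log source whose format changed mid-period is itself an audit finding.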

It’s a lot of power and a lot of responsibility. Keep the philosophical words of the late Stan Lee in mind and remember that as compliance and/or security specialists, we have great power but also great responsibility for our organizations’ and clients’ data. Network segmentation is important and very useful, but it is only one piece of the puzzle.

Read more about compliance and auditing implementations in my Intelligence Brief. For those of you in the midst of audit and compliance efforts, “Excelsior!”.

The NSS Labs 2019 Enterprise Intelligence Brief on Compliance and Auditing offers visibility into current enterprise requirements for regulatory and guideline frameworks, assessment phases, and clarifying terminologies. The paper is available to subscribers to our Research Library.