Obscure Technologies Blog

Solve remote working headaches with compliance intelligence

Written by ITWeb | Oct 21, 2020 10:00:00 PM
Karl Fischer, Automation Lead, Obsidian Systems.

We can pat digital technology on the back for helping make the jump to remote working. But it was a rushed transition, with little time for managing those changes and their ripple effects. Now that things are starting to settle, it's necessary to revisit those areas that took the strain of the change, including technology compliance.

Compliance already demanded a lot of IT's time, and it's likely to now be a much tougher nut to crack. Karl Fischer, Automation Lead at Obsidian Systems, even wonders if companies will be able to complete their compliance audits in 2020: "I'm not sure how companies will be approaching their IT audits this year. It's an exercise that could already take weeks, and that was when everyone and everything that impacted compliance was within close proximity. Now you have all that distributed along with employees, not to mention a whole bunch of new configurations created to support remote working."

Cyber crime, as well as data laws such as POPIA and GDPR, already place pressure on compliance. Gradual migrations to cloud providers are also straining the ability to ensure compliance is applied equally everywhere. These issues have sparked a big appetite for compliance solutions, but also just as many unqualified claims that technology can resolve it all. Some solutions go as far as to say their technologies can solve POPIA and GDPR enforcement, which is not accurate. Good compliance remains a very human problem.

Observe and report

Compliance can't be solved by technology alone because it is such a mercurial and moving target, said Fischer: "You might have dealt with existing compliance issues, but then you introduce new machines. Your new stuff isn't compliant, even though you fixed the old problems, because you didn't have a decent policy of publishing all these changes across your entire infrastructure."

The crux of the problem is that we confuse reporting with observability. Reports are generated and reveal issues after the fact. This approach was sufficient in less-complex IT environments. But modern systems require more active attention, causing massive demands on IT teams, and now remote working threatens to break the compliance camel's back.

Hence the shift to observability: "You can't wait until an audit to see what is wrong. There are too many moving parts for that. You need compliance intelligence, which means the ability to observe, test and fix things – in an automated fashion, if possible."

Compliance intelligence comes down to regularly scanning your infrastructure and matching those findings to preset compliance and configuration benchmarks. By using a customisable compliance rules engine that frequently audits configurations on the IT estate, any device or appliance connected to a network can report its status. These statuses can be brought to the attention of administrators or even remedied using preset scripts.

Building compliance IP

Making this type of service your own is crucial – cookie-cutter compliance solutions will eventually fall short of what you need, Fischer explained: "If a product claims to take care of GDPR or POPI, you can be certain it won't. Such things aren't fixed by technology. The problem is visibility: can you tell if your policies are being enforced where they should be and whether things are configured correctly? You need compliance observation systems that you can customise to suit your environment. You need to be able to build a type of compliance IP."

The best approach for compliance management technology is the ability to observe and report, and then intervene through prescribed methods. A good compliance management engine should scan devices every 10 to 20 minutes, always hunting for shortfalls. This methodology will help identify immediate issues, as well as build a long-term view of compliance requirements: "Observability is like a weather report, and this can help you protect your business accordingly. If you know there's a storm and hail coming, you can move your car under a roof. The same applies to compliance, which is always shifting. A compliance system that's based on observability gives you that ability to see business impact, create a baseline for your compliance, and makes sure your policies and practices are reflected by everything connected to your network."

If we're not careful, IT teams will be chasing the tracks of compliance for the rest of their days. They were already in that troubling position, but now it's gone into overdrive due to remote working. As companies take stock after lockdowns and into a new reality, they can win big by revisiting how they can observe and manage compliance. They might even get rid of those time sinks when IT people do nothing but audit compliance and generate reports.