By Stephen J. Bigelow, Senior Technology Writer
The majority of businesses are affected by regulatory compliance obligations. Some organizations are subject to specific industry regulations, such as HIPAA or PCI, while every publicly traded company must meet Sarbanes-Oxley (SOX) and other general regulations. Although there are over 10,000 different regulations that may affect your client, they all deal with protecting the security of your client's data. Consequently, solution providers must include compliance considerations in any access control project.
The first installment of this Hot Spot Tutorial presented the basics of access control, identities and authentication. The second chapter covered management issues and business considerations for solution providers. This final section focuses on compliance considerations for access control.
Access control compliance demands
Access control projects can be challenging for solution providers. Successful implementation involves the deployment of physical technologies and the configuration and management of rules and policies. The resulting system must meet the compliance regulation requirements affecting the client's business. "I can't think of one specific compliance regulation that does not include access control," said Robi Papp, strategic accounts manager with Accuvant Inc., a nationwide security consultancy based in Denver. "The compliance frameworks all have a specific section on authentication and access control."
Compliance regulations don't affect the selection and deployment of access control technologies or the configuration or management of the resulting system. Rather, it is the end result of the access control project that must stand up to compliance scrutiny. For example, a regulation may require the inclusion of access controls and delineate the objectives of that resource, but will not specify particular products or configurations. Solution providers are free to accommodate the unique circumstances of each customer -- as long as the resulting access control system meets the goals of each compliance regulation.
Solution providers engaged in access control must know and understand the needs of each regulation as well as the needs of the client -- a difficult goal for even the most seasoned channel professionals. Providers must also be able to resolve potential conflicts between overlapping regulations, often defaulting to the "lowest common denominator" between regulations. For example, if a client is affected by three major regulations, each with different auditing periods, the provider may select the most frequent auditing period in order to satisfy all of the regulations.
Solution providers must know compliance law and the potential penalties their clients face. Many providers employ a lawyer to clarify compliance liabilities. "It's an area where you just can't be a technologist; you have to dig in and understand the legal ramifications," said Dave Sobel, CEO of Evolve Technologies, a solution provider in Fairfax, Va. Sobel said that knowledgeable legal counsel benefits both the provider and the client. "In general, protecting your customer and protecting yourself do not have to be mutually exclusive," Sobel said. "In this area, they certainly align very closely." Many providers choose to work with companies that specialize in compliance, auditing and the legal aspects of corporate governance.
Governance, risk and compliance (GRC) tools help map internal business controls and processes to regulatory requirements, allowing providers (and their clients) to identify anomalies that can be addressed. Some notable products include Archer Solutions from Archer Technologies, Polivec EGS from Polivec Inc., Paisley Enterprise GRC from Paisley, GRC software from Kazeon Systems Inc., and the ControlPath Compliance Suite from ControlPath Inc.
Access control compliance liabilities
So what happens if your client fails a compliance audit or suffers a security breach through access controls that you configured? The specific liabilities faced by solution providers are difficult to gauge because there are many factors involved, and statutes can vary between locations around the world. "By acting as a knowledgeable trusted advisor, you are providing guidance to your customers, and they are going to leverage that -- and potentially expose you to risk," Sobel said. A solution provider should consult with legal counsel for guidance in all aspects of business liability, but there are some considerations that can help to mitigate your risks.
As a solution provider, recognize any gaps in your collective experience or skill set that may expose you to liability. Most solution providers have little tangible expertise with compliance issues, and this should be taken into consideration when pursuing proposals for work. "I can guarantee the first time a customer misses their compliance [audit] because of some solution you sold them, they'll either want their money back, they'll want more services, or they certainly won't work with you again," said Andrew Plato, president of Anitian Enterprise Security, a security solution provider headquartered in Beaverton, Ore.
Some solution providers address deficiencies by recruiting staff engineers that specialize in certain compliance regulations, while other providers look outside their organization. "If solution providers feel they're not in a position to be compliance experts, go out and find a firm that is and partner with them," Plato said, noting that clients can perform in-house "self-certifications" for routine compliance checks, but it's best to engage an independent firm to provide an audit that is free from any internal bias that a solution provider may have. Full compliance audits should occur at yearly intervals unless there is a breach or some other event to trigger additional auditing.
Some experts recommend more aggressive auditing criteria. "Audits should be conducted at least semi-annually, whenever compliance mandates or requirements change, whenever staffing changes, whenever technology infrastructures are upgraded, or whenever applications are developed and introduced into the organization," said Allen Zuk, president and CEO of Sierra Management Consulting LLC, an independent technology consulting firm.
Rely on your contract or work agreement to outline your obligations and limit liabilities wherever possible. It's crucial to define obligations so that they can be delivered adequately. "You want to be very clear," Sobel said. "That's what a service agreement is for -- to define those obligations." Along with a well-developed work agreement, solution providers should generate and retain project documentation that outlines the work performed and the reasons behind it. Documentation can be key evidence in litigation. "That is what the courts will look for in terms of intention around what was done," Sobel said.
Plato argued that solution providers should shoulder none of the liability, placing the onus on the clients themselves to ensure that their interests are being met. "If Joe's Networking Services doesn't do a good job implementing controls for compliance, and the client doesn't make PCI compliance, the auditor doesn't care that Joe did a crappy job," Plato said. "It really falls on the client to make sure that their service providers are doing a good job."
Revenue opportunities for access control and compliance
Solution providers can generate revenue during the assessment and deployment phases of access control implementation. The setup of rules and policies is included with deployment, though providers can realize additional revenue through periodic configuration reviews and routine maintenance of the access control logic.
There are also revenue opportunities in log auditing and compliance auditing services. Log auditing involves reviewing reports and log data generated by the access control system. The goal is to identify improper configurations (e.g., users or groups that have been granted unnecessary or excessive rights) along with anomaly investigations that look for users attempting to access inappropriate resources. The results of those analyses can translate into new update work, or feedback to the client for their corrective action.
There is also demand for audit work focusing on compliance issues. "There are also quite a few smaller, niche players that focus solely on the compliance auditing aspect with a core specialty in information security, which encompasses access control," Zuk said. Both clients and general solution providers will partner with these specialists to verify compliance. However, compliance auditing work requires solid analytical and assessment skills, along with a thorough grasp of the compliance mandates affecting the client.
Regardless of the audit type, clients must understand the amount of remediation that the solution provider will provide -- this can be critical in terms of compliance. "If you want a provider to come in and audit against a certain compliance framework, they may not charge a lot, but they might not help you remediate your issues," Papp said. "Clients will go for the lowest price, but then they're not satisfied with the work." Since many clients (especially clients in the SMB space) may not have the expertise or credentials to perform compliance audits themselves, it is a wise investment to engage a provider that can also correct deficiencies.
This was first published in December 2008