Blog

Improve Security and Compliance with SAML

ZenGRC Team · August 12, 2015 ·

If your business operates with cloud-based applications, chances are you have heard of SAML. Despite being around since 2002, SAML is just now becoming a buzzword in the cloud security space. As businesses look to protect their data in the cloud, many are scrambling to understand what security benefits SAML has to offer them. What is SAML and why is it vital for your compliance objectives going forward? Hopefully over the next few paragraphs we can answer these questions for you.

What Is SAML?

SAML, or Security Assertion Markup Language, is a platform-neutral standard that allows for the secure transfer of information over the cloud through the integration of disparate security systems. One of the most important features offered by SAML is single sign-on or SSO, which enables access to multiple web applications through a single user account. A good example of this is Google Apps, where Gmail, Google Calendar and other applications can be accessed through one profile.

Why Use SAML?

As businesses adopt the services of different cloud-based applications, increasing amounts of their data and confidential information are being shared with outside parties though the web. Furthermore, the use of more applications complicates identity management, as users must maintain the security of multiple accounts. With all these increased risks, one may think that utilizing cloud services spells disaster for compliance and security. Thankfully, there is the SAML standard to save the day!

By eliminating passwords and instead using digital signatures for authentication and authorization of data access, the SAML standard immensely improves security and compliance. Identities are never stored or synchronized, which leaves less vulnerabilities for hackers to exploit. Furthermore, with SSO consolidation, employees only need to worry about protecting a single identity and are far more likely to develop enhanced security protocols for this account. As a result, identity management becomes not only more secure, but more straightforward as well and people are empowered to be compliant with security policies.

We have looked to further meet your compliance and efficiency needs by integrating the SAML standard into ZenGRC. We are happy to announce that ZenGRC is now OneLogin, Okta and Ping Identity compatible. Check out the latest release of our product and get compliant today!

Photo Credit: Perspecsys Photos

Changes Are Coming For The Trust Services Principles And Criteria – Are You Ready?

ZenGRC Team · July 14, 2015 ·

This post was originally published on BARR Assurance and Advisory, Inc.

In late 2014, the American Institute of Certified Public Accountants updated the criteria for the Trust Services Principles related to security, availability, processing integrity, and confidentiality (most commonly reported out using SOC 2 and SOC 3).
Soon, there will be even more updates as proposed in the recent exposure draft.

The AICPA’s planned revisions will look to further clarify the criteria and eliminate redundancy while reflecting how much change is occurring in the technology and business environments. These changes may initially seem like a lot of added work on your end, but they are necessary improvements that will actually make your life easier once they go into effect in spring 2016.

What exactly is changing?

The changes enacted in 2014 overhauled the 2009 TSPs by creating criteria common to all of the principles (CC) as well as specific, incremental criteria for the availability principle (A), the processing integrity principle (PI), and the confidentiality principle (C).

However, the 2014 changes excluded any updates to the privacy principle. So, the next set of updates will strip out redundant legacy privacy criteria until only the incremental criteria are left.

The three most significant changes proposed in this round of changes include:

Restructured privacy criteria. The updates present additional criteria for the privacy principle that include illustrative risks and controls related to privacy (e.g., notice, choice and consent, collection, use, retention, disposal, access, disclosure, notification, quality, monitoring, and enforcement). The Generally Accepted Privacy Principles can still be leveraged as a management framework for protection and management of personal information.

Calling out risk management. The 2016 version calls for more specific risk management practices than before. This includes third party risks, customer identified risks, and emphasis on having processes in place to address risks that are identified internally.

New confidentiality criteria. The updates also require a more robust emphasis on the data lifecycle to specifically call out confidential data retention and disposal commitments and requirements.

What do these changes mean for you?

Changing up your routine can be annoying, but these updates are good news and won’t require too many adjustments on your end. They’re largely cosmetic, and in the end, they’ll only make reporting easier.

To prepare for the updates, be sure to review your current exchanges and reports. Don’t be afraid to ask for help. If you aren’t already reporting on privacy, you might want to consider beginning to do so if you gather personal information directly from end users. And if you’re already doing a SOC report, these updates will make it easier to add to what you’re already doing.

The 2016 updates will allow for greater clarity for organizations that report on the privacy principle as this is typically the most complex principle for organizations with geographically diverse users.

The changes also recognize the continued need to evolve risk management practices, and they are a good reminder for organizations to evaluate their own risk management methods. Are you just blocking and tackling your way through security? Are you merely compliance driven? Or are you truly being proactive in managing your risks and your third party risks? Reflect and act upon these questions in addition to reviewing the changing criteria.

These changes are expected to go into effect for reporting periods ending on or after March 15, 2016, but there’s no point in waiting until then to take action. Early adoption is permitted, and doing so will ensure a smooth transition.

ZenGRC includes SOC2 preloaded content and updates, click here to find out more.

The Changing Risk Management Landscape

ZenGRC Team · July 6, 2015 ·

This post was originally published on TechSling.

Security breaches in every industry are all over the news these days, and companies are becoming more mindful of the need for compliance and risk management. As a result, they’re putting their cloud service providers under a microscope.

But the business world is changing. The fixed cost model is fading as subscription-based services thrive. Speed and system availability are necessary to a successful business, and these qualities take precedence over fancy, complex features.

Customers are evolving as well. If you don’t know what I’m talking about, shut down a teenager’s Twitter handle for a few minutes. The teenager of the ’90s was OK with waiting an hour for a song to download on Napster, but times have changed. Today’s consumers have no patience for downtime because of a “security issue” — or any other reason, really.

Companies rely on the services they offer to keep their products in demand. One false move or a few bad press items can lead to a failed company. Sixty percent of the time, organizations can be compromised within minutes, yet companies sometimes take weeks or months to discover a breach, according to the latest Verizon Data Breach Investigations Report. Such discrepancies aren’t going to be an acceptable norm when the compromise impacts customers.

Discover Risks More Quickly

One reason discovering issues takes so long is that there’s just too much data to analyze. Risks and security incidents used to be manageable on a case-by-case basis, but that approach doesn’t work anymore. Incidents are more complex, interdependent, and non-linear.

Traditional information security triangles include confidentiality, availability, and the integrity of the systems and data. Better risk management allows for a faster intake of all incidents and events, whether they’re customer- or security-related. However, traditional models typically don’t consider time when it comes to information security, and time should be taken more seriously.

Cloud Concerns

One of the biggest challenges facing security is that most companies rely on outdated legacy systems that are open to vulnerabilities. They can’t keep the systems patched enough to withstand security breaches. However, the benefits of moving an organization onto the cloud — such as speed to market and scalability — bring with them the concern of “the cloud multiplier effect,” which is an increased probability of a data breach.

There’s no such thing as a silver bullet; however, the cloud multiplier effect brought forward the fact that there are opportunities to embrace the cloud to enhance your security posture. The cloud should be a natural extension of the enterprise. You rarely hear of services hosted on Amazon Web Services, Google Cloud, or Microsoft Azure being breached. So the fear of losing control of their data should wake companies up to the reality that security is too complex to try to tackle alone.

Cloud Opportunities

Cloud service providers have the opportunity to alleviate concerns, better define where risks are for their clients, and establish where the shared responsibility for managing security should lie.

All CSPs (not just the big ones) need to be aware of security- or compliance-as-a-service. They need to stay ahead of the risks and provide access to structured compliance documentation (SOC 2, PCI, HIPAA, ISO 27001, etc.), detailed log management to identify security anomalies, data encryption to centralize key management, and internal and external vulnerability scans.

Gartner projects that there will be more than 13 billion connected “things” in the consumer sector alone by 2020. The Internet of Things is just the tip of the iceberg when it comes to why risk management needs to be addressed in every industry.

How to Keep Procedures Up-to-Date and Communicate Security to Companies

Sound risk management helps protect brands, streamline processes, and quantify losses. Security risk management isn’t focused solely on compliance because regulations are usually outdated by the time they’re written down; it uses dynamic controls to link events across multiple disciplines. Here’s how to keep your security procedures up-to-date:

Know customers’ assets. CSPs shouldn’t be responsible for enforcing what data is transmitted to them from customers, but they should have an understanding of how customers classify their data. CSPs should categorize their systems appropriately and understand the impact of any losses in confidentiality, integrity, or availability of customer data.
Layer security. Customers are concerned about how CSPs can protect their information among all the co-mingled data in VM and hypervisor environments. There’s no silver bullet to protect data, but layering security
Secure APIs. APIs should bring better integration to other business applications, which is why OAuth has become a standard. However, insecure APIs and interfaces that rely heavily on outside authentication expose significant vulnerabilities.
Establish accountability and communication. When security events occur, CSPs need to have the tools and processes in place to detect and correct the breaches. They also need to have an organizational structure that keeps pace with emerging security concerns and keeps the company informed. CSPs should communicate frequently with customers to collaborate security across the entire customer base.
Provide independent assurance. CSPs are typically dependent upon their customers and data, which presents unique risks. Customers see great value when CSPs provide independent audit and assurance reporting of their environment.

Protecting your critical infrastructure and business assets from hackers and other threat actors is more important than ever, as they’re becoming increasingly sophisticated. After several large breaches, companies are beginning to take closer looks at their own risk management and compliance procedures, as well as at the approach of their CSPs. Providers that can ensure their risk management and compliance measures are up-to-date will be able to alleviate detrimental effects on their clients’ businesses and establish long-lasting trust.

ZenGRC has new audit functionality and redesigned emails!

ZenGRC Team · June 22, 2015 ·

In ZenGRC version 1.95.1.2, we’ve re-imagined the audit module with deeper, more practical functionality.

Keep track of test plans

We now allow you to assess controls based on their test plan, and create both requests and issues based off these investigations.

When creating and updating controls, you’ll notice a new stock attribute, called Test Plan. This field is important because it gets pulled into control assessment in Audit module when you are ready to create an Audit.

Remediate test plan results

If you open the Audit module and LHN (left hand navigation), you’ll notice 2 new objects:

Control assessments
Issues

Control assessments can be generated in an Audit based off in-scope controls that are mapped to any given program. “In-scope controls” simply mean the controls currently mapped to the program. Control assessments will generate and be mapped to each respective control. You can also create control assessments for cherry-picked individual controls in the Audit/control assessment tab, for any controls outside of the in-scope Program controls.
To generate control assessments for an audit based on your in-scope controls, just go to the In Scope Controls tab and click on the up-arrow to create your list of corresponding control assessments:

Each control assessment will be mapped to both a control and an audit. Depending on the control’s test plan, you’ll want to map other objects such as systems, policies and processes to the control assessment as well, to provide evidence for test findings.

Based on the results of your control assessment findings, you’ll then be able to indicate the effectiveness of the control, for both design and operation.

Track effectiveness of controls

There are 2 stock drop-down menu’s in each control assessment object to track your findings for the design of the test plan and the operational history of the control:

Create Issues and/or Requests

After you indicate the effectiveness of the control, you’ll now be able to not only create requests, but also issues.

Requests remain part of existing ZenGRC functionality. You can upload a PBC list to an audit to batch-generate a list of requests that show up in everyone’s dashboard.
Issues are new objects, and they can be created in 2 ways:

First, within an audit, issues can be created once the findings for a control assessment are documented. Within an audit, issues will always be automatically mapped to its respective control, audit, program and control assessment. An audit-generated issue will also pull the test plan from the mapped control.
Second, you can create issues independent of an audit. These issues can also double as incidents, as they don’t require mappings to a control assessment, program and audit. They can live in your system-of-record independent of those audit objects, and be mapped to workflows for issues tracking and management. They can also be mapped to other issues to show those dependencies.

Possible mappings relationship between new audit objects

An illustration of a mappings possibility with our new audit objects:

Usability improvements

Help modal for the object filter

Use the new these help tips to construct a boolean search. This will allow you to filter down a long list of objects in with more precision:

Ability to close the info panel

From left to right, you can minimize, restore, maximize, or close an object info panel.

Modernized emails

We now send email notifications with HTML design, instead of the simple text emails. This improves readability.

5 Things to Know as You Prepare for a Compliance Audit

Libby Bevin · June 8, 2015 ·

5 Things to Know as You Prepare for a Compliance Audit

This post was originally published on SmartDataCollective.

For most cloud service providers, a compliance audit is, at best, a necessary evil — the root canal of the business world.

Like a root canal, it can be a painful process that you regret about halfway through, even if you know it’s good for you. But just as you can avoid root canals with proper dental hygiene and regular checkups, the pain of compliance audits can be avoided with proper preparation.

You need to see compliance audits as an integral part of your company culture that help maintain standards over each internal control, rather than as an annual nuisance that everyone wants to complete as quickly as possible. By asking the right questions before an audit and making sure your company’s priorities are in order, compliance audits can not only be relatively painless, but also actively beneficial to both your company and clients.

What Does Compliance Mean for a Cloud Service Provider?

Keeping track of multiple internal and external compliance requirements can be taxing for any company, and that’s especially true for cloud service providers (CSPs).

Unlike companies in other industries, CSPs are rarely able to align themselves with one industry vertical, meaning that it’s not always clear which regulations apply to which situations. CSPs can easily find themselves overwhelmed by a multitude of requirements and standards, including those from the PCI Security Standards Council, the Sarbanes-Oxley Act, HIPAA, FISMA, internal audits, privacy protection laws, and customer audits.

This is where the trouble begins. Faced with a host of governing bodies (each with its own set of regulations) and an uncertain path forward, many companies default to a reactive approach. They attack compliance on a departmental basis and wait for issues to come to them. Or on the other extreme, they push paper around trying to prove compliance in every possible area and fail to take into account their own unique risks.

At the extremes, companies end up focusing on the wrong priorities, sending compliance auditors down rabbit holes and making themselves vulnerable. CSPs can’t approach the compliance audit process with a check-the-box mentality. This will only lead to false positives. Rather, they need to evaluate their unique risks and figure out how compliance can mitigate those risks.

In a practical sense, this means that CSPs need to adopt a unified compliance policy that focuses on long-term solutions, not short-term Band-Aids. If they have sound assurance and policy practices already in place, they should be able to tackle most compliance issues across different service lines and industry verticals. And by working to mitigate risk first and foremost, a company can align its priorities and figure out what regulations it needs to adhere to.

Key Questions to Ask Before a Compliance Audit

Once you have the right structure in place, your compliance initiative will become a regular business process. With a better understanding of your own goals, you can arm yourself with the right questions well before the compliance auditor comes. This way, you’ll get the most out of the process. Here are five key questions you need to ask yourself as you plan for your audit:

1. What is the scope of the audit? Because there are so many paths an audit can go down, it’s important to be aware of scope creep. Make sure you understand things such as your key systems and range of IP addresses ahead of time so that you aren’t casting your net too wide. And avoid getting caught up in industry jargon by focusing on how the audit will impact your end users. As a starting point, consider mapping out a data flow diagram for key business processes.

2. Have the findings in previous audits been corrected? Why or why not? If you’re going through audits and finding the same compliance issues year after year, then the audit isn’t serving its purpose. The sooner you find out what is stopping you from correcting these issues, the easier subsequent audits will be. And if you undergo an audit and find zero issues, then you’re probably spending too many resources on compliance without a balanced focus.

3. How will you handle the results of the audit? Think about how you’ll assign responsibility for prioritizing and resolving issues that come up during the audit. And make sure you have a plan in place for addressing problems identified in the last audit report and incorporating them into a continuous process of monitoring and improvement. The results of your audit should reverberate throughout the company for a long time to come.

4. Is there proper management in place to make sure the audit moves efficiently? Although the results might reverberate long after the audit is over, the audit itself should not last forever. Clearly communicate your business needs in the context of your audit plan, and ensure your audit firm knows how to handle issues as they arise — whether those are issues identified during the audit or challenges with reaching milestones.

5. How will the audit affect the bottom line? If you’re spending money on an audit, make sure you’re making back that money in other ways. How will the audit help increase revenue or reduce costs? How will it manage your risks? An audit is more than just something to get out of the way; it’s an opportunity to improve the way your business runs.

Regulatory compliance — regardless of whether you agree with the regulations — should be seen as a key differentiator, not a drain on resources. With the right approach, an audit can be more than just a way to find out what you’re doing wrong; following audit procedures can illuminate the way forward.