How Clients Are Using Regulations to Springboard Organizational Change
IBM Champions for Power Systems Felipe Bessa, Torbjörn Appehl and Dmitry Mironov share how their organizations overcome compliance challenges.
By Dmitry Mironov, Felipe Bessa, Torbjörn Appehl | 01/01/2019
Security-related regulations can sometimes be viewed as a drag on company resources, with CEOs, CIOs and IT departments having to dedicate valuable time to ensure strict compliance. But not having these regulations would lead to a nightmarish landscape of security, privacy and operational disintegration—an implosion of basic data governance.
Indeed, regulations can be beneficial to businesses that take them seriously. Compliance is almost like a Good Housekeeping seal of approval, proving to customers and business partners that companies aren’t taking any chances with their data. And from a bottom-line perspective, compliance can help organizations avoid substantial fines should a security breach occur.
The hows of compliance can sometimes be mysterious, especially if a company doesn’t have the proper tools in place to assist with and automate much of the compliance process. That’s why IBM has created solutions such as IBM PowerSC* security and compliance and IBM PowerVC* virtualization that can remove much of the complexity of becoming and remaining compliant with the alphabet soup of regulations (some of which are described here) currently being enforced.
To help remove compliance hesitation due to compliance confusion, we spoke with two IBM Power Systems* clients and an IT-services provider who’ve gone through the process. Although their journeys to compliance may not exactly mirror those of others, they’re proof that regulation compliance doesn’t have to become a dreaded chore.
Compliance and the Insurance Industry
I work for a large insurance company. We use the IBM Power Systems platform to support our core SAP systems, and in an ongoing effort to improve support for our business, we’ve always aimed to maximize the use of all available resources. To achieve this goal, we’ve done an in-depth analysis of our processes, tools and competencies.
We started from the assumption that we needed to implement the best practices defined by manufacturers of the solutions that we use to support our IT operations, but we also needed a method to apply the necessary changes and control compliance. When we first began, we didn’t have all of the tools we needed—so guess what we did? Yes, we started using spreadsheets. Obviously, this wasn’t the best way to accomplish what we wanted; it was time consuming and subject to errors.
Thanks to IBM’s commitment to deliver innovative solutions to its clients, we were happily surprised by two great new tools: IBM PowerSC security and compliance and IBM PowerVC virtualization and cloud manager. With the help of IBM Systems Lab Services, we were able to overcome the following challenges: centralized management and proactive monitoring, best-practices adoption, deployment-standardization improvements, simplification and acceleration of the build process, and the implementation of security and compliance requirements.
We’ve modified our build process by defining a Standard Operating Environment (SOE) with all necessary adjustments to our use cases, as well as automation through PowerVC virtualization. The images we use today are secure by default, and to achieve this, we used IBM PowerSC security and compliance to build, test and apply a custom profile to meet our security requirements. Yes, we used spreadsheets for control, but now we use the IBM PowerSC GUI as our single pane of glass for IBM Power Systems platform security.
In our cloud adoption, we’re seeing the transformation of our IT environment into something increasingly hybrid, and to reduce risks even more, we decided to take a step forward and now we are implementing CIS controls to increase cyberdefense. To achieve this, we’re evaluating the possibility of using PowerSC to automate the application of CIS benchmarks—configuration guidelines to safeguard systems against cyberthreats.
Being in compliance can be a transient state, and we’ve realized we have to know why our systems are compliant and why they aren’t. And now we can!
Felipe Bessa is an IBM Champion for Power Systems and IT specialist with a leading South American insurer.
Having Full Control of Your Data
I’d say the overall maturity level involving security in the Nordics and Europe in general is still quite low. But new regulations such as the European Union’s General Data Protection Regulation (GDPR) and the Clarifying Lawful Overseas Use of Data (CLOUD) Act—in combination with several security-related scandals—are now forcing companies to think about why they store data, where they store it and who can access it.
When it comes to IBM i, most things are still on a very basic level—like using the QAUDJRN security audit journal—but the interest surrounding solutions such as PowerVC virtualization is growing rapidly as the demands for securing data are growing and the complexity of meeting those demands increases. For example, auditing everything on a system is easy, but to find out all the evil things an employee may have done in the system eight to 14 months ago is very difficult if you’re not using the proper tools.
Also, it’s still too easy to fool auditors—“Are you logging everything?” As someone said during the IBM Technical University in Rome last October, “Torbjörn, if auditors knew what we could do to a system, we would all be in prison.” The good thing is, if you have full control of your data, you’ll have an easy journey, no matter which regulation you’re dealing with.
Torbjörn Appehl is a compliance assurance partner for CGI Sweden.
Compliance Doesn’t Need to Be Complex
I like compliance audits—and I’m not even preparing for their passage. Sound strange? Let me explain. I work for a large financial institution that has to comply with a lot of requirements, both local and international, like Basel III, GDPR, PCI DSS, etc.
During dialogues with auditors, I often surprise them with the standard features of AIX*. For example, I was once asked which monitoring events would arise if I changed the file protected by the integrity control system, and they were very surprised when I showed that it was technically impossible. Trusted Environment technology truly ensures system integrity without any compromise. The demonstration of role-based access control (RBAC) opportunities caused another respectful nod. I emphasize that these aren’t part of a special enhanced version of AIX, but standard features.
If you have many instances of the OS and need to ensure full control of their compliance, the best way is to use additional software such as IBM PowerSC. Usually, the auditors have no further questions after I demonstrate this.
But I want to warn readers about two common mistakes: First, while you may have powerful and flexible tools, they require fine-tuning, testing and maintenance. There’s no security out of the box.
Second, remember my first statement, that I’m not preparing for audits. This is because ensuring compliance isn’t a test for which you can quickly prepare, pass and forget until next year. This is an ongoing process, starting from planning and then going through the entire life cycle. The system should be always ready. Remember this and explain it to your colleagues.
Here’s an example of how I work with compliance standards. I carefully read the document and mark the requirements. Then I align them with the IT platform settings. This is the basis for the system configuration policy. I regularly carry out manual policy checks—not relying just on automated tools. Of course, when a standard is updated, you’ll have to run the whole cycle again—but it’s worth it.
IT security and compliance are complex processes. Use modern technologies, read books, learn best practices and you’ll succeed.
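The requirement-to-setting cycle described in this section (mark the requirements in the standard, map each to a platform setting, check the platform against that policy), as an added example from the editor; it is not the author’s code or a PowerSC profile, and the requirement IDs, setting names and observed values are constructed for illustration:

```python
"""Requirement-to-setting compliance check (added example, not the article's code).

Every pass or fail is traced back to a requirement ID, so the report answers
"why is this system compliant, and why not?" rather than just "is it?".
Requirement IDs, setting names and observed values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    req_id: str      # reference into the standard (constructed, e.g. "PW-01")
    setting: str     # platform setting this requirement was mapped to
    op: str          # comparison: "eq", "min", "max" or "in"
    expected: object
    rationale: str   # why the requirement maps to this setting


# Constructed policy; setting names only mimic typical login/password attributes.
POLICY = [
    Rule("PW-01", "minlen", "min", 12, "minimum password length"),
    Rule("PW-02", "maxage", "max", 13, "maximum password age in weeks"),
    Rule("PW-03", "loginretries", "max", 5, "lock account after failed logins"),
    Rule("AUD-01", "audit", "eq", "on", "system auditing enabled"),
    Rule("TE-01", "te", "in", {"on"}, "integrity checking enforcing"),
]

# Constructed snapshot of what was collected from a system ("audit" is missing).
OBSERVED = {"minlen": 8, "maxage": 13, "loginretries": 3, "te": "on"}


def evaluate(rule: Rule, observed: dict) -> tuple:
    """Return (status, reason); status is "pass", "fail" or "unknown"."""
    if rule.setting not in observed:
        # A setting that was never collected is not evidence of compliance.
        return "unknown", f"{rule.setting} not collected; cannot claim compliance"
    actual = observed[rule.setting]
    ok = {
        "eq": lambda: actual == rule.expected,
        "min": lambda: actual >= rule.expected,
        "max": lambda: actual <= rule.expected,
        "in": lambda: actual in rule.expected,
    }[rule.op]()
    reason = f"{rule.setting}={actual!r}, required {rule.op} {rule.expected!r} ({rule.rationale})"
    return ("pass" if ok else "fail"), reason


def check(policy, observed) -> dict:
    """Map each requirement ID to its (status, reason) pair."""
    return {rule.req_id: evaluate(rule, observed) for rule in policy}


def is_compliant(report: dict) -> bool:
    """Only an all-pass report counts; "unknown" is never treated as a pass."""
    return all(status == "pass" for status, _ in report.values())


if __name__ == "__main__":
    for req, (status, reason) in check(POLICY, OBSERVED).items():
        print(f"{req:7} {status:8} {reason}")
```

Re-running the check whenever the standard or the snapshot changes gives a per-requirement trail of what passed, what failed and what was never measured.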
Dmitry Mironov is an IBM Champion for Power Systems and a Power Systems expert with a large Russian financial institution.