The CIO compliance challenge

Johannesburg, 10 Dec 2021
Emile Burger, MD, Micro Focus SA.

There are two things that could see the CIO summoned to the boardroom to explain himself: any major incident that results in downtime, or failing a compliance audit. Emile Burger, managing director of Micro Focus South Africa, says: “Failure to download a patch or having the incorrect posture on an operating system could cause trouble for the CIO.”

Every CIO will have faced compliance and patching issues over the course of their career, along with the auditor and compliance queries that accompany them. It’s the CIO’s responsibility to establish an assessment framework against which vulnerabilities are classified, and anything that’s classified high risk is music to the ears of an auditor. Burger says: “If the CIO hasn’t deployed the necessary patches, and the worst thing happens, then they are responsible, so the onus is on the CIO to do everything in their power to prevent this from happening.”

Alvin Barnard, pre-sales team lead at Micro Focus SA, cites the example of the CIO of a financial services provider who didn’t patch to the right version of an operating system, leaving the door open for a denial of service attack. “This oversight rendered the bank unable to transact, negatively impacting the business from a financial and reputational perspective. Much like insurance, having to patch and be compliant is onerous, but when you need it, it better be there.

“If you ask each vendor who is best suited to patching their software, they’ll say themselves. The problem is that the customer is then faced with an assortment of vendors, all sending through patches. If these can be aggregated into a central place where they’re assessed for vulnerability and deployed accordingly, this makes the CIO’s job that much simpler.”

Doing so enables the low-risk vulnerability items to be deployed in the normal patch cycle, whether that’s biweekly or monthly. If there’s a high-risk vulnerability, it can be deployed immediately because the threat to the business of not deploying it is so much greater.

Barnard goes on to emphasise: “Bringing data from all providers into a central point and being able to visualise potential risk and the resulting impact on the environment, then making informed decisions, is key. Items can be remediated within the normal cycle but you also have the ability to identify something that requires immediate remediation. You also need visibility of threats and the success of remediation across all vendors in a central point.”

Alvin Barnard, Pre sales team lead, Micro Focus SA.
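The triage described above (aggregate every vendor’s advisories in one place, classify each by risk, push high-risk items out immediately and leave the rest for the normal cycle, and keep a central view of what is outstanding per vendor) can be sketched in a few dozen lines. The following is an added example written for this article, not Micro Focus code or any vendor’s feed format; the vendor names, advisory ids, hosts and the cycle anchor date are all constructed.

```python
"""Risk-based triage of patch advisories aggregated from several vendors.

Added example (not Micro Focus code). Merges per-vendor advisory feeds into one
central queue, classifies each item by CVSS band, and assigns a deployment
window: critical/high items are due immediately, everything else waits for the
next scheduled patch cycle (biweekly or monthly).
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample feeds: vendor names, advisory ids and hosts are made up.
VENDOR_FEEDS = {
    "os-vendor": [
        {"id": "OSV-EX-001", "host": "db01", "cvss": 9.8, "title": "remote DoS in network stack"},
        {"id": "OSV-EX-002", "host": "web01", "cvss": 3.1, "title": "local information leak"},
    ],
    "db-vendor": [
        {"id": "DBV-EX-017", "host": "db01", "cvss": 7.5, "title": "authentication bypass"},
    ],
    "middleware-vendor": [
        {"id": "MWV-EX-042", "host": "app01", "cvss": 5.3, "title": "log injection"},
    ],
}

# Constructed anchor: the first day of the regular patch calendar.
CYCLE_ANCHOR = date(2021, 12, 1)


@dataclass(frozen=True)
class Advisory:
    vendor: str
    advisory_id: str
    host: str
    cvss: float
    title: str


def aggregate(feeds: dict) -> list[Advisory]:
    """Flatten the per-vendor feeds into one list, highest CVSS first."""
    items = [
        Advisory(vendor, a["id"], a["host"], float(a["cvss"]), a["title"])
        for vendor, advisories in feeds.items()
        for a in advisories
    ]
    return sorted(items, key=lambda a: a.cvss, reverse=True)


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands: <4 low, <7 medium, <9 high, else critical."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def next_cycle_date(today: date, cycle_days: int, anchor: date = CYCLE_ANCHOR) -> date:
    """First scheduled cycle day strictly after `today`."""
    elapsed = (today - anchor).days
    return anchor + timedelta(days=(elapsed // cycle_days + 1) * cycle_days)


def schedule(feeds: dict, today: date, cycle_days: int = 14) -> dict[str, tuple[str, date]]:
    """Map advisory id -> (severity, deploy-by date).

    Critical and high items are due today; medium and low ride the next cycle.
    """
    plan = {}
    for adv in aggregate(feeds):
        sev = severity(adv.cvss)
        due = today if sev in ("critical", "high") else next_cycle_date(today, cycle_days)
        plan[adv.advisory_id] = (sev, due)
    return plan


def summary(feeds: dict) -> dict[str, Counter]:
    """Central visibility: outstanding items per vendor and per severity band."""
    advisories = aggregate(feeds)
    return {
        "by_vendor": Counter(a.vendor for a in advisories),
        "by_severity": Counter(severity(a.cvss) for a in advisories),
    }


if __name__ == "__main__":
    today = date(2021, 12, 10)
    for advisory_id, (sev, due) in schedule(VENDOR_FEEDS, today).items():
        print(f"{advisory_id:<12} {sev:<9} deploy by {due}")
    print(summary(VENDOR_FEEDS))
```

Changing `cycle_days` from 14 to 30 moves the medium and low items to the monthly window without touching the immediate items, which is the point Barnard makes: the cycle is a default, not a ceiling on how fast a critical fix goes out.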

The question is, what measures do businesses take to ensure that they’re adequately updated from a patching perspective as well as being properly compliant? Burger clarifies: “While some vendors will scan an environment and tell the business how to fix it, that doesn’t automatically render them compliant. What they need is a provider that can examine the business’s infrastructure and fix compliance issues. Normally, compliance scanning is an auditor security function. The security team is responsible for creating the necessary mandate and checking it, while the operational team do the actual work. What’s really needed is a vendor that can tell the business where it isn’t compliant and remediate that, bridging the gap between security and operations.”

He cites the example of a bank that failed a compliance audit then followed the approach recommended above and passed its next audit with flying colours. “All CIOs can relate to the stressors surrounding compliance and audits, and need to have confidence that the business can pass these. Automation is one tool in their toolkit that can make their job that little bit easier.”

Barnard talks about how vulnerability patching can impact availability, referencing a business in the telecommunications sector that not only improved its patching management and compliance processes, but also added workflows around pre- and post-steps to reduce the time it takes to deploy updates, saving the business hours on every patch cycle, not to mention the massive cost savings incurred.

“We’d all like to believe if you get a patch from one of the bigger operating system purveyors it’ll just work, and mostly it will, but unfortunately the one time it doesn’t, it can bring down the entire network, or it conflicts with other areas of the installation, causing massive disruption. We recommend a rollback procedure that allows you to go back to the last known safe state, so that you can resume operations while figuring out why the patch is causing issues.”

Barnard explains why patches can’t just be rolled out and where automation comes into play. “You have to be certain that you’ll still be able to deliver service after the update, which requires a fair amount of manual effort if you don’t have an automation tool to do that for you. Being compliant entails hardening the server and closing any gaps to make it harder to hack, but a patch might require that gap in order to work, so automating can help overcome this type of issue and reduce the time and cost factor.”
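The two points Barnard makes here (a rollback to the last known safe state when a patch breaks service delivery, and a hardening baseline that a patch may need a temporary gap in) fit naturally into one automated workflow: snapshot, pre-check, open the declared exception, install, close the exception, post-check, and restore the snapshot if the post-check fails. The code below is an added illustration written for this article, not Micro Focus code; the host model, the hardening baseline (only port 443 open), the patch ids and the `breaks_service` flag used to simulate a bad patch are all constructed.

```python
"""Patch deployment with pre-steps, post-checks and rollback.

Added example (not Micro Focus code). A host is modelled as a small dataclass.
deploy() takes a snapshot (the last known safe state), runs a pre-check,
opens any temporary hardening exception the patch declares, installs, closes
the exception again, then post-checks that the service still answers and that
the hardening baseline is intact. Any failure restores the snapshot.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field

# Constructed hardening baseline: only HTTPS may be open on a compliant host.
HARDENING_BASELINE_PORTS = {443}


@dataclass
class Host:
    name: str
    packages: dict[str, str]
    allowed_ports: set[int]
    service_ok: bool = True


@dataclass
class Patch:
    patch_id: str
    package: str
    new_version: str
    needs_port: int | None = None   # temporary exception to the baseline during install
    breaks_service: bool = False    # constructed flag: simulates a patch that breaks service


@dataclass
class Result:
    patch_id: str
    status: str                     # "applied", "rolled_back" or "skipped"
    steps: list[str] = field(default_factory=list)


def make_sample_host() -> Host:
    """Constructed compliant host with one package installed."""
    return Host("app01", {"libexample": "1.0"}, set(HARDENING_BASELINE_PORTS))


def precheck(host: Host) -> bool:
    """Do not patch a host that is already unhealthy; that needs a human first."""
    return host.service_ok


def postcheck(host: Host) -> bool:
    """Service still delivers and the hardening baseline has been restored."""
    return host.service_ok and host.allowed_ports == HARDENING_BASELINE_PORTS


def install(host: Host, patch: Patch) -> None:
    """Simulated package install; a 'bad' patch takes the service down."""
    host.packages[patch.package] = patch.new_version
    if patch.breaks_service:
        host.service_ok = False


def restore(host: Host, snapshot: Host) -> None:
    """Roll the host back to the last known safe state."""
    host.packages = dict(snapshot.packages)
    host.allowed_ports = set(snapshot.allowed_ports)
    host.service_ok = snapshot.service_ok


def deploy(host: Host, patch: Patch) -> Result:
    result = Result(patch.patch_id, "skipped")
    if not precheck(host):
        result.steps.append("precheck failed: service unhealthy before patching")
        return result

    snapshot = copy.deepcopy(host)
    result.steps.append("snapshot taken")

    # Open the temporary exception only if the port is not already in the baseline.
    opened = patch.needs_port is not None and patch.needs_port not in host.allowed_ports
    if opened:
        host.allowed_ports.add(patch.needs_port)
        result.steps.append(f"opened port {patch.needs_port} for the install")
    try:
        install(host, patch)
        result.steps.append(f"installed {patch.package} {patch.new_version}")
    finally:
        if opened:
            host.allowed_ports.discard(patch.needs_port)
            result.steps.append(f"closed port {patch.needs_port} again")

    if postcheck(host):
        result.status = "applied"
        result.steps.append("postcheck passed")
    else:
        restore(host, snapshot)
        result.status = "rolled_back"
        result.steps.append("postcheck failed: restored snapshot")
    return result


if __name__ == "__main__":
    host = make_sample_host()
    print(deploy(host, Patch("P-EX-1", "libexample", "1.1", needs_port=80)))
    print(deploy(host, Patch("P-EX-2", "libexample", "1.2", breaks_service=True)))
    print(host)
```

Running it shows the good patch landing with the baseline intact (port 80 is opened and closed inside the run) and the bad patch being rolled back so the host ends up on 1.1 with the service up, which is the state operations can resume from while the failed patch is investigated.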

Attempting to explain the intricacies involved, Burger draws on the analogy of self-driving cars. “An operating system gives a piece of hardware instructions on how to work. In a self-driving vehicle, the operating system tells the car where to drive and on what road, but because of variables such as potholes, robots that don’t work and road works, each environment has a certain level of uniqueness. So when you load a patch, it issues a new instruction, but it needs to identify existing potholes. That’s why a patch might work in certain environments but not in all.”

The CIO failing to get to grips with vulnerability and compliance can have far-reaching implications beyond being called into the boardroom. “While local legislation such as POPIA and other standards need to be complied with, internationally this type of legislation can be backed up by large fines or even a prison sentence.” Barnard cites the example of when local bank Absa was affiliated with Barclays Bank and therefore had to comply with international regulations: “It would have incurred massive fines if it hadn’t been compliant with the prerequisite legislation.”
