Continuous global cyber security compliance enforcement
“We’ve seen a 75% reduction in the work simply needed to coordinate priorities between our security and IT operations teams. SaltStack SecOps is the catalyst to help IBM Cloud achieve the goal of continuous compliance while optimizing collaboration and output between our global security, IT, and governance teams.”Stephen Dumesnil | IBM Cloud Network Engineering Governance Manager READ THE CASE STUDY
Maintaining IT compliance is only getting harder
Compliance is constantly evolving and IT systems are getting larger and more complex. As a result, SecOps teams are forced to juggle between chasing compliance at the expense of innovation or maintaining bare-minimum security standards that leave them exposed to attacks and regulatory fines. SaltStack can help.
Find it. Fix it. Fast
Chasing compliance drift on existing systems can feel like a recurring nightmare. SaltStack actively scans for compliance drift and provides automated remediation steps to enforce defined security policies—saving resources, improving security posture, and reducing risk.
Built on CIS-certified best practices
Most organizations must comply with multiple regulations and standards, each made up of thousands of individual requirements and checks. SaltStack provides CIS-certified, framework-mapped security content, allowing teams to enforce requirements for multiple standards with a singe action.
Flexible control for hybrid systems
SaltStack offers flexible agent, agentless, and API-based options to ensure compliance on every type of IT asset—on-prem servers, VMs, public and private cloud, containers, even network and IoT devices—from a single platform.
Closed-loop compliance for all
Security and operations need solutions that enable collaboration and communication. SaltStack provides role-based access and specialized dashboards that allow security and IT to define compliance and security policies, scan systems against them, remediate issues, and track trends—all while ensuring proper governance and control.
Enterprise IT systems are subject to laws and regulations about how they are set up and managed. This is particularly true in cases where IT systems store or handle sensitive data about customers, patients, or employees.
Security compliance, or cyber security compliance, refers to the IT security teams’ responsibility to ensure that all of the IT infrastructure and systems used to support the business remain compliant with external laws and any internal security protocols established by the organization.
Maintaining security compliance is critical to an organization for two main reasons. First, organizations out of compliance with laws and regulations are subject to fines, legal action and damage to their public perception that can be expensive and detrimental to achieving objectives. Second, enforcing secure compliance standards hardens critical IT systems and makes it more difficult for bad actors to exploit them for monetary gain, data theft, or malicious attacks on the organization.
This is why many organizations create their own internal security compliance standards based on best practices from industry security leaders—such as CIS—that augment and improve the external standards they are legally required to meet.
According to a recent report from Tenable, 95% of organizations have faced organizational and technical roadblocks when trying to implement a compliance framework. In addition, 44% have automated fewer than 1/3 of the foundational controls. These challenges are due in large part to limited human resources, the size and complexity of digital IT environments, and the disconnect between security and IT workflows and priorities.
Compliance automation technologies such as SaltStack Comply allow IT operations teams to define the framework of a compliant environment with certified content from security leaders such as CIS, ensure all new systems are built in accordance with the framework, and detect deviations from the policy and correct them via automated runbooks.
CIS, or the Center for Internet Security, is a non-profit organization that, since 2000, has worked to define a set of standard configurations that can serve as a secure baseline for technologies used in business and government IT.
CIS provides a series of tools—including Benchmarks and Controls—that help IT security professionals stitch together and simplify requirements across multiple frameworks and regulations. While CIS is the first to recognize that their resources do not cover every use case and there is still a need for other frameworks, the “spirit of the law” approach they take to mapping their content across industry frameworks has made them the standard for many organizations worldwide.
CIS (the Center for Internet Security) harnesses the vast knowledge and experience of a global IT community to define and refine their security guidelines. Specifically, CIS Controls are a standardized set of 20 guidelines and related subcontrols that security teams can use to build a baseline security policy for their organization.
If we think of CIS Controls as the guideline for creating a best-practice security policy, then CIS Benchmarks are the specific recommendations for applying that policy to all of the technologies an organization is using. There are currently 140 CIS Benchmarks for specific technologies, including operating systems, middleware, software applications, and network devices.
IT security teams use frameworks from CIS, NIST, ISO, and others to build out foundational security compliance policies as well as enforce specific requirements on their IT infrastructure, operating systems, applications, and so on.
SaltStack Comply provides certified CIS Benchmark scans and automated remediations that can be easily applied across the organization’s entire environment. These Benchmarks also include cross references to frameworks from NIST, ISO, HIPAA, and others. This allows IT security teams to use the CIS Benchmark content to “kill multiple birds with one stone”. In other words, they can ensure they are meeting the requirements of multiple frameworks and regulations while only needing to enforce the CIS framework.