
From compliance database to central pillar of digital transformation: CMDBs today
A saying common in cybersecurity circles is, “you can’t protect what you don’t know about.”
That’s very true, and it points to one of the realities of today’s enterprise networks: because of the mass adoption of technology, it’s sometimes difficult to ascertain what’s on the network. And here, the “network” now often includes many thousands of cloud-based instances of apps and services.
There should be another saying, too, along the lines of “you are responsible for the assets you don’t know about.” That’s because adhering to data compliance regulations requires enterprise networks to be transparent to compliance teams — ignorance of exactly what exists on the network is no excuse in the eyes of the law.
That’s why compliance and vulnerability management solutions are proving very effective right across APAC and Australasia now: one platform not only helps protect the organization’s digital assets, but it also aids compliance efforts. In the Asia-Pacific region, local governance with regard to data regulations is complex, and that complexity increases when business is conducted overseas, into Europe, Russia, or the US, for example.
Furthermore, despite APAC’s reputation for developing cutting-edge technology, the very latest tech often sits alongside older, outmoded systems that present a security risk.
As companies of all sizes get further along in their digital transformation journeys, it’s surely a given that both new solutions and legacy systems are safe, reliable, and compliant. After all, why adopt new platforms to speed time to market, or lower costs, if the platforms and processes achieving those aims are putting the enterprise at risk — either from legislators or cybercriminals?
The discovery process
Thanks to the consumerization of technology, the use of business software and hardware solutions is an everyday occurrence. People carry smartphones, which are highly powerful, mobile networked devices, and can therefore pick up most pieces of new technology and use them right out of the box. For businesses adopting a more aggressive digital stance, that’s great news, but the widespread nature of tech means that even in small companies, there’s usually a great deal more digital activity than even CTOs are aware of.
That’s why any compliance investigation, digital transformation process, or business process mapping exercise begins with an audit of IT systems.
While the audit process often turns up long-forgotten pieces of hardware (like a load balancer or IDS quietly working away untended for years), today’s next-generation CMDB suites (compliance management databases) also help organizations find cloud-based or hybrid-hosted apps and services of which the rest of the enterprise was unaware. That’s partly down to the ease with which resources can be deployed by small groups or even individuals, but it is a significant enough issue to have its own dedicated term: “shadow IT.”
Protecting the assets, detecting the defects
To circle back to the two sayings mentioned at the beginning of this article, protecting the enterprise’s IT stack is crucial on two fronts: compliance and external threats. Both have the capability to cost the business substantially, either in purely financial terms (caused by loss of unique intellectual property, or because of stringent fines levied by lawmakers), or in terms of public standing, reputation, and perceived value of the brand.
Based on the more precise picture of what’s present in the enterprise, CMDBs help ensure that proper monitoring and attenuation can be applied right across the enterprise WAN to each and every endpoint, server instance, cloud service, network node, IoT device, and employee-owned smartphone.
That means older systems can be flagged for replacement, security policies for cloud services can be tightened, and processes and practices that cause compromise of defenses can be changed before serious incidents can happen.
To respond, or to be proactive?
The nature of technology today is such that no static picture of the enterprise’s entire network can be drawn. Maintaining constant oversight in the simplest possible way is therefore very important — attacks or data breaches can take just a few seconds to occur, so an element of real-time monitoring is considered essential as the business continues its transformational journey.
Here at Tech Wire Asia, we’ve chosen just two suppliers of the type of cutting-edge compliance and vulnerability management systems that go well beyond the definition of the terms. That’s because managing security and compliance accurately produces its own significant benefits right across the organization, far beyond a mere defensive stance.
Read more to find out the unique value-adds which these suppliers bring to the table to aid your progression along the digital transformation curve.
QUALYS
From the initial in-depth audit into the enterprise’s IT apps, services, cloud services, servers, and endpoints, the Qualys compliance and vulnerability solution forms the vital core at the heart of any CMDB and reshapes it so it becomes a pivotal feature around which the organization can transform digitally.
The solution provides an ongoing monitoring and categorization schema through continuous discovery, which ensures new devices or instances added to the network are apparent through the single-pane-of-glass dashboard — even across the most complex and shifting hybrid network. The powerful platform enables companies to maintain a fully compliant stance and protection from outside threats via the same mechanism.
Operators can quickly drill down into data, navigating groups of resources, down to the individual instance. Out-of-date software, license violations, unauthorized software or hardware — all can be easily exposed, and results collated into reports that help lay out the strategic way forward for IT and the enterprise’s technology resources.
As software moves out of a compliant status, needs updating, or requires a different licensing model, users of Qualys solutions can see what’s on the horizon six, nine, or twelve months away, enabling practical migration and update plans to be put in place. Additionally, with polling data reaching the Qualys Cloud Platform as often as every two seconds, any non-authorized element can be flagged, and operators can see what systems that hardware has access to, its user, and all activity on the enterprise WAN emanating from it.
IBM
IBM’s policy and compliance management platform is named OpenPages, which is a solution that helps users consolidate policy and compliance management, with particular emphasis placed on its ability to interact with regulators. The platform can supply the information needed by compliance governing organizations (local or national government departments, typically) in formats and at times that are stipulated by existing legislation.
As security and compliance policies change, OpenPages helps the enterprise manage changes, both from internal policy but also according to alterations in data regulations. The software reduces the complexity and expense of complying with industry, privacy, and government-based regulatory mandates.
Like the other CMDB solution from Qualys featured above, the IBM OpenPages platform offers significant other advantages over a pure compliance and security mandated platform. OpenPages provides a centralized data repository with document check-in and check-out, which helps complex enterprises keep tabs on movements of crucial or sensitive information, to ensure both regulatory compliance and safe practice.
There are also several significantly incisive reports that can be drawn from the data, presented in different formats according to an individual business function, for example. That means problematic areas in business processes can be pinpointed and the issues addressed at source before problems occur with security or local stipulations.
*Some of the companies featured in this editorial are commercial partners of Tech Wire Asia.