If everyone is thinking the same, someone isn't thinking

Lori MacVittie


#infosec #devops #bigdata #cloud IT security initiatives can benefit from a devops approach enabled with a flexible framework


What do you get when you mix some devops with compliance and its resulting big data?

Okay, aside from a migraine just thinking about that concept, what do you get?

What TraceSecurity got was TraceCSO – its latest compliance, security, cloud mashup.


The concept of big "operational" data shouldn't be new. Enterprise IT deals with enormous volumes of data in the form of logs generated by the hundreds of systems that make up IT. And the same problems that have long plagued APM (Application Performance Management) solutions are a scourge for security and compliance operations as well: disconnected systems produce disconnected data that can make compliance and troubleshooting even more difficult than it already is.

Additional data that should be collected as part of compliance efforts – sign-offs, verification, etc. – often isn't or, if it is, is stored in a file somewhere on the storage network, completely disconnected from the rest of the compliance framework.

Now add in the "big data" from regulations and standards that must be factored in.

There are a daunting number of controls we have to manage. And we are all under multiple overlapping jurisdictions. There isn't a regulatory body out there that creates an authority document that doesn't, or hasn't overlapped an already existing one. The new US HIPAA/HITECH Acts alone have spun a web of almost 60 Authority Documents that need to be followed. Even PCI refers to almost 5 dozen external Authority Documents and there are at least 20 European Data Protection Laws.

-- Information Security Form: Unified Compliance Framework (UCF) 

While the UCF (Unified Compliance Framework) provides an excellent way to integrate and automate the matching of controls to compliance efforts and manage the myriad steps that must be completed to realize compliance, it still falls on IT to manage many of the manual processes that require sign off or verification or steps that simply cannot be automated.

But there's still a process that can be followed, a methodology, that makes it a match for devops.

The trick is finding a way to codify those processes in such a way as to make them repeatable and successful. That's part of what TraceCSO provides – a framework for process codification that factors in regulations, risk and operational data to ensure a smoother, simpler implementation.


TraceCSO is a SaaS solution, comprising a cloud-hosted application and a locally deployed vulnerability scanner providing the visibility and interconnectivity necessary to enable process automation. Much like BPM (Business Process Management) and IAM (Identity and Access Management) solutions, TraceCSO offers the ability to automate processes that may include manual sign-offs, integrating with local identity stores like Active Directory.

The system uses wizards to guide the codification process, with many helpful links to referenced regulatory and compliance documents and associated controls. Initial system setup walks through adding users and departments, defining permissions and roles, coordinating network scanning and selecting the appropriate authority documents from which compliance levels can be determined.

TraceCSO covers all functional areas necessary to manage an on-going risk-based information security program:

  • Risk
  • Policy
  • Vulnerability
  • Training
  • Vendor
  • Audit
  • Compliance
  • Process
  • Reporting

TraceCSO can be integrated with a variety of GRC solutions, though this may entail work on the part of TraceSecurity, the ISV, or the organization. Integration with MDM, for example, is not offered out of the box, so compliance with mobile-device security policies is instead approached via an audit process that requires sign-off by the responsible parties designated in the system.

Its integrated risk assessment measures against best-practice CIA (Confidentiality, Integrity, Availability) expectations. TraceCSO calculates a unique risk score based on CIA measures as well as compliance with authoritative documentation and selected controls, and allows not just a reported risk score over time but the ability to examine unimplemented controls and best practices against anticipated improvements in the risk score. This gives IT and the business a way to choose those control implementations that will offer the best "bang for the buck" and puts more weight behind risk-benefit analysis.

By selecting regulations and standards applicable to the organization, TraceCSO can map controls identified during the risk assessment phase to its database of authorities. Technical controls can also be derived from vulnerability scans conducted by the TraceCSO appliance component.
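The control mapping and what-if risk scoring described in the two paragraphs above can be illustrated with a small model. The following is an added example, not TraceCSO's own code or its actual scoring method: the control identifiers, CIA weights, implementation costs and authority-document mappings are constructed for illustration. It shows how one control can satisfy several overlapping authority documents, how a residual risk score falls as controls are implemented, and how unimplemented controls can be ranked by risk reduction per unit of cost.

```python
"""Illustrative model of control-to-authority mapping and what-if risk scoring.

Added example, not TraceCSO's algorithm or data. Every control name, CIA
weight, cost and authority mapping below is constructed (hypothetical).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    cid: str                 # control identifier (hypothetical)
    authorities: frozenset   # authority documents this control satisfies
    cia: tuple               # (confidentiality, integrity, availability) weights 0..3
    cost: int                # relative implementation effort, 1 (cheap) .. 5 (expensive)


# Constructed sample control catalogue (hypothetical identifiers and values).
CATALOGUE = [
    Control("ACCESS-POLICY", frozenset({"HIPAA", "PCI DSS", "EU DPL"}), (3, 2, 1), 2),
    Control("MFA-REMOTE",    frozenset({"HIPAA", "PCI DSS"}),           (3, 3, 0), 3),
    Control("LOG-RETENTION", frozenset({"PCI DSS"}),                    (1, 3, 1), 1),
    Control("BACKUP-TEST",   frozenset({"HIPAA"}),                      (0, 1, 3), 2),
    Control("VENDOR-REVIEW", frozenset({"HIPAA", "EU DPL"}),            (2, 1, 0), 4),
    Control("VULN-SCAN",     frozenset({"PCI DSS", "HIPAA"}),           (2, 3, 2), 1),
]


def controls_for(catalogue, selected_authorities):
    """Controls required by at least one of the selected authority documents."""
    return [c for c in catalogue if c.authorities & selected_authorities]


def overlapping_controls(catalogue, selected_authorities):
    """Controls that satisfy more than one selected authority: implement once,
    get credit under each (the overlap the UCF quote describes)."""
    return [c for c in controls_for(catalogue, selected_authorities)
            if len(c.authorities & selected_authorities) > 1]


def residual_risk(catalogue, selected_authorities, implemented):
    """Residual risk: sum of CIA weights of required controls NOT yet implemented.
    Lower is better; 0 means every required control is in place."""
    return sum(sum(c.cia) for c in controls_for(catalogue, selected_authorities)
               if c.cid not in implemented)


def what_if(catalogue, selected_authorities, implemented):
    """Rank unimplemented controls by risk reduction per unit of cost.
    Returns (control id, risk reduction, reduction per cost), best first."""
    base = residual_risk(catalogue, selected_authorities, implemented)
    rows = []
    for c in controls_for(catalogue, selected_authorities):
        if c.cid in implemented:
            continue
        new = residual_risk(catalogue, selected_authorities, set(implemented) | {c.cid})
        reduction = base - new
        rows.append((c.cid, reduction, round(reduction / c.cost, 2)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def coverage(catalogue, selected_authorities, implemented):
    """Per-authority fraction of its required controls that are implemented."""
    out = {}
    for auth in sorted(selected_authorities):
        required = [c for c in catalogue if auth in c.authorities]
        done = [c for c in required if c.cid in implemented]
        out[auth] = round(len(done) / len(required), 2) if required else 1.0
    return out


if __name__ == "__main__":
    selected = frozenset({"HIPAA", "PCI DSS"})
    implemented = frozenset({"ACCESS-POLICY", "LOG-RETENTION"})
    print("overlapping:", [c.cid for c in overlapping_controls(CATALOGUE, selected)])
    print("residual risk:", residual_risk(CATALOGUE, selected, implemented))
    for cid, reduction, per_cost in what_if(CATALOGUE, selected, implemented):
        print(f"  {cid:14s} -{reduction:2d} risk  ({per_cost} per unit cost)")
    print("coverage:", coverage(CATALOGUE, selected, implemented))
```

With the constructed catalogue, selecting HIPAA and PCI DSS yields three controls that count toward both documents, a residual risk of 20 with two controls in place, and a what-if ranking that puts the cheap, high-weight vulnerability-scanning control first. The scoring is deliberately simple (an additive CIA weight per unimplemented control); a real product would weigh likelihood, asset value and scan findings, but the mapping and ranking pattern is the same.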

TraceCSO is ultimately an attempt to unify the many compliance and risk management functions provided by a variety of disconnected, individual GRC solutions today. By providing a single point of aggregation for risk and compliance management as well as process management, the system enables a more comprehensive view of both risk and compliance across all managed IT systems.

It's a framework enabling a more devops-oriented approach to compliance, an area often overlooked in discussions of devops methodologies despite the reality that its process-driven nature makes it a perfect fit. The same efficiencies gained through process and task automation in other areas of IT through devops can also be achieved in the realm of risk and compliance, with the right framework in place to assist.

TraceCSO looks to be one such framework.


More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.