One of the fundamental challenges we see for security compliance professionals today is the struggle between the desire to design and configure secure systems and the difficulty and complexity of doing so. There has been a proliferation of security standards from the National Institute of Standards and Technology (NIST), Cloud Security Alliance (CSA), International Standards Organization (ISO), and others that provide excellent starting points. However, compliance professionals are still faced with applying these standards to complex and heterogeneous systems that are subject to constant change over time.
For years we have established boundaries around our systems and generated static documents in Word or Excel that we periodically check to try to maintain compliance. This approach produces an accessible document that is easier for auditors to follow, but there are serious underlying problems with the methodology. First, because of the complexity involved, controls are often applied only at the boundary, masking potential security issues inside it. Second, the implementation of each security control is subject to change over time, and those changes may not be detected until the next audit, leaving unmanaged risks within the environment.
This legacy approach of protecting boundaries and maintaining static compliance documents is not sustainable in today's cloud-centric, mobile-native world. Things are simply changing too fast: the boundaries are more imaginary than real, and the need to deliver new capabilities as part of organizations' digital transformation strategies is pushing the pace of innovation faster than our compliance documents can keep up. The old method no longer works, and a new strategy must be developed.
We are advocates for composable, real-time compliance that shifts compliance left to align with and support business needs. This approach is no different from what I do with my children when we play with Legos. When you look at the seemingly endless list of parts needed to assemble a new star destroyer model, the task seems overwhelming and daunting. However, Lego does a great job of breaking it down into individual components and including step-by-step instructions that show you how to put the overall model together. With this approach, you get a detailed understanding of how the whole thing works by putting it together one piece at a time from scratch. Cybersecurity compliance should work exactly the same way.
The NIST Open Security Control Assessment Language (OSCAL) team has developed a new component model that lets you layer controls onto each element of your system and compose a system security plan (SSP) from those individual elements. Instead of one giant boundary-level SSP, you get an SSP built from its components: load balancers, network switches, web servers, databases, storage, and so on. Because the plan is built from the bottom up, you gain a more detailed understanding of how each component of the system works, how secure it is, and how you might assess it in the future. Additionally, this approach lets vendors publish hardening guides that align with OSCAL, for better out-of-the-box security when configuring their products.
Even better, the new OSCAL model is machine-readable. This means that, in the future, tools will be able to automate assessments, integrate with scanners, and update documents in real time. Not only can system security hardening be improved through composability, but lifecycle costs are reduced through automation, and risks are identified closer to real time instead of waiting on manual assessment processes that always lag behind the risk indicators.
By implementing each layer of the OSCAL framework (catalogs, profiles, SSPs, components, etc.), we are able to quickly compose and secure new systems, link them to the investments our customers have already made in their existing security systems, and keep their documentation updated through an API-centric approach. Even better, because we build on a NIST standard, artifacts produced on our platform should interoperate and be portable with other OSCAL-compliant technology vendors.
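To make the bottom-up composition described above concrete, here is an added example (not code from the original post, from NIST, or from any vendor platform) that builds a skeleton SSP from per-component control implementations and a profile. The dictionaries follow the general shape of OSCAL JSON (component-definition, profile, system-security-plan) but are a hand-written, simplified subset, not schema-validated OSCAL; every UUID, control id and component is a constructed sample value, and the function names are this example's own. The point it shows is the one the text makes: once each component carries its own control statements, the plan, its coverage gaps, and any controls claimed outside the selected profile all fall out of the data rather than a hand-maintained document.

```python
"""Compose an SSP skeleton from OSCAL-style component definitions (simplified)."""
from collections import defaultdict

# Constructed sample profile: selects five controls from a catalog.
PROFILE = {
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # constructed
        "imports": [{
            "href": "#catalog-placeholder",
            "include-controls": [{"with-ids": ["ac-2", "ac-17", "au-2", "sc-7", "sc-8"]}],
        }],
    }
}


def component(uuid, title, reqs):
    """Build one simplified component-definition document (helper for sample data)."""
    return {"component-definition": {"components": [{
        "uuid": uuid, "type": "software", "title": title,
        "control-implementations": [{
            "source": "#catalog-placeholder",
            "implemented-requirements": [
                {"control-id": cid, "description": desc} for cid, desc in reqs
            ],
        }],
    }]}}


# Constructed sample components; each one states only the controls it implements.
COMPONENT_DEFINITIONS = [
    component("00000000-0000-4000-8000-0000000000a1", "Load balancer", [
        ("sc-7", "Terminates inbound TLS and filters traffic at the boundary."),
        ("sc-8", "Enforces TLS 1.2 or later on all listeners."),
    ]),
    component("00000000-0000-4000-8000-0000000000a2", "Web server", [
        ("au-2", "Emits access and error logs to the central log pipeline."),
        ("sc-8", "Uses TLS for the hop from the load balancer."),
    ]),
    component("00000000-0000-4000-8000-0000000000a3", "Database", [
        ("ac-2", "Accounts are provisioned per role and reviewed quarterly."),
        ("au-2", "Audit logging enabled for DDL and privileged statements."),
        ("si-4", "Query-rate anomaly alerts (not selected by the profile)."),
    ]),
]


def selected_controls(profile):
    """Return the control ids the profile selects, in profile order."""
    ids = []
    for imp in profile["profile"]["imports"]:
        for selector in imp.get("include-controls", []):
            ids.extend(selector.get("with-ids", []))
    return ids


def compose_ssp(profile, component_definitions):
    """Merge per-component implementations into one SSP keyed by selected control.

    Returns (ssp, unselected) where `unselected` lists implementations that
    components claim for controls the profile does not select, so they can be
    reviewed instead of silently dropped.
    """
    selected = selected_controls(profile)
    by_control = defaultdict(list)
    unselected = defaultdict(list)
    for cdef in component_definitions:
        for comp in cdef["component-definition"]["components"]:
            for impl in comp.get("control-implementations", []):
                for req in impl.get("implemented-requirements", []):
                    entry = {"component-uuid": comp["uuid"], "title": comp["title"],
                             "description": req["description"]}
                    bucket = by_control if req["control-id"] in selected else unselected
                    bucket[req["control-id"]].append(entry)
    ssp = {"system-security-plan": {"control-implementation": {"implemented-requirements": [
        {"control-id": cid, "by-components": by_control.get(cid, [])} for cid in selected
    ]}}}
    return ssp, dict(unselected)


def implemented_requirements(ssp):
    return ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]


def coverage_gaps(ssp):
    """Selected controls that no component claims to implement."""
    return sorted(r["control-id"] for r in implemented_requirements(ssp) if not r["by-components"])


def components_for(ssp, control_id):
    """Component titles that contribute to one control."""
    for req in implemented_requirements(ssp):
        if req["control-id"] == control_id:
            return [c["title"] for c in req["by-components"]]
    return []


if __name__ == "__main__":
    ssp, extra = compose_ssp(PROFILE, COMPONENT_DEFINITIONS)
    for req in implemented_requirements(ssp):
        print(req["control-id"], "<-", [c["title"] for c in req["by-components"]] or "GAP")
    print("gaps:", coverage_gaps(ssp))
    print("claimed but not selected:", sorted(extra))
```

Running the script lists, for each selected control, the components that satisfy it; ac-17 shows up as a gap because no component statement covers it, and the database's si-4 statement is reported separately so a reviewer can decide whether the profile should include it. In practice the same merge would be re-run whenever a component definition changes, which is what turns the SSP from a periodically audited document into a derived artifact.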
Are you ready to embrace a secure world of real-time, composable systems? Learn more today at the NIST OSCAL website.