Automated Compliance: Making the Case and Reaping the Rewards
In this exclusive interview, Dwayne Melancon of Tripwire discusses:
Dwayne Melancon joined Tripwire in 2000 and serves as Tripwire's Vice President of Corporate and Business Development, leading the company's strategic partnerships and alliances. In previous positions at the company, he was Vice President of Professional Services and Support, Information Systems, and Marketing.
Prior to joining Tripwire, Melancon was Vice President of Operations for DirectWeb, Inc., where he was responsible for product management, logistics, electronic supplier integration, customer support, information systems, infrastructure development, and other business operations.
Before DirectWeb, he ran Pan-European Support for Symantec Corporation, managed support for several of Symantec's leading product lines, and spearheaded the development of tools and processes. In other positions, Melancon was responsible for Symantec's global Web presence, program management for Symantec's encryption products, and functional integration for mergers and acquisitions. Prior to joining Symantec, he spent eight years at Fifth Generation Systems, Inc. where he created an award-winning global support organization, was a software developer, and directed the company's software and hardware Quality Assurance teams.
Melancon is certified on both IT management and audit processes, possessing both ITIL Foundations and CISA certifications.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is regulatory compliance, and I am privileged to be speaking with Dwayne Melancon, Vice President of Corporate and Business Development with Tripwire. Dwayne, thanks so much for joining me today.
DWAYNE MELANCON: Yeah, thank you. It's good to be here.
FIELD: Dwayne, just to get started, why don't you take just a second to introduce Tripwire and yourself and your role with the company?
MELANCON: Okay, sure. So, Tripwire is a software company, and we focus on helping people audit and control their IT environments. So, basically what that means is allowing them to gain intense visibility and hold people accountable for doing things properly when they are managing and interacting with their IT infrastructure.
So, it's everything from security policies to regulatory compliance to making sure that people follow the basic hygiene in their operational practices, and what we do is provide visibility across the infrastructure and give you the ability to very quickly determine where you are and how that compares to your policies and what you need to do to bring things back into compliance if they happen to be out of compliance. And we also provide you the ability to report on that at any point in time on demand through either dashboards or detailed reports that can be handed off to practitioners to resolve the issues.
From my own personal perspective, I am responsible for Tripwire's relationships with our strategic partners, but I also spend a lot of time dealing with our customers out in the field. So one of the other aspects of my job is providing people with guidance on how to achieve automated compliance, because I happen to be a certified IT auditor as well as a Tripwire employee, and I spend a lot of time helping people sort of navigate the world of compliance and determine how to implement strong IT controls to be able to satisfy the needs and the sort of demands and questions that auditors will show up with when it comes time to sit down and have an audit performed.
FIELD: Well, that's great because I wanted to ask you about your customer experience. We are all sitting back and watching what is happening in the economy over the past few months -- what are you hearing from your customers in terms of the ties between the economic conditions and their regulatory compliance efforts?
MELANCON: Well, I definitely hear a lot of uncertainty out there, so you know I think people are already a little bit skeptical about particularly some of the privacy regulations and personal financial regulations and things like the PCI Standards for the payment card industry, because even though these things have been around for a while, they are still hearing all of these news stories about high-profile credit card breaches and people stealing information.
And then on top of that, when you hear all of these issues with banks and some of the lenders and the credit crisis and all this kind of stuff, I think people get a little nervous, and what I am hearing is that they are hoping that there is a lot more oversight and a lot more demand for reassurance that not only are companies aware of their compliance requirements, but that they are actually doing what they are supposed to be doing.
What is interesting to me is that the financial services industry kind of seems to be in the middle of all of this even though historically they are pretty much the most heavily regulated industry as far as internal controls. So, it is kind of interesting -- even though there are all of these regulations, they are still having all of these issues, and we think a lot of it gets down to whether they've actually operationalized best practices for being compliant over time, or whether they are just kind of taking an ad hoc approach. I think obviously we would prefer to see an automated and integrated approach.
FIELD: Dwayne, we've talked an awful lot about consumer confidence over the past few months. What's the tie between regulatory compliance and this confidence?
MELANCON: Well, you know, people see banks -- you know, you watch old movies and things like that, and people see banks as this secure, safe place to store their assets, and I think people want to believe that financial services industries, and anybody who is dealing with their personal financial information or personal medical information whatever it is, that they are actually taking care of that information and safeguarding the assets.
But trust only goes so far, and just hearing these organizations say "trust me" really isn't working very well. So now I think people are starting to ask for proof and saying, hey you know, show me what you are supposed to be doing and what others expect you to do as an institution and then demonstrate that you are doing that. So give me some reassurance. You know, it's not just enough for me to see a big fancy building and a nice logo; I want to actually see what are your practices, and how do I know you are following the rules?
FIELD: So one of the things we hear pretty consistently from institutions is that they are very willing to make investments in technology and services, but they've got to be able to see a real business case there. So if you are looking at, say, configuration assessment and change management for a financial institution, where do you find the business case, the real bottom line value for those investments?
MELANCON: Well, I think one of the other phenomena that I have seen over the last few years is that people are often looking for a quick fix, and a lot of this gets down to things that aren't really quick fixes. They are about having strong policies and strong controls to hold people accountable to those policies. And those things a lot of times will require a little more investment in terms of cultural change within the organization, creating consequences when people don't do the right thing.
But I think the payoff is really that you have much better ability to manage risk, and that can be measured in terms of better security posture, reduced costs of compliance, better efficiency, operational effectiveness, fewer outages because there is less variance and less sort of flying by the seat of the pants going on in the organization. Because really, at the end of the day, if people are able to institute firm policies and support that with good technology controls, then it makes it easier for their people to do the right thing. And when people do the right thing, it serves the business very well.
So not only are they not doing things that are risky for the business, but they are also becoming more efficient and more proficient at what they do, so that you allow people to become better at operating your IT infrastructure over time and better at producing evidence that they are actually doing it consistently and in accordance with the organization's policies or the external regulatory policies that they have to be compliant with.
All of that pays off in terms of reduced operating costs, in terms of reduced re-work. One of the things that we see a lot of times is that because people take a very ad hoc approach to compliance, they may end up redoing the same controls manually every month or every quarter, and that is not very efficient.
So what we like to see is more of an integrated, automated approach where the repetitive tasks that are required for compliance are actually handled sort of automatically, and then you can manage by exception by dealing with just normal daily dashboards that are part of your normal operations procedures. That way, you don't end up in the situation where there is a big fire drill every time an audit is coming, and you can actually operate on a daily basis in a compliant mode.
FIELD: Dwayne, one of the things that you have talked about at Tripwire are the five core competencies of compliance. Could you outline those for us and tell us how financial institutions might approach those competencies?
MELANCON: Sure. So, the first one is around assessments. From an assessment perspective a lot of this gets down to understanding what you have and whether you can trust it, so from an assessment perspective we recommend that you look at your infrastructure and your practices based on external standards and known best practices in the industry.
We provide a lot of that information out of the box, so we've done a lot of the heavy lifting on finding out what the best practices are and codifying them within our product so that from day one people can actually assess where they stand based on industry best practices, but you also have the ability to tune that for your own internal policies.
We find that just knowing where you are is a huge step forward for a lot of organizations, and that allows you to get better visibility into the infrastructure. But knowing where you are is only part of it, so the next step is really to achieve the competency where you can hold people accountable. So, accountability is a big thing here.
I've been involved in a number of audits, and one of the things that is often very difficult for people to answer is this: How do I know you are doing what you are supposed to be doing, or what I like to call the "so what" test. So, people may have a policy, it could be documented -- you know, a lot of people could know about it, but one of the questions I will ask a lot of the time is okay, so what? If someone goes around this policy and circumvents it and does the wrong thing, what will happen to them?
In a lot of organizations the answer is nothing, and it's not necessarily because they are not willing to take action, but it is mostly because they lack the visibility to be able to detect when people are not doing the right thing, and that's where these automated controls really come in handy. For example, you may have a policy that says developers are not allowed to make changes in production. It is very hard to enforce that unless you have some automated mechanism in place to detect all changes and trace those changes back to who made them and whether they were authorized to make them.
So for example, one of the reports that we provide is an unauthorized change report where you can see if people made changes to systems they weren't supposed to touch and who those people were so that you can immediately go and talk to those people with evidence to instill some accountability and say, hey you just broke the rules, and we need to do something about that.
What we find is that very quickly that in itself will create cultural changes where people recognize they are not going to be able to get away with just skirting the rules or violating policies because they are a little bit difficult to follow or they require extra steps. We find that that becomes a very self-reinforcing mechanism where the accountability really drives a lot of success in a lot of the other areas.
Obviously, that requires the third competency, which is auditing. Auditing is really where not only do you ensure that you can see what is happening, but the controls that you designed are in place and effective. Auditing is how you provide evidence on demand. Auditing can be things like ongoing testing of the environment to be sure that your configurations and standards are being adhered to. It can be checking to make sure that people are not going outside of their roles and responsibilities. It can be checking for simple things like making sure that when an employee leaves the company that their access to your important systems gets terminated.
So there are a lot of aspects to this, but what it really gets down to is measuring what is really happening against what is supposed to be happening, and providing detailed reports to allow people to actually manage from that.
The next competency is configuration management. Configuration management is really about creating consistency in the environment, consistency of practice. So configuration management is the act of making changes to and configuring IT infrastructure, and the easiest way to be able to trust what you have is to be able to hold people accountable to certain standards.
So, one of the risks in a lot of organizations is that because people are involved in configuration management there is oftentimes a lot of individual variance, depending on who made a particular change or who deployed a particular piece of software, and what we find is that an automated means of validating the configuration management results actually reduces configuration variance, reduces operational risks, and makes it so that no matter who you assign the task to, you get very similar results.
And that is a key in being able to scale and being able to prove compliance, because one of the analogies I have heard is that if you have 1,000 servers that are configured insecurely but identically, those are actually easier to manage than 1,000 servers that are configured very securely but all different. Because it is much easier to manage servers as a group than it is to go and deal with individual servers with individual personalities, and configuration management is the means to instill that kind of operational consistency in any IT organization.
And then the final, fifth competency is really around change control. So, change control really is the way that you can prevent people from creating a Wild, Wild West kind of environment in your IT infrastructure. So one of the risks -- and I mentioned this policy of not allowing developers to make changes directly in production before -- one of the reasons that exists is because developers tend to make changes to fix things, but don't necessarily document what they do very well.
Change management processes and change control are really a means to provide bottlenecks or funnels to allow limited numbers of people to touch your production infrastructure in a very controlled way and it allows you to very quickly look across your environment and ensure that you know about all of your changes, and that you can vouch for them and verify that not only are they authorized, but that they are made at the right time, to the right systems, by the right people and be able to detect exceptions very, very quickly.
So when you put those things together, assessments, accountability, auditing, configuration management and change control, you have a very solid posture for achieving very efficient and effective IT infrastructure management.
FIELD: Well, Dwayne, that all makes sense. I guess the question I have is, where is the entry point? In other words, you've outlined the competencies here; what practical steps would you advise to a banking institution to follow to be able to sort of assess where they are, jump on the bandwagon here, and achieve compliance efficiently and effectively?
MELANCON: Well, a lot of it starts with really getting a strong understanding of what you are expected to comply with. So depending on the standards or the regulations and the policies that you have to comply with, some are very vague and some are very specific. I think starting with what you know and what is left up to interpretation is a good place; where you can come up with a plan based on the requirements.
So, I'd say the first is to really get a strong understanding of what your requirements are, and then the next step I would advise is to do a top-down, risk-based assessment of your environment. Understand what controls are in place, where there may be gaps, and we recommend that people think of controls in three categories:
Preventative controls, which are designed really to help people do the right thing. So these can be things like workflow diagrams, role and responsibilities, standard operating procedures that are documented so that anybody in the organization sees the same version of them and so forth. So those are basically, I kind of think of them as the ropes that define the swim lanes. So you are telling people what is expected of them and how they should operate inside the environment.
The next aspect of controls are detective controls. Detective controls are the controls that detect when people do not do what they should be doing. So they are kind of, to use the swim lane analogy, they are the things that detect when you drift out of your lane. Those can be things like Tripwire for example, which is a detective control in a lot of environments where, because we can see all of these changes across the infrastructure, we can very quickly determine when people make a change that is not compliant or that is made by the wrong person or against the wrong set of systems.
So those kinds of things allow you to very quickly know when things are not going well and manage by exception. That allows you to then kick into the third category of controls, which are the corrective controls.
Corrective controls are how you put things back in compliance, and that can be anything from scripts to restore settings, back to restore processes and then in the Tripwire world we have tried to make that easier by providing very detailed remediation guidance so that this allows you to -- when you see something that is configured in a noncompliant way -- we provide all the step by step information to bring that setting or those settings back in compliance. You can assign that to someone, and even a very junior level administrator can operate very consistently within the bounds of the company's policy and bring it back into compliance.
So those controls work together to help people do the right thing, detect when they are not, and then fix it when things are out of compliance. So we find that really focusing on the policies and the controls makes the most sense for most organizations.
It is also best to focus on systems that have risk, because we find a lot of organizations waste a lot of time on incidental systems that really have no business impact if they get compromised or if they are misconfigured. Really, your ROI comes when you focus on the most risky systems: the ones most subject to regulations and the ones most critical to the business operations.
FIELD: That does make sense. Now earlier we talked about how you make the business case for these types of investment. Let's go to the end of this; we've automated compliance, so where are we going to find the return on investment?
MELANCON: Well, the ROI really comes in several different areas. One, you are able to monitor what is happening in your environment all the time. That visibility actually provides value to the business because when something goes wrong, it is generally because something is out of whack somewhere, and that could be the result of a rogue change or a mistake or something like that. Being able to detect that very quickly will reduce outages.
Your response time for things like security and investigations and so forth and holding people accountable to their service level agreements and things like that will actually help pay off as well.
From a compliance perspective, because we've been talking a lot about compliance, the ROI really comes in the efficiency in the process because there are a couple of dynamics here. First, when you treat an audit as an event rather than an ongoing posture, you end up wasting a lot of time finding information to be able to prove you are doing what you should be doing, digging through emails to get approvals and all kinds of things that are very time consuming.
If you implement an integrated automated compliance approach, using IT controls, then finding all of that information is automatic and it becomes part of your daily dashboard and your daily reports, so you don't waste a lot of time digging for information. You don't waste a lot of time trying to produce custom reports for auditors because those things just come as a byproduct of the business.
When you put those things together, what you find is that you are able to spend a lot less time trying to figure out what happened, and you are much more efficient at it because you can look at what actually did happen and figure out what you want to do about it. So instead of looking for a needle in a haystack, you just start with the needles and figure out what you want to do about them.
The ROI that we have seen comes very quickly, and as people start to see the value of this, you also see that, in our world, a lot of times people may start with a subset of their systems that require compliance reporting, and then they very quickly expand from there because they see that this adds value not just in the world of your regulated servers, but across the IT infrastructure, because any piece of infrastructure that delivers service for the business requires the same kind of hygiene: that same assessment, accountability, auditing, configuration management and change control. So it really does become something that adds value back to the business every day.
FIELD: At the outset of our conversation you talked about the time that you spend with customers and I am curious, especially in financial services, even if you can't name a specific customer, can you give us a good for instance of a customer that has sort of gone down this path and realized the types of benefits you have discussed?
MELANCON: Sure. One example is Rothschild Bank in Zurich. When we started working with them, they had a real challenge trying to get visibility across their very distributed, very diverse IT infrastructure. They had multiple locations, lots of different vendor environments in place, everything, servers, network devices, databases, all sorts of types of infrastructure, virtual machines and hypervisors and so forth.
So what they were looking to us to do was help them implement an automated and really cost efficient method to monitor the change activity across that diverse infrastructure. The other aspect was, because of all their regulatory requirements -- and they had a lot of banking specific regulations as well as some that are very similar to things like Sarbanes-Oxley around financial reporting -- they needed to be able to establish accountability by implementing more stringent change and access control and process control. So, we went in and helped them actually monitor across their servers, their Active Directory and a lot of other pieces of their infrastructure to give them complete visibility into all the change that was happening there. We actually analyzed the changes and reconciled those back to change authorizations, so we could very quickly tell them when people were making unauthorized changes.
That also provides them the information that they need to not only manage risk or hold people accountable for internal security policies, but when they are dealing with bank auditors they actually have all the information as part of their normal operating reports to be able to show when exceptions have happened, what they've done about them and prove that their controls are in place and effective.
The results that we were able to achieve there have been that they are monitoring all their change 24/7, and they were able to do that without increasing staff headcount. So that is a key in today's environment. A lot of people don't have the discretion to add staff, so to the extent that we can add these automated controls, implement them and allow people to manage it without increasing their staff, that in itself adds a lot of value and ROI back to the business.
But where they saw the results were really in better response time when questionable changes happened, they were able to investigate them and resolve them very quickly. And when it came time to sit down for regulatory compliance audits, they found they spent much less time sort of babysitting the auditors and proving that they had the history of good operating hygiene to achieve compliance. They were actually able to provide the auditors themselves with some report logins and allow them to kind of look through the information themselves and get the assurance that they needed to be able to reduce the amount of time and money that they spent on audits.
FIELD: Well, that's a great example. Dwayne, can you give us any sort of a sense of timeframe of how long it takes to achieve those types of results?
MELANCON: Typically, it is within a few months. We've seen organizations, and it kind of depends on what is in place, we've seen organizations start to achieve results and pass audits in 30 days. Some organizations that are more complex, it may take a few months, but we are talking weeks and months and not months and years. So this is very rapid implementation.
A lot of organizations, like Rothschild Bank for example, brought in our professional services team to help with kind of the front end of this because we do interact with so many different customers that deal with regulatory compliance. We find that we can really shorten the learning curve pretty significantly by spending just a few days with people and sharing some of those best practices.
FIELD: Again, I want to draw a little bit on your customer experience. I mean, you've spent time out talking with people in the banking industry, and I think we all have a sense that new regulation and new regulatory oversight is coming; it is just a question of what and when. I guess I would ask you, drawing from what you hear, what sort of compliance trends are you looking at in 2009, and where do you think Tripwire can lend a hand to people?
MELANCON: When we look ahead at some of the trends that seem to be emerging, I think a lot of the sort of information-specific regulations like the PCI standards will continue to accelerate. But we are also seeing that there are things like FFIEC guidelines; there are even -- particularly internationally -- we are seeing people start to use standards, like some of the ISO regulations, to hold people accountable to best practices for security and saying, well, regardless of the industry that you are in, these best practices make sense in terms of protecting information risk.
So, I would say we are seeing an increase happening already around assurance and accountability, which relate back to financial reporting and protection of personal financial information. And then there are also internal controls to check for things like changes within financial applications to make sure that people are not allowed to sort of alter key information inside of financial systems -- that they are not allowed to sort of go back and revise the past and so forth.
From the Tripwire perspective, we have the world's largest library of CIS benchmarks, and CIS is the Center for Internet Security. They are an independent organization that looks across multiple types of standards and provides very prescriptive guidance on how to operate IT infrastructure in a compliant way. We have a lot of their standards built into our products, so it makes it easy for people, whether they are adopting CIS or ISO or have to be compliant with PCI or SOX; we have these templates in place so that from day one you can start creating relevant reports about your infrastructure and manage and hold people accountable to those standards.
As these things evolve, as we see more emphasis on a particular financial regulation emerge, we adapt and we create new policies there. So, whether it's in the government where we are starting to see NIST and FISMA guidelines become much more stringent, or where we are seeing an increase in a lot of personal financial information, personal health information regulations and all of those things have a lot in common in terms of those five competencies that I talked about.
It really is about understanding what you have, holding people accountable for doing the right things, being able to audit that on an ongoing and automated basis, and then really policing the configuration management and change processes to ensure that the organization is actually managing proactively in a way that prevents risk and achieves compliance every day. That is really the business that Tripwire is in: helping people do that in a very effective and efficient manner.
FIELD: Safe to say that Tripwire and its customers are going to be very busy in 2009?
MELANCON: Yeah, I would say so. Yeah, we're very busy now, and we only see it increasing.
FIELD: Dwayne, I appreciate your time and your insight today. Thanks so much for spending time with me.
MELANCON: Yeah, thank you. It was great.
FIELD: We've been talking with Dwayne Melancon, Vice President of Corporate and Business Development with Tripwire. For Information Security Media Group, I'm Tom Field. Thank you very much.