Nearly everything we do depends on our increasingly interconnected and rapidly-expanding digital capabilities, and it seems like daily breakthroughs change and streamline how we shop and live online. But with all this high tech power comes exposure, liability, and serious risk. If you operate a business or service on the web, it’s incumbent upon you to remain compliant with any and all regulations governing your industry.
Is your organization ready?
What is Compliance?
Compliance is the general state of being in accordance with prescribed standards and laws. In the digital world compliance concerns generally focus on network and data security, but other details—like how employees move and handle data within your secure environment—are also crucial considerations.
Here are some key compliance focus areas:
The Payment Card Industry Security Standard Council is the global consortium of experts dedicated to developing and evolving security measures that protect the billions of online payment card transactions occurring every day in the modern economy. The PCI Council doesn’t just keep your business safe, it charges you with the task of meeting and complying with the minimum security standards it establishes for processing credit card transactions online.
To do so, it has established the Payment Card Industry Data Security Standard (PCI DSS), to govern account data security and best practices. Learn more about PCI DSS Compliance.
The now ubiquitous HIPAA is one of the largest and most rigorous compliance areas in the United States. The Health Insurance Portability and Accountability Act of 1996 outlined the requirements for protecting vital patient health data, from physical records like files, to network security for virtual data, to proper procedures for working with this information. Every employer, health care provider, school administrator, and many more interest groups are directly impacted by HIPAA and responsible for complying with the act.
Learn more about HIPAA compliance requirements.
The General Data Protection Regulation (GDPR) is intended to give citizens of the European Union (EU) greater control over their personal data and make data handling regulations consistent across the EU’s 28 member states.
The GDPR implements several measures to protect personal data, including standards for:
- Citizens’ rights to erase personal data
- Data security practices and technologies for organizations
- Assessing the risk of data privacy or protection incidents in projects that deal with personal data
- Data Protections Officers at organizations that monitor or process high volumes of protected data
- Supervisory authorities who govern EU data protection in each member state
- Public notification policies after an organizational data breach
- Portability of personal data
- Data retention
Sumo Logic is taking the necessary steps to gain GDPR compliance validation and obtain proof of compliance by May 2018.
Learn more about GDPR compliance requirements.
SOC 2 Compliance
Service Organization Control (SOC) reports came into widespread use in 2011. There are three types of SOC reports, but SOC 2 focuses explicitly on the security protecting financial transactions. SOC 2 compliance requires retail and service providers to submit a written overview of how their system works and the measures in place to protect it, with particular attention to five areas:
- Processing Integrity
Popular in part for its scalability, SOC 2 compliance allows organizations to assess and resolve security issues within the custom framework of their environment.
Originally issued into law in 2002 as the Federal Information Security Management Act, this bill was revised in 2014 to become the current FISMA , which keys on the following five metrics:
- Identify: pinpoint all of the equipment involved in your data security plan.
- Protect: safeguard these systems with anti-virus and malware programs, physical security plans, and other means for keeping essential data protected.
- Detect: Detection compliance includes reactive approaches like stopping an active intrusion and proactive programs like routine deep penetration testing and audits.
- Respond: prepare the policies, procedures, and training programs you will need when you face inevitable threats.
- Recover: FISMA compliance guidelines are designed to help you recover from a malicious event or disastrous data loss in a fast, logical way.
The International Organization for Standardization was formed in the late 1940s to help businesses trade consistently across national borders. In the technology age its guidelines, called ISO standards, took on increased significance for safely moving data around the internet. ISO 27001 compliance standards specifically detail best information security management practices.
Children’s Internet Protection Act (CIPA) of 2000. In the early days of the internet boom, unmonitored content found its way too easily onto the screens of unsuspecting kids using classroom computers. CIPA was passed to leverage technology like monitors and filters to keep harmful content away from kids. Administrators in every school district in the country are tasked with screening content and complying with this act so that the full educational potential of the web can be unleashed in classrooms without fear of inappropriate detours into the darker side of the internet.
These are just some of the compliance areas that require special attention. But there are other considerations to keep in mind when developing a holistic approach to compliance.
Having a theoretically secure environment isn’t enough. Today compliance requires proving that your network and data security are effectively protecting your customer data. Most compliance models require active proof of your measures’ effectiveness. The most recent changes to PCI DSS 10, for example, call for semi-annual audits from approved third-party security professionals who perform deep penetration trials and report vulnerabilities before they can be exploited.
Complying with security guidelines means constantly testing your organization’s limitations to understand not just their strengths, but where they are most likely to face intrusion attempts and what to do when threats impact your environment.
Compliance & Logs
In any environment, especially those already utilizing DevOps approaches telemetry and feedback power compliance efforts. The ability to look under the hood and see how the pieces and parts of your network are interacting—and what those interactions produce—is the difference between a safe, efficient environment and one with compliance nightmares waiting to happen.
Everything that happens in your network is captured somewhere in the many system pouring data into logs. By unifying logs and metrics into actionable, interactive control panels a clear picture of network life emerges and compliance concerns can be surfaced and solved.
Compliance in the Cloud
The great migration from on premise data centers to decentralized, virtualized platforms is well underway and eventually almost all services will run in the cloud. Will this make compliance easier or tougher?
The cloud definitely comes with the advantage of a wealth of data. Cloud hosting services like AWS or Microsoft Azure offer native logging services that capture any and every piece of information that could impact your environment or be necessary to illustrate compliance. But sorting through haystacks for the scarce needles that matter is easier with the right help. In this in-depth webcast, experts from IP Architects and Teledoc discuss how Sumo Logic’s suite of tools help them focus on critical compliance areas in the cloud, including:
- Developing apps that integrate security into every level of development, which makes compliance part of app DNA
- Understanding platform logging systems and where they store data
- Realizing that a compliance plan doesn’t guarantee compliance, and planning for worst case scenarios
- Leveraging Sumo Logic’s tools to manage and simplify cloud compliance
Enterprise-Level Compliance Concerns
At the enterprise level, the information pertinent to compliance can represent a massive amount of data each day. Worse, experts estimate that up to 90 percent of intrusions within an enterprise network go undetected, representing a serious risk to security and compliance.
Tools like Sumo Logic’s LogReduce help you compress and analyze log data, helping you react to anomalies it in real time and even predict coming threats. This datasheet outlines additional ways to bring industry leading tech tools to your enterprise. It keys on three immediate ways to simplify and secure your compliance environment:
Identify data exfiltration. Highlight logins and security events throughout your entire enterprise, with automated machine learning that draws correlations betweens problems and activity and lets you know if data has touched or removed.
Lower compliance cost. Generating and analyzing reports can be expensive and time consuming. Get the data you need instantly and simply, freeing your professionals for more profitable pursuits.
Audit access. Remaining compliant means conducting mandatory audits, which can be a massive undertaking without the right tools.
The Challenge of Compliance
As the capabilities of modern networks continue to expand, so too will the need for reliable, standardized ways of protecting customer information and moving/storing data within your environment. The secret to remaining compliant with emerging standards is deep, real-time insight into how your environment lives and breaths and knowing where and how to obtain, manage and analyze the data you need to meet your requirements.
Sumo Logic Assurance Programs
See Who’s Running Securely on the Sumo Logic Cloud Platform
Download free analyst reports, white papers, data sheets and videos to learn how Sumo Logic Cloud Platform maintains security and compliance in the cloud
A journey down the path of enlightenment and leveraging the power of automation.
The Sumo Logic security model is an end-to-end process, focused on keeping customers’ information safe.
Assessing the Risk: Can the Cloud Can Be More Secure Than Your On-Premise Environments?
Sumo Logic currently achieved the following attestations/certifications:
- PCI DSS 3.2 Service Provider Level 1
- SOC 2 Type II
- ISO 27001
- CSA Star
- US-EU Privacy Shield
- TRUSTe Certified Privacy
While many other SaaS providers rely on AWS certifications, Sumo Logic implemented its own security controls, completed audits with a third party independent audit firm, BrightLine CPA, and obtained attestations/certifications for its log management service.
Only customers have access to their data, unless they enable access to their data to Sumo Logic’s Customer Success team. Even then authorized Sumo Logic employees will access a customer data only in response to a specific support request. All access to customer data is logged and auditable. Moreover, Sumo Logic has read only access to customer data.
Data ingested by Sumo Logic is split into two streams, an Index stream and a Raw stream. Each of these streams is encrypted using customer specific encryption keys rotated every 24 hours. In addition to the encryption keys, the disks are themselves encrypted. When data expires per the retention period, the indexes and customer specific keys are deleted. This accomplishes two things,
- The indexes cannot be located and thus recovered
- The raw data cannot be decrypted
This unrecoverable data will remain on additionally encrypted disks until Sumo Logic runs a periodic disk cleanup, which is done using a DoD 5220.22-M scrub.
If the customer wants to pull out any of their unexpired data in the event they choose to cancel their Sumo contract, the data can be pulled down from the API, exported to CSV or placed in an S3 bucket owned by the customer. This must be done before the contract/subscription expires or is cancelled.
We use Sumo Logic for logging and alerting on security events. All security events are addressed in accordance with our incident response policy:
- Critical Issues: Remediation efforts will begin immediately
- High Severity Issues: Remediation efforts will begin within 5 days
- Medium Severity Issues: Remediation efforts will begin within 60 days
- Low Severity Issues: Remediation efforts begin in accordance with their business and customer impact
To report any disruptions or suspected security incidents to the Sumo Logic platform or service, please contact us at Securityfirstname.lastname@example.org.