Everyone is focusing on security. As a matter of fact, an entire sub-industry has developed that focuses on providing products, services, audits and risk and risk-mitigation assessments for Sarbanes-Oxley (SOX) compliance. I have discussed SOX before, but it bears repeating.
SOX compliance has changed the way organizations approach security. It used to be all about asset protection and securing sensitive data through authentication, encryption and intrusion detection. This still holds true; however, the advent of SOX has created the need to push security measures far out into the end-user environment and to focus on a holistic security approach. By holistic, I mean that organizations must monitor, lock down and continually evaluate the security policies, security architecture, security management and incident-response capabilities of the entire enterprise environment.
So how does this affect the VPN world?
VPNs have always been considered a secure mechanism for transmitting sensitive data between client and server applications for remote workers. VPN technology is well known and is widely deployed across the world. How have SOX compliance mandates impacted VPN solutions? In a nutshell, the SOX mandates have pushed organizations to deliver end-to-end VPN security. This means that the VPN itself is not enough.
There need to be specific, granular security policies that can be assigned and enforced on an individual or group level. This is directly related to SOX, as SOX requires organizations to articulate the security policies for different organizational entities such as executives, sales or end users of the infrastructure. If you have different security policies (which you should) for different groups or individuals, the differences should be reflected in your security deployment as well.
Finally, many VPN systems do not provide the ability to easily manage and maintain the security of the clients utilizing the VPN solution. This includes visibility into client-loaded software to ensure the clients are up to date, as well as the ability to "push" out updates to the clients. There are mechanisms such as SMS for doing this; however, SMS is not necessarily considered a security policy enforcement technique. It can be, but the VPN industry is moving towards integrating this into the VPN systems themselves.
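To make the two requirements above concrete, per-group policy enforcement and visibility into the state of the connecting client, here is an added example of a small policy evaluator. It is not code from this article or from any VPN product; the group names, policy fields, version thresholds and network ranges are assumptions constructed for illustration. It shows how a gateway can deny by default for a group with no articulated policy, tie allowed networks to the group, and turn an out-of-date client into a concrete "push update" finding rather than a silent failure.

```python
"""Illustrative group-based VPN policy evaluation with client posture checks.

Added example, not code from the original article or from any VPN vendor.
Every group, policy field, threshold and client attribute below is an
assumption made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class GroupPolicy:
    """Security policy articulated for one organizational group (assumed fields)."""
    allowed_networks: Tuple[str, ...]   # destinations members of this group may reach
    min_client_version: Version         # oldest VPN client the gateway will accept
    require_antivirus: bool             # must an AV agent be running on the client?
    max_signature_age_days: int         # how stale AV signatures may be


@dataclass(frozen=True)
class ClientPosture:
    """What the gateway learns about a connecting client (assumed attributes)."""
    user: str
    group: str
    client_version: Version
    antivirus_running: bool
    signature_age_days: int


# Constructed policies: executives reach more of the network but face stricter
# endpoint requirements; sales is confined to one subnet.
POLICIES: Dict[str, GroupPolicy] = {
    "executives": GroupPolicy(("10.0.0.0/8",), (5, 2, 0), True, 3),
    "sales": GroupPolicy(("10.20.0.0/16",), (5, 0, 0), True, 7),
}


def fmt(version: Version) -> str:
    """Render a version tuple as dotted text for findings."""
    return ".".join(str(part) for part in version)


def evaluate(posture: ClientPosture,
             policies: Dict[str, GroupPolicy] = POLICIES) -> Tuple[bool, List[str]]:
    """Decide whether the client may connect; findings explain any denial."""
    policy = policies.get(posture.group)
    if policy is None:
        # Deny by default: a group with no articulated policy gets no access.
        return False, [f"no policy defined for group '{posture.group}'"]

    findings: List[str] = []
    if posture.client_version < policy.min_client_version:
        findings.append(
            f"VPN client {fmt(posture.client_version)} below required "
            f"{fmt(policy.min_client_version)}: push update to client"
        )
    if policy.require_antivirus:
        if not posture.antivirus_running:
            findings.append("antivirus agent not running: remediate before access")
        elif posture.signature_age_days > policy.max_signature_age_days:
            findings.append(
                f"antivirus signatures {posture.signature_age_days} days old, "
                f"limit is {policy.max_signature_age_days}: push signature update"
            )
    return not findings, findings


def allowed_networks(posture: ClientPosture,
                     policies: Dict[str, GroupPolicy] = POLICIES) -> Tuple[str, ...]:
    """Networks the client may reach: the group's list if compliant, otherwise none."""
    allowed, _ = evaluate(posture, policies)
    return policies[posture.group].allowed_networks if allowed else ()


# Constructed sample clients used for the demonstration below.
COMPLIANT_EXEC = ClientPosture("alice", "executives", (5, 3, 1), True, 1)
STALE_SALES = ClientPosture("bob", "sales", (4, 9, 0), True, 10)
UNKNOWN_GROUP = ClientPosture("carol", "contractors", (5, 3, 1), True, 0)

if __name__ == "__main__":
    for client in (COMPLIANT_EXEC, STALE_SALES, UNKNOWN_GROUP):
        ok, why = evaluate(client)
        print(client.user, "allowed" if ok else "denied", why, allowed_networks(client))
```

The evaluator returns its findings as data rather than only logging them, so the same result can feed both the gateway's access decision and the update mechanism the article mentions: a "push update" finding is exactly the signal a client-management system needs.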
So, as can be seen from these examples, the regulatory security eye (SOX) is beaming brightly on the VPN world and is driving significant developments in VPN technology. Remote access is the window to the corporate environment, and security (up front and ongoing) takes on a whole new meaning with SOX. Be very cognizant of these factors when evaluating a VPN solution in terms of security.