Ditch the Checklist: Why Automation is the Key to Content Compliance

Compliance frameworks provide guidelines for effective and secure operations for content management across a company’s various repositories. They’re written as a set of controls, each one which corresponds to different settings and policies that an organization must follow in order to ensure the safety of their data. They’re designed to be very organized and actionable, and tend to operate similar to a checklist IT and security teams create policies and rules that define how processes and transactions will satisfy a framework’s controls. In an ideal world, IT admins would simply operate off of a scorecard that indicates what policies were, and were not, compliant. Ideal, but unfortunately, not realistic.

Checklists work for things like house maintenance; you identify and fix the things that don’t meet building codes, and then you feel safe, and the building inspector is happy. Content, however, doesn’t operate like that. Some content is essentially stateless; because of collaboration or continuously changing data, content assets change. Identifying adherence to compliance controls, therefore, means it has to be evaluated continuously.

‍Compliance must scale to meet the pace of continuous change

‍Cloud adoption continues at a rapid pace for all types of applications, partly because it’s inherent flexibility and scalability translate into a variety of cost savings and a reduction in IT architecture complexity. But just as cloud customers adapt to apply a new way of security for their users and data, they also are learning how to apply an effective compliance model to the content that’s stored, shared, and managed in their cloud environment.

At issue for any organization is the scale and demands of compliance frameworks. They attempt to provide structure across the entirety of the IT infrastructure, but it’s simply overwhelming for any organization. Consider that the NIST 800-53 spec consists of more than 2,000 separate requirements. Each requirement corresponds to some aspect of a company’s IT infrastructure that, if not met, could create a vulnerability for sensitive content. It would also render the organization non-compliant, which would limit its ability to conduct business and subject it to hefty fines. Consider that in 2018 the average HIPAA fine was approximately $2.5 million, with Anthem, Inc being responsible for a $16 million fine alone.

The issues surrounding data and content compliance are complex, partly because the nature of data is ephemeral; compliance, as a discipline, likes things that are binary. An organization’s agility gives it operational advantages, but compliance standards are built for systems that are more static in nature. Managing compliance is stressful for IT teams, and performing the myriad tasks cannot be done manually. There simply aren’t enough people who have the right kind of visibility into content stored in various repositories across a company’s cloud and on-premises environments. These teams have to know, at all times who access files, changes to those files,  and the adherence (or lack of adherence) to corresponding compliance frameworks.

‍Automation reduces compliance complexity

‍When it comes to compliance adherence, it’s not simply the number of controls in the framework, because the numbers become exponential every time a new API connection is made, a user is added (or removed), or even every time a new file is added.  Every one of the items in a framework requires attention and evaluation, and it demands always-on scrutiny. It’s not possible for humans to provide the level of insight and analysis that is demanded, so organizations must apply automation to perform the heavy lifting required to effectively maintain compliance.

Automated, continuous monitoring is imperative for companies that depend on their critical content to make business decisions and conduct operations. With this approach, an organization has an always-on proactive approach to identifying and measuring.  It gives IT and governance teams actionable data about their content -- when it is at risk, how it’s being used, and ideally, insight into how it can be better protected.

‍Visibility is best delivered with a continuous approach

‍Companies cannot rely on a basic “pass/fail” report to determine where security and compliance gaps exist. In order to take necessary action to reduce risk and adhere to compliance controls, IT teams need visibility into how files are used and the users who are accessing them. Automation provides this and other necessary benefits, including:  

• Analytics and insights: Awareness and context is key to effectively managing compliance. Rules can be set up by IT teams to dictate acceptable content usage, collaboration, and management. Security teams can apply automation to identify and deliver insights about the specifics of those frameworks across every content repository.
• Scale: As organizations grow, they achieve an ever-increasing data footprint. That increases user activity and higher potential for compliance controls to be compromised. The only way to wrangle this growth is through compliance automation; any effort to do so otherwise will grow beyond manual capabilities.
• Cohort analysis: Content repositories can have hundreds of discrete entities performing exactly the same task. Workflows and business processes might send tasks to multiple identical repositories for the same content asset.  By aggregating files into a single source, teams can more easily identify who is working on which assets, and can track the resulting outcomes.
• Content baseline: Compliance automation is about understanding what constitutes acceptable behavior in the eyes of the framework. Use that within your monitoring so anomalies are detected based on their deviation from the baseline.
• Change detection: Once a policy has been updated, it also requires some form of codification of it. Change detection enables you to make note of it.

Content is dynamic and performs in an always-on manner. Mitigating risk and adhering to compliance standards can no longer work with a checklist and an internal team. Companies that aren’t applying automation as part of their compliance approach have only limited visibility and put their businesses at great potential risk. With an effective content services compliance strategy that uses automation, companies can cover and protect the data under their responsibility.

To learn more, check out the Egnyte Security Framework which explains how the Egnyte Platform weaves data governance and compliance into every layer of enterprise file sharing with behavioral anomaly detection to deter insider threats and compromised accounts, as well as signature-based and zero-day ransomware detection.