Guardian and Compliance: The Security Stack
At Guardian IT Solutions, we spend a lot of time thinking about how to best and most accurately address data security and compliance, for every potential model (examples could be HIPAA/HITECH, EU Safe Harbor, PCI, Sarbanes Oxley, FedRAMP/FISMA, FDA, SSAE16 on the physical layer, etc.). The way Guardian provides services to market is as a solutions aggregator. That is, we choose and combine Best-in-Class solutions to protect the customer’s data (as well as online security and safety) and to increase overall performance – all while saving on cost. We can best explain it this way:
The Physical Layer (Data Center/CoLo Hosting Provider) –
Our data center partners are all SSAE16 compliant and hold the corresponding certifications. It’s important to note that this certification is specific to the physical layer: it does not guarantee the security of the compute environment, but it does guarantee that defined processes are in place for the hosting piece. Which hosting partner we recommend to a customer depends on a few factors (location, performance, gear or application requirements); however, we can provide that certification on demand once the details are worked out.
The Compliance Metric (per the various models mentioned in the above paragraph) –
Guardian recommends a Best-in-Class business risk intelligence solution, which identifies and manages disparate risk silos across global enterprise networks and automates governance, risk and compliance (IT GRC) management processes. With our Business Risk Intelligence engine, the solutions and CISO reporting tools provide the customer with heat maps and compliance assessment reports that reveal a comprehensive, immediate and intuitive picture of their organizations’ security and compliance risk posture. Put simply: every compliance model has similarities and differences. And each specific customer stack will need, necessarily, to be measured and vetted to ensure compliance with their particular industry model. A FedRAMP or HIPAA certification is not like a fishing license, in that one cannot certify a stack to be compliant on its own (without the customer’s applications and data already in the stack). What’s more important is that the customer’s IT stack is not only right (with regard to compliance in the associated model), but that the data (the company’s IP, customer/student/patient records, corporate documents, etc.) is safe.
Making the Data Safe –
Our solution proactively protects data at the byte level, from the inside out. We use AES256 (Advanced Encryption Standard with a 256-bit key length) to protect customer data. The files are kept securely on servers hosted in the world-class data centers of our partners. In fact, the data is stored in multiple copies to ensure resilience. It cannot be lost. It is protected using Data-Centric Security, which in very simple terms shreds the data. These pieces cannot be put back together again until they are called up. Even if an attacker were able to compromise a server the data is stored on, all they would see is unrecognizable digital confetti.
Managing the Continuing Threat (Operationalized Threat Intelligence) –
Our service is a highly effective, proactive security solution that blocks advanced threats. It delivers up-to-the-minute protection against malware, DDoS and other advanced attacks, and enhances the customer’s existing security posture by improving the effectiveness of firewalls, IDS/IPS, routers, switches, endpoint and other security tools. The service protects the network and devices by automatically delivering best-in-class threat intelligence to the customer’s perimeter security devices, including firewalls, routers and switches. As a cloud-based service, it is easy to deploy and manage, and does not require upgrades to the customer’s infrastructure or new hardware. Once deployed, the service provides immediate relief by deflecting attacks and unwanted or malicious traffic.
It’s important to Guardian IT Solutions that everything, and anything, we offer can and will make the customer safer. It’s possible to be in compliance and still be compromised. It’s also possible to ensure the safety of data by simply turning off the machines (though that makes doing business harder). Our methodology is to provide solid hosting, compliance and verification, to ensure data security and safety, and to manage the continuing threat of a compromise. All the main points of any compliance model (logs, reporting, data retention models, etc.) are well understood by our team and our partners. It’s the detail around understanding and protecting the customer stack that makes all the difference between a “check the box” model (which may or may not work, but you’ll know in either case immediately) and a comprehensive, managed model.
We are at your service. Let’s talk.