Regulatory Compliance and Red Hat Security

Posted on June 26, 2019 by Elizabeth Mills

In today’s interconnected world, data security has never been more important. Virtually every industry, from healthcare to banking and everything in between, has rules for how businesses handle data. Failure to meet regulatory compliance spells serious trouble for your business. Depending on the severity of the infraction, you could end up with fines, loss of reputation/revenue, or jail time.

Fortunately, these consequences are avoidable with a few proactive steps. By training your IT staff to keep your systems secure, you can prevent harmful or costly data breaches.

Important Data Standards

There are two major data standards that organizations must be aware of when designing a security solution: the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). PCI DSS deals with credit card data, and HIPAA regulates the use of healthcare information. If your organization handles either of these sensitive data types, you must follow guidelines to keep your systems secure.

Each of these standards has its own lengthy list of administrative, physical, and technical requirements designed to protect client data. While their requirements differ slightly—and may change annually—both PCI DSS and HIPAA require organizations to build and maintain a secure network and systems using the following security measures:

  • System auditing
  • Access control
  • Security policies
  • Disk encryption
  • Compliance scanning

Understanding how to comply and implement safeguards is crucial for avoiding costly fines and maintaining your business’s reputation. The new Red Hat Certified Specialist in Security certification is designed to prepare IT staff to meet these challenges head-on. Here are a few steps you can take to meet regulatory compliance in your organization:

System Auditing

Tracking security events with an audit system is a crucial part of any security strategy. After all, you can’t mitigate threats you don’t know about.

To meet regulatory compliance, your organization needs an auditing process. You should be monitoring system calls or changes, commands users are running, and access to your files or network. The Linux Audit system is a great solution. It compares activity events to a set of rules to determine if a given event should be logged for review. It can also generate reports of logged events by date or by category, such as the number of failed logins for a given user.
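As an added illustration (not part of the original post, and not the Linux Audit tooling itself), the following Python example produces the kind of report described above: failed logins per account on a given date, computed from records in the audit.log layout. The sample records, account names and addresses are constructed, and dates are taken as UTC.

```python
import re
from collections import Counter
from datetime import date, datetime, timezone

# Constructed sample records in the audit.log layout (not from a real host).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1561543200.101:410): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1561543260.220:411): pid=2104 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1561543300.330:412): pid=2107 uid=0 auid=1000 ses=3 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1561543305.000:413): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="passwd_read"
type=USER_LOGIN msg=audit(1561546800.000:420): pid=2200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=737663206261636B7570 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.44 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1561597200.500:501): pid=3001 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
this line is truncated garbage
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")
ACCT = re.compile(r'\bacct=(?:"([^"]*)"|(\S+))')
RESULT = re.compile(r"\bres=(\w+)")

def parse_login(line):
    """Return (utc_date, account, result) for a USER_LOGIN record, else None."""
    head, acct, res = HEADER.match(line), ACCT.search(line), RESULT.search(line)
    if not (head and acct and res) or head.group(1) != "USER_LOGIN":
        return None
    name = acct.group(1)
    if name is None:  # auditd hex-encodes values with unsafe characters, unquoted
        try:
            name = bytes.fromhex(acct.group(2)).decode("utf-8", "replace")
        except ValueError:
            name = acct.group(2)  # plain unquoted value, keep as written
    day = datetime.fromtimestamp(int(head.group(2)), tz=timezone.utc).date()
    return day, name, res.group(1)

def failed_logins(log_text, day=None):
    """Count failed logins per account, optionally restricted to one UTC date."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_login(line)  # non-login and malformed lines yield None
        if rec and rec[2] == "failed" and (day is None or rec[0] == day):
            counts[rec[1]] += 1
    return counts

if __name__ == "__main__":
    for account, n in failed_logins(SAMPLE_LOG, date(2019, 6, 26)).most_common():
        print(f"{account}\t{n}")
```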

Access Controls and Policies

Setting appropriate access controls and policies is crucial for keeping systems secure from outside threats and preventing users from making accidental or unauthorized changes. Steps for system hardening include controlling SSH and root permissions, restricting USB devices, and enforcing password and account lockout policies.

In the SSH and sudo configuration files, set which users are allowed or denied access so that elevated permissions are restricted to authorized employees. Use a tool like USBGuard to blacklist and whitelist USB devices based on their attributes. Finally, use Pluggable Authentication Modules (PAM) to set password requirements and lock out users with too many failed logins.

Disk Encryption

Another important requirement of PCI DSS and HIPAA is encrypting data at rest. This ensures that old or lost devices containing sensitive data cannot be accessed by unauthorized parties.

Your security team can use the Linux Unified Key Setup (LUKS) to encrypt and decrypt physical disks to keep data secure when not in use.

Compliance Scanning

Because your systems are constantly being updated and reconfigured, it can be hard to know if you are still meeting compliance requirements. To stay compliant with PCI DSS and HIPAA, your organization must use a compliance scanning tool like OpenSCAP. This tool verifies that your systems follow the recommended security policies.

OpenSCAP shows, for example, that a firewall is installed and running and that the Telnet protocol is disabled. Additionally, the SCAP Workbench graphical utility performs configurations, scans local and remote hosts, creates reports, and even generates scripts to quickly fix issues.

Stay Compliant with Linux Academy

Looking for security training to keep your business compliant? Our brand new Red Hat Certified Specialist in Security (Exam EX415) Prep Course by Bob Salmans covers all of these topics and more. Bob has over 12 years of experience, knows the security industry inside and out, and is dedicated to sharing his expertise with other security specialists. Check out the course, and get in touch with Bob on LinkedIn or the #security channel of the Linux Academy Community Slack.

We look forward to training your team!
