Navigating the Landscape of Security Standards when Managing an Event Mesh
One blog post can’t turn you into a compliance professional – each standard is its own full-time job, with dozens of documents to maintain, audits to pass and people to influence. The goal here is to provide some key information on a few important compliance regimes that most organizations need to follow, framed from the perspective of those who manage event brokers and a global event mesh.
An event mesh is a network of interconnected event brokers that allows events and information to flow between decoupled publishers and subscribers (producers and consumers). With PubSub+ Event Broker serving as the bridge between systems, data flows efficiently and securely across the organization. That data is not only in motion: it is persisted in queues awaiting consumption and can land in dead message queues, which means it must be secured both at rest and in transit.
The Importance of Complying with Security Standards
Compliance takes the form of both systems and processes. It helps you ensure that sensitive data is protected, vulnerabilities are mitigated, and regulatory requirements are met. It also instills confidence in stakeholders, partners, and customers – confidence in the form of compliance documentation that your suppliers must provide to you, and that you in turn must provide to your customers and regulators.
Two metaphors come to mind here: house of cards, and leap of faith:
A House of Cards
Regarding the house of cards – your supplier has suppliers, and they have suppliers, and so on. You are building that house downward. And if you have customers and they have customers, and so on, then you are building that house upward. This exposes a huge attack surface and a lot of opportunities for weak links. It is why the supplier vetting process is so crucial and why documentation and audits exist. It is also why many organizations require commercial support for the open-source software they depend on – because without that support they are themselves responsible for maintaining it and ensuring that zero-day vulnerabilities get patched quickly.
Let me be clear here: in my opinion, it is at best a misconception and at worst simply unfair to assume open-source software is insecure in this day and age. However, without someone managing that technology inside an official process, it is a definite risk. Even widely used open-source software with strong governance can be compromised, as demonstrated by the XZ Utils backdoor (CVE-2024-3094) discovered in early 2024, which put Linux distributions and the entire community at increased risk.
What you want is for your house of cards to become a house of bricks – and this is the role of security compliance standards that are solid and well-considered.
A Leap of Faith
Even with documentation and audits, you have to trust that your suppliers are operating securely all the time. And since there are so many potential suppliers, it amounts to a lot of leaps off cliffs of unknown height. It is enough to keep a manager up at night.
So how do security and operations managers deal with this seemingly impossible task? It comes down to a change of language and mindset. You can never say, “we won’t get hacked”. All you can say is, “we have taken the risk mitigation steps needed to secure this particular system, proportionate to the sensitivity of the data it holds.” If that doesn’t let you sleep at night, then it may be time to find another job before the stress kills you, because the attackers aren’t going away any time soon.
How Solace Helps
When you work with Solace brokers, either as on-premises software or as a cloud service, you can have faith that your event-driven architecture (EDA) house is made of bricks. We maintain the full set of documentation and audit materials that you need for your RFP or compliance risk mitigation processes. Our security and compliance teams work full time across both the IT and development functions, and our customers hold us to a very high standard. If your organization prefers to manage its own event infrastructure for security, compliance, or competitive differentiation, you can know that Solace technology is built, and documented, with security in mind.
Some organizations prefer to outsource to cloud services and offload certain costs to the vendor. PubSub+ Cloud customers can use managed cloud brokers, where Solace maintains the necessary infrastructure, monitoring and security practices along with the compliance documentation to back them up – the key documents are published for those looking for the details.
Let’s look at a few critical standards to be listening for when talking to your security team or your suppliers.
ISO 27001: Safeguarding Information Security
ISO 27001 is an internationally recognized standard for information security management systems (ISMS). Middleware managers working with event brokers benefit from ISO 27001 compliance because it imposes a structured approach to identifying, managing, and mitigating security risks.
Key Aspects of ISO 27001 Compliance for Middleware Managers:
- Risk Assessment: Conduct a comprehensive risk assessment to identify vulnerabilities and threats in your middleware architecture. This includes evaluating the security of event brokers and their integration points (client connections, bridges between brokers, and management interfaces).
- Security Policies: Develop and implement information security policies that cover event broker configuration, access controls, encryption, and monitoring.
- Continuous Monitoring: Establish continuous monitoring mechanisms to detect and respond to security incidents in real time. Event brokers play a crucial role here because they deliver the logs, metrics and traces a modern security posture depends on.
- Documentation: Maintain detailed documentation of the security controls and procedures related to event broker management. The brokers can be either self-managed or cloud-vendor-managed – but the documentation still needs to rest within your organization.
- Auditing and Certification: Regularly undergo independent audits and seek ISO 27001 certification to demonstrate compliance with international security standards – and, through the compliance documentation you collect, ensure that your suppliers are also audited.
SOC (System and Organization Controls) Standards
SOC standards, developed by the American Institute of CPAs (AICPA), encompass a series of attestation reports that focus on various aspects of an organization’s controls, including security, availability, processing integrity, confidentiality, and privacy (the SOC 2 Trust Services Criteria). Middleware managers can leverage SOC reports to assess the security posture of their event broker providers.
Key Aspects of SOC Compliance for Middleware Managers:
- Review SOC Reports: Obtain and review SOC reports (e.g., SOC 2) from event broker providers to assess the effectiveness of their control environments. Prefer a SOC 2 Type II report, which attests that controls operated effectively over a period of months, over a Type I, which describes control design at a single point in time.
- Risk Management: Identify and mitigate risks associated with event brokers and their impact on the organization’s controls.
- Compliance Auditing: Conduct internal readiness reviews and engage an independent auditor for the SOC examination, especially when event brokers are critical to control processes.
- Data Handling: Ensure that event brokers handling sensitive data satisfy the SOC criteria for data protection and confidentiality.
- Incident Response: Align incident response processes with SOC requirements so that security incidents are addressed efficiently and the evidence auditors expect is retained.
HIPAA: Protecting Healthcare Data
Healthcare is a sector where far more attention is paid to the privacy of data than in most others, which is why almost everybody has heard of the Health Insurance Portability and Accountability Act (HIPAA). If you don’t deal in health information then you probably don’t care beyond your own personal experience, but although it is a US law, it serves as a useful benchmark around the world, by which I mean that if you can satisfy HIPAA you can probably meet the requirements of your local regulator (local laws such as the GDPR do add requirements of their own).
Even though Solace doesn’t deal directly in health information, it may pass through our products and certainly does pass through our cloud services when the customer deals in health information. As a result, we have run our systems through the relevant compliance assessments and can sign what is called a Business Associate Agreement, or BAA. A BAA is the contract HIPAA requires between a covered entity and any vendor that handles protected health information on its behalf; by signing it, we commit contractually to the safeguards and breach-notification obligations needed to mitigate risk to protected health information in the USA, and our compliance documentation is the evidence behind that commitment.
Key Aspects of HIPAA Compliance for Middleware Managers:
- Data Encryption: Ensure that event brokers encrypt electronic protected health information (ePHI) both in transit and at rest. Implement strong access controls and authentication mechanisms for clients and administrators alike.
- Auditing and Logging: Maintain detailed audit logs of all activities related to ePHI, including the ability to audit who has access to event broker systems and what they did with it.
- Business Associate Agreements (BAAs): If working with third-party event broker providers, establish BAAs to ensure they are also bound to the necessary safeguards.
- Incident Response: Develop a robust incident response plan that includes specific procedures for handling ePHI breaches involving event brokers.
- Employee Training: Train staff on HIPAA compliance, including the secure use of event brokers.
CSA: Cloud Security Alliance
The Cloud Security Alliance (CSA) provides guidelines and best practices for securing cloud services, including cloud-based middleware components. Solace has completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) v3.1, which offers an industry-accepted way to document which security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.
Key Aspects of CSA Compliance for Middleware Managers:
- Cloud Vendor Assessment: Evaluate cloud event broker providers against CSA’s Cloud Controls Matrix (CCM) to ensure they meet your security requirements.
- Data Security: Implement data classification and protection mechanisms, especially when handling sensitive data through cloud-based event brokers.
- Identity and Access Management (IAM): Use IAM controls to manage access to event brokers and other cloud resources, enforcing the principle of least privilege so that each client can only publish and subscribe to the topics and queues it actually needs.
- Compliance Auditing: Regularly assess and audit the cloud event broker environment for compliance with CSA best practices.
- Secure Integration: Implement secure APIs and ensure proper authentication and authorization when integrating with cloud-based event brokers.
Conclusion
For application architects defining the technology stack, and middleware managers operating it, event brokers play a pivotal role in ensuring the flow of events across an organization.
To thrive in today’s digital landscape, middleware managers must prioritize security and compliance with the relevant regulations and be able to trust providers like Solace – trust that is backed by documentation. By adhering to these standards and requiring proof of compliance, organizations can best protect sensitive data, enhance trust with stakeholders, and ultimately ensure the smooth operation of their middleware architecture.
In an ever-evolving threat landscape, the commitment to security standards compliance remains a cornerstone of effective middleware management.