Simplify Compliance Management with New Features in Cybersecurity Solution

Companies can leverage a centralized, easy-to-understand tool to align with compliance standards.

July 12, 2019, DES MOINES, IA – Trility® Consulting has launched two new features to the IronBench Compliance Navigator™ product built to enable centralized management and reporting of your organization’s alignment to standards. The Trility team originally set out to simplify how their own teams understand, implement, manage and audit today’s information security/regulatory compliance requirements while building solutions for their clients. The result of this effort rendered a number of new software products including IronBench Compliance Navigator. 

IronBench Compliance Navigator

“Our IronBench Compliance Navigator product targets organizations that want a simple, light-weight and centralized method of managing their organization’s compliance efforts without the complexity and cost many folks experience today. People want the flexibility to handle multiple standards, audits, projects and teams at the same time, understand at a glance where risk exposures exist and to know that as people come and go, data and history will not be lost because a spreadsheet left with the last exiting team member,” says Matthew Edwards, CEO of Trility.

…data and history will not be lost because a spreadsheet left with the last exiting team member.

“We’ve seen the plight of the information security folks who get left behind learning about projects, risks and issues in arrears. We’ve seen amazing people doing amazing things to keep up and ensure their organization is prepared for the next audit or attack. We think it should be easier. That’s why we built IronBench Compliance Navigator.” 

What’s does IronBench Compliance Navigator offer?

  • The California Consumer Privacy Act (CCPA) module shows companies what is required of them to meet California’s new consumer protection law and provides an intuitive, centralized method of managing and reporting your company’s status against this law today and into the future. Take a 1-minute, free assessment to determine if this law impacts your company. If it does, the CCPA module within IronBench Compliance Navigator helps you manage your ongoing compliance requirements in a simple, easy-to-understand manner today and into the future.
  • The Payment Card Industry Data Security Standard (PCI DSS) module shows companies what is required of them to meet today’s payment card industry requirements in an intuitive, centralized method of management and reporting. If your company accepts credit cards as a form of payment, you are expected to evidence compliance regularly. This module helps companies understand what is required, as well as helps manage your organization’s on-going compliance status in a low-friction, easy-to-use experience year after year.
  • The NIST Cybersecurity Framework (NIST CSF) module shows, in everyday language and concepts, private sector companies what is recommended in order to prevent, detect and respond to cyber incidents in today’s critical technology infrastructure. If you are looking for a centralized, easy-to-understand and use method of aligning your organization to the NIST-CSF, this module will guide you through the material and enables you to manage your organization’s alignment as your company, your industry and as the standard itself changes through the years.

    To get started, you can also take a free Maturity Assessment to understand where your organization is along the path to alignment with the NIST CSF. 

IronBench Compliance Navigator guides you through the process of identifying which standards apply to you, where your organization is strong and where it needs work, as well as helps you identify possible solutions to increase your preparedness along the way. Customer benefits include:

  • Track all compliance requirements, risks and responses in one secure location that’s accessible to all of your teams anytime, anywhere
  • Track your organization against multiple standards at the same time, in the same tool, year after year – change history included
  • Stay on top of new regulatory compliance standards in the marketplace, as well as changes to existing standards against which you currently manage your organization
    Delegate responsibility to others to acquire answers instead of having to personally perform each and every step manually

Create a free account to view the available tools in the IronBench Cybersecurity Suite and purchase only the ones relevant to your organization. If you’re interested in a white-label solution or an enterprise version of this tool that meets your specific needs, contact us

The IronBench Cybersecurity Suite of tools, as well as all associated patents and trademarks, are wholly-owned by IronBench LLC. IronBench and Trility Consulting, as well as all associated patents and trademarks, are wholly-owned subsidiaries of Trility Group Holdings, Inc. Trility provides strategic management consulting, digital transformation expertise and advanced technical solutions for forward-thinking global businesses.

Pack Line Cloud Security

Basketball season is in full swing. I have been lucky for the last seven years to coach different levels of basketball ranging from Youth teams through the local High School team. Coaching continues to be a rewarding experience and many of the lessons I have learned working with athletes and other coaches apply directly to my work with product teams. It doesn’t matter how much you work to perfect your craft, be it system architecture or coaching a team of 5th grade athletes, there are always new challenges to tackle. A core tenant of sports is continuous improvement which should be applied to everything we do with technology. No one starts playing basketball ready to play in the pros, but everyone has it in them to be successful. It takes a tremendous amount of practice, a dedication to learning new things from others, and celebrating the little victories along the journey.

It is not surprising there are so many different Cloud Security analogies available on the Internet. Cloud Security is a difficult concept to describe given the wide range or tools, services, and seemingly infinite combinations organizations can utilize to solve business problems. If you are a fan of basketball, using different defensive schemes is a great way to describe different views on Cloud Security processes. In all cases, the goal is to prevent the offense, or in this case bad actors, from scoring while providing dynamic responses to a constantly changing product architecture and threat landscape. Typical Cloud Security frameworks today can be compared to two classic defenses: man-to-man and zone.

Man-to-Man

Man-to-Man Cloud Security involves security controls developed around individual services of products. Each control is focused on denying the service from sending or receiving information to other services in the system and aggressively focusing on protecting a single service. Firewalls, both web application and network, focus on denying traffic to block bad actors from easily accessing services. Logging and application specific analytics can be used to build a profile of a service and alert when the service profile is not followed. The disadvantage with man-to-man Cloud Security is in its aggressive focus on the individual service and a lack of real understanding of the big picture. There is a general lack of information on what other services are doing and because of this, any weakness in the focus on a single service can lead to breakdown of the security in general and, in basketball terms, an easy lay-up.

2-3 Zone

Zone Cloud Security primarily revolves around the frameworks in place for infrastructure deployed to support a wide variety of services. We still see organizations bringing the rigid security frameworks utilized for years in brick and mortar data centers and trying to apply them to Cloud Security. Deployed like a 2-3 zone in basketball, the defensive posture is to watch a specific area of the infrastructure and report back to a central service for monitoring and support. As information travels through the zone, communication is critical to ensure nothing gets lost in the shuffle. Each position in the zone is devoted to a specific task supporting a number of different services including both perimeter and core defense. The disadvantage with any zone defense is the gaps and in the public cloud space, gaps are appearing every day.

Server-less architectures are an exciting approach to utilizing the true power of elastic capacity while providing developers easier and easier ways to deploy features to production environments. However, in reducing the amount of infrastructure under direct monitoring the threat surface area is increasing at an equal rate. As any basketball coach will tell you, the easiest way to defeat a zone defense is by moving the ball and attacking the gaps in the zone. Another easy lay-up.

Trility takes a different approach to Cloud Security: the pack line.

Pack-Line

Pack Line Defense, created by Dick Bennett of Wisconsin-Stevens Point, is commonly used in some form by many coaches including Tom Izzo at Michigan State and Tony Bennett at Virginia. It is a variation of man-to-man defense with the biggest difference being off-ball defenders play in the gap instead of pressuring their player and denying the pass. Everyone except the player guarding the ball plays inside an imaginary line 16 feet from the rim also known as the pack line. As the ball moves around the perimeter, it is the responsibility of each defender to close out on the ball and aggressively pressure while the remaining defenders adjust their position accordingly to see both man and ball and prepare to help their teammates – 5 against the ball.

Cloud Security is everyone’s responsibility and while we are aggressively providing man-to-man defense on the active products, the rest of the team is continuously adjusting to find and fill gaps in the defensive strategy. We react to changing conditions and close out on threats while keeping business goals front of mind. 

The ephemeral and elastic nature of the public cloud along with software defined infrastructure and platforms provide an opportunity for service specific architectures. Trility utilizes two patent pending tools to help provide high quality customized security for cloud services: IronBench Compliance Navigator  and IronBench Cloud Config.

IronBench Compliance Navigator empowers organizations to develop highly customized compliance guidelines for products and services. Throughout the product lifecycle, IronBench Compliance Navigator uses standards and regulatory information updated as regulatory compliance laws and standards change to provide a solid foundation for product development teams.

IronBench Cloud Config is an enterprise framework and provides the source code for the entire implementation. Product teams can utilize a customizable secure framework based on industry standards and practices on which to build secure supporting infrastructure. Compliance Navigator helps you aggressively challenge the ball handler while Cloud Config supports the team by helping them adjust to changing product needs efficiently and securely working from a library of standards based templates.

No easy lay-ups.

Don’t Forget the “V” in MVP

Security, operational readiness, reproducibility, and scalability are all important parts of any product, which helps validate the viability of a product. Unfortunately, in the race to production these items fall by the wayside and show up on the backlog.

Securely develop products

Minimum Viable Product, or MVP, is a common term used by business leaders and product owners to help drive quick, iterative, product development to get products released to market faster. The goal is to release just those core features necessary to put the product in front of customers to learn about customer needs and validate assumptions prior to larger investments in a new product. Release quickly, release often, and adjust the product based on feedback from customers.

Product teams today do a great job of focusing on the M, Minimal. Constantly asking the team and business stakeholders when new feature requests are made, “Is this a requirement for MVP?”, helps prioritize development efforts and keep the team focused on making a timely and relevant release. Business stakeholders on a regular basis can see the features being developed during frequent demos and can provide direct feedback which goes back through the same intake process grounded by the same question focused on releasing the MVP. When the cycle is managed by a proactive Product Owner, it can be an extremely efficient way to get ideas from a napkin at lunch to a product in front of customers.

Where Product teams struggle is with making sure the V, Viable, is taken into consideration as a team. Security, operational readiness, reproducibility, and scalability are all important parts of any product which helps validate the viability of a product. Unfortunately, in the race to production these items fall by the wayside and show up on the backlog. When the team does release the product and receive customer feedback, they’re often stuck in a challenging position of either picking up the items in the backlog tagged as After MVP or continuing to refine the product to keep customers engaged. As it should, the focus remains on the customer and meeting the business objectives for the product. The weight of the backlog eventually causes cracks in the team, cracks in the product, and a new round of questions for business stakeholders to consider regarding whether to refactor, rewrite, or sometimes, a new MVP to fix the problems from the previous MVP.

Continuous Integration, Continuous Deployment, Security by Design, Test Driven Development, Performance Testing, Infrastructure as Code – these are all terms many development teams are familiar with and actively promote inside organizations today. However, many of these items are the first things added to the backlog during MVP development when teams are racing against the clock. We need to do a better job as Engineers communicating to business stakeholders that each of these items are individually, and collectively, an important part of making a product viable.

We can still meet the needs of a minimal product by constraining the conversation in each case to the product being developed. The product may not have a need to support a thousand requests a second for the MVP, but we should ensure performance testing frameworks are in place and exercise the product on a regular basis so issues can be discovered early and often during the development process. The product may only require a small amount of simple infrastructure to be deployed to support the MVP, but the infrastructure should be built and deployed in code alongside the rest of the product so as needs change the foundation is already in place to support rapid growth. The product may not have a requirement to support a security standard for the MVP, but the application should be built following a set of standard security practices and validated regularly with automated testing to support a growing customer base. 

Viable – the ability to work successfully and securely.

Product teams need to ensure when MVP is defined, the product’s ability to work successfully after release is front and center during the development process. Minimal helps you get to the first release; Viable ensures you make it to the second.

Iowa start-up launches new product!

ShowPal, a Des Moines, Iowa based start-up founded by Chad Torstenson, recently launched its first product named ShowPal ID!

ShowPal ID, the first of multiple products and services planned by ShowPal’s CEO, is designed to enable increased safety for Realtors as they meet and interact with clients who often are not personally known to them.  ShowPal ID performs on-the-go identity verification of homebuyers on behalf of real estate agents in advance of engaging with a client so that all parties know who is involved before they meet for the first time.

“Every year real estate professionals are placed in harms way by individuals fraudulently posing as a prospective client.  The statistics of crimes committed against Realtor’s such as robbery, physical assault, sexual assault and homicide are staggering. We intend to change that,” says Torstenson. 

In order to accomplish the goal of building software solutions for the Realty industry, ShowPal engaged Trility Consulting, also of Des Moines, Iowa, to help design, build and deliver a cloud-based software solution that seeks to address a very important problem in today’s real estate marketplace — the safety of Realtors and Buyers.

Trility Consulting focuses on helping companies adopt, build and operate in secure enterprise cloud frameworks so companies can focus on serving customers.

Visit ShowPal’s site! Or stay in touch with them on Twitter  and Facebook!

Update: In the true spirit of a start-up’s need to test, learn and refactor, ShowPal published and tested ShowPal ID and determined that while an important problem to solve, this product doesn’t meet ShowPal’s own requirements for viability. Resultantly, this product has been put to sleep with the potential of re-launching in the future if and when it makes sense. It is hard to build and deliver product.

 

 

We are Trility Consulting!

Hello and welcome to Trility Consulting!

We are a people-first, full-spectrum solutions company focused on helping our customers and partners enjoy success with today’s digital transformation needs. From cloud adoption, migration, implementation and evolution to multi-level continuous cyber-security solutions and full-spectrum application and systems development, our focus is understanding your needs, providing you multiple options and implementing solutions that constantly enable the ability to change as your needs change.

Our team is comprised of people who value relationships, have a history of delivering on commitment, are life-long learners and enjoy being involved anywhere and everywhere in the product solution life-cycle — from the initial “here’s my idea” conversations at a coffee shop on a napkin to production implementation, support and evolution.

And we’ve been around. Collectively we’ve worked in cellular telecommunications infrastructure, financial, health, agriculture, cable, insurance, real estate, residential and commercial security, embedded, non-governmental organization, federal, state, internet of/connected things, lots of cloud, continuous flow-based delivery mechanisms and so on.

We’re available to help you define and refine opportunities, discover solution options and directions, coach, collaborate, lead, develop and deliver on your needs now.  If you’re considering cloud adoption or migration, wondering how cloud changes cyber-security needs or wanting to build software for the cloud, get in touch with us. We’re ready.