Storage Magazine - UK
  ALL AT SEA …on a raft of rules and regulations

From STORAGE Magazine Vol 7, Issue 6 - September 2007

Compliance is a tricky issue and there are no quick fixes, as editor Brian Wall reports

The thing about compliance, as the word implies, is that you don't have much choice but to … well, comply. Most technology is presented in such a way that the promise of rich rewards for those that implement is the primary message. The return on investment, the lowering of costs and a string of business benefits are all up there in bright lights.

With compliance, the starting point is 'do it - or else'. Yes, of course there are many positives from implementing it. But you can't quite get away from that sense of doom and gloom that hangs over everything, like a bad smell. First, there is the raft of legislation around this thorny topic, governing the way that data has to be retained and retrieved - and to this more and more planks are constantly being added.

Achieving compliance, therefore, necessarily introduces many new operating practices around how information is handled, protected, retained, secured, and made available and searchable. It means implementing the appropriate systems - and finding the right hardware and software to make it happen - to ensure your business is not only complying, but continuing to compete effectively in its particular market.

Addressing compliance challenges with Information Technology has previously required compromise, either in terms of increased cost or increased risk. However, with new levels of maturity not only in IT hardware and software but also in operational services, compliance can simply be a side-benefit of a healthy IT governance policy.

"One long-term impact of regulatory compliance will be the challenge of creating an IT infrastructure that can be responsive to specific current and future regulatory requirements," says Gavin McLaughlin, solutions development manager, Sun Microsystems UK & Ireland. "The idea, therefore, is to create a compliance-ready infrastructure. By taking this approach, IT planning and development can commence without the need for a detailed analysis of the compliance requirements.

"There are a number of issues that must be addressed when creating a compliance-ready infrastructure and many of these are unique for each company, depending upon the nature of their business. Such issues include central information store strategy, an information lifecycle strategy, business continuance strategy, indexing and retrieval requirements, media storage life, scalability and user access requirements."

Today, a compliance-ready infrastructure might be a destination too distant for many organisations, but there are approaches by vendors that can ease the journey. "One such approach is the 'compliance appliance' model," suggests McLaughlin - the benefit of being able to adhere to regulations without significantly impacting operating costs, by adding technology quickly and economically.

"As an example, Sun Microsystems designed the Secure Data Retrieval Server (SDRS) appliance as an end-to-end 'plug-and-comply' appliance solution. The first development of SDRS sees a combination of the disruptive technology found in the X4500 data server and CopperEye's Live Archive indexing software. SDRS addresses not only the secure retention and life cycle of communications data (as required in the EU directive that affects all communication service providers), but also the business processes by which this data is rapidly retrieved and securely disclosed."

Further versions of the SDRS appliance will, he adds, see the product tuned to other vertical markets' regulatory compliance challenges, as well as to file-based indexing applications.

Customers are recognising the value of this new approach too. Gareth Niblett, head of information security, Kingston Communications, comments: "Due to the appliance approach adopted by Sun and CopperEye, and its price/performance, we have been able to implement a fully resilient solution, co-located at two geographically separated data centres, along with a significantly expanded storage capacity. This would not have been economical with alternative approaches. We are achieving this with minimal modification to our vital business systems, reducing distraction from our core business objectives and minimising additional project risks in meeting our obligations."

WIDER IMPLICATIONS
According to James Kirkland, technical sales manager, EMEA, CA, addressing the issue of compliance is not solely an IT problem. It's a concern that affects the business across all departments and levels, and keeping on top of it can be a huge task. Many enterprise companies have got dedicated compliance teams just to keep up with the requirements from all the differing sets of regulations.

"The best way for businesses to manage the risk of regulatory compliance is for there to be a mechanism to allow the compliance department and IT to work closely together," Kirkland says, "but this is surprisingly uncommon. Without clear and in-depth understanding of the requirements, it is common for all information and data to be kept - creating its own storage problems."

The difficulty is that this approach commonly results in the retention of data that shouldn't be retained, which can be even more damaging than deleting it. It is also unfair to lay the complete burden of information storage at the door of IT when there is a huge amount of physical information in existence, he adds. This has to be accounted for and regulated in accordance with the same guidelines as soft data.

"The creation of a very clear retention and discovery process, and policies, is crucial to help IT know what is required and what isn't, which takes away the burden of responsibility and, importantly, minimises the risk that the company is exposed to.

"It is important to look at how data is stored and certainly using an open format is something that CA advocates. But this is very much the second stage. A clear retention policy outlining how long a record is stored for, what it's used for, how it's stored, etc., is the first stage. And understanding this without involvement from the business is typically where problems and risk increase."

The other thing to be wary of, in terms of implementing such a policy, is how it fits in with content management solutions, he stresses. "Such systems are good at what they do. But, when used as a central repository for managing a retention policy, companies run into problems. Incorporating a searchable email archive, for instance, will cause the whole thing to grind to a halt and that's before you try and tackle the issue of including physical information. A federated approach can get round this problem by using meta-data in a central repository."

Customers also need to think carefully about ways of preserving data in an accessible and readable format for many years. While at a high level this seems intuitive, at a technical level this is a much bigger challenge, involving global standards and raging debates, says Ivan Fernandes, senior manager - financial services vertical, global industries group, EMC.

"Paper and microfiche are analogue, stable and readable many years after they were created. Electronic data might not be accessible, if the access programmes, operating system or chip designs change, or if the storage media degrades. To properly address risk management and compliance, a strong consideration must be given to the vendor being selected and format for the data preservation.

"As a result of the 'dot com' bubble, many customers were running applications and infrastructure from firms that were no longer in business. In early 2000, there were many business applications being run on the applications and infrastructure of those small/out-of-business firms. However, there wasn't a tremendous amount of data being maintained in electronic format as records, because companies and the courts had not yet adopted electronic records as a format for compliance.

"Therefore, while there was a challenge for migrating business applications off of these platforms, there wasn't a records management disaster," he points out. "Had there been widespread records management adoption by customers on the platforms and infrastructure of those particular firms, customers would have been forced to support code bases and technology products many years into the future just to access corporate records. With that in mind, viability of the vendor needs to be considered to remove the burden of support and maintenance from the customer to the vendor."

The second consideration is the format of the data being preserved. While today many applications do not support a standards-based archive, many customers are asking for just such an archive. "Customers want a format-neutral way of archiving data, so they are not locked into a database schema, application interface or vendor to access their data years down the road after the application has been removed from the corporate servers," adds Fernandes.

"Today, customers are doing several things; one involves archiving the code base to access the data. If it is an application, a server environment or a business intelligence interface, customers are creating virtual runtime environments that contain all of the needed applications and access information they can then archive until that virtual environment needs to be loaded up onto a server to run again to access the data.

"The other major activity for customers is archiving data in XML and/or PDF-A. Either format contains self-describing ways of accessing, and still maintaining information about, the data that can then be used to leverage that data in the future."

Recent Gartner research* shows that, by the end of 2008, more than 40% of enterprises will implement four or more of the eight basic IT GRCM (governance, risk and compliance management) functions. The eight core functions are:

• Controls and policy mapping
• Policy distribution and attestation
• IT control self-assessment and measurement
• GRC asset repository
• Automated general computer control collection
• Remediation and exception management
• Basic compliance reporting
• Advanced IT risk evaluation and compliance dashboarding

Ruth Bowen, head of EMEA compliance team, Symantec, believes key capabilities among these are policy management, IT controls assessment, and compliance reporting. "Policies must be developed, based on risk evaluation of critical IT assets and processes, then published to the appropriate audiences and acceptances, and exceptions tracked. Policies should then be mapped to control frameworks, such as ISO17799 and COBIT, which are often recommended to support compliance to external regulations and internal IT best practices.

"Frequent IT audits carried out on the basis of both technical and procedural (non-IT) controls assessment against policies help identify necessary corrective actions to reduce IT risk. In addition, data collected from these audits is held in an evidence repository, providing reporting that allows the organisation to prove compliance to their multiple mandates. Compliance dashboarding provides compliance and risk management information to inform business decisions."

Automating this policy compliance process is key for organisations to achieve operational efficiencies and repeatability. Bowen believes this can be achieved through comprehensive policy compliance management tools, such as the Symantec Control Compliance Suite.

"Real-time monitoring through SIEM solutions, such as Symantec Security Information Manager, allows the effectiveness of the controls to be proven on an ongoing basis. Using the approach described above, an automated policy compliance process specifically can reduce the time to demonstrate and manage storage compliance requirements. For example, after determining that email communications are critical data that must be stored, data retention policies should be established to help IT manage and demonstrate compliance. Data retention policies should be published to key stakeholders and any acceptances and exceptions noted."

On a frequent basis, automated IT audits would be conducted to ensure that executive email is stored in accordance with data retention policies, she suggests. Any deficiencies detected, such as non-compliance by a particular business unit, would be managed through an integrated workflow system. "IT policy compliance automation constitutes a key part of an organisation's governance and risk management strategy, reducing cost and complexity while demonstrating high standards of best practice and effective measurement of compliance with internal and external mandates."
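The audit step Bowen describes, checking stored records against a published retention policy and grouping any deficiencies by business unit, is the kind of check that can be scripted. The following Python is an added example written for this article; it is not Symantec's code or any product's API. The policy table, record schema and sample records are constructed for illustration, and it flags both failure modes the article raises: records deleted before their retention window ends, and records kept beyond it (the over-retention Kirkland warns about earlier in the piece).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention policy: record class -> number of days the record
# must be kept. These values are constructed for the example and do not
# reflect any particular regulation.
RETENTION_POLICY_DAYS = {
    "executive_email": 7 * 365,
    "general_email": 365,
}


@dataclass
class Record:
    """One archived item as an audit would see it (assumed schema)."""
    record_id: str
    business_unit: str
    record_class: str
    created: date
    in_archive: bool  # True if the archive still holds the record


def retention_deadline(rec, policy=RETENTION_POLICY_DAYS):
    """Date until which the record must be retained under the policy."""
    return rec.created + timedelta(days=policy[rec.record_class])


def audit(records, as_of, policy=RETENTION_POLICY_DAYS):
    """Return {business_unit: [(record_id, deficiency), ...]}.

    Deficiencies reported:
      deleted_early  - record is still inside its retention window but is
                       missing from the archive
      over_retained  - record is past its retention window but still kept
      unclassified   - record class has no policy entry, so compliance
                       cannot be demonstrated for it at all
    Compliant records produce no entry, so an empty dict means a clean audit.
    """
    findings = defaultdict(list)
    for rec in records:
        if rec.record_class not in policy:
            findings[rec.business_unit].append((rec.record_id, "unclassified"))
            continue
        deadline = retention_deadline(rec, policy)
        if as_of <= deadline and not rec.in_archive:
            findings[rec.business_unit].append((rec.record_id, "deleted_early"))
        elif as_of > deadline and rec.in_archive:
            findings[rec.business_unit].append((rec.record_id, "over_retained"))
    return dict(findings)


def units_out_of_compliance(findings):
    """Business units with at least one deficiency, sorted for reporting."""
    return sorted(findings)


# Constructed sample archive inventory for a single audit run.
SAMPLE_RECORDS = [
    Record("r1", "finance", "executive_email", date(2005, 1, 1), True),
    Record("r2", "finance", "executive_email", date(2005, 1, 1), False),
    Record("r3", "sales", "general_email", date(2005, 6, 1), True),
    Record("r4", "sales", "general_email", date(2007, 1, 1), True),
    Record("r5", "hr", "scanned_contract", date(2006, 3, 1), True),
]

if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS, as_of=date(2007, 9, 1))
    for unit in units_out_of_compliance(result):
        for record_id, deficiency in result[unit]:
            print(f"{unit}: {record_id} {deficiency}")
```

In a real deployment the record list would come from the archive's own inventory export rather than a literal, and each finding would be handed to the workflow system as a ticket against the responsible business unit; the logic of the check itself does not change.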

It is not uncommon to hear companies complain about the many burdens being placed on them to meet increasingly strict compliance obligations, many of which are justified and understandable. "The additional business overhead of compliance can be substantial and expensive," says Steve Tongish, director of marketing (EMEA) at Plasmon. This is particularly true in the US where government regulations mandate long-term document retention for many businesses, with fines and possible jail sentences for those that do not comply.

"This has been such a concern for some public companies in the US that they have actually privatised their businesses to avoid the compliance burden, and some European companies have chosen to discontinue trading with the US to distance themselves from the long arm of US regulation," adds Tongish. "However, compliance can also be seen as a benefit to business, if viewed in a different light. The reason compliance applies such a tremendous burden on some organisations is because they do not properly classify and manage their data.

"Day-to-day business and financial pressures have instilled a very short-term approach to IT problem-solving. Storage capacity within the network has been allowed to grow and backup windows increase with no real regard for the actual data being stored. There is often a major disconnect between the user of the data and the IT team that manages the storage resource. This approach is a recipe for bad governance and excessive business risk," he warns.

Any IT organisation that is disconnected from the priorities and operations of the business, and driven by stop-gap decisions, will find it exceedingly difficult to address the compliance challenge. "Meeting compliance obligations requires a systemic change in business and IT philosophy from short-term tactics to longer-term strategies. Demands for compliance can actually be a very good thing, to the extent that they compel organisations to properly categorise and manage their data and to make IT decisions against the backdrop of decades, rather than months."

There are specific software and hardware products that can aid a company in its march on the road to regulatory compliance, he adds, but first and foremost is a corporate commitment and long-term business philosophy that will define success.

"A structured environment that understands the value of data and manages it in accordance with good governance over the long-term is already halfway home. This approach also has business benefits far beyond compliance. It has sustainability that can reduce corporate risk, optimise the use of storage infrastructure and enable access to corporate assets in a way that serves the fundamental objectives of the business."

©2006 Business and Technical Communications Ltd. All rights reserved.