Tech Analysis: The means for meeting regulations is as near as your IT stack.
"Whats our compliance strategy?"
Pretty much every worker in technology management has probably heard some version of this question in the last few years. From the Sarbanes-Oxley Act to the Health Insurance Portability and Accountability Act to industry-specific regulations to security best practices to internal corporate governance issues, every single company has to deal with compliance in one way or another.
But how did you and your IT co-workers handle that question about the companys compliance strategy? Did you decide to build internal applications and processes to address your compliance needs? Or did you go out and buy enterprise software solutions specifically designed to handle compliance?
The option to buy a "compliance solution" can be a very attractive one. After all, there are plenty of large software vendors out there peddling products designed to ease your compliance woes. And pretty much every major analyst company has released charts and studies showing the leading vendors in regulatory compliance.
And, face it: In many businesses, there can be a lot of pressure to have a dedicated product to handle a major problem. When it came to enterprise security, for example, lots of companies succumbed to the attraction of big single-box security solutions, so why not do the same for compliance? These kinds of products make it much easier to answer that lead-off question: "Our compliance strategy is based on Acme Softwares Compliance-o-Matic."
But in the same way that single-product security solutions couldnt address the complex and widespread issues they were up against—not to mention that they became a single point of failure—compliance isnt something that can or should be handled with one product.
When it comes to security, every IT manager worth his or her salt knows that each level of the IT stack needs security measures in place—from the network to the servers to the applications to the user systems to the access control procedures. Compliance requires much the same.
In fact, eWEEK Labs has seen key compliance capabilities in nearly every product weve tested in the last few years. Conversely, weve seen many products labeled with the word "compliance." These products proved to be effective tools for helping to manage regulatory issues, but, in all cases, every so-called dedicated compliance product weve tested was actually just something else (a security scanner, document management system, storage management application, reporting tool and so on) rebranded with compliance in the name and with additional features added to boost its compliance capabilities.
In fact, eWEEK Labs contends that the makings for a robust compliance management platform are right at most IT managers fingertips (see chart, Page 33).
Strong reporting is a must for any product that touches a compliance area, but reporting tools alone are only part of the process. Document management and enterprise rights management systems not only provide reporting on how documents are being routed and used in a business but also can be used to make sure that content never ends up in the wrong hands.
Powerful ILM (information lifecycle management) and CAS (content-addressed storage) systems make sure that regulated data can be easily tracked and managed throughout the storage infrastructure. Identity management products control who can access what and who has been accessing what. And security scanning tools let administrators know where their security infrastructure fails to meet industry standards and regulations.
So when that question about your company compliance strategy comes up, we offer another response to the standard build-or-buy answer based on our testing: "Were leveraging the compliance capabilities in the applications and systems that our organization already has in place."
An even more important part of that answer should be: "Were making sure that new products and upgrades that are added to our infrastructure have strong compliance capabilities that will meet the specific needs of our business."
Following, we break down several areas in which compliance capabilities should be a key factor when choosing a solution for your business, and we make recommendations for how to best leverage existing solutions to meet various regulatory mandates.
When it comes to compliance, no other technology area is more important than storage. To a large degree, all your companys compliance initiatives rely on the capabilities of your storage infrastructure.
In fact, if you went back through all eWEEK Labs storage software reviews from the last few years, youd see that most of them could be easily co-branded as compliance reviews: From archiving tools to ILM to our recent look at CAS, dealing with compliance is always a core evaluation benchmark for storage.
This, of course, makes sense. Many regulatory compliance requirements deal with what data is saved, how to find and retrieve that data, and how to make sure that the data hasnt been altered or tampered with. Like enterprise content management, storage management systems aid compliance simply by providing their standard functionality.
Systems for managing compliance.