Reconciling multiple regulatory schemes doesn't have to be as painful as it would seem, but is virtualization helping or not?
In many ways, compliance is the new security. It's a hot-button topic, it isn't going away anytime soon, and there are loads of consultants and vendors trying to make a buck off misunderstandings as well as actual needs, and if the customer can't tell the difference, so much the better. But how big a problem compliance represents for IT is another matter entirely. That's because IT is a discipline that rewards best practices in the first place. "What to do" is pretty well understood, while "how to do it" is what's debated.
Because good IT practitioners are already willing to put in a little extra effort to document and verify processes and tasks, they may assume that everything's OK until someone says otherwise. That's not necessarily the case, as I remember from my first audits as an IT manager. Compliance, and its relationship to governance and risk management, is better defined today than ever before, both for the business as a whole and for IT in particular.
Governance, risk management and compliance are often summed up under the "GRC" acronym. It's a useful umbrella term, because the three areas are closely related. Their interests intersect and overlap, and the simple fact is that compliance models are driven by the requirements of governance and risk management; as the attention given to specific concerns ebbs and flows over time, so will the demands placed on IT.
It's also important to remember that compliance isn't just a matter of hitting one set of marks. Depending on the nature of one's business, location and structure, there may be multiple layers of requirements that have to be met. Nevertheless, explained Gartner Vice President and Fellow French Caldwell, the reality is that by the point where these affect IT, they tend to harmonize with one another instead of clashing. As an example, he pointed to privacy laws, noting that even with the diversity of cultures and jurisdictions, these laws "all follow a common set of principles from which you can derive a standard set of controls." This extends into other areas as well, and it turns out that the result is beneficial for the business as a whole as well as for IT.
That's because in rationalizing controls, one is reducing the audit surface. Caldwell claimed that when organizations get serious about this, they can "reduce the number of controls by about 30 percent," meaning that they have that much less to audit and maintain, and that they reduce the actual cost of compliance by eliminating the overlap between the various compliance schemes.
One question that comes up is how IT compliance relates to the overall enterprise compliance effort. Forrester Research Senior Analyst Chris McClean believes that while "it's helpful to have them coordinated" in terms of remediation workflow, reporting, and even basic terminology, "there are so many different elements of IT risk versus enterprise risk (same [story] with compliance) that you need those subject matter experts to be within those different groups." In contrast, Caldwell of Gartner sees "an enterprise compliance program, and IT plays several roles within that program."
Compliance in a Box?
Although IT compliance isn't something one can simply buy, there are a number of vendors that offer ways to automate the implementation and verification of required practices. Caldwell argues that the main benefit of the enterprise-class GRC management tools is their enablement of this kind of rationalization of controls. As he put it, "you've got to get them off of spreadsheets and email... and onto a common set of records."
Some of the best of these tools, whether as stand-alone packages or integrated with larger enterprise management software, are based on the Unified Compliance Framework (UCF), a joint venture of the Latham & Watkins law firm and the Network Frontiers consultancy.
The UCF is based on the analysis of what are called "authority documents" in the form of audit guidelines, contractual obligations, laws, standards and similar instructions or mandates. According to the venture's Website, more than 700 of these have been distilled into the current version of the framework. These include the biggest names in compliance and governance frameworks, such as ISO 9000, ITIL, Six Sigma and Carnegie-Mellon's behemoth Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), as well as another dozen or more major contributors to the discipline, including national and international standards and
An obvious advantage of any canned compliance solution when compared to the homegrown approach is that in the former case, the heavy lifting required to reconcile seemingly contradictory requirements is already done. The downside, as Caldwell pointed out, was that providers might not respond as quickly to changes in regulations as one might need. After all, "my software didn't tell me this was wrong" is only a slight improvement over "the dog ate my homework." Of course, any supplied compliance management system is going to require some tweaking to meet local requirements or to implement recent changes in regulations.
Fortunately, IT compliance tools may not be as much of a burden to deploy as one might think. Compliance tools that use the UCF as a foundation can take the form of a managed software-as-a-service (SaaS) deployment as well as stand-alone software. For organizations invested in an existing enterprise management system, Caldwell said, the tools may simply take the form of an add-on. "It used to be that you didn't have any choice but to put the pieces together," he added, "but we now see the large ERP vendors like SAP and Oracle, and some of the business analytics vendors like IBM and SAS, trying to provide one-stop shopping."
Challenges for IT
Yet enterprise suites don't do a very good job of addressing some of the most important measurements of compliance: those associated with the hardware side of IT, Caldwell pointed out. "Where they fall short is in monitoring IT infrastructure. They can monitor IT at the application level... but as far as automated monitoring of server configuration, controls [and] vulnerability, they don't have that
The drive for compliance is taking place at the same time businesses are finishing the most dramatic shift in IT since the shift to client-server processing. Virtualization may simplify physical infrastructure by offering host consolidation and improved manageability, but it also adds a layer of complexity to determining whether a given system is in compliance. So-called compliance tools for virtualization are for now more about configuration compliance than anything else; they aren't any more capable of examining how a virtualized machine and its software are being used than a hardware manufacturer's server management tools are.
We're still a few years away from packages that can look at application-level compliance and hardware-level compliance with equal grace, Caldwell said. "IBM is probably the closest to closing that gap," thanks to its in-house experience with systems management, by way of its Tivoli product line.
In essence, the question "How do we get compliant?" has to be answered with another question: "How do you use IT?" On the one hand, if you're on the edge of the technology curve and an early adopter of new technologies, there's a decent chance that you have your work cut out for you. On the other, if your organization makes use of well-developed ecosystems, such as what one sees in a mature ERP deployment, one can expect to find the hooks needed to implement a compliance tool that is designed to mesh with the rest of the software stack.