“Whats our compliance strategy?”
Pretty much every worker in technology management has probably heard some version of this question in the last few years. From the Sarbanes-Oxley Act to the Health Insurance Portability and Accountability Act to industry-specific regulations to security best practices to internal corporate governance issues, every single company has to deal with compliance in one way or another.
But how did you and your IT co-workers handle that question about the companys compliance strategy? Did you decide to build internal applications and processes to address your compliance needs? Or did you go out and buy enterprise software solutions specifically designed to handle compliance?
The option to buy a “compliance solution” can be a very attractive one. After all, there are plenty of large software vendors out there peddling products designed to ease your compliance woes. And pretty much every major analyst company has released charts and studies showing the leading vendors in regulatory compliance.
And, face it: In many businesses, there can be a lot of pressure to have a dedicated product to handle a major problem. When it came to enterprise security, for example, lots of companies succumbed to the attraction of big single-box security solutions, so why not do the same for compliance? These kinds of products make it much easier to answer that lead-off question: “Our compliance strategy is based on Acme Softwares Compliance-o-Matic.”
But in the same way that single-product security solutions couldnt address the complex and widespread issues they were up against—not to mention that they became a single point of failure—compliance isnt something that can or should be handled with one product.
When it comes to security, every IT manager worth his or her salt knows that each level of the IT stack needs security measures in place—from the network to the servers to the applications to the user systems to the access control procedures. Compliance requires much the same.
In fact, eWEEK Labs has seen key compliance capabilities in nearly every product weve tested in the last few years. Conversely, weve seen many products labeled with the word “compliance.” These products proved to be effective tools for helping to manage regulatory issues, but, in all cases, every so-called dedicated compliance product weve tested was actually just something else (a security scanner, document management system, storage management application, reporting tool and so on) rebranded with compliance in the name and with additional features added to boost its compliance capabilities.
In fact, eWEEK Labs contends that the makings for a robust compliance management platform are right at most IT managers fingertips (see chart, Page 33).
Strong reporting is a must for any product that touches a compliance area, but reporting tools alone are only part of the process. Document management and enterprise rights management systems not only provide reporting on how documents are being routed and used in a business but also can be used to make sure that content never ends up in the wrong hands.
Powerful ILM (information lifecycle management) and CAS (content-addressed storage) systems make sure that regulated data can be easily tracked and managed throughout the storage infrastructure. Identity management products control who can access what and who has been accessing what. And security scanning tools let administrators know where their security infrastructure fails to meet industry standards and regulations.
So when that question about your company compliance strategy comes up, we offer another response to the standard build-or-buy answer based on our testing: “Were leveraging the compliance capabilities in the applications and systems that our organization already has in place.”
An even more important part of that answer should be: “Were making sure that new products and upgrades that are added to our infrastructure have strong compliance capabilities that will meet the specific needs of our business.”
Following, we break down several areas in which compliance capabilities should be a key factor when choosing a solution for your business, and we make recommendations for how to best leverage existing solutions to meet various regulatory mandates.
When it comes to compliance, no other technology area is more important than storage. To a large degree, all your companys compliance initiatives rely on the capabilities of your storage infrastructure.
In fact, if you went back through all eWEEK Labs storage software reviews from the last few years, youd see that most of them could be easily co-branded as compliance reviews: From archiving tools to ILM to our recent look at CAS, dealing with compliance is always a core evaluation benchmark for storage.
This, of course, makes sense. Many regulatory compliance requirements deal with what data is saved, how to find and retrieve that data, and how to make sure that the data hasnt been altered or tampered with. Like enterprise content management, storage management systems aid compliance simply by providing their standard functionality.
Next Page: Systems for managing compliance.
Systems for Managing Compliance
A key factor in many of these products is in their integration with the other compliance-oriented products that rely on them, which is probably why weve seen partnerships and even mergers and acquisitions in many of these areas (such as EMCs acquisition of Documentum).
To a large degree, many of the regulatory requirements that companies must adhere to break down to management and tracking of key corporate documents and records. Given this, its no surprise that products that deal with document, content and rights management play a big role when it comes to dealing with compliance.
The main goal of an enterprise content management solution is to effectively manage and track the creation, sharing and archiving of documents and content within an organization. By the very nature of their design, enterprise content management solutions are effective tools for handling compliance issues, even if they have no specific built-in features for compliance.
Of course, enterprise content management vendors have been listening to their customers and have added plenty of features and custom modules to help companies manage compliance issues within a content management framework. In fact, one of the first dedicated SarbOx applications that we looked at—OpenPages SOX Express—was essentially built on a document management model.
As enterprise content management has increased in profile in recent years, its applicability to compliance issues has only increased. Indeed, the increased integration of business process management products and capabilities within enterprise content management platforms has made it possible to enforce compliance requirements not only on documents but also on the actual business flows that create them.
As in many other product areas that touch on compliance, enterprise and document management products often will include templates or modules to help businesses deal with a specific compliance area. In our experience, these templates vary in their ability to be applied out of the box, but they do tend to serve as a good starting point in developing your own policies.
Weve noted that solutions from major enterprise content management players such as EMC Documentum, FileNet and OpenText tend to provide lots of compliance-related capabilities. However, lower-end systems, such as the Xythos Document Management suite that we reviewed last year, will also aid in compliance.
In addition, rights management systems such as Adobe Systems LiveCycle and Microsofts RMS (Rights Management Services) make it possible to apply fine-grained controls over access to documents.
E-Mail and Collaboration Management
As many companies have found to their dismay, not all vital corporate communications are done in documents and forms. When it comes to many government regulations, one of the main danger points is in the company e-mail system.
A good e-mail management and security platform can go a long way toward limiting the likelihood of a compliance violation through an errant or a malicious e-mail. Along with the ability to stop spam and viruses, many e-mail security platforms include the ability to scan e-mail for specific content—content that your company may not want to go to the outside world.
E-mail management systems can be easily geared to work with both industry and government regulations, as well as with a companys own governance initiatives. These tools let businesses track e-mail messages, see what is being circulated both internally and externally, and even prevent messages with certain words or attachments from being sent externally.
Any good e-mail management and security system will provide content-level controls over outgoing e-mail, but two of the best that weve seen in recent years are SendMail Mailstream Content Manager (an eWEEK Excellence Awards winner) and Orchestria Active Policy Management (an eWEEK Labs Analysts Choice). Both products give messaging administrators and compliance personnel the tools to ensure that workers are adhering to company communications policies.
ID Management and Authentication
One of the scariest elements of regulatory compliance for many companies is when auditors show up to check on procedures and security. Having to walk auditors through a complex authentication, system-security and password-management protocol is the very definition of a bad day for any administrator.
Next Page: Assuring secure compliance.
Assuring Secure Compliance
A good identity management and authentication system can make this procedure much less painful and time-consuming. Strong authentication and identity management systems provide a high level of assurance that only authorized people have access to vital company resources. These systems also can tell who has accessed what and when. This information can be vital when dealing with any compliance issue.
One way to ensure strong access control is to leverage two-factor authentication. When you think authentication, you tend to think RSA—and rightly so, as RSAs Sign-On Manager has performed well in our tests. Another product that has performed well in this area is Courions Enterprise Provisioning Suite, which provides enterprise-class controls over user access and passwords.
Security and Vulnerability Scanners
Its true that businesses should follow good practices and procedures to maintain strong security—not just to comply with an industry or a government regulation—but these security guidelines also provide a good base line for knowing how your company is doing when it comes to meeting requirements to lock down vital networks, systems and applications.
Compliance-aware tools that scan for holes and vulnerabilities in everything from Web applications to servers to entire company networks should offer a comprehensive collection of canned reports to help administrators detect if their implementations are meeting certain requirements.
Nowadays, you would have to look pretty hard to find a security scanning product that didnt provide lots of canned compliance reports. Most important, though, is to make sure the product you are using or evaluating can effectively scan the things you need to protect.
Products such as Hercules Citadel can check networks and systems for potential compliance-breaking holes, for example, while quality assurance scanners such as those from Watchfire and SPI can help find holes in Web applications before they go live.
Systems and Network Management
Like security tools, systems and network management tools offer compliance assistance through their ability to create custom reports on how a corporate infrastructure is meeting certain regulations and requirements.
As our recent reviews of event log managers such as Quest Softwares InTrust 9.0 and configuration management products such as Configuresofts ECM (Enterprise Configuration Manager) 4.8 have shown, these tools provide a good real-time look at how an IT infrastructure is complying with a variety of regulations: They make it possible to track servers, systems and networks to detect when and why changes and failures occur on systems.
Also like security tools, systems and network management applications often include prebuilt reports and modules for tracking compliance with specific regulations and procedures. Configuresoft, for example, makes available no-cost compliance tool kits for many financial, health care and security guidelines with its Enterprise Configuration Manager solution.
Technology Editor Jim Rapoza can be reached at [email protected]
Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.