Reducing the Cost of Compliance

Reconciling multiple regulatory schemes doesn't have to be as painful as it would seem, but is virtualization helping or not?

In many ways, compliance is the new security. It's a hot-button topic, it isn't going away anytime soon, and there are loads of consultants and vendors trying to make a buck off misunderstandings as well as actual needs, and if the customer can't tell the difference, so much the better. But how big of a problem compliance represents for IT is another matter entirely. That's because IT is a discipline that rewards best practices in the first place. "What to do" is pretty well understood, while "how to do it" is what's debated.

Because good IT practitioners are already willing to put in a little extra effort to document and verify processes and tasks, they may assume that everything's OK until someone says otherwise. That's not necessarily the case, as I remember from my first audits as an IT manager. Compliance-and its relationship to governance and risk management-is better defined today than ever before, both for the business as a whole as well as for IT in particular.

Governance, risk management and compliance are often summed up under the "GRC" acronym. It's a useful umbrella term, because the three areas are closely related. Their interests intersect and overlap, and the simple fact is that compliance models are driven by the requirements of governance and risk management, and as the attention given to specific concerns will ebb and flow over time, so will the demands placed on IT.

It's also important to remember that compliance isn't just a matter of hitting one set of marks. Depending on the nature of one's business, location and structure, there may be multiple layers of requirements that have to be met. Nevertheless, explained Gartner Vice President and fellow French Caldwell, the reality is that by the point where these affect IT, they tend to harmonize with one another instead of clashing. As an example, he pointed to privacy laws, noting that even with the diversity of cultures and jurisdictions, these laws "all follow a common set of principles from which you can derive a standard set of controls." This extends into other areas as well, and it turns out that the result is beneficial for the business as a whole as well as IT.

That's because in rationalizing controls, one is reducing the audit surface. Caldwell claimed that when organizations get serious about this, they can "reduce the number of controls by about 30 percent, " meaning that they have that much less to audit and maintain, and reducing the actual cost of compliance by eliminating the overlap between various compliance schemes.

One question that comes up is how IT compliance relates to the overall enterprise compliance effort. Forrester Research Senior Analyst Chris McClean believes that while "it's helpful to have them coordinated" in terms of remediation workflow, reporting, and even basic terminology, "there are so many different elements of IT risk versus enterprise risk-same [story] with compliance-that you need those subject matter experts to be within those different groups." In contrast, Caldwell of Gartner sees "an enterprise compliance program, and IT plays several roles within that program."

Compliance in a Box?

Although IT compliance isn't something one can simply buy, there are a number of vendors that offer ways to automate the implementation and verification of required practices. Caldwell argues that the main benefit of the enterprise-class GRC management tools is their enablement of this kind of rationalization of controls. As he put it, "you've got to get them off of spreadsheets and email... and onto a common set of records."

Some of the best of these tools, whether as stand-alone packages or integrated with larger enterprise management software, are based on the Unified Compliance Framework (UCF), a joint venture of the Latham & Watkins law firm and the Network Frontiers consultancy.

The UCF is based on the analysis of what are called "authority documents" in the form of audit guidelines, contractual obligations, laws, standards and similar instructions or mandates. According to the venture's Website, more than 700 of these have been distilled into the current version of the framework. These include the biggest names in compliance and governance frameworks, such as ISO 9000, ITIL, Six Sigma and Carnegie-Mellon's behemoth Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), as well as another dozen or more major contributors to the discipline, including national and international standards and professional practices.

An obvious advantage of any canned compliance solution when compared to the homegrown approach is that in the former case, the heavy lifting required to reconcile seemingly contradictory requirements is already done. The downside, as Caldwell pointed out, was that providers might not respond as quickly to changes in regulations as one might need. After all, "my software didn't tell me this was wrong" is only a slight improvement over "the dog ate my homework." Of course, any supplied compliance management system is going to require some tweaking to meet local requirements or to implement recent changes in regulations.

Fortunately, IT compliance tools may not be as much of a burden to deploy as one might think. Compliance tools that use the UCF as a foundation can take the form of a managed software-as-a-service (SaaS) deployment as well as stand-alone software. For organizations invested in an existing enterprise management system, Caldwell said, the tools may simply take the form of an add-on. "It used to be that you didn't have any choice but to put the pieces together," he added, "but we now see the large ERP vendors like SAP and Oracle, and some of the business analytics vendors like IBM and SAS, trying to provide one-stop shopping."

Challenges for IT

Yet enterprise suites don't do a very good job of addressing some of the most important measurements of compliance-those associated with the hardware side of IT, Caldwell pointed out. "Where they fall short is in monitoring IT infrastructure. They can monitor IT at the application level... but as far as automated monitoring of server configuration, controls [and] vulnerability, they don't have that capability."

The drive for compliance is taking place at the same time businesses are finishing the most dramatic shift in IT since the shift to client-server processing. Virtualization may simplify physical infrastructure by offering host consolidation and improved manageability, but it also adds a layer of complexity to determining whether a given system is in compliance. So-called compliance tools for virtualization are for now more about configuration compliance than anything else; they aren't any more capable of examining how a virtualized machine and its software are being used than a hardware manufacturer's server management tools are.

We're still a few years away from packages that can look at application-level compliance and hardware-level compliance with equal grace, Caldwell said. "IBM is probably the closest to closing that gap," thanks to its in-house experience with systems management, by way of its Tivoli product line.

In essence, the answer to the question "How do we get compliant?" has to be answered with a question: "How do you use IT?" On the one hand, if you're on the edge of the technology curve and an early adopter of new technologies, there's a decent chance that you have your work cut out for you. On the other, if your organization makes use of well-developed ecosystems-such as what one sees in a mature ERP deployment-one can expect to find the hooks needed to implement a compliance tool that is designed to mesh with the rest of the software stack.