First in a series.
The need to comply with emerging government regulations is giving IT executives a reason to kick the tires on technologies they may not have otherwise considered -- and would have had a hard time getting budgeted -- just a few years ago.
For most IT environments, becoming compliant with the Sarbanes-Oxley Act (SOX) of 2002 and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 usually means setting up processes from scratch.
It may also mean building a federated policy management system that requires purchasing or evaluating still-evolving tools. Technologies range from configuration, identity and vulnerability management and privacy protection to public-key cryptography and single sign-on. Depending on the enterprise, compliance requires using some or all of these methods.
"For [SOX], we had to look at new change management and documentation practices we didn't have before," said Bill Randall, director of MIS infrastructure at Red Robin Gourmet Burgers Inc., in Greenwood Village, Colo. "We added a tool for reviewing logs and a tool for seeing how successful we were in getting our patches out."
And Ryan Hunter, senior technology consultant and data center manager at Watson Wyatt Worldwide, a financial consulting firm in Washington D.C., said his company was able to invest about $300,000 in configuration management software to help manage policy for data centers in four locations.
A longer shelf life than Y2K
Unlike the no-show Y2K computer bug that had a hard stop when the calendar page turned to Jan. 1, 2000, SOX, HIPAA and other government regulations involve far broader compliance issues and many incremental deadlines. The government doesn't offer advice on how to comply, of course. In some cases, it's hard to tell if a compliance strategy is successful unless a company participates in an audit.
For IT executives the job is never done. Businesses change, employees come and go and relationships between companies are constantly evolving. "IT executives always need to look at compliance as a process, not a project," said Michael Rasmussen, an analyst at Forrester Research Inc., a Cambridge, Mass., consulting firm.
But after several years of coping with tight budgets, SOX and HIPAA are helping IT managers get some dollars to shake loose. "IT shops are finding [that] a way to get a lot of things approved is by flying the flag of compliance," Rasmussen said. "For those who are politically savvy and know how to manipulate the process, this could be good for them. Of course, if people are being asked to do more with less, this is a significant challenge."
For software vendors, this is heaven. Companies that sell management, security and networking software all want a piece of the action. There is a huge range of emerging software that is now marketed as a tool for achieving compliance, said Scott Crawford, a security analyst at Enterprise Management Associates Inc., a Boulder, Colo., consulting firm. Such tools, he said, are being billed as a way to broaden management capabilities throughout an enterprise, as opposed to simply serving as a firewall or an intrusion detection system.
Plenty of compliance tools for sale
Today, users can buy tools to check a system so it doesn't drift out of compliance. For example, Configuresoft Inc., of Colorado Springs, Colo., makes software that it says measures regulatory requirements and can bring a system back to an audit-worthy state.
Another company, Palo Alto, Calif.-based Skybox Security Inc., provides some context to the management of vulnerabilities. For example, it may be useful to know if a particular Web server vulnerability is in the lab and not on a public server in the DMZ. "So much critical information is based on an awareness of the network infrastructure," Crawford said.
Perimeter protection is also big in any compliance strategy. Solsoft Inc., in Mountain View, Calif., sells a console that lets IT managers check out all their perimeter security devices from one site. Cupertino, Calif.-based ArcSight Inc. sells an enterprise security product that collects data from heterogeneous devices.
Small vendors such as ArcSight must make their pitch to IT executives alongside the traditional vendors, such as its Cupertino neighbor, security powerhouse Symantec Corp., which offers its own enterprise security policy manager. And management vendors such as NetIQ Corp., in San Jose, Calif., and Irvine, Calif.-based Quest Software Inc. build on Active Directory policy management.
NAP to come, NAC is here
Microsoft and Cisco Systems Inc. are building policy enforcement into their products on the network perimeter. For the Longhorn version of Windows, Microsoft is developing its Network Access Protection (NAP) technology that will be built into Windows Server. NAP checks security credentials between a system and a domain controller at login.
While Longhorn is still a few years away, Cisco is already a leader in perimeter security with its Network Admission Control (NAC) for routers and switches at the network layer. At RSA Conference 2005 in February, Cisco broadened the reach of its NAC program by releasing a handful of perimeter security technologies that fight network- and application-layer threats.
Confused? For many IT decision-makers, it's tough to know where to begin
"It's like anything else," said Rich Ptak, a consultant with Ptak, Noel & Associates, in Amherst, N.H. "You have to figure out what applies to you and where you are at risk, and then make an assessment of what your needs are."
The other side is balancing which processes should be manual and which should be automated. Ptak advises IT executives to automate as much as possible, because most of the testing is repetitive.
Some compliance work is already done
Not every IT manager believes you have to spend a lot on software or reinvent the guts of a corporate network to comply with regulatory rules. For some, it's a matter of documenting many of the procedures already in place, although this can be a challenging task in itself.
At Paxson Communications Corp., a West Palm Beach, Fla., cable television broadcasting company, IT executives recently added some change management software and set some new standards for their PC and Windows environments. "In the big iron [mainframe] days with the big IT shops, we had [stringent standards in place] because of all the developers and testers we used before going into production," said Scott Saunders, director of systems technology at Paxson.
"With the small PC and Windows environments, we have a lot of ad hoc and simple solutions that are undocumented," he said. "Now, everything that touches the financial system, even a patch, has to be documented."