Nightmare? Or dream come true?


The Compliance Engine Enters The Technology Arena

"With the growing cost of compliance exceeding $3 billion, companies are searching for a resource management solution that can facilitate the compliance process. Companies are identifying how these new regulations will change their storage requirements," writes Dave Crocker, president of NTP Software.


A pacing question is whether compliance--with this imposing array of laws--can be automated, and to what extent. To address this question, Computer Technology Review interviewed two experts in the area.

Troy Toman

Kazeon Systems
"I don't think that you can make compliance automatic."


Is the "compliance engine" real, imaginary--or a combination of both?

I don't think that you can make compliance automatic. But I draw a distinction between "automatic" and "automated." There are things you can do to automate compliance processes, but you will always have some level of human involvement in the process of compliance. If you don't, you are probably defeating the purpose of compliance to begin with. With all the types of data and information that people have, there is always going to have to be some human judgment in the system. The question is: "Can you build enough automated tools to enable people to keep up with the volume?"

What elements are not subjectable to automation?

Whenever you are looking at information and understanding intent, then you need to have some judgment in the process. So, I might be able to identify the criteria of the kinds of documents that warrant inspection or might be outside of my governance policy, but the likelihood that I'm going to do that with zero false positives based on looking at how technology has evolved to this point is unlikely to be there in the future and the automation process will occur over time. So initially there will be heavy human involvement. The customers that we talk to, for instance, when they start wanting to move files around or copy them in bulk--and certainly when they delete files--everybody that I know wants to have a human involved in those decisions. What you want to do is sort it down to where people are looking at a very small number of files relative to the whole universe. What an automated engine might determine as a piece of personal, private information under HIPAA may, upon the review of an individual, not violate the standard at all.

Is it possible, over time, that these systems will learn more and the processes will become more and more automated? I think that is likely what will happen; but not immediately; certainly not in the next 12 to 24 months.

If so much of the compliance process is judgment dependent, and not dictated by the statute or a published interpretation, is it possible to automate any of it at all?

There are things that you can begin to automate. Just the process of identifying potential documents that are in violation or may be subject to compliance rules. If you are a large financial institution that is starting to create a billion e-mails a year, you are going to need some kind of automated process under which you are culling the more obvious things that either need to be regulated or are outside of regulation. If you look at a lot of these statutes, they don't actually call for everything to be 100% accurate or bulletproof. They call for some kind of reasonable process to be in place over time. You have to have automation to deal with the volume of information out there. But it will be some time before the legal process and the regulatory process will say that pure automation--without human oversight--will be adequate. If you look, for example, at the [SEC] 17a-4 environment, not only is there regulation around what needs to be saved and what is to be retained over time, they do call for supervisors to look at a percentage of the communications traffic in person. There are, then, actual spot checks built into some of the regulations. While you can have tools that make sure that you're tracking that review activity, you certainly can't supplant it with a fully automated process.

At this point in time, considering the need for human intervention, are the storage technologies trustworthy within your definition?

I think everyone out there who is building solutions aims for them to be trustworthy. But I don't know any customer who is going to take a vendor's statement at face value without doing some of their own validations. Are we trying to build trustworthy solutions? Absolutely. However, I believe most of these solutions are software-based, and I don't think that anyone has ever developed a bug-free or perfect software system. So some level of testing and oversight will continue to be required. More advanced tools will make it easy for people to have a level of check pointing and process checking.

Any other thoughts?

The companies themselves are sorting out the ways to manage all this. They can't be expected to buy a black box that you will flip on and you will suddenly be compliant. I think and hope that some time down the road we will get there, but for the next 2 to 4 years we will be in a period of great experimentation. Users will need solutions that are flexible and vendors that are practical in what they tell you they can or can't do.

Troy Toman is vice-president of marketing at Kazeon Systems. Troy brings 17 years of experience in search and storage infrastructure software to Kazeon (Mountain View, CA).


www.kazeon.com

Rob Peglar

Xiotech Corporation
"I think today there are some capabilities that do exist."


Is the "compliance engine" real, a fantasy--or somewhere in between?

Currently, I think it is somewhere in between. There are interesting companies that are developing software around the notions of file systems and structure additional attributes, or metadata, around compliance. The attributes could include retention periods, classification of files for certain types of data ... value of data, for example in different categories or classes. There is also some kind of what I call "poor man's compliance" techniques that are available and can be done with a little operating systems work and some scripts. Some solutions make use of a read-only file system or other mechanisms built in to help the process. The darker half is that, on a file-by-file basis, because of the file systems that are built into today's OS (such as NTFS) there isn't a real good mechanism to classify files down to the level that compliance would require.

What areas of compliance can be automated today--here and now?

I think today there are some capabilities that do exist. There is some scripting that can be done on a site-by-site or a case-by-case basis. I don't think we've quite reached the Holy Grail of a completely automated engine that would allow you to throw a file into a "compliance bucket" or compliance share without doing some background checking to see what actually can be done when the file reaches the OS level. Some companies are trying to completely encapsulate a file within their own database and just use block storage to hold the actual bytes that a file would contain and completely go around the traditional file systems built into OS today. These solutions tend to be more proprietary; you can't use existing file systems or existing mechanisms for the creation of data and putting that into a file format that the system would understand.

The more standard operation would be to write creative scripting that would let the operating system do its job in terms of trying to move these files around within tiered storage.

How do you successfully get past the OS weaknesses?

The OS has to be as generic as possible, but you're going to see extensions that begin to help the process, and there are proprietary solutions out right now. But new extensions are likely to be 2 to 4 years out because there is so much data stored on existing file systems right now. The extensions would have to get in and people would have to get used to using them. Some companies are working hard on it on the OS side. They've got some good ideas, and they would be wise to follow the DMF vision as that starts to come out.

Many storage vendors have identified regulatory compliance as a driver for new revenue. They claim that their software or their hybrid solution is the one to bring compliance into manageability. Are they overstating this? Are we still far from that point?

It's not far away in terms of point products. There are point products out there today that can help do all of this. But more overall solutions are still a year or two out, I think, so solutions are in the realm of point products.

What problems do these "point products" solve?

Several areas right now. One is authentication. When data is introduced and a file is created, the generator and successive readers have to be authenticated. There are a lot of compliance regulatory bodies looking at that. It's an enhanced audit trail really: Who is reading the file? Who created it? Where was it placed? Was the user authorized to put it there? The point products do a very good job of doing that.

Authorization is another. The checking of security controls--answering the question not who are you but are you authorized to do this? Some products are handling the problem of encryption of the data automatically, based on policy. So, other products are addressing immediately whether a file that's created is treated as a normal file to be indexed, or a file immediately on the WORM media. [Editor's Note: SEC Section 17 specifically designates unalterable media. No other major regulation in the United States is so specific.] In other words, on the very first write it could be instructed to be put immediately on WORM media instead of on disk, for example.

Other more generic attributes that these products deliver, such as authentication, encryption, tagging data for retention periods ... another important area is retention policy. Individual files can be placed under the policy or not, as the administrator or the creator of the file chooses.

As more becomes automated, there will be a temptation to invest now. What is the danger of vendor lock-in?

There is a significant danger of vendor lock-in. The more automated a solution you can obtain today, in general, the more proprietary the mechanism is to achieve that automation. Two years from now, when the DMF works through its vision, there will be DMF models and much more specific use cases around compliance in conjunction with ILM. That's going to be a lot easier.

Rob Peglar is vice president for technical solutions at Xiotech Corp. A regular contributor to CTR, Rob spearheads technical innovations for Xiotech (Eden Prairie, MN).


www.xiotech.com
COPYRIGHT 2005 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication: Computer Technology Review
Date: Feb 1, 2005
Words: 1826