Demystifying Compliance
Topics: Compliance, Homepage
Today I gave a talk at the Interop Data Center Summit happening during the Interop conference this week in Las Vegas. The talk was titled Demystifying Compliance. The goal was to dissect what compliance regulations and mandates mean for the future of IT. It was well attended with roughly 375 people. Thanks to Andreas and Johna from Nemertes Research for inviting me to speak.
Interop was kind of a strange but interesting place to be talking about compliance. It’s traditionally a very networking-focused conference. Interop has its roots in proving interoperability of various vendors’ technologies. Three days before the start of the show more than 40 vendors build a network from scratch. It’s sort of a living laboratory of networking technologies — wireless, wired, security, management, etc.
But Interop has been growing up. The conference went through a “survival time” with the boom and bust of the networking market over the past few years. Now it’s leaner and meaner but healthy enough to start exploring things “up the stack” including security and yes, compliance.
Turns out not many people that attend Interop know much about compliance. I wasn’t even sure if they’d be interested : ) So I started out by trying to identify the top myths we get bombarded with about compliance and exploring what the heck compliance really is and why IT people, and networking folks in particular, should care.
Myth #1: Compliance equals regulations with specific actions.
False. The reality is that most regulations have fuzzy or no detail about IT implementation. The dirty little secret of compliance is that auditors are getting rich off each new mandate. Since most mandates are not prescriptive at all, they require complex interpretation for every business. Auditors can be finicky, too: what worked this year or this quarter won’t necessarily work next year or next quarter.
Myth #2: Compliance is an IT security issue.
False. Most mandates are just as concerned with the integrity and availability of IT systems. Security, it turns out, is only part of what compliance mandate interpretation means for IT. In fact, mandates like SOX often place a much larger burden on IT operations because of the increased dependency on things like effective root cause analysis.
Myth #3: I have to store my original IT data for seven years.
False. Very few mandates specify data retention times. It used to be considered plausible to delete all your data after some period of time. Frank Quattrone and CSFB proved that theory wrong when the former investment banker was confronted with evidence of allegedly incriminating emails in a widely publicized series of trials. The bank’s policy was that all emails were deleted after 30 days and thus they could not produce materials for trial. Unfortunately, those pesky emails always have a way of showing up cached on another server or laptop somewhere. But the question remains: how long should I keep my data? Since mandates don’t spell out specific retention times and you can’t keep everything forever, what do you do?
Myth #4: A canned set of reports will make me compliant.
False. See Myth #1. The regulations almost never list a specific report.
Myth #5: I need to buy a commercial solution to be compliant.
False. Vendors don’t have any special insight into what will make you compliant. In fact, the reports that vendors supply are typically developed by some junior product manager, sitting in a cubicle, trying to interpret what a mandate might mean for your industry and company. Needless to say, the auditors (internal and external) won’t sign off on that. How could they? They wouldn’t get paid!
What is compliance?
So if these are the myths, what is compliance? The interpretation of any set of compliance mandates really involves adhering to all standards, policies and regulations applying to a given organization in a given industry. Compliance is really an overlay to IT security, IT operations, HR, finance or any other business function. It is not a separate function in and of itself.
Compliance is usually driven by external laws and regulations (SOX, for example) and by internal policies, often built on frameworks such as ITIL. Every business process in a mature organization has some compliance dimension.
Compliance is on the IT agenda largely because of a wave of accounting scandals exposing a lack of internal controls — Enron, Tyco and Andersen started a tidal wave of backlash for more checks and balances. More recently the perceived threat of electronic sabotage to critical infrastructures has lots of IT people thinking about compliance. A piece in the Washington Post, for example, pointed out how many times a day hackers slip past security measures and break into the national energy grid. Scary stuff.
But there have also been a number of well-publicized incidents involving the theft of information and identities: 45.7M credit and debit card numbers stolen from TJX; the personal data of 145,000 consumers purchased from ChoicePoint by some 50 fraudulent companies; AT&T’s online store web site hacked and credit card information for up to 19,000 customers stolen.
Of course the continued expansion of IT into every aspect of corporate, public and private life means our exposure to being ripped off, and the number of compliance attempts to control the situation, will only grow.
Why do companies care about compliance?
Because newer legislation and regulations with real teeth are now being put into law, companies are starting to really care about compliance. The Payment Card Industry Data Security Standard (PCI DSS) includes the possibility of fines of up to $500k per incident and possible termination as a merchant, meaning you can no longer accept Visa or MasterCard. CA SB 1386 forces disclosure of possible security breaches and identity theft to each affected individual, including notification by mail to every consumer impacted. And of course the lawyers are not asleep. Negligence lawsuits are now starting to set a higher standard for “duty of care.” A number of US banks are suing TJX over the costs they’ve incurred, and the courts appear to be very eager to hear the arguments.
There are all kinds of things driving compliance initiatives including:
- Controlling overall corporate risk
- Protecting customer/consumer/employee privacy
- Protecting trade secrets
- Controlling unauthorized use of IT resources
- Avoiding liability due to employee misbehavior
- Winning lawsuits using electronic evidence
- Ensuring fairness in financial markets
- Servicing discovery requests by law enforcement
- Protecting government classified information
Why is compliance painful?
The primary reason compliance is so difficult is that no one seems to have a clear picture of what it means. Inconsistent interpretation by different auditors and regulators creates constant confusion. Escalating enforcement (what worked last year won’t work this year) means it is always a moving target. The only real solution is to understand the spirit of the mandates that apply to your industry and company, and then be able to demonstrate to an auditor that you are living up to it.
Just be very careful, because vendors of everything IT are claiming they address compliance requirements. It’s no wonder customers purchasing compliance solutions are confused.
What does compliance mean for IT?
I’d like to find time to explore later what compliance means for IT - formulating some recipes for understanding different mandates (prescriptive and non-prescriptive) - but here are a few of the basic things compliance will probably require IT to do.
- Provide reporting on IT data as proof of compliance controls.
- Protect IT data against modification or deletion and provide audit trails.
- Review systems day to day to compare actual behavior against policy.
- Monitor network devices, servers, applications and transactions for risks.
- Perform root cause investigations.
- Service electronic discovery requests by law enforcement.
- Conduct HR investigations of employee activity.
- Enable ad-hoc access to IT data by compliance personnel.
Compliance means access to data from applications, servers, network devices — anything in the data center.
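Of the items above, the one that most often trips people up in practice is “protect IT data against modification or deletion and provide audit trails”: a log that the same administrator can silently edit or truncate is not evidence an auditor will accept. The following is an added example, not code from the talk or from any product, of one way to make an audit trail tamper-evident. Each entry carries an HMAC over its sequence number, the previous entry’s hash and the record itself, so editing, deleting or reordering an entry breaks the chain, and a checkpoint hash recorded out of band (for instance printed to a WORM store or handed to the auditor) catches truncation of the tail. The key name, the verifier key, the event records and the `demo` scenarios are all constructed for illustration.

```python
"""Tamper-evident audit log: HMAC-chained entries plus an external checkpoint.
Added illustration; the key, events and scenario names are constructed."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(key: bytes, seq: int, prev: str, record: Dict) -> str:
    """HMAC over (sequence number, previous hash, canonical JSON of the record).
    The key is held by the verifier, not the logging host, so a host that is
    compromised later cannot recompute the chain after rewriting history."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    payload = f"{seq}\n{prev}\n{canonical}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: List[Dict], key: bytes, record: Dict) -> Dict:
    """Append one record; each entry commits to its predecessor's hash."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _digest(key, seq, prev, record)}
    log.append(entry)
    return entry


def verify(log: List[Dict], key: bytes, checkpoint: Optional[str] = None) -> Optional[str]:
    """Return None if the log is intact, otherwise describe the first problem.
    `checkpoint` is the hash of the last entry as recorded out of band; without
    it, dropping entries from the tail is undetectable."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.get("seq") != i or e.get("prev") != prev:
            return f"chain broken at entry {i} (entry deleted or reordered)"
        expected = _digest(key, i, prev, e["record"])
        if not hmac.compare_digest(expected, e["hash"]):
            return f"entry {i} modified"
        prev = e["hash"]
    if checkpoint is not None and not hmac.compare_digest(prev, checkpoint):
        return "log does not reach the recorded checkpoint (tail truncated)"
    return None


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2007-05-21T09:00:00Z", "user": "jdoe", "action": "login", "host": "db01"},
    {"ts": "2007-05-21T09:04:12Z", "user": "jdoe", "action": "select", "table": "cardholders"},
    {"ts": "2007-05-21T09:05:30Z", "user": "jdoe", "action": "export", "rows": 19000},
    {"ts": "2007-05-21T09:06:01Z", "user": "jdoe", "action": "logout", "host": "db01"},
]
VERIFIER_KEY = b"assumed-verifier-key-kept-off-the-logging-host"  # hypothetical key


def build_log(events=SAMPLE_EVENTS, key: bytes = VERIFIER_KEY) -> List[Dict]:
    log: List[Dict] = []
    for ev in events:
        append(log, key, ev)
    return log


def demo() -> Dict[str, Optional[str]]:
    """Run the tampering scenarios an auditor would care about."""
    log = build_log()
    checkpoint = log[-1]["hash"]              # recorded out of band at close of day

    edited = copy.deepcopy(log)
    edited[2]["record"]["rows"] = 19          # shrink the export row count

    deleted = copy.deepcopy(log)
    del deleted[2]                            # remove the export entirely
    for i, e in enumerate(deleted):           # renumber to hide the gap
        e["seq"] = i

    truncated = copy.deepcopy(log)[:2]        # drop everything after the select

    return {
        "intact": verify(log, VERIFIER_KEY, checkpoint),
        "edited": verify(edited, VERIFIER_KEY, checkpoint),
        "deleted": verify(deleted, VERIFIER_KEY, checkpoint),
        "truncated": verify(truncated, VERIFIER_KEY, checkpoint),
        "truncated_no_checkpoint": verify(truncated, VERIFIER_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result or 'OK'}")
```

Two design points matter for an auditor. First, a plain hash chain without a key only proves the chain is internally consistent; anyone who can edit the file can recompute every later hash, which is why the HMAC key must live with the verifier rather than on the logging host. Second, the chain alone says nothing about entries removed from the end, so the `truncated_no_checkpoint` scenario verifies cleanly; the checkpoint is what turns “nothing in the middle was changed” into “nothing was lost.”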
