Product Lines

Ruminations on the System i Market

September 11, 2007

The Compliance Cornucopia, Part II

My blog of last week on compliance products stimulated a surprising amount of response, private e-mails as well as public response postings to the blog itself. Because of the nature of those responses, I need to revisit the topic of compliance this week to correct and clarify some parts of last week's entry.

Before I do anything else, I should correct a big oversight on my part, which was that I left out of last week's discussion two important product families, those of Bytware and Tango/04 Computing Group. Both companies spread these capabilities over multiple products that, viewed together, provide many of the capabilities I set out for compliance products. I certainly apologize to Bytware and Tango/04, and to all of you as well, for missing two important elements of the product set I'm trying to define.

Bytware's Network Security embodies most of the features I defined for compliance products. As for its distinctive features, Network Security takes a somewhat different approach to compliance activities than many of the other products I profiled last week. It's network-based, and so by default is geared to multiple servers. After installation, it starts out by simply analyzing network traffic for a while, recording in a self-contained knowledge base information about, for example, which users (e.g., user accounts, group profiles, IP addresses) are accessing which system resources (e.g., databases, servers, libraries, commands, IFS objects). At a management-defined moment, after matching user accounts with the system resources they're allowed to access and verifying that all user accesses are appropriate, Network Security sets the default public access to all resources to "exclude." After that, no user of any kind can access any system resource unless given specific permission, for example via a private authority setting.
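To make the learn-then-lock-down sequence above concrete, here is an added illustration in Python. It is not Bytware's code and makes no claim about how Network Security is implemented; the user profiles, server functions, object names and the approval rule are all constructed for the example. It records observed (user, function, object) accesses into a knowledge base, lets a review step decide which observed pairs to approve, then builds a policy whose public default is *EXCLUDE and whose only allowances are the approved private authorities, so anything unobserved or unapproved is denied.

```python
"""Learn-then-lock-down access model (constructed illustration).

Phase 1 (learn): record which user touched which resource through which
server function. Phase 2 (lock down): set the public default to *EXCLUDE
and grant private authorities only for reviewed, approved observations.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of access observations from the learning phase:
# (user profile, server function, library/object). Not real traffic.
OBSERVED_ACCESSES = [
    ("JSMITH", "*DATABASE", "PAYROLL/EMPMAST"),
    ("JSMITH", "*DATABASE", "PAYROLL/EMPMAST"),   # duplicate, collapses
    ("ARUIZ", "*FTP", "PAYROLL/EMPMAST"),
    ("ARUIZ", "*RMTCMD", "QSYS/WRKSYSVAL"),
    ("BATCHUSR", "*DDM", "ORDERS/ORDHDR"),
]


@dataclass
class KnowledgeBase:
    """user -> set of (function, object) pairs seen during learning."""
    seen: dict = field(default_factory=lambda: defaultdict(set))

    def record(self, user, function, obj):
        self.seen[user].add((function, obj))


def learn(observations):
    """Phase 1: build the knowledge base from raw observations."""
    kb = KnowledgeBase()
    for user, function, obj in observations:
        kb.record(user, function, obj)
    return kb


class AccessPolicy:
    """Post-lockdown policy: *PUBLIC is *EXCLUDE on every resource and only
    explicit private authorities open anything up."""

    def __init__(self):
        self.public_default = "*EXCLUDE"
        self.private = defaultdict(set)   # user -> {(function, object)}
        self.denied = []                  # audit trail of refused requests

    def grant(self, user, function, obj):
        self.private[user].add((function, obj))

    def check(self, user, function, obj):
        """Return "ALLOW" only for a matching private authority; every other
        request, including from users never seen at all, hits the public
        default and is denied (and logged for later review)."""
        if (function, obj) in self.private[user]:
            return "ALLOW"
        self.denied.append((user, function, obj))
        return "DENY"


def review_rule(user, function, obj):
    """Constructed management review step: approve every observed pair except
    FTP transfers of the payroll master file, which the reviewer rejects."""
    return not (function == "*FTP" and obj == "PAYROLL/EMPMAST")


def lock_down(kb, approve):
    """Phase 2: turn approved observations into private authorities; anything
    not approved is simply absent and therefore excluded by default."""
    policy = AccessPolicy()
    for user, pairs in kb.seen.items():
        for function, obj in pairs:
            if approve(user, function, obj):
                policy.grant(user, function, obj)
    return policy


if __name__ == "__main__":
    kb = learn(OBSERVED_ACCESSES)
    policy = lock_down(kb, review_rule)
    for req in [("JSMITH", "*DATABASE", "PAYROLL/EMPMAST"),
                ("ARUIZ", "*FTP", "PAYROLL/EMPMAST"),
                ("NOBODY", "*DATABASE", "PAYROLL/EMPMAST"),
                ("BATCHUSR", "*DDM", "ORDERS/ORDDTL")]:
        print(req, "->", policy.check(*req))
    print("denied requests logged:", len(policy.denied))
```

The two things worth noticing are that the review step sits between learning and enforcement (an observed access is evidence, not an entitlement), and that an unobserved user or object never needs an explicit rule to be refused: the *EXCLUDE default does that on its own.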

Network Security secures more than 120 server functions, including a data-queue server that lets PC applications work with System i data queues, a database server that enables remote SQL access and controls use of two dozen database functions, and multiple FTP servers. It also covers a DDM server, a network file server, a remote command server, a CTP signon server, and a Telnet server. Network Security provides additional layers of auditing and security for database files and libraries, IFS files and directories, and remote commands and program calls.

Network Security shares with other products the ability to let users who require temporary special authorities obtain them by swapping profiles with a higher-authority account, rather than having those authorities assigned permanently. The same capability can also be used to downgrade a user's authority when appropriate. Network Security also includes a forensics capability. Bytware's forensics capability is server-based; however, Network Security can export data to PC-based .csv or .txt files for additional analysis. Bytware's Standguard Antivirus product provides antivirus protection. Bytware's Network Security, MessengerPlus, and MessengerConsole together provide monitoring of activities, settings, and values, as well as a system of alerts for meeting or exceeding user-defined thresholds.

Tango/04 Computing Group also has multiple products that, working together, can provide many of the functions I outlined last week for compliance products. VISUAL Security Suite (VSS) offers monitoring services for system and application events, which it parks in an internal database for analysis, a firewall/application/device log analyzer, a business-impact analyzer for security events, and an event navigator. VSS audits Windows servers in real time, as well as up to thousands of users, and monitors changes in user profiles, system configurations, folders, and system objects. It identifies disconnected user profiles. For exit-point protection, VSS relies on PowerTech Group's PowerLock Network Security product.

Tango/04 DataMonitor for iSeries audits data at the record level, tracks all database transactions, lets users select specific data-record fields for auditing, can incorporate data from old journal receivers, generates grouped standard reports and customized subreports, and masks confidential data in databases.

Finally, another reader raised a philosophical point I'd like to address, which is that there isn't any such thing as a compliance product category. "Compliance is an activity ... not something a product can deliver ... There is no category called 'compliance,'" this reader pointed out in part.

I agree that all those statements are true. The point I only implied last week, but about which I see I need to be more explicit, is that I think there ought to be a compliance product category, and I'm trying to set about defining one. The reason I want to do that is that the concept of "system security," in my opinion, has become too broad. Security is an umbrella term that covers functions as diverse as data encryption, user identity management, password administration, and intrusion protection, as well as all the auditing, data-screening, exit-point protection, system value and user profile administration functions on which the group of products I call "compliance" focuses. Just as products that offer system security features were once considered part of a larger "systems management product" designation, I think it's time to pull out of the security products category a set of products that, at least partially, automate those aspects of system security that specifically meet compliance objectives.

SOX, HIPAA, PCI, and all the other alphabet-soup pieces of the compliance regulation edifice are here to stay. Congress may tighten a screw here and loosen a bolt there over the years, but these requirements are here for the lifetime of our careers. That means compliance applications need to be part of the basic set of system functions. They should be as integral as backups. And if we consider compliance to be integral, we should have a designation for products that don't simply support compliance activities, as the whole stable of security products surely does, but rather automate them. Enough IT time and energy now goes into meeting compliance objectives that the convenience and reliability of a system that lets an IT manager figure out quickly what the auditors will see when they arrive could produce a tangible ROI. The products that can provide this peace of mind should have a category all their own.

So here, perhaps, is the debatable point. Do you agree with me that it's time for compliance products to have their own category, with its own definition and its own specific feature set? If so, what should that feature list consist of?

Posted by at September 11, 2007 2:53 PM
