Product Lines

Ruminations on the System i Market

September 3, 2008

Straight Talk About Getting Your Company into Compliance

I visited with John Earl, CTO and VP of PowerTech, and picked up some important tidbits about how you can get your company compliant with data security regulations. So sit back and listen in as Earl shares his advice and also offers important information about the latest trends in security and compliance.

What trends are you seeing in the security space in general?

Earl: Despite the fact that these are tough economic times and we see organizations paring their budgets, security isn't something that typically can wait, because many times folks are compelled by an outside influence. Nobody jumps out of bed in the morning and says, "I'd really like to buy security software today!" What happens is that they have a problem--a rogue programmer, say, or outside regulations--and security becomes an imperative. They're looking for how to do it well and how to do it as inexpensively as possible.

Some people have bought security software and never gotten around to implementing it, or they implemented it but never deployed or configured it because they didn't have the expertise or maybe the solution provider didn't have enough staff to provide expertise. So we're seeing a real trend of customers saying, "Solve the problem; don't just fling the solution at me."

PowerTech has a service offering that I like to call the "running start," which pairs you up with an engineer who has done this with many others and can get you where you need to be in a couple of hours instead of a couple of weeks. We're primarily a software company, but what we've discovered is that a lot of customers have a need for a solution, and that requires expertise in solutions.

On the software side, the core of our business, the big buzz is compliance and being able to comply with all kinds of regulations. It's fairly common to walk into a customer site and talk about a compliance issue, and the customer won't even know about some compliance regulations. Compliance has become a big concern for customers, and one of the things I think we do exceptionally well is help automate the complexity of compliance. You don't just get compliant on a single day and forget about it; you have to prove it over and over again. Our solution shines by automatically generating exception reports that demonstrate that your system is as secure today as it was yesterday.

Otherwise, in order to be compliant, you have to go in every day and manually check that your system values are the same and that you don't have any changes to your environment. Easing the burden of compliance is an important touchstone for us. Compliance is burdensome and was inflicted on IT shops by outside organizations, and being able to prove you're compliant now is really the big deal.

Auditors love to say, "I trust you. I know you're secure. Now prove it to me." And that's the big game changer for a lot of IT shops. Just you and me knowing we're secure is no longer good enough. We have to be able to prove it on a regular basis. Compliance is really the part of security that has taken center stage. If you look at why that happened from the perspective of the auditors, it's that they don't know whether you're secure or not--they don't have the expertise--so they've turned to industry standards and said, "Using these standards, demonstrate to us that you're compliant." Mainly what those standards do is prove that you're paying attention to security.

Are there any kinds of companies that have a harder time maintaining compliance?

Earl: I think for the most part, companies are having a hard time slipping into compliance in the first place. A lot of times, becoming compliant is more about changing your processes than it is about the technology. We have lots of technology to help, but many times the problems are process related. For example, all of a company's users have ALLOBJ authority, so the company asks us how it can get secure without taking ALLOBJ authority away. These companies are not going to slip out of compliance--they're going to have trouble slipping into it. Once a company has gotten over that hump, I haven't seen a lot of evidence of it slipping back.
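Two points Earl makes above, proving day after day that system values have not drifted from the baseline, and the problem of every user holding ALLOBJ authority, come down to the same kind of check. The script below is an added example written for this page; it is not PowerTech's product or any code from the article. It compares a snapshot of security-relevant system values against an approved baseline, flags user profiles that hold *ALLOBJ special authority without being on an approved list, and produces the kind of exception report an auditor would ask for. The baseline, the "today" snapshot and the user profiles are constructed sample data, and the policy values in the baseline are illustrative assumptions, not a recommendation for any particular shop.

```python
"""Daily compliance drift check for IBM i security settings.

Compares today's snapshot of system values and special authorities
against an approved baseline and prints only the exceptions, so an
empty report is itself the evidence that nothing changed.

All data below is constructed for this example. On a real system the
snapshot would be collected with DSPSYSVAL / DSPUSRPRF or, on current
releases, the QSYS2.SYSTEM_VALUE_INFO and QSYS2.USER_INFO SQL views.
"""

from dataclasses import dataclass

# Constructed baseline: the values a hypothetical security policy approves.
BASELINE_SYSVALS = {
    "QSECURITY": "40",
    "QPWDMINLEN": "8",
    "QMAXSIGN": "3",
    "QAUDCTL": "*AUDLVL *OBJAUD",
}

# Constructed "today" snapshot: two settings have drifted from the baseline.
TODAY_SYSVALS = {
    "QSECURITY": "30",
    "QPWDMINLEN": "8",
    "QMAXSIGN": "*NOMAX",
    "QAUDCTL": "*AUDLVL *OBJAUD",
}

# Constructed snapshot of special authorities per user profile.
TODAY_SPECAUT = {
    "QSECOFR": {"*ALLOBJ", "*SECADM", "*AUDIT"},
    "APPOWNER": {"*ALLOBJ", "*JOBCTL"},
    "JSMITH": {"*ALLOBJ"},
    "CLERK1": set(),
}

# Profiles the (hypothetical) policy allows to hold *ALLOBJ.
APPROVED_ALLOBJ = {"QSECOFR", "APPOWNER"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "SYSVAL" or "ALLOBJ"
    subject: str   # system value name or user profile name
    expected: str
    actual: str


def sysval_exceptions(baseline, current):
    """Return one Finding per system value that differs from, or is missing in, the baseline."""
    findings = []
    for name, expected in sorted(baseline.items()):
        actual = current.get(name)
        if actual is None:
            findings.append(Finding("SYSVAL", name, expected, "<missing>"))
        elif actual != expected:
            findings.append(Finding("SYSVAL", name, expected, actual))
    return findings


def allobj_exceptions(specaut, approved):
    """Return one Finding per profile holding *ALLOBJ that is not on the approved list."""
    findings = []
    for profile, auths in sorted(specaut.items()):
        if "*ALLOBJ" in auths and profile not in approved:
            findings.append(Finding("ALLOBJ", profile, "no *ALLOBJ", "*ALLOBJ"))
    return findings


def exception_report(baseline, current, specaut, approved):
    """Combine both checks; return the findings and a printable report."""
    findings = sysval_exceptions(baseline, current) + allobj_exceptions(specaut, approved)
    lines = [
        f"{f.kind:7} {f.subject:12} expected={f.expected!r} actual={f.actual!r}"
        for f in findings
    ]
    if not lines:
        lines = ["no exceptions: system matches approved baseline"]
    return findings, "\n".join(lines)


if __name__ == "__main__":
    _, text = exception_report(BASELINE_SYSVALS, TODAY_SYSVALS, TODAY_SPECAUT, APPROVED_ALLOBJ)
    print(text)
```

Run daily from a scheduler and keep each report: a run of empty reports is the "prove it over and over again" record Earl describes, and a non-empty one tells you exactly which value or profile to investigate. Note that this only detects drift from a baseline someone has already decided on; it does not tell you what the right baseline is, which is the point made later in the interview about every organization needing its own policy.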

Can you share a bit about PowerTech's long-term strategies?

Earl: Over the long term, we want to position ourselves to be the resource of first choice for companies trying to solve security and compliance problems on the System i. The idea there is that there are levels of complexity in security that many i shops just don't have the expertise or resources to master. So when we're doing our job really well, we're going to help organizations offload the security and compliance burden, and PowerTech becomes the security expert for i shops.

We have an open-source security policy that is downloadable from our website. It's a great tool for folks who don't have a security policy at all. If you haven't thought about how you should secure your i, this is a great document to start with. We also have those same concepts embedded in our tools, and they check against that and tell you about the settings that don't meet your own standards.

Let me tell you one drawback about our policy document: I can't sit here on the phone or over the web and describe what the correct policy is for your organization. At the end of the day, somebody in your organization has to get involved. But this policy document gives you a good foundation and helps you have that conversation with yourself. Look at your settings and ask yourself if things were set for a particular reason, and then you can have an intelligent process by which you evaluate your own security. Every organization has to have a policy because you can't be compliant unless you have a policy.


Earl also discussed the recent acquisition of PowerTech by Help/Systems. For more on that topic, check out "Business As Usual for PowerTech After Help/Systems Acquisition."

--Linda Harty, security & networking/connectivity editor

Posted by lharty at September 3, 2008 5:08 PM
