Minimize the Price and Pain of Compliance
IT professionals have always been concerned with keeping business systems up and running efficiently, but today’s organizations must also contend with a host of rules and regulations regarding the capture and secure storage of user information in addition to business continuity and recovery.
Because of this growing multitude of standardization and regulatory requirements, IT organizations face significant challenges in achieving sustainable compliance levels.
- There are mounting pressures to prove that necessary controls exist to help mitigate risks.
- They must ensure that compliance requirements are being met.
- Costs are rising due to ever-changing requirements placed on data center resources.
- They are concerned about degrading application performance and the effects on the user experience.
- They must contend with new regulations and looming deadlines, such as PCI DSS compliance.
According to AMR Research, spending on compliance programs continues to increase. In 2005 spending was $15.5B, in 2006 it soared to over $27B, and the cost in 2007 is expected to be in excess of $28B [1].
While most of those funds were spent on personnel, in 2006 nearly $9B was spent on just the technology: the hardware, software and integration necessary to comply with the regulations and laws that businesses face today. In the US, programs for complying with the Sarbanes-Oxley Act (SOX) of 2002 topped the list for spending, accounting for approximately 40 percent, the AMR study found.
Compliance spending is on the rise.
In a data center operation, the best compliance practices work to balance risk versus responsiveness. They look at overall IT compliance from a holistic perspective in three areas: security, configuration and regulations. They also take into account the best ways to achieve a sustainable compliance model that is optimized for costs, risks and responsiveness.
As the network perimeter becomes porous and systems and applications are added, managing authentication, authorization and auditing (AAA) becomes very difficult. Compliance means effective internal controls, and internal controls require strong network and data security.
According to Nemertes [2], in one important way the key to compliance is logging. If you don’t have sufficient audit trails in the form of logs of network, system and application activities, it is difficult to demonstrate compliance. This, along with the increasing sophistication of log analysis for security, has driven the rapid adoption of log aggregation.
About 64 percent of participants collect logs from many sources and aggregate them for analysis and retention. Just under half of that group aggregate all infrastructure-related logs — server, router, firewall — and some even collect desktop logs as well.
Approximately 90 percent of participants, whether they aggregate logs or not, do some kind of log monitoring, either manually or with a logging tool. At least a quarter of these do so only during business hours (9 to 5), though, or even less frequently. About half of participants, however, do have some kind of real-time analysis and response to logged events, running all the time.
All of these tools would greatly benefit from this detailed level of user visibility.
Moving Beyond Logging
What is needed is an easy method of capturing the deep, detailed transactional information on actual users that most logging solutions lack. Information such as:
- IP address
- Every transaction (request and associated reply)
- Complete session details
By combining a strong monitoring and logging approach with a solution that secures the data, the business is protected and meets compliance requirements.
Inflight is a unique out-of-path network appliance that collects all online user activity. It captures and stores raw data, transforms it into business events and feeds real-time data to nearly any back-end application using Radware’s patent-pending Capture-Transform-Feed technology. This easy-to-deploy solution delivers a number of business advantages.
- Captures in-depth, identity-based user activity that can be used immediately
- Delivers details in a business-level format, not typically available through logging alone
- Is a single source data platform for a variety of enterprise uses
- Has zero impact on production applications and users, enriching the end-user experience
[1] AMR Research, “Spending in an Age of Compliance,” 2006.
[2] Nemertes Research, Security and Information Protection, June/July 2007.