The elements of a compliance-oriented architecture

Clive Longbottom offers a full data protection game plan for enterprises dealing with an increasing amount of sensitive data -- and an increasing number of regulations.

The stakes for non-compliance are high, and rising.

Take, for example, the U.K.'s Data Protection Act (DPA). Although the actual fine for non-compliance is capped at £5,000, the impact of other sanctions from the Information Commissioner's Office (ICO) could far outweigh the penalty. For example, once a company has broken the DPA, it can be forced to create a plan to ensure such a breach does not happen again. If a company breaks the DPA twice, the ICO can assign a government auditor who will investigate and create a legally binding arrangement which the organisation has to put in place within agreed timescales. Reputational damage can also be serious if customer records are breached.

The biggest problem for many organisations is in layering the needs of one set of regulations against the needs of another -- without breaking the previous one.
There are ways to make sense of the various regulations, based on structured data storage and a concept called a compliance-oriented architecture (COA). In this tip, let's look at how the various parts of a compliance-oriented architecture come together, and the sort of tools that an organisation will need to have in place to ensure that a COA actually works.

Identifying users and their context
The process of building a compliance-oriented architecture starts with being able to identify users properly. "Challenge and response" systems based on usernames and passwords are not sufficient these days, and some form of two-factor authentication should be used instead. Whether this takes the form of a one-time token, such as RSA's SecurID or CRYPTOCard Inc.'s offerings, or a biometric device, such as AuthenTec Inc.'s fingerprint readers, LG Electronics Inc.'s iris recognition technology or Voice Security Systems Inc.'s Voice Protect voice recognition system, you need a means of creating a trusted link between the system and a validated individual.

Next, you need to know whether the user is sitting at a desk within the organisation or in a public café, and what kind of device he is using. That contextual information will dictate the sort of data an employee should have access to at that point. Increasingly, systems management software from the likes of IBM, CA Inc., BMC Software Inc. and Symantec Corp. is capable of picking up this type of data and making it available to other systems.

Such contextual knowledge needs to be pulled together in one place, such as a directory service like Microsoft's Active Directory or IBM's Tivoli Directory Server. A configuration management database (CMDB), which is provided with the majority of systems management tools, will enable information from multiple sources to be pulled together and validated rapidly. It also allows pattern recognition engines, such as Cisco's and Sourcefire Inc.'s intrusion prevention systems (IPS), to quickly identify patterns of traffic and end-user behaviour that are not normal and could therefore be a threat.
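As an added illustration (not from the article or any vendor it names), the following shows how the identity and context signals above can be combined into a single access ceiling: whether a second factor was verified, whether the device has a CMDB record, and where the user is connecting from together bound the data classification a session may read. The classification names, location labels and policy thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data classifications, least to most sensitive (constructed labels)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class SessionContext:
    """What the directory and CMDB know about the person and device behind a request."""
    user: str
    second_factor_verified: bool  # OTP token or biometric completed, not password alone
    device_managed: bool          # device has a record in systems management / CMDB
    location: str                 # "office", "vpn" or "public" (e.g. a cafe hotspot)


def max_sensitivity(ctx: SessionContext) -> Sensitivity:
    """Highest classification this session may read, derived from context alone."""
    if not ctx.second_factor_verified:
        return Sensitivity.PUBLIC  # password-only logins see public material only
    if not ctx.device_managed:
        # Unknown hardware: internal data from the office or over VPN, public elsewhere
        return Sensitivity.INTERNAL if ctx.location in ("office", "vpn") else Sensitivity.PUBLIC
    if ctx.location == "office":
        return Sensitivity.RESTRICTED
    if ctx.location == "vpn":
        return Sensitivity.CONFIDENTIAL
    return Sensitivity.INTERNAL  # managed device on a public network


def decide(ctx: SessionContext, data_class: Sensitivity) -> dict:
    """Allow/deny decision plus an audit record for the reporting layer."""
    ceiling = max_sensitivity(ctx)
    allowed = data_class <= ceiling
    return {"user": ctx.user, "requested": data_class.name, "ceiling": ceiling.name,
            "allowed": allowed}


if __name__ == "__main__":
    # Constructed sample sessions: same user, different context, different ceiling
    print(decide(SessionContext("alice", True, True, "office"), Sensitivity.RESTRICTED))
    print(decide(SessionContext("alice", True, False, "public"), Sensitivity.CONFIDENTIAL))
```

The audit record returned by `decide` is the kind of per-request evidence the governance and reporting layer discussed later can aggregate.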

Guard the data
It is important that information is, in itself, secure. Wherever possible, all data should be centrally stored, with a minimum amount allowed to be held locally. All information at rest should be encrypted, using technology such as WinMagic Inc.'s SecureDoc or the free and open source TrueCrypt, which provide full disk encryption. Information on the move should also be encrypted, using technology provided by companies like AEP Networks Inc. or PGP Corp. It is important, though, to keep encryption methods as simple for the user as possible -- no screens, for example, asking "what form of encryption do you want -- AES, 3DES, Blowfish or other?" Data being transferred between one storage medium and another, say for snapshots, backup/restore or mirroring, must also be encrypted. Tape-based systems should use encryption such as that built into LTO-4 tape systems.

Next, as users carry out their work, defences must be in place to secure against accidental information leakage. Here, data leak prevention (DLP) systems from the likes of Clearswift Corp., Code Green Networks Inc. and Trend Micro Inc. can ensure that certain types of documents have constraints on usage (such as emailing, forwarding or printing) applied to them. Some of these products use advanced content inspection technology to make sure that the content of specific documents does not compromise an organisation's defined security policy. Again, the arrangement tends to be predicated on the main data being stored centrally, so that access and usage keys can all be stored and managed centrally as well.

Guard the user
Users increasingly need to have access to centralised systems when they are on the road. If it is possible to ensure that users can only access data centrally, and don't carry it around with them, the chances of data being lost or misused are minimised. Virtualised desktops and thin client computing from the likes of Citrix Systems Inc., Microsoft and VMware Inc. are prime contenders here. However, many workers will need access to information while on the road, and may not have an "always on" connection. For these people, along with information encryption, there will also be a need for digital rights management around the documents or data being stored. Here, vendors offer solutions such as Adobe Systems Inc.'s LiveCycle Enterprise Suite that provide means of ensuring that documents can be read only by those who have the correct rights in place. They can also apply time limits on how long a document can be stored before the user has to touch the corporate network again, ensuring that ex-employees and thieves have only a short period of time to try to break through all the security features before the information is destroyed.

Alongside the products, standard security approaches, such as the use of antivirus, antispam and virtual private networks (VPNs), need to be applied to the compliance-oriented architecture as well.

Taken together, all of the above provide an overall security platform. The focus can then shift to a governance, compliance and audit (GCA) product that lies over the top. A large portion of the data produced by these products will be based on the use of business reporting and business intelligence tools against the different storage systems that are active. The functions will also require the capability to aggregate different data sets, often held in dispersed storage systems, and provide technical and management reports on the environment. Here, the likes of IBM with Cognos, Oracle with Hyperion and SAP with Business Objects all have technology that can be applied to meet the basic needs.

The above recommendations may seem very complicated, but many of the products and tools mentioned will have a degree of overlap with others. The main effort in putting together a compliance-oriented architecture is in the planning -- ensuring that the basic policies and procedures are in place before any technology is thrown at the problem. Only then can a Venn diagram be drawn up with the various vendor names in place along with what their technologies promise to deliver. By investigating the overlaps, many niche vendors can be removed from the equation, simplifying the overall mix of vendors in the final COA solution.

As deperimeterisation continues and the need to deal with external partners grows, so does the need for a COA. These data protection tips should enable an organisation to approach the architecture with a greater degree of knowledge and understanding, and create an effective, efficient and flexible system that enables, rather than constrains, the organisation.

About the author:
Clive Longbottom is co-founder and service director at IT research and analysis firm Quocirca Ltd.
