CA Community

November 2009 - Posts

Salesforce.com’s Dreamforce 2009 Shows that the Cloud is a Powerful Trend that Must be Secured and Managed

Published: November 30 2009, 11:45 AM | no comments
by Matthew Gardiner

I recently returned from a week at Salesforce.com's (SFDC) annual user conference, Dreamforce in San Francisco.  Given the importance of SFDC to the cloud movement overall, I think some valid opinions can be drawn about that market in general and the potential impact on the traditional IT market in particular.

  • The audience was generally bigger (with 19,000 attendees), younger, hipper, and skewed more toward the female demographic than your traditional IT conference. In fact the conference had a "feel" closer to people who are like the Macintosh guy versus the PC guy. Whether you like it or not, what SFDC does is considered cool. In addition the audience had what might be described as a cultish following for SFDC, with a zeal towards changing the world of IT. Lesson for Enterprise IT - Ignore this trend at your peril. While SFDC talks about "no software" this is largely hyperbole as software remains everywhere, on-premise and off-premise. The fact remains that the cloud approach has merit and must be taken (and managed) seriously by enterprise IT organizations. Don't be the IT person manning the barricades. Be the IT and security person who makes sure the cloud benefits your organization.
  • Platforms-as-a-Service (PaaS) - A lot was made of SFDC's Force.com platform. The world has a lot of development platforms, now both in the cloud and on premise, so the number of options for application developers keeps going up, not down. However, while every application platform provider says something (including SFDC) like, "if everyone just used my platform for everything we could eliminate integration and other interoperability challenges," anyone in IT for more than a few years knows that this is impractical and undesirable in reality. Application platform heterogeneity almost always increases. Homogeneity is nice in theory but unattainable for most organizations. Lesson for Enterprise IT - The multitude of cloud platforms from MSFT, SFDC, & Google, to name three, in addition to the longstanding on-premise application development stacks from IBM, Oracle, Microsoft, and others, are driving greater IT heterogeneity, not less. This has significant implications for how organizations need to manage and secure IT, not whether they need to manage and secure IT. It also highlights why a vendor like CA (with no application platform axe to grind) is in the perfect position to provide cross-platform IT and security management capabilities for both on and off-premise applications and infrastructure.
  • Security and privacy were mentioned, but only in passing in the keynotes. There was some general hand-waving that the platform is secure, but nothing I came across backed up this assertion. I will note that there was brief reference to SSO and SFDC's support of the SAML standard, which is certainly a step in the right direction. But there is a lot more that needs to be done to make cloud applications a seamless part of an enterprise's security fabric. Lesson for Enterprise IT - This is a critical area that hasn't been sorted out by the Cloud community and is a great place for IT security organizations and vendors to bring forward both security challenges and their potential solutions. Let's hope that massive data leaks are not needed to prod the industry into action, but given human nature I am afraid that this will need to happen.

The only gripe I have about the conference is that it started so early in the morning (7:30 a.m.).  Maybe it is easy for those young and hip folks to get up so early after retiring so late, but for us older (PC) guys that is more challenging.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...

The Battle Against SOX Continues

Published: November 30 2009, 09:05 AM | no comments
by Sumner Blount

I have been semi-following a very interesting lawsuit over the past few months.  It’s interesting primarily because of its potential impact on the regulatory environment if it is successful.

To bring you up to speed, two men (with financial backing) have brought a lawsuit that challenges the constitutionality of Sarbanes-Oxley (SOX).   A recent article on this lawsuit can be found here.  These lawyers are nominally representing an auditor from Nevada named Brad Beckstead, who is suing PCAOB (Public Company Accounting Oversight Board) because (he says) a SOX audit was so onerous that it ruined his auditing business.  The lawyers claim that they are working on this case without payment, probably because it not only gives them very high visibility, but also because it fits into their conservative political agenda.

Their suit claims that PCAOB is unconstitutional, primarily because it has great power, but its members are not chosen by the President, but by the SEC.  In addition, they claim that the members cannot be removed by the President, despite the fact that they work in the Executive branch.  And, without the ability to remove members from this group, the President cannot effectively ensure that the “laws of the nation are faithfully carried out.”  It’s certainly a novel challenge, to say the least.

One reason why this challenge is so concerning is that due to a “drafting quirk,” if any part of SOX is deemed to be invalid, the whole statute might be in question.  And, if SOX is declared unconstitutional, it would raise questions not only about the validity of other major regulations, but it even calls into question the whole regulatory structure itself.  And, if the Congress had to go back to SOX to re-negotiate it, I can’t even imagine the fireworks that would create.

The Supreme Court will take up this case on December 7 (interesting parallel – Pearl Harbor Day).  I am hoping that the suit will be thrown out.  But, with this Supreme Court, you never know what will happen.


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

Video Blog: Aimee Williams Talks to ARMA NY President

Published: November 25 2009, 09:30 AM | no comments
by Crystal King

CA's Aimee Williams talks with Melissa Dederer, President, ARMA Metro New York Chapter, about ARMA, the local New York chapter and their prestigious Web award.  


By: Crystal King
Crystal King is a communications director at CA, working with the Service Management and Information Governance teams. She has been in marketing and public relations for over 15 years, working with companies such as Sybase, Nexaweb, First Data and Bowne. She currently teaches social media classes at...

DLP – A Real Solution for the Public Sector

Published: November 24 2009, 03:53 PM | no comments
by David Miller

The Ponemon Institute recently conducted and published a study surrounding 10 security trends and opinions of them according to IT leaders in the U.S. Federal government.  (The study was commissioned by CA and you can access the report here.)  Data Loss Prevention (DLP) solutions are relevant to much of what's revealed in the report.

The report discloses that 79% of the respondents believe that unstructured data increases security risk.   I've previously blogged about DLP's ability to protect unstructured data by leveraging flexible detection techniques.  This is a crucial aspect of an effective DLP solution, especially for the public sector where different levels of confidentiality need to be distinguished from one another.

Regarding actual data breaches, the study suggests that most of these are due to insider negligence rather than malicious behavior (see p.8).  Preventing insider negligence is one of the primary use cases for DLP.  DLP can prevent a wide range of inadvertent activity, such as the delivery of an email to an unintended recipient or the disclosure of a sensitive file via a file-sharing program, by removing the file from the local drive before the leak occurs.

Outsourcing and the use of social networking or Web 2.0 tools are also important issues that were rated high in the study.  The use of outsourcing generally indicates a need for DLP technology as it can ensure that data sent to external resources is adequately protected while also validating the intended recipients. And, whether DLP is active at the endpoint (laptop/workstation) or the network boundary, social networking messages and posts (such as to a blog or a "wall") can be analyzed in order to block inappropriate data from leaving the enterprise.

The Ponemon study reveals that respondents believe that USB drives are the top mobile device-related risk to security.  DLP plays a critical role by analyzing content to determine whether data is allowed to be saved to a device.  DLP also can control this activity based on the device itself (first ensuring that the device is authorized for use) and based on the identity of the user.  For example, personnel with a Level III security clearance may be permitted to move a file with Level I clearance to a registered USB key.  However, DLP will block the attempts by personnel with lower clearance levels.  This combination of content and identity-awareness is a required capability for any DLP solution. 
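As an added illustration (not code from this post or from CA DLP), here is a small Python model of the content- and identity-aware USB decision described above: it first checks the device against a registered allowlist, then derives the classification of the file from markings in its unstructured text, and finally compares that level against the user's clearance. The marking format, clearance ladder and device serials are constructed for the example.

```python
import re
from dataclasses import dataclass

# Classification ladder, lowest to highest (constructed for this example).
LEVELS = {"UNCLASSIFIED": 0, "LEVEL I": 1, "LEVEL II": 2, "LEVEL III": 3}
# Longest alternative first so "LEVEL III" is not read as "LEVEL I" + "II".
MARKING = re.compile(r"\b(LEVEL\s+(?:III|II|I)|UNCLASSIFIED)\b", re.IGNORECASE)
# Hypothetical allowlist of USB keys that have been registered for use.
REGISTERED_DEVICES = {"USB-ACME-0001"}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str  # one of the keys in LEVELS


@dataclass(frozen=True)
class Device:
    serial: str


def classify_content(text: str) -> str:
    """Return the highest classification marking found in unstructured text.

    Unmarked text is treated as UNCLASSIFIED here; a stricter deployment
    could fail closed and treat unmarked content as the highest level.
    """
    found = {re.sub(r"\s+", " ", m.group(1).upper()) for m in MARKING.finditer(text)}
    return max(found, key=LEVELS.__getitem__, default="UNCLASSIFIED")


def usb_copy_decision(user: User, device: Device, file_text: str) -> tuple[str, str]:
    """Decide whether a file may be copied to removable media.

    Three checks in order: is the device authorized, what level does the
    content carry, and is the user cleared for that level.
    """
    if device.serial not in REGISTERED_DEVICES:
        return "BLOCK", f"device {device.serial} is not registered"
    level = classify_content(file_text)
    if LEVELS[user.clearance] < LEVELS[level]:
        return "BLOCK", f"{level} content exceeds {user.name}'s {user.clearance} clearance"
    return "ALLOW", f"{level} content, {user.clearance} clearance, registered device"


if __name__ == "__main__":
    memo = "Classification: Level I\nBudget figures for FY2010 (constructed sample)"
    print(usb_copy_decision(User("alice", "LEVEL III"), Device("USB-ACME-0001"), memo))
    print(usb_copy_decision(User("bob", "UNCLASSIFIED"), Device("USB-ACME-0001"), memo))
```

The decision tuple is what an endpoint agent would write to its audit log, so the reason for each block is recorded alongside the verdict.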

Many large financial services, healthcare, and government contractor firms use DLP to protect highly confidential, unstructured data.  Public sector agencies of all sizes should also leverage DLP to enforce data usage protocol and to protect confidential information from loss, misuse, and mistakes.


By: David Miller
David Miller leverages over 15 years of experience in product management and marketing for compliance, security, and CRM enterprise software solutions to understand customer needs and promote security awareness. For CA, David manages the product marketing efforts for the CA DLP (Data Loss Prevention...

HR 1387: Electronic Message Preservation Act

Published: November 24 2009, 09:45 AM | no comments
by Ravi Kizakkepat

I just attended two shows that had substantial representation from records managers in the Federal space. The first was ARMA 2009 at Orlando, and the other was the CA IT Gov Expo last week, organized specifically for Federal government customers at National Harbor just outside the beltway in DC.

At both, it was interesting to talk to a number of records managers who had the same issue - lack of support from senior management in pushing through an enterprise records program. Not so much a lack of support really as a lack of a sense of urgency. Everybody has other priorities, it appears. Federal agencies are mandated to have a records program in place, and understand the implications of not having one. All of them are working on it, they consider it a priority, but they just don't put their dollars where their needs are! Interestingly, in many successful implementations, the driving reason for implementing records management has been meeting other requirements - eDiscovery, FOIA and compliance being the major lead-ins. Many records managers are therefore trying to figure out how best to get things moving.

The fact of the matter is that compliance requirements are all well and good, but nobody takes an interest if there is no enforcement. And NARA finds itself in a bind, because everybody wants them to enforce requirements, but Congress does not provide them the power to do so.

All of that will change soon, hopefully, thanks to the Bush White House and Scooter Libby. Our good friend Rep. Henry Waxman started the ball rolling in 2008 with HR 5811 in the 110th Congress. This bill proposed to amend Title 55 of the United States Code to require "certification and reports" on the records program under both PRA and FRA. The bill got through the House and was up for a Senate vote when, unfortunately, the session of Congress ended. Waxman then moved to greener pastures in House committees, taking the chairmanship of Energy and Commerce.

Thankfully, that did not signal the end of the bill. It reappeared this year as HR 1387 in the 111th Congress, whose session ends in 2010. It is up for a House vote at some point.

While by no means perfect (CREW has some strong objections to the bill, which you can read about at http://www.citizensforethics.org/node/39027), the bill does represent a step forward in that it requires establishment of a records program that supports electronic retrieval and minimum functional requirements. Agency heads have to report to the Archivist on compliance, and he or she in turn has to report to Congress on compliance.

All in all, exciting times ahead in the records management arena in the Federal space.


By: Ravi Kizakkepat
Ravi Kizakkepat is a Senior Principal Consultant in the Information Governance business unit, focused on pre-sales support for the Federal space. He has been with CA for almost 10 years, and has worked on a wide variety of software technologies, including security, storage and infrastructure management...
