Category Archives: compliance

AvePoint, compliance, Document Management, Lotus Notes, Microsoft, Microsoft Office 365, Microsoft SharePoint, Office 365, SharePoint, SharePoint 2013

AvePoint’s DocAve 6 Service Pack 2 Enhances SharePoint, Office 365 Support

AvePoint today announced the general availability of DocAve 6 Service Pack (SP) 2, the next generation of the management platform for SharePoint governance, with expanded SharePoint 2013 and Office 365 support.

Designed to increase business productivity without sacrificing on security and compliance, DocAve 6 SP2 will support the migration, protection, and administration of data in your SharePoint 2013 environment, whether it’s on-premises, in the cloud, or a hybrid deployment. DocAve 6 SP2 supports migration into the latest online or on-premises SharePoint release from a variety of legacy sources, including previous versions of SharePoint, file shares, EMC Documentum, Lotus Notes, and Open Text (Livelink).

Making the move to SharePoint 2013 is just the beginning. DocAve 6 SP2 extends SharePoint’s native capabilities, enabling application development, scalable storage, compliance and records management, and geo-distributed collaboration with confidence. New SharePoint capabilities such as business intelligence, eDiscovery, mobile device support, and social computing are also focuses of DocAve 6 SP2, as AvePoint continues its quest to enable customers to take advantage of the latest platform releases that Microsoft has to offer.

“As with each previous release, AvePoint is focused on ensuring that our more than 10,000 customers worldwide have all of the tools necessary to realize the full potential of Microsoft SharePoint 2013,” said George Petrou, Chief Technology Officer at AvePoint. “The landscape of business collaboration is ever-changing, and now more than ever organizations need a trusted solution to help them overcome any challenges that may arise. With DocAve 6 SP2, our customers can remove the roadblocks to enterprise-wide collaboration.”

DocAve 6 is built upon all Microsoft technologies and standards, including .NET, WCF, and Silverlight, utilizing only fully supported Microsoft methodologies and APIs. With robust protection, management, optimization, integration, compliance, reporting, and migration capabilities for SharePoint, DocAve is the enterprise-class management platform for SharePoint governance.

DocAve 6 SP2 is generally available to customers today, February 20. For more information about all of the new features and functionality in DocAve 6 SP2, please visit http://www.avepoint.com/docave6/.

Archiving & Regulatory Retention, compliance, E-mail archiving, Microsoft Exchange, Microsoft Exchange Server, Microsoft Office 365, Mimecast, Research

Mimecast: Email Regulation Issues Leaving Businesses Confused

Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, security and continuity for Microsoft Exchange and Office 365.

The research, which surveyed IT managers on their organizations’ email policies and archiving practices, found that just 20 percent of businesses (23 percent globally) retain archived email for three years or more, with one in four businesses (25 percent U.S.; 26 percent globally) admitting that they do not have a clear policy on retaining email at all.

Key findings:

  • Email retention policies are often ad hoc or based on guesswork – Just
    one in four IT departments (30 percent U.S.; 26 percent globally) have
    an email retention policy designed to comply with industry regulations:
  • Forty-one percent of businesses surveyed (43 percent globally) say
    their archiving policies are based on ‘internal best practice’
    with no consideration given to industry or country specific
    regulations
  • Six percent of U.S. and global businesses admit to deciding their
    email retention policy around a ‘random future date’ with ‘no
    basis’
  • eDiscovery for email is a major area of concern – Many
    businesses are not confident that they would be able to identify all
    emails relating to a specific customer in a timely manner:

    • On average, it would take a U.S. business 15 working days to
      identify all emails relating to a potential litigation
    • Eighteen percent of U.S. businesses do not think they would be
      able to comply with this kind of email eDiscovery request within a
      month
  • Forty-one percent of businesses surveyed (43 percent globally) say
    their archiving policies are based on ‘internal best practice’
    with no consideration given to industry or country specific
    regulations
  • Six percent of U.S. and global businesses admit to deciding their
    email retention policy around a ‘random future date’ with ‘no
    basis’
  • On average, it would take a U.S. business 15 working days to
    identify all emails relating to a potential litigation
  • Eighteen percent of U.S. businesses do not think they would be
    able to comply with this kind of email eDiscovery request within a
    month
  • Concern around email compliance – IT departments are concerned
    that they are leaving their businesses exposed:

    • Just one in four (24 percent U.S.; 27 percent globally) IT teams
      are ‘completely confident’ that their email policies comply with
      all relevant regulations
    • Forty-eight percent (46 percent globally) are ‘mostly confident’
      with 34 percent (23 percent globally) ‘minimally confident’ or
      ‘not at all confident’
  • Just one in four (24 percent U.S.; 27 percent globally) IT teams
    are ‘completely confident’ that their email policies comply with
    all relevant regulations
  • Forty-eight percent (46 percent globally) are ‘mostly confident’
    with 34 percent (23 percent globally) ‘minimally confident’ or
    ‘not at all confident’

“Taking fifteen days to identify all relevant emails sent and received by a client is a massive and unnecessary resource drain,” said Jim Darsigny, CIO, Brown Rudnick LLP. “For IT departments, managing and enforcing email policies can no longer be an ad-hoc approach as the risk potential and time wasted is too high to ignore. In our organization, the cloud enables our business to significantly reduce the pain, costs and resources normally dedicated to sourcing archived email data. With a solid email eDiscovery strategy in place, we are not only able to better serve our clients, but we can also more accurately assess their level of risk.”

“IT departments can and should be doing more to protect their organizations by adopting a more rigorous approach to email archiving,” Eliza Hedegaard, Account Director Legal, Mimecast. “However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organizations need to do to in order to comply instead of adopting scare tactics that focus on what will happen if organizations fall foul of the rules.”

 


compliance, LogRhythm, Payment card industry, Payment Card Industry Data Security Standard, Qualified Security Assessor, Regulatory compliance, VMware, VMware vSphere

LogRhythm Partners with VMware to Automate Regulatory Compliance in Virtualized Environments

LogRhythm today announced that it has partnered with VMware to contribute to its newly introduced VMware Compliance Reference Architectures, a set of resources including solution guides and design architectures intended to simplify compliance for business-critical applications in the cloud era. As part of this initiative, LogRhythm has published the LogRhythm Solution Guide for Payment Card Industry (PCI), an addendum to the VMware Solution Guide for PCI. The LogRhythm solution addendum is a QSA-reviewed guide that outlines how the company’s SIEM 2.0 platform complements existing VMware security capabilities to help customers assure PCI compliance when virtualizing mission-critical business applications with VMware vSphere®.

“Security and compliance are top concerns for organizations seeking to virtualize critical business systems such as PCI payment processing,” said Parag Patel, vice president, Global Strategic Alliances, VMware. “We’re committed to helping customers address these concerns on their journey to the cloud, and partners like LogRhythm extend our native security capabilities to make this possible. Through our solution guides, VMware and LogRhythm are delivering a validated roadmap that details how organizations can achieve PCI compliance in virtualized environments.”

LogRhythm’s SIEM 2.0 platform delivers the visibility and insight needed to detect, defend against and respond to increasingly sophisticated cyber threats, efficiently meet compliance requirements, and proactively respond to operational challenges. The company provides out-of-the box compliance solutions that enable organizations to meet their requirements for log data collection, review, archive, reporting, and alerting under mandates such as PCI, HIPAA, NERC-CIP, GLBA, Sarbanes Oxley, GPG 13, and other regulatory regimes. LogRhythm’s PCI compliance package features specific investigations, alarms and reports designed to meet PCI reporting requirements, and directly addresses or augments at least 80 individual PCI controls. With fully integrated file integrity monitoring, advanced multi-tenant support, robust reporting, and rapid search and drill-down capabilities, LogRhythm is an ideal solution for addressing PCI compliance requirements in virtual environments. LogRhythm can ensure that sensitive data, such as credit card account information, is not inappropriately accessed by shared virtual resources or unauthorized individuals. LogRhythm is field-proven in numerous deployments where the solution is being used to automate and assure regulatory compliance in virtual environments.

“We’re very pleased to have been selected by VMware to help address the compliance requirements of customers moving their critical systems to virtual and private cloud environments,” said Matt Winter, vice president corporate and business development at LogRhythm. “LogRhythm has a significant track record helping customers meet their regulatory compliance obligations in virtual, physical and hybrid environments. Our compliance capabilities dovetail well with VMware’s native security offerings to create a robust and comprehensive solution. With the VMware Solution Guide for PCI and LogRhythm’s addendum solution guide, organizations can have confidence that there is a detailed, validated path to maintaining PCI compliance in virtualized environments.”

The LogRhythm Solution Guide for PCI has been reviewed by Coalfire, an independent Qualified Security Assessor specializing in IT audit, risk assessment and compliance management, and is available for download on the LogRhythm website and VMware Solution Exchange.


Cloud computing, compliance, Virtualization

A More Practical View of Cloud Brokers

#cloud The conventional view of cloud brokers misses the need to enforce policies and ensure compliance

cloudbrokerviews During a dinner at VMworld organized by Lilac Schoenbeck of BMC, we had the chance to chat up cloud and related issues with Kia Behnia, CTO at BMC. Discussion turned, naturally I think, to process. That could be because BMC is heavily invested in automating and orchestrating processes. Despite the nomenclature used (business process management) for IT this is a focus on operational process automation, though eventually IT will have to raise the bar and focus on the more businessy aspects of IT and operations.

Alex Williams postulated the decreasing need for IT in an increasingly cloudy world. On the surface this generally seems to be an accurate observation. After all, when business users can provision applications a la SaaS to serve their needs do you really need IT? Even in cases where you’re deploying a fairly simple web site, the process has become so abstracted as to comprise the push of a button, dragging some components after specifying a template, and voila! Web site deployed, no IT necessary.

While from a technical difficulty perspective this may be true (and if we say it is, it is for only the smallest of organizations) there are many responsibilities of IT that are simply overlooked and, as we all know, underappreciated for what they provide, not the least of which is being able to understand the technical implications of regulations and requirements like HIPAA, PCI-DSS, and SOX – all of which have some technical aspect to them and need to be enforced, well, with technology.

See, choosing a cloud deployment environment is not just about “will this workload run in cloud X”. It’s far more complex than that, with many more variables that are often hidden from the end-user, a.k.a. the business peoples. Yes, cost is important. Yes, performance is important. And these are characteristics we may be able to gather with a cloud broker. But what we can’t know is whether or not a particular cloud will be able to enforce other policies – those handed down by governments around the globe and those put into writing by the organization itself.

Imagine the horror of a CxO upon discovering an errant employee with a credit card has just violated a regulation that will result in Severe Financial Penalties or worse – jail. These are serious issues that conventional views of cloud brokers simply do not take into account. It’s one thing to violate an organizational policy regarding e-mailing confidential data to your Gmail account, it’s quite another to violate some of the government regulations that govern not only data at rest but in flight.

A PRACTICAL VIEW of CLOUD BROKERS

Thus, it seems a more practical view of cloud brokers is necessary; a view that enables such solutions to not only consider performance and price, but ability to adhere to and enforce corporate and regulatory polices. Such a data center hosted cloud broker would be able to take into consideration these very important factors when making decisions regarding the optimal deployment environment for a given application. That may be a public cloud, it may be a private cloud – it may be a dynamic data center. The resulting decision (and options) are not nearly as important as the ability for IT to ensure that the technical aspects of policies are included in the decision making process.

And it must be IT that codifies those requirements into a policy that can be leveraged by the  broker and ultimately the end-user to help make deployment decisions. Business users, when faced with requirements for web application firewalls in PCI-DSS, for example, or ensuring a default “deny all” policy on firewalls and routers, are unlikely able to evaluate public cloud offerings for ability to meet such requirements. That’s the role of IT, and even wearing rainbow-colored cloud glasses can’t eliminate the very real and important role IT has to play here.

The role of IT may be changing, transforming, but it is no way being eliminated or decreasing in importance. In fact, given the nature of today’s environments and threat landscape, the importance of IT in helping to determine deployment locations that at a minimum meet organizational and regulatory requirements is paramount to enabling business users to have more control over their own destiny, as it were. 

So while cloud brokers currently appear to be external services, often provided by SIs with a vested interest in cloud migration and the services they bring to the table, ultimately these beasts will become enterprise-deployed services capable of making policy-based decisions that include the technical details and requirements of application deployment along with the more businessy details such as costs.

The role of IT will never really be eliminated. It will morph, it will transform, it will expand and contract over time. But business and operational regulations cannot be encapsulated into policies without IT. And for those applications that cannot be deployed into public environments without violating those policies, there needs to be a controlled, local environment into which they can be deployed.

Related blogs and articles:  
 
lori-short-2012clip_image004[5]

Lori MacVittie is a Senior Technical Marketing Manager, responsible for education and evangelism across F5’s entire product suite.

Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

She is the author of XAML in a Nutshell and a co-author of The Cloud Security Rules

 

F5 Networks

clip_image003[5]clip_image004[5]clip_image006[5]clip_image007[5]clip_image008[5]

read more

Cloud computing, compliance, risk management

Avoid the Security Umpire Problem

Have you ever been part of a team or committee working on an initiative and found that the security or compliance person seemed to be holding up your project? They just seemed to find fault with anything and everything and just didn’t add much value to the initiative? If you are stuck with security staff that are like this all the time, that’s a bigger issue that’s not within the scope of this article to solve.  But, most of the time, it’s because this person was brought in very late in the project and a bunch of things have just been thrown at them, forcing them to make quick calls or decisions.

A common scenario is that people feel that there is no need to involve the security folks until after the team has come up with a solution.  Then the team pulls in the security or compliance folks to validate that the solution doesn’t go afoul of the organization’s security or compliance standards. Instead of a team member who can help with the security and compliance aspects of your project, you have ended up with an umpire.

Now think back to when you were a kid picking teams to play baseball.  If you had an odd number of kids then more than likely there would be one person left who would end up being the umpire. When you bring in the security or compliance team member late in the game, you may end up with someone that takes on the role of calling balls and strikes instead of being a contributing member of the team.

Avoid this situation by involving your Security and Compliance staff early on, when the team is being assembled.  Your security SMEs should be part of these conversations.  They should know the business and what the business requirements are.  They should be involved in the development of solutions.  They should know how to work within a team through the whole project lifecycle. Working this way ensures that the security SME has full context and is a respected member of the team, not a security umpire.

This is even more important when the initiative is related to virtualization or cloud. There are so many new things happening in this specific area that everyone on the team needs as much context, background, and lead time as possible so that they can work as a team to come up with solutions that make sense for the business.