Changes in both the executive and legislative branches of the U.S. government are likely to result in changes to many existing regulations. And in turn, that means that governance, risk management, and compliance will be a big challenge for many tech companies. In fact, many experts warn that IT organizations are going to have to pay more attention to compliance issues.
Major regulations that are likely to be altered include:
- The Dodd-Frank Act. This act was designed to provide more transparency into financial services firms, and the Trump Administration has already signaled that scrapping key provisions of it is a high priority.
- The Health Insurance Portability and Accountability Act. While much of the current focus is on repealing and replacing the Affordable Care Act, it’s only a matter of time before provisions of this act are re-examined as well.
- The Environmental Protection Agency (EPA). As the EPA struggles to justify its existence, many of the rules the agency had put in place are being relaxed or abandoned.
- The USA Patriot Act. Set to be renewed any day now, this Act has profound implications for any data stored by an international company on a device or in a data center located in the U.S.
While many of these changes promise to make compliance simpler, there is still a dizzying array of laws, regulations, and standards that will continue to make governance, risk management, and compliance (GRC) a major challenge.
Whether it’s the Payment Card Industry Data Security Standard (PCI-DSS) enforced by credit card companies or the way personally identifiable information (PII) needs to be handled under the provisions of the Gramm-Leach-Bliley Act, organizations of all sizes will continue to spend a significant amount of time and energy figuring out how to comply with every possible nuance or interpretation.
Plus, companies that operate globally will likely encounter stiffer regulations outside the U.S. And states such as New York and California are adding new regulations to make up for a perceived loss of regulatory zeal at the federal level. This all adds up to more complexity.
But compliance issues don’t stop with the letter of the law. According to Bruce Davie, CTO of Networking at VMware, as IT infrastructure becomes more programmable in the age of virtualization, developers who don’t have the greatest track record with security or compliance are exercising more influence. Because of this, Davie said IT organizations in 2017 will need to pay much closer attention to how policies get enforced across self-service IT environments, where IT operations teams are not going to be as physically hands-on as they once were.
Judith Hurwitz, principal analyst for Hurwitz & Associates, adds that as IT becomes more complex, organizations will need to rely more on automation to achieve compliance. Rather than thinking of compliance in terms of an audit that needs to be passed, Hurwitz said IT organizations need to embrace technologies that make it possible to treat compliance as an ongoing process rather than an occasional event.
Obviously, network virtualization technologies have a role to play in enabling compliance processes by making it possible to micro-segment network traffic by application. That approach may wind up increasing the number of applications that have to be tracked from a compliance perspective.
But Serro Solutions CEO Nitin Serro said network virtualization also provides a lot more visibility into the overall IT environment. Serro said that shift requires as much cultural change as technological change. Instead of implementing compliance policies across a horizontal class of technology services, organizations need to adopt a more application-centric approach in which security and compliance policies travel with an application workload regardless of where it winds up running. That becomes a lot easier to accomplish when network traffic is segmented by application, said Serro.
It is unlikely compliance will ever completely go away as an issue. Enthusiasm for enforcing one set of rules over another may ebb and flow, but there will always be regulations. The good news is that many of the controls called for in one regulation often turn out to be applicable to another. That suggests there is a lot of opportunity to create a base level of compliance that can be extended as necessary. In fact, with that goal in mind, many savvy organizations are starting to engineer compliance into their IT environment using software-defined policies that are relevant across multiple compliance scenarios. That doesn’t eliminate the need to go through the actual compliance process, but it does take considerably less time.