servers

Case study: The Gap and employee access controls

Jim Kim — Fri, 01 Aug 2008 07:37:58 -0400

Retailers spend a lot of time worrying about PCI and Sarbanes-Oxley. As CIO notes, passing an audit means showing definitively that you can control employee access to customer and other data. Unfortunately for Gap Inc. Direct, which has to control for the online operations at Gap, Banana Republic, Old Navy and other stores, the IT environment was decidedly heterogeneous. So for PCI and Sarbox audits, server logs had to be manually collected to show who accessed files and when for hundreds of servers. The process required up to 10 people working at least part-time on every audit. The remedy: an identity management solution (this one from Likewise Software). The implementation cost: $400,000. You've likely heard such success stories from vendors, but in this economic environment, it is not fait accompli that the benefits will outweigh the costs. Some of you may have developed some scripts that are good enough. Automation in many cases will make sense--as long as you can truly afford it.

For more:
- here's the CIO article

Data center growth to explode

Tue, 20 May 2008 06:59:59 -0400

We've been talking a lot about the growth of data centers, a market that has skyrocketed because of Sarbanes-Oxley and other regulations, as well as the need for better disaster recovery options. Large companies are set to boost the market again in 2008. According to a survey by Digital Realty Trust, nearly 90 of 300 large US firms said they "would definitely or probably expand their data centers over the next 12 months," notes CBR. Almost half say they will expand to three or more data center locations. Square footage is expected to grow by 50. All this at a time when IT budgets are under pressure. Some are warning that this growth looms as a nightmare in terms of the costs of running and cooling all those servers. Energy's not cheap these days. But what choice do companies have?

For more:
- here's the CBR article
- here's a CIO Insight article on the looming problems

Time to embrace thin clients?

Tue, 29 Jan 2008 06:59:59 -0500

Thin client computing--basically the use of scaled down front-end machines that connect workers to servers that hold all the data and apps--may be in for a revival of sorts. The concept has come into and out of vogue in cycles over the last decade or so. But now people are talking about the use of such clients as a way to produce a stronger compliance program. It makes sense. Would it not be safer to simply make it impossible for data to be stored on a workstation? Let a central server in a secure data center do all that. Makes it much easier to control. And compliance is all about control. We're seeing more vendors hit this angle in their marketing. HP is certainly on the bandwagon.

For more:
- here's an article on HP's latest initiative
- here's some background

Stateless computing a Sarbox benefit?

Mon, 09 Jul 2007 20:01:39 -0400

We've noted that just about all vendors have put together a list of Sarbanes-Oxley-oriented features and benefits. You would be remiss if you didn't. It can get overwhelming for buyers. But we were intrigued by the claims of the stateless computing crowd that any data stored on a desktop is at risk. They have a point. And it will be interesting to see if the corporate world will really transition back to a mainframe model of thin clients attached to powerful servers running all the applications and storing all the data. It makes some sense. There are those who would like to run all their apps off of Net servers (Google apps). But from a security point of view, stateless computing hardly seems like a panacea. It might make it harder for the rogue element to acquire data. But most breaches stem from good old human stupidity. But you've got to market, and Sarbox remains a hot-button issue.

For more:
- here's a release

Don't overlook data destruction issues

Mon, 16 Apr 2007 20:01:39 -0400

Many people assume that Section 302 control requirements cover not only data storage but also data destruction. So as you retire old servers and other IT assets, you have to start worrying about how to securely destroy all the data. The last thing you want is for stray information to end up in the wrong hands--or in the news. Chances are you haven't thought much about this. Clearly, an ad hoc policy is dangerous in this era, so you may want to put together a firm policy. Most people say that true data destruction goes beyond hard-drive wiping. Some prefer to wipe hard drives and then deliver them to a third-party and actually witness the pulverization. Some firms will allow customers to watch the destruction remotely over various links. Some rely on "storm cases" to house the drives in transit. All this is worth thinking about--and it could be fun for the IT team.

For more:
- read this InfoWorld article

Sarbox effecting IT policies

Mon, 21 Aug 2006 20:01:39 -0400

You've probably heard a bit about the positive consequences of Sarbox, such as renewed investor confidence. Well, there may be positive side effects on the IT side as well. For example, fewer accounting firms are bidding for IT-related projects and as a result, the IT consulting field has opened up. Internally, there seems to be a larger wall separating accounting and IT. However, the broader picture has to do with IT governance, the model by which firms manage far-flung technology deployments. Some have successfully created efficiencies as they have sought to more tightly control IT processes.

For more on Sarbox's effects on the IT side:
- here's some perspective from Enterprise Networks & Servers