Last week I was in Dallas, TX visiting with customers and I learned about the challenges faced by a company trying to deal with a combination of HIPAA, FIPS, and PCI compliance. Zerowait has a variety of scalable and affordable storage solutions and the performance of our storage is quite good. The issue is how to affordably comply with regulations that are not clearly written or understood on security. For a company stuck in the middle the only option is to find a solution that can address all three types of compliance and then figure out how to do it affordably.
Coincidentally, this morning in Wilmington, Delaware I was at a round table discussion with Senator Carper who is the chairman of the US Senate’s Homeland Security Committee and the issue came up in his remarks and I asked a couple of questions about the cost of compliance for the business community and the lack of clarity on the requirements. Cyber security is on everyone’s radar but the unintended consequences of the regulatory environment are not well understood. And the challenge for businesses is: Since the government regulation and rule making process is deliberately ponderously slow, how can a company’s engineers quickly stop a cyber attack while waiting to figure out how to comply with government regulations that have yet to be finalized?
During the meeting in Dallas we discussed file systems and archival retention policies, and how to apply encryption that would meet or exceed the government’s regulations without breaking the storage budget. Our engineering manager had researched options and the customer’s engineers were also well-versed in the different issues concerning encryption and retention policies. Together we think we came up with an affordable solution which would address all of the regulations that must be complied with.
The biggest problem the customer is dealing with is regulatory uncertainty. Without clarity the choices are limited to finding a solution that is adaptable to changing requirements and not locked into any one encryption solution. On our staff we have an Air Force Veteran who uses the phrase “no plan survives contact with the enemy”. As we go into the future we need to make encryption decisions that are adaptable and agile enough to protect data, while meeting uncertain and changeable regulations.
A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted.