Idan Shoham, Chief Technology Officer at Hitachi ID Systems (www.Hitachi-ID.com), says:

Statement: “And with the government using its funds to boost the economy and businesses in particular, more government regulations and restrictions are sure to follow.” Agree/disagree? Why/whynot?

Absolutely. It’s all about optics, unfortunately. Citizens want to see that their hard earned tax money isn’t wasted, so they demand regulation, and politicians are more than happy to oblige.

Regulation is often a good thing, but only if it’s focused on real issues and not too intrusive.

For examples of regulations that came too quickly, and probably caused more harm than good, you need look no further than Sarbanes-Oxley (hugely expensive to implement, and yielding only dubious transparency) and Gramm-Leach-Bliley, which apparently enabled some of the financial shenanigans that led to the current mess.

When you consider the major government regulations, including HIPAA and Sarbox, what impact these regulations are having on enterprise data centers?

The impact on IT is actually fairly positive — various regulations demand strong internal controls, to support governance and privacy protection programs. Internal controls depend on sound IT security, and that’s exactly what IT departments have been spending on.

The impact outside of IT, it seems to me, is not so uniformly positive…

What changes have these data centers had to put in place as a result of new regulations? What requirements are they being asked to meet?

Lots of things are being handled in a more robust manner these days than in the past. Some examples:

* Better processes to deactivate access when employees and contractors leave.
* Stronger passwords that change more often.
* Periodic reviews of and corrections to user security privileges (i.e.,
access certification).
* Regular changes to privileged passwords and controls over disclosure
of those passwords.

The common threads here are to ensure that sensitive access is hard to “hack into” and that legitimate access matches a least privilege policy.

Are data centers meeting minimum guidelines or going “above and beyond”?

Well, most regulations are extremely ambiguous when it comes to IT security requirements. As a result, data centers are taking an “industry best practices” approach, which I think actually raises the bar substantially from where legislators may have placed it.

About the only widespread regulation I’m aware of that’s specific with regard to IT security is PCI, and I’d say that most organizations make a pretty strong effort to comply with the guidelines in PCI, in part because they really are common sense measures.

How are these regulations impacting data centers in the health/education/government arenas?

Pretty uniformly, I’d say. The main business driver in each of these is privacy protection — of patients, students, staff, employees, citizens, etc. That depends on internal controls, which depend on IT security.
That’s a pretty strong theme..

Feel free to add anything that you think our readers (IT/data center managers; 275,000+ readership) might want to know.

The real difference today, as compared to a year ago, is that while security remains important, budgets are shrinking. Companies have to continue to deliver results, but with fewer resources.

My advice to readers is to keep pounding on TCO. If you’re going to buy a privileged password management system, or an access certification product, or whatever, make sure you understand license costs, maintenance, implementation services, hardware requirements, training costs, ongoing support, etc. For some products, there is also an ROI to be had. For example, if you automate password reset processes, you can reduce help desk costs while improving password security.