Service Strategies Showcase - Boston
Impact of Regulatory Compliance on Remote Support
Tom Ellwood, Sr. Manager - Remote Support Technologies, EMC Corporation
© 2004 EMC Corporation. All rights reserved. 11/11/2004

Slide 2: Agenda
- Remote Support – Defined
- EMC Support At-A-Glance
- Remote Support Technology – Historical Perspective
- Regulatory Requirements Fundamentals
- Intersection of Remote Support and Regulatory Compliance
- Impact of Compliance on Internal Policies and Product Development
- Future Trends
- Summary and Questions

Slide 3: Remote Support - Defined
A combination of technology, processes and people which enables the monitoring and management of devices from a remote facility. The benefits include the following:
- Increased Customer Satisfaction
- Proactive response to product generated alerts
- Ability to remotely diagnose and repair
- Increased product availability
- Lower mean time to repair
- Reduced service costs
- Enhanced Customer usage and product performance statistics

Slide 4: EMC Overview
- $6.24B in revenue in 2003
- $1.97B in Q2 ’04 revenue
  - Double-digit year-over-year growth in each business
  - Systems revenue up 16% from Q2 ’03
  - Software revenue up 64% from Q2 ’03
  - Services revenue up 45% from Q2 ’03
- $3.1B in R&D last four years
- $6.7B in cash and investments
- 2,000+ storage-related patents
- $2B+ interoperability investment
- 7,200+ Services professionals
- 21,400+ employees worldwide
- Strong strategic partnerships

“[Customers] are looking for broader ‘best of breed’ solution sets and better service and support, and they are uncompromising when it comes to improving the total cost of ownership and overall returns on their IT investments. We think our strategy and our portfolio are very well suited for this challenge.” — Joe Tucci, President and CEO, July 20, 2004
Slide 5: Recognized Leadership
- #1 provider of storage management software in 2003 for fifth straight year (Gartner Dataquest)
- #1 provider of external RAID storage in 2003 for seventh straight year (IDC)
- #1 provider of networked storage (IDC)
- “Leader” in:
  - SAN integrated solutions
  - SAN management software
  - Midrange enterprise disk arrays
  - High-end enterprise disk arrays
- $3.5 billion in acquisitions in 2003
  - Legato
  - Documentum
  - VMware
EMC leads the Industry in best-of-breed hardware, software, services, and solutions

Slide 6: EMC Support Services At-A-Glance
- 4,000+ in Customer Services
- 3,000+ consultants and technology professionals
- 275+ Cooperative Service Agreements
- 30+ Authorized Services Partners
- 70+ Customer Services partners
- Three practices focused on best practices for storage implementation, integration, and management
- Powerlink eServices: access to over 20,000 Knowledgebase solutions and web support
- Most rapid escalation practices in the industry with 4 levels of customer-defined priorities
- 24-hour mission-critical “follow the sun” support with 11 strategically located support centers
- Joint Solution Centers with leading software vendors Oracle and Microsoft for rapid resolution of joint customer events

“EMC’s service programs and reputation provide customers with confidence that EMC will do whatever it takes to prevent problems and to fix problems when they do occur.” — Gartner Dataquest: IT Vendors Offer Technology-Enhanced Remote Support Services, December 2002

Winner of Software Technical Assistance Recognition (STAR) award for outstanding mission-critical support — Service and Support Professionals Association (SSPA) 2001, 2002, 2003, 2004

“Best in class service. A model for all other IT providers in project execution.
A model for zero downtime…” — General Motors, in naming EMC Supplier of the Year (Winner 1999–2003)

Service metrics (Source: Gartner Benchmarking Hardware Service Operations, June 2002):

Service Metric                                                      EMC     Industry Benchmark
Dial home response resolved before the customer is aware of issue   94.3%   43.9%
First-time resolution                                               95%     89.6%
Parts available under warranty                                      98.5%   95.4%
Calls with four hour or less onsite response                        100%    75.9%

Slide 7: EMC’s Support Environment
Diagram of the EMC support environment, showing:
- Platforms: Mainframe, UNIX, Linux, Windows
- Access: LAN
- Application Management Servers and Users: ControlCenter Server, ControlCenter Web Servers
- EMC products: Centera, Legato and Documentum, Celerra, Connectrix, EDM, Celerra NS600, Symmetrix DMX2000, Symmetrix z8530, CLARiiON CX Series, SRDF, Symmetrix 8000, Symmetrix DMX1000

Slide 8: EMC’s Proactive Support Model
1. E-mail home or call home (modem or INet) from the EMC product at the customer site
2. EMC Customer Support Center Technicians
3. Dial-in Engineering
4. Problem escalation: Solutions Support Center, PSE Lab (Hardware support), Local expertise
5. Site visit: EMC Product Customer Engineer and Registered Technical Specialist

Slide 10: Examples of Remote Support at Consumer Level
HELP!! “I’ve fallen and I can’t get up”

Slide 11: Remote Support Technology – Past and Present
Past:
- Focused on Hardware Platforms Primarily
- Emphasis on Product Monitoring
- Telephony and Modem Based Connectivity
- Phone and Modem Costs Limited Use to Large Vendors
- Proprietary Infrastructure
- Limited Use of Remote Access or Analytical Tools
- Limited Security Concerns
Present:
- Hardware and Software Platforms
- Leveraging Technology for Value-Added Services
- IP or Network Connectivity Options Increasing
- Internet Enabled
- Widespread Use of Inexpensive Bandwidth
- Open Framework
- Autonomic Computing Initiatives Driving On-Board Diagnostic Tools and Self Healing
- Significant Security Concerns Resulting From Use of Public Internet and Compliance Mandates

Slide 12: Support and Service Evolution
Chart of support and service evolution, marked “We are here”. Source: Aberdeen Group, August 2002

Slide 13: Today’s Support Challenges
- Reduce Support Costs
  - Utilization
  - Consolidation
  - Support Automation
- Increase Support Revenues
  - Expanded Partner Relationships
  - More Value-Added Services
  - Sales and Support Channels external from organization
- Increased Complexity
  - Compliance
  - Minutes = Millions
  - Supporting Customer’s Business – Not just your Product
- >16,000 regulations worldwide

Slide 14: The Compliance Challenge Keeps Growing
- The Privacy Act of 1974
- The Computer Security Act of 1987
- The Computer Matching and Privacy Protection Act of 1988
- Promotion of Access to Information Act
- DOD 5220.22-M
- Basel II
- UK Data Protection Act
- Data Protection Amendment 2002
- Law of August 29, 1997 on protection of personal data
- The Electronic Communications Privacy Act
- The Gramm-Leach-Bliley Act
- EU Data Protection Directive (95/46/EU)
- The Health Insurance Portability & Accountability Act (HIPAA)
- Electronic Communications Privacy Directive (2002/58/EU)
- US DoD 5015.2-STD – Design Criteria Standard for Electronic Records Management
- US Army Regulation 25-1, Army Information Management, May 2002; Reg 25-2, Information Assurance
- Sarbanes-Oxley

Slide 15: Compliance Means Following the Rules… and Being Able to Prove It
Regulations by sector (Environmental, Manufacturing, Employment, Finance, Healthcare):
- Data Protection Act of 1998
- MoReq
- CRFB - France
- SEC 17a-4
- NASD 3010
- FERC Part 125
- Basel II
- BaFin – Germany
- Dicom UK Metadata Framework
- GLBA
- Rev. Proc 97-22
- US Patriot Act
- HIPAA
- Sarbanes-Oxley
- eSign Act
- DoD 5015.2
- ISO 15489-2
- Freedom of Information Act of 2000
- 21 CFR Part 11

Slide 16: “Following the Rules” Requires Common Goals
- 20,000 regulations – 3 common themes
  - Retention
  - Assured authenticity
  - Security / disaster recovery
- Common IS Goals
  - Integrity
  - Confidentiality
  - Accessibility
- How are regulations & IS goals applied in the Information Infrastructure???
Common Compliance Information Goals: Integrity, Confidentiality, Accessibility

Slide 17: HIPAA 45 CFR 164 – Health Care
Industries: Health Care Providers, Medical Insurance, Pharmaceuticals, Biotechnology
Goals: Integrity, Confidentiality, Accessibility
HIPAA: 45 CFR Part 164 Security and Privacy Rule
- 164.306 “… entity must comply with standards as provided in this section and in 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information”
- 164.308(a) “Risk Analysis to assess risks to the confidentiality, integrity and availability of electronic protected health information.”
- 164.312(a) “…allow access to only those persons or software programs that have been granted access rights…”
- 164.312(b) “Audit Controls … record and examine activity in information systems that contain or use protected health information”
- 164.312(d) “Implement procedures to ensure that person or entity seeking access … is the one claimed”
- 164.312(e)(2) Transmission Security … “encrypt electronic protected health information whenever deemed appropriate.”
Specified Capabilities: System Validation, Access Control & Logs, Audit Trails, Authentication, Encryption

Slide 18: FDA 21 CFR 11 – For Pharmaceuticals
Industries: Pharmaceuticals, Biotechnology, Medical Devices, Food
Goals: Integrity, Confidentiality, Accessibility
FDA: 21 CFR Part 11 Electronic Records and Signatures
- 11.10 “… procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records”
- 11.10(a) “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered reports”
- 11.10(c) “Protection of records to enable their accurate and ready retrieval throughout the records retention period”
- 11.10(d) “Limiting system access to authorized individuals”
- 11.10(e) Use of secure, computer-generated, time stamped, audit trails that “shall be retained for a period at least as long as that required for the subject electronic records …”
- 11.30 Controls for open systems … “additional measures such as document encryption …”
Specified Capabilities: System Validation, Retention Mgmt, Access Control & Logs, Authentication, Audit Trails, Encryption

Slide 19: The Sarbanes-Oxley Act
The Sarbanes-Oxley Act of 2002 has rewritten the rules for corporate governance disclosure and reporting. Good corporate governance and ethical business practices are no longer niceties – they are the law.
Themes: “Disclosure”, “Internal Controls”, “Certification”
- Section 302: CEO and CFO must certify their financial statements – no IT implications. Deadline: In effect now
- Section 404: Auditors must certify internal controls and processes in addition to financial numbers. Deadline: Extended to November 2004
- Section 409: Companies must provide real-time disclosure of material events that might affect performance; real-time reporting (promote full disclosure and constant awareness). Deadline: Coming soon

Slide 20: Regulatory environment and security awareness lead to new customer behavior
Hostile environment:
- 210 million complaints reported to the FTC identity theft clearinghouse by year-end 2003 (source FTC)
- 56% of US corporations had unauthorized use of computer systems in 2002 (source FBI)
- 3,784 software vulnerabilities reported in 2003 (source CERT)
- SQL Slammer worm caused an estimated $1 billion loss to businesses in January 2003
Privacy & governance regulations:
- California law SB 1386
- Sarbanes-Oxley
- HIPAA
- Gramm-Leach-Bliley Act
New customer security behavior:
- Increased awareness of financial liabilities
- Business loss – Reputation and $$$
- Prosecution (ENRON)

Slide 21: Intersection of Compliance and Product Support
Privacy Regulations: California law SB 1386, HIPAA, Gramm-Leach-Bliley Act, Sarbanes-Oxley
Products and Customer Service employees are now part of a regulated environment.
- Customers: Financial institutions, Public companies, Healthcare, …
- Customer Service: SLA & Support agreement, On-site support, Remote support, Internal controls
Controls & regulations impact:
- Accuracy of audit records
- Security breach reporting
- Privacy policies
- Security forensics
- Remote support infrastructure
- Product architecture
- Privacy Policy
- Customer Service processes

Slide 22: Impact of Compliance on Remote Support
Diagram: Vendor Network – Firewall – Internet – Firewall – Customer Network, with the Support Engineer on the vendor side and the Monitored Devices on the customer side.
Vendor side (Web Servers, Application Servers, CRM Data Base, Support Engineer):
- Privacy Policies
- Authentication
- Role Based Access
- Security Training
- Process Audit
- Remote Access Logs
- Change Control Logs
- Support Logs
Customer side (Monitored devices):
- Host Vulnerabilities - AV & O/S Updates - Active Services
- Authentication
- Audit Logs
- Access Control
- Change Control
- Media Protection
- Encryption
- Firewall Rules
Bottom Line: My Network; My Rules!

Slide 23: Understanding the Rules for Remote Support - Guidelines
- Engage your customers early and often
  - It’s more than market research
  - Understand their business
    - Security Policies for Remote Access
    - Compliance Requirements
    - Availability Needs
    - Service Level Agreements
    - Additional Services
    - “WIIFM”
  - Include representative customers in design and feature requirements – Both End Users and Network Security
  - Enlist Customers in messaging and deployment strategy
- One size doesn’t fit all
- Security is a blend of process and technology
- Prepare to have your Remote Support processes audited
- Design ‘Security Friendly’ products
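As an added illustration (not code from the deck, EMC, or any EMC product), the following shows what the vendor-side “Role Based Access” and “Remote Access Logs” items on slide 22, and the “prepare to have your Remote Support processes audited” guideline on slide 23, look like in practice: a time-stamped, hash-chained audit trail of remote support actions whose integrity an auditor can verify. The roles, permissions, device names and the HMAC key are constructed for this example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role model for a vendor's remote support staff (hypothetical, for this example).
ROLE_PERMISSIONS = {
    "support_l1": {"view_alerts", "read_logs"},
    "support_l2": {"view_alerts", "read_logs", "run_diagnostics"},
    "field_engineer": {"view_alerts", "read_logs", "run_diagnostics", "apply_patch"},
}
# Constructed key; in a real deployment it belongs to the log server, not to the engineer's workstation.
LOG_HMAC_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64

def authorize(role: str, action: str) -> bool:
    """Role-based access check: an action proceeds only if the role has been granted it."""
    return action in ROLE_PERMISSIONS.get(role, set())

def _mac(body: dict) -> str:
    """Keyed hash over the canonical JSON form of the entry, so any field change is detectable."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(LOG_HMAC_KEY, payload, hashlib.sha256).hexdigest()

def append_entry(chain: list, engineer: str, role: str, device: str, action: str) -> dict:
    """Append a time-stamped record of a remote support action, chained to the previous entry.
    Denied attempts are recorded as well: auditors need the attempts, not only the successes."""
    body = {
        "ts": datetime.now(timezone.utc).isoformat(),   # computer-generated timestamp
        "engineer": engineer,
        "role": role,
        "device": device,
        "action": action,
        "allowed": authorize(role, action),
        "prev": chain[-1]["mac"] if chain else GENESIS,  # link to the previous entry
    }
    entry = dict(body, mac=_mac(body))
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> int:
    """Return the index of the first altered, reordered or missing-link entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("prev") != prev or not hmac.compare_digest(_mac(body), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1
```

Because each entry carries the previous entry’s MAC, an auditor can detect not only an edited record but also a deleted or reordered one, which is what makes the trail usable as evidence that the support process was followed.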
Slide 24: Defining policies to address security throughout the product lifecycle
Policy by lifecycle phase:
- Design & Architecture
  - Product feature policy: Authentication & Authorization, Secure communication, Encryption, Standardization
  - 3rd party product policies: security patches, default configurations
- Product development
  - Development policy: Prevent vulnerabilities (Buffer overflow …), Password management
- Product QA & testing
  - Security policy validation, Product QA in secure environment, Security scanning
- Audit
  - Accreditation & certification
- Customer Service
  - Vulnerability response policy, Security patch & antivirus, Customer role & responsibility, Remote support policy, Privacy policy, Customer controls
Underpinning all phases: Product Security Policy

Slide 25: Future Trends in Remote Support Technology
- Customers Demanding Increased Availability – Cost of Down Time Increasing
- Devices Becoming More Intelligent
  - RFID
  - Self-Healing Architectures
  - Autonomic Computing
- Millions of Devices Networked – 500 Million by 2010 (Harbor Research)
- Wireless Invasion will Increase Remote Access capabilities
- Regulatory Compliance and Network Expansion will Drive Security Awareness
  - Perimeter Defense
  - End Point Defense

Slide 26: Key Takeaways
- Remote support model can create a competitive advantage
- Remote monitoring and management capabilities will drive new product features and services opportunities
- Regulatory compliance will impact your remote support model
  - You will become an extension of a regulated community
  - Trust but verify – Are your support processes auditable?
- Security must be designed into products; it can’t be “bolted on”
  - Integrate security into product lifecycle
- Security policies are as important as the technology
Slide 27: Reference Material
- ISO 17799:2000 – Code of Practice for Information Security Management
- NIST Special Publication 800-70 (DRAFT), The NIST Security Configuration Checklists Program (http://csrc.nist.gov/publications/nistpubs/)
- Control Objectives for Information and related Technology (COBIT) Security Baseline - IT Governance Institute (http://www.isaca.org)
- IETF RFC 2828 Internet Security Glossary (May 2000)
- SANS (SysAdmin, Audit, Network, Security) Institute (http://www.sans.org)
- Common Criteria for IT Security Evaluation (http://csrc.nist.gov/cc/index.html)
- Open Web Application Security Project (OWASP) Top Ten Security Vulnerabilities (http://www.owasp.org/documentation)