© 2004 EMC Corporation. All rights reserved.
Service Strategies Showcase - Boston
Impact of Regulatory Compliance on Remote Support
Tom Ellwood, Sr. Manager - Remote Support Technologies, EMC Corporation
11/11/2004
Agenda
Remote Support – Defined
EMC Support At-A-Glance
Remote Support Technology – Historical Perspective
Regulatory Requirements Fundamentals
Intersection of Remote Support and Regulatory Compliance
Impact of Compliance on Internal Policies and Product Development
Future Trends
Summary and Questions
Remote Support – Defined
A combination of technology, processes and people which enables the monitoring and management of devices from a remote facility.
The benefits include the following:
– Increased Customer Satisfaction
– Proactive response to product generated alerts
– Ability to remotely diagnose and repair
– Increased product availability
– Lower mean time to repair
– Reduced service costs
– Enhanced Customer usage and product performance statistics
EMC Overview
$6.24B in revenue in 2003
$1.97B in Q2 ’04 revenue
– Double-digit year-over-year growth in each business
– Systems revenue up 16% from Q2 ’03
– Software revenue up 64% from Q2 ’03
– Services revenue up 45% from Q2 ’03
$3.1B in R&D last four years
$6.7B in cash and investments
2,000+ storage-related patents
$2B+ interoperability investment
7,200+ Services professionals
21,400+ employees worldwide
Strong strategic partnerships
“[Customers] are looking for broader ‘best of breed’ solution sets and better service and support, and they are uncompromising when it comes to improving the total cost of ownership and overall returns on their IT investments. We think our strategy and our portfolio are very well suited for this challenge.”
— Joe Tucci, President and CEO, July 20, 2004
Recognized Leadership
#1 provider of storage management software in 2003 for fifth straight year (Gartner Dataquest)
#1 provider of external RAID storage in 2003 for seventh straight year (IDC)
#1 provider of networked storage (IDC)
“Leader” in:
– SAN integrated solutions
– SAN management software
– Midrange enterprise disk arrays
– High-end enterprise disk arrays
$3.5 billion in acquisitions in 2003
– Legato
– Documentum
– VMware
EMC leads the Industry in best-of-breed hardware, software, services, and solutions
EMC Support Services At-A-Glance
4,000+ in Customer Services
3,000+ consultants and technology professionals
275+ Cooperative Service Agreements
30+ Authorized Services Partners
70+ Customer Services partners
Three practices focused on best practices for storage implementation, integration, and management
Powerlink eServices: access to over 20,000 Knowledgebase solutions and web support
Most rapid escalation practices in the industry with 4 levels of customer-defined priorities
24-hour mission-critical “follow the sun” support with 11 strategically located support centers
Joint Solution Centers with leading software vendors Oracle and Microsoft for rapid resolution of joint customer events
“EMC’s service programs and reputation provide customers with confidence that EMC will do whatever it takes to prevent problems and to fix problems when they do occur.”
—Gartner Dataquest: IT Vendors Offer Technology-Enhanced Remote Support Services, December 2002
Source: Gartner Benchmarking Hardware Service Operations, June 2002
Service Metric | EMC | Industry Benchmark
Dial home response resolved before the customer is aware of issue | 94.3% | 43.9%
First-time resolution | 95% | 89.6%
Parts available under warranty | 98.5% | 95.4%
Calls with four hour or less onsite response | 100% | 75.9%
Winner of Software Technical Assistance Recognition (STAR) award for outstanding mission-critical support
— Service and Support Professionals Association (SSPA) 2001, 2002, 2003, 2004
“Best in class service. A model for all other IT providers in project execution. A model for zero downtime…”
—General Motors, in naming EMC Supplier of the Year (Winner 1999–2003)
EMC’s Support Environment
[Diagram: EMC’s support environment. Components shown: Users, UNIX, Mainframe, Windows, Linux, LAN, Web Servers, Application Servers, Platforms, Management, Access, EDM, ControlCenter, ControlCenter Server, CLARiiON CX Series, Symmetrix DMX2000, Symmetrix DMX1000, Symmetrix 8000, Symmetrix z8530, SRDF, Centera, Celerra, Celerra NS600, Connectrix, Legato and Documentum.]
EMC’s Proactive Support Model
[Diagram: flow between EMC Product, EMC Customer Support Center Technicians, PSE Lab (Hardware support), Solutions Support Center, Customer Engineer and Registered Technical Specialist, and Engineering.]
1. e-mail home or call home (modem or I-Net)
2. Dial-in
3. Problem escalation
4. Local expertise
4. Site visit
5. Engineering
Examples of Remote Support at Consumer Level
“I’ve fallen and I can’t get up”
HELP !!
Remote Support Technology – Past and Present
Past
– Focused on Hardware Platforms
– Primarily Emphasis on Product Monitoring
– Telephony and Modem Based Connectivity
– Phone and Modem Costs Limited Use to Large Vendors
– Proprietary Infrastructure
– Limited Use of Remote Access or Analytical Tools
– Limited Security Concerns
Present
– Hardware and Software Platforms
– Leveraging Technology for Value-Added Services
– IP or Network Connectivity Options Increasing
– Internet Enabled
– Widespread Use of Inexpensive Bandwidth
– Open Framework
– Autonomic Computing Initiatives Driving On-Board Diagnostic Tools and Self Healing
– Significant Security Concerns Resulting From Use of Public Internet and Compliance Mandates
Support and Service Evolution
[Chart: support and service evolution timeline, with the current position marked “We are here”. Source: Aberdeen Group, August 2002]
Today’s Support Challenges
Compliance – >16,000 regulations worldwide
Reduce Support Costs – Utilization, Consolidation, Support Automation
Increase Support Revenues – More Value-Added Services
Expanded Partner Relationships – Sales and Support Channels external from organization
Increased Complexity – Minutes = Millions; Supporting Customer’s Business – Not just your Product
The Compliance Challenge Keeps Growing
The Privacy Act of 1974
The Computer Security Act of 1987
The Computer Matching and Privacy Protection Act of 1988
The Electronic Communications Privacy Act
The Gramm-Leach-Bliley Act
The Health Insurance Portability & Accountability Act (HIPAA)
EU Data Protection Directive (95/46/EU)
Electronic Communications Privacy Directive (2002/58/EU)
UK Data Protection Act
Data Protection Amendment 2002
Law of August 29, 1997 on protection of personal data
Basel II
Promotion of Access to Information Act
DOD 5220.22-M
US DoD 5015.2-STD – Design Criteria Standard for Electronic Records Management
US Army Regulation 25-1, Army Information Management, May 2002; Reg 25-2, Information Assurance
Sarbanes-Oxley
Compliance Means Following the Rules…and Being Able to Prove It
SEC 17a-4
Sarbanes-Oxley
GLBA
Rev. Proc 97-22
MoReq
CRFB – France
BaFin – Germany
Basel II
Data Protection Act of 1998
NASD 3010
US Patriot Act
HIPAA
UK Metadata Framework
Dicom
eSign Act
Freedom of Information Act of 2000
ISO 15489-2
21 CFR Part 11
DoD 5015.2
FERC Part 125
Sectors: Environmental, Manufacturing, Employment, Finance, Healthcare
“Following the Rules” Requires Common Goals
20,000 regulations – 3 common themes
– Retention
– Assured authenticity
– Security / disaster recovery
Common IS Goals
– Integrity
– Confidentiality
– Accessibility
How are regulations & IS goals applied in the Information Infrastructure?
HIPAA 45 CFR 164 – Health Care
Industries: Health Care Providers, Medical Insurance, Pharmaceuticals, Biotechnology
HIPAA: 45 CFR Part 164, Security and Privacy Rule
• 164.306 “… entity must comply with standards as provided in this section and in 164.308, 164.310, 164.312, 164.314 and 164.316 with respect to all electronic protected health information”
• 164.308(a) “Risk Analysis to assess risks to the confidentiality, integrity and availability of electronic protected health information.”
• 164.312(a) “…allow access to only those persons or software programs that have been granted access rights….”
• 164.312(b) “Audit Controls – … record and examine activity in information systems that contain or use protected health information”
• 164.312(d) “Implement procedures to ensure that person or entity seeking access … is the one claimed”
• 164.312(e)(2) Transmission Security … “encrypt electronic protected health information whenever deemed appropriate.”
Specified Capabilities: Integrity, Accessibility, Confidentiality, System Validation, Audit Trails, Authentication, Encryption, Access Control & Logs
FDA 21 CFR 11 – For Pharmaceuticals
Industries: Pharmaceuticals, Biotechnology, Medical Devices, Food
FDA: 21 CFR Part 11, Electronic Records and Signatures
• 11.10 “… procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records”
• 11.10(a) “Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered reports”
• 11.10(c) “Protection of records to enable their accurate and ready retrieval throughout the records retention period”
• 11.10(d) “Limiting system access to authorized individuals”
• 11.10(e) Use of secure, computer-generated, time stamped, audit trails that “shall be retained for a period at least as long as that required for the subject electronic records …”
• 11.30 Controls for open systems … “additional measures such as document encryption …”
Specified Capabilities: System Validation, Retention Mgmt, Authentication, Encryption, Integrity, Accessibility, Confidentiality, Access Control & Logs, Audit Trails
The Sarbanes-Oxley Act
Section 302 – “Certification”
CEO and CFO must certify their financial statements – no IT implications
Deadline: In effect now
Section 404 – “Internal Controls”
Auditors must certify internal controls and processes in addition to financial numbers
Deadline: Extended to November 2004
Section 409 – “Disclosure”
Companies must provide real-time disclosure of material events that might affect performance, real-time reporting (Promote full disclosure and constant awareness)
Deadline: Coming soon
The Sarbanes-Oxley Act of 2002 has rewritten the rules for corporate governance disclosure and reporting. Good corporate governance and ethical business practices are no longer niceties – they are the law.
Regulatory environment and security awareness lead to new customer behavior
New customer security behavior
– Increased awareness of financial liabilities
– Business loss – Reputation and $$$
– Prosecution
Privacy & governance regulations
– California law SB 1386
– HIPAA
– Gramm-Leach-Bliley Act
– Sarbanes-Oxley
Hostile environment
– 210 million complaints reported to the FTC identity theft clearinghouse by year-end 2003 (source FTC)
– 56% of US corporations had unauthorized use of computer systems in 2002 (source FBI)
– 3,784 software vulnerabilities reported in 2003 (source CERT)
– SQL Slammer worm caused an estimated $1 billion loss to businesses in January 2003
– ENRON
Intersection of Compliance and Product Support
Privacy Regulations: California law SB 1386, HIPAA, Gramm-Leach-Bliley Act, Sarbanes-Oxley
Customers: Financial institutions, Public companies, Healthcare, …
Customer Service: SLA & Support agreement, On-site support, Remote support
Internal controls: Accuracy of audit records, Security breach reporting, Privacy policies, Security forensics
Controls & regulations impact: Remote support infrastructure, Product architecture, Privacy Policy, Customer Service processes
Products and Customer Service employees are now part of a regulated environment
Impact of Compliance on Remote Support
[Diagram: vendor side (Support Engineer, CRM, Database, Web Servers, Vendor Network) connected over the Internet, through a firewall at each end, to the Customer Network (Application Servers, Monitored Devices).]
Vendor-side controls:
• Encryption
• Firewall Rules
• Privacy Policies
• Authentication
• Role Based Access
• Security Training
• Process Audit
• Remote Access Logs
• Change Control Logs
• Support Logs
Customer-side controls:
• Host Vulnerabilities – AV & O/S Updates, Active Services
• Authentication
• Audit Logs
• Access Control
• Change Control
• Media Protection
Bottom Line: My Network; My Rules!
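The vendor-side log categories on this slide (remote access, change control and support logs) and the audit-trail requirements quoted earlier from HIPAA 164.312(b) and 21 CFR 11.10(e) all come down to one question an auditor will ask: can you show that the remote-support record is complete and unaltered? The Python sketch below is an added example, not EMC's code or any product's, of a tamper-evident remote-support audit trail: every record is authenticated with an HMAC under a vendor-held key and carries the MAC of the record before it, and a verifier checks chain continuity, each MAC, and a role-based access policy. The role table, the actor and device names, the timestamps and the key are all constructed assumptions for the illustration.

```python
# Added example: tamper-evident audit trail for vendor remote-support sessions.
# Not EMC's code; the roles, names, devices, timestamps and key are constructed.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical role-based access policy for vendor support staff (assumption).
ROLE_PERMISSIONS: Dict[str, set] = {
    "support_engineer": {"view_logs", "run_diagnostics"},
    "field_engineer": {"view_logs", "run_diagnostics", "replace_part"},
    "security_admin": {"view_logs", "run_diagnostics", "change_config"},
}

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(record: Dict) -> bytes:
    """Canonical JSON of every field except the MAC, so verification
    recomputes the MAC over exactly the bytes that were authenticated."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, record: Dict) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only log: each record carries the previous record's MAC, so
    deleting or reordering records breaks the chain, and altering a record's
    fields invalidates its MAC (the key is held by the vendor, not the host)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []

    def append(self, actor: str, role: str, device: str, action: str,
               outcome: str, ts: Optional[str] = None) -> Dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        record = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "device": device,
            "action": action, "outcome": outcome,
            "prev": prev,
        }
        record["mac"] = _mac(self._key, record)
        self.records.append(record)
        return record


def verify_trail(records: List[Dict], key: bytes) -> List[str]:
    """Audit check: returns findings; an empty list means the trail passes.
    Checks chain continuity, each record's MAC, and the role policy."""
    findings: List[str] = []
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("prev") != prev:
            findings.append(f"record {i}: chain break (missing or reordered record)")
        if not hmac.compare_digest(rec.get("mac", ""), _mac(key, rec)):
            findings.append(f"record {i}: MAC mismatch (record altered or wrong key)")
        if rec.get("action") not in ROLE_PERMISSIONS.get(rec.get("role"), set()):
            findings.append(f"record {i}: role {rec.get('role')!r} not permitted "
                            f"to {rec.get('action')!r}")
        prev = rec.get("mac", "")
    return findings


def build_sample_trail(key: bytes) -> AuditTrail:
    """Constructed sample session with fixed timestamps so results repeat."""
    trail = AuditTrail(key)
    trail.append("alice", "support_engineer", "array-01", "view_logs", "ok",
                 ts="2004-11-11T09:00:00+00:00")
    trail.append("alice", "support_engineer", "array-01", "run_diagnostics", "ok",
                 ts="2004-11-11T09:05:00+00:00")
    trail.append("bob", "security_admin", "array-01", "change_config", "ok",
                 ts="2004-11-11T09:30:00+00:00")
    return trail


if __name__ == "__main__":
    key = b"constructed-demo-key"
    trail = build_sample_trail(key)
    print("intact trail findings:", verify_trail(trail.records, key))
    tampered = [dict(r) for r in trail.records]
    tampered[1]["action"] = "change_config"  # edit a record after the fact
    print("tampered trail findings:", verify_trail(tampered, key))
```

The design choice worth noting is where the key lives: the monitored host writes the records but cannot forge or silently rewrite them because only the vendor's verifier holds the HMAC key, which is what makes the trail usable as evidence during a process audit rather than just as a convenience log.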
Understanding the Rules for Remote Support – Guidelines
Engage your customers early and often
– It’s more than market research
– Understand their business:
  • Security Policies for Remote Access
  • Compliance Requirements
  • Availability Needs
  • Service Level Agreements
  • Additional Services
  • “WIIFM”
– Include representative customers in design and feature requirements – Both End Users and Network Security
– Enlist Customers in messaging and deployment strategy
One size doesn’t fit all
Security is a blend of process and technology
Prepare to have your Remote Support processes audited
Design ‘Security Friendly’ products
Product Security Policy
Defining policies to address security throughout the product lifecycle
Design & Architecture – Product feature policy:
– Authentication & Authorization
– Audit
– Secure communication
– Password management
– Encryption
– Standardization
Product development – Development policy:
– Prevent vulnerabilities: Buffer overflow …
– 3rd party product policies: security patches, default configurations
Product QA & testing – Security policy validation:
– Product QA in secure environment
– Security scanning
– Accreditation & certification
Customer Service – Remote support policy:
– Privacy policy
– Customer controls
– Vulnerability response policy
– Security patch & antivirus
– Customer role & responsibility
Future Trends in Remote Support Technology
Customers Demanding Increased Availability
– Cost of Down Time Increasing
Devices Becoming More Intelligent
– RFID
– Self-Healing Architectures
– Autonomic Computing
Millions of Devices Networked
– 500 Million by 2010 (Harbor Research)
Wireless Invasion will Increase Remote Access capabilities
Regulatory Compliance and Network Expansion will Drive Security Awareness
– Perimeter Defense
– End Point Defense
Key Takeaways
Remote support model can create a competitive advantage
Remote monitoring and management capabilities will drive new product features and services opportunities
Regulatory compliance will impact your remote support model
– You will become an extension of a regulated community
– Trust but verify – Are your support processes auditable?
Security must be designed into products; it can’t be “bolted-on”
– Integrate security into product lifecycle
Security policies are as important as the technology
Reference Material
• ISO 17799:2000 – Code of Practice for Information Security Management
• NIST Special Publication 800-70 (DRAFT), The NIST Security Configuration Checklists Program (http://csrc.nist.gov/publications/nistpubs/)
• COBIT – Control Objectives for Information and related Technology, Security Baseline – IT Governance Institute (http://www.isaca.org)
• IETF RFC 2828, Internet Security Glossary (May 2000)
• SANS (SysAdmin, Audit, Network, Security) Institute (http://www.sans.org)
• Common Criteria for IT Security Evaluation (http://csrc.nist.gov/cc/index.html)
• OWASP – Open Web Application Security Project Top Ten Security Vulnerabilities (http://www.owasp.org/documentation)