Druva has released the latest addition to its inSync product, Druva Proactive Compliance, which it says is intended to make compliance simpler for customers.
Proactive Compliance will let companies define their own search terms, which are then used to scan data in real time and flag the risks that data carries. By being able to identify and track data, companies can map their data security risk. This is not just about the loss or leakage of data but about what data users are accessing, how they handle it and, ultimately, where they store or send it.
One group that will see an immediate opportunity with Proactive Compliance is Druva's European customers. They are already beginning to prepare for the General Data Protection Regulation (GDPR), adopted in 2016 and enforced from May 2018, which means having more stringent and auditable data control processes in place.
The GDPR is especially strong on privacy. Druva claims that Proactive Compliance will improve the ability to track Protected Health Information (PHI), payment card data (the cardholder data covered by PCI DSS) and Personally Identifiable Information (PII). From a corporate perspective, companies struggle to identify and track Intellectual Property (IP), another area that Druva claims it will make easier.
Key capabilities of Druva Proactive Compliance
According to the press release there are five primary capabilities of Proactive Compliance:
- Centralized compliance dashboard: Compliance, security and legal teams have an easily navigable federated view by data source, compliance risk type, risk level, user as well as other pertinent information to make quick assessments and investigate infractions.
- Non-compliance reporting: Compliance and Information Security teams can subscribe to regulation- or policy-specific reports, which are automatically generated and emailed to subscribers when potential data risks are discovered.
- Pre-defined, customizable compliance templates: Organizations can select from pre-defined compliance templates (e.g. HIPAA, GLBA, PCI) or customize their own. inSync will automatically scan, identify and alert the organization to risks as necessary.
- Investigative searching: Companies that conduct internal investigations on behalf of a legal request or need to identify sensitive data (HR data, IP, financial records) can utilize inSync’s new deep-search capabilities to pinpoint materials across their end-user data.
- Legal authenticity and admissibility: Companies can demonstrate the integrity of their data for both compliance and legal needs because inSync captures extended metadata and computes a unique fingerprint for every file in the system. This gives an auditable trail of a file's history and a check that the file has not been modified since it was fingerprinted.
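The fingerprint-and-audit-trail idea in the last item can be shown with a small amount of code. The following is an added example, not Druva's inSync implementation: it assumes a SHA-256 content hash plus a few stat() fields as the "extended metadata", and it chains audit entries so that altering or removing an earlier entry invalidates every entry after it. The file contents and actor names are constructed for the demonstration.

```python
"""Added example: per-file fingerprints and a hash-chained audit trail.

Illustrative code only; it is not Druva's product code. The fingerprint
format and the audit entry layout are assumptions made for this example.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional


def fingerprint_file(path: str, chunk_size: int = 1 << 16) -> dict:
    """Return a SHA-256 content hash plus stat() metadata for one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "name": os.path.basename(path),
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
    }


def unchanged(path: str, recorded: dict) -> bool:
    """Integrity check: does the file still match the recorded fingerprint?"""
    current = fingerprint_file(path)
    return current["sha256"] == recorded["sha256"] and current["size"] == recorded["size"]


def _canonical(body: dict) -> bytes:
    """Stable serialisation so the same entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class AuditTrail:
    """Append-only log; each entry commits to the hash of the previous one."""
    entries: List[dict] = field(default_factory=list)

    def record(self, event: str, fp: dict, actor: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "event": event, "actor": actor,
                "fingerprint": fp, "prev_hash": prev}
        body["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(body)
        return body

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent entry, or None if intact."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev or body.get("seq") != i:
                return i
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
                return i
            prev = entry["entry_hash"]
        return None


def demo() -> dict:
    """Constructed scenario: fingerprint a file, log an edit, then tamper with the log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "customer-list.txt")
        with open(path, "wb") as f:
            f.write(b"ACME customer list v1\n")  # constructed sample content
        trail = AuditTrail()
        fp0 = fingerprint_file(path)
        trail.record("backup", fp0, "alice")
        with open(path, "ab") as f:
            f.write(b"Added: Globex Corp\n")  # a later, legitimate edit
        fp1 = fingerprint_file(path)
        trail.record("backup", fp1, "alice")
        result = {
            "original_unchanged": unchanged(path, fp0),  # False: content changed
            "latest_unchanged": unchanged(path, fp1),    # True
            "chain_ok_before": trail.verify(),           # None: chain intact
        }
        # Someone rewrites the oldest entry to hide who made the first backup.
        trail.entries[0]["actor"] = "mallory"
        result["first_bad_entry"] = trail.verify()       # 0: the edited entry
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain only proves that the log is internally consistent; to make it evidence against the party that operates the log, the head hash would also need to be anchored somewhere that party cannot rewrite (a signed timestamp or a copy held by a third party), which this example does not do.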
Druva offering warranties around compliance templates
One of the most interesting parts of this announcement is the claim by Druva that they will back their compliance templates with warranties. According to Dave Packer, VP, Product Marketing, Druva:
“We worked with outside counsel, Foley, to build out these templates to ensure that they are detailed and accurate. We will warrant the fitness for use of the templates out of the box and will help the customer with our professional services to install and configure them. We’ve already signed NDAs and different types of contracts with customers around what protection we will provide.”
This is a significant step for any company in this field. For over a decade now software vendors have talked about how their software will help customers meet their compliance needs. The problem is that few were willing to provide any warranty of fitness for those templates. This is one of those rare occasions where a vendor has gone as far as backing the quality and accuracy of its own work.
Part of the reason for the past reluctance to offer warranties is that few vendors claimed to truly understand the complexities of the various pieces of compliance legislation. Yet most of them had consulting practices that worked with customers to design rule-based systems for compliance. What this really meant is that the failure to warrant their work was more about their own legal teams being risk averse than about their ability to deliver compliance-ready products.
One of the risks here is that companies will need to customise and configure the templates to fit their needs, which raises the question of where the vendor's warranty ends and the customer's responsibility begins. Packer told us: “They will be customisable by the client. If they want to change things… they can modify and mark them. It might be IP for financial data and they can customise, build their own and create one that better meets the needs of that organisation.”
For those worried about how to manage this, there are already precedents in the software world. One approach is simply to track changes and keep an audit log that records every modification and provides the basis for allocating liability. Another is to borrow from code generators that emit source from a specification or model.
Those tools separate a file into guard blocks, regions the tool owns and which the user is not meant to change, and user-defined areas where customisation is allowed. That makes it easy to see what the user changed and to check that their changes do not alter the core logic. While Packer would not say exactly how Druva tracks changes to the templates, this might be something for the company to consider as it rolls out Proactive Compliance.
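The guard-block approach described above can be made concrete. The following is an added example and not Druva's product code or template format: it assumes a plain-text template in which `# BEGIN GUARD name` / `# END GUARD name` fence the vendor-warranted rules and `# BEGIN USER name` / `# END USER name` fence the customer's own additions. The vendor publishes a manifest of hashes for the guarded regions; a customised template is then checked against it, with guard edits reported as violations and user-region edits reported separately so that liability can be allocated. The template text is constructed for the demonstration.

```python
"""Added example: guard blocks for customisable compliance templates.

Illustrative only; the marker syntax and the check are assumptions of this
example, not a description of how inSync stores or validates templates.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# A region marker looks like "# BEGIN GUARD pci-pan" or "# END USER custom-ip".
_MARK = re.compile(r"^# (BEGIN|END) (GUARD|USER) (\S+)\s*$")


def parse_regions(text: str) -> List[Tuple[str, str, str]]:
    """Split a template into (kind, name, body) regions; reject bad nesting."""
    regions: List[Tuple[str, str, str]] = []
    current, buf = None, []
    for line in text.splitlines():
        m = _MARK.match(line)
        if not m:
            if current is not None:
                buf.append(line)
            continue
        which, kind, name = m.groups()
        if which == "BEGIN":
            if current is not None:
                raise ValueError(f"nested region at {name}")
            current, buf = (kind, name), []
        else:
            if current != (kind, name):
                raise ValueError(f"unbalanced END for {name}")
            regions.append((kind, name, "\n".join(buf)))
            current = None
    if current is not None:
        raise ValueError(f"unterminated region {current[1]}")
    return regions


def is_well_formed(text: str) -> bool:
    try:
        parse_regions(text)
        return True
    except ValueError:
        return False


def _digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def guard_manifest(text: str) -> Dict[str, str]:
    """Vendor side: hash of every GUARD region exactly as shipped."""
    return {n: _digest(b) for k, n, b in parse_regions(text) if k == "GUARD"}


def check_customisation(shipped: str, customised: str) -> Dict[str, List[str]]:
    """Customer side: which guards were altered or removed, which user areas changed."""
    manifest = guard_manifest(shipped)
    baseline_user = {n: b for k, n, b in parse_regions(shipped) if k == "USER"}
    violated, changed, seen = [], [], set()
    for kind, name, body in parse_regions(customised):
        if kind == "GUARD":
            seen.add(name)
            if manifest.get(name) != _digest(body):
                violated.append(name)
        elif body != baseline_user.get(name):
            changed.append(name)
    missing = set(manifest) - seen          # a deleted guard is also a violation
    return {"guards_violated": sorted(set(violated) | missing), "user_changed": changed}


# Constructed sample template, as a vendor might ship it.
SHIPPED = """\
# BEGIN GUARD pci-pan
# Flags runs of 13-16 digits as possible card numbers; covered by the warranty
pattern: [0-9]{13,16}
severity: high
# END GUARD pci-pan
# BEGIN USER custom-ip
# Organisation-specific intellectual-property terms go here
terms: []
# END USER custom-ip
"""


def demo() -> dict:
    """Three customer edits: allowed, a weakened guard, and a deleted guard."""
    allowed = SHIPPED.replace("terms: []", 'terms: ["Project Falcon", "recipe-7"]')
    weakened = allowed.replace("severity: high", "severity: low")
    deleted = allowed[allowed.index("# BEGIN USER"):]   # guard block dropped entirely
    return {
        "allowed": check_customisation(SHIPPED, allowed),
        "weakened": check_customisation(SHIPPED, weakened),
        "deleted": check_customisation(SHIPPED, deleted),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Hashing the guarded text rather than diffing it keeps the vendor's check independent of how the customer edits the file; the customer's own changes are still visible in `user_changed`, which is the audit-log half of the argument above.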
The ability to customise the product will change over time. Packer said: “The V1 product has fairly tight controls over what it is, what it can do, what they can customise. As we get a better understanding through engagement with the customer and their capabilities of customisation we will allow them to do more.”
This is a bold move by Druva, but with data spread across on-premises systems, cloud services and a range of personal devices, companies have generally lost control of their data assets. As compliance and regulation continue to bring ever tougher penalties, anything that improves control of data to protect the company and its employees will find a ready market.