When you think of compliance, what comes to mind? Maybe regulatory compliance, a challenge that elicits dread across the business?
Or perhaps service-level agreement (SLA) compliance? If you deal with cloud or network services, for example, meeting your SLAs can be as mission critical as regulatory compliance, as a failure may adversely impact customers, and with them, the bottom line.
In fact, compliance spans both these areas, and many more in between. You can think of compliance as an onion – an onion that has more layers than you might expect, as compliance means different things to different people. Even the regulatory context means something different for the CFO vs. the IT organization.
Beyond the Network SLA
From the perspective of the network, compliance typically refers to SLA compliance. SLAs predictably focus on network-oriented metrics: latency, jitter, and bandwidth in particular.
When wide-area networks (WANs) are included in the mix, balancing the SLA with the cost of delivering network services can exacerbate compliance challenges.
Such challenges, in fact, are one of the main reasons for the growth of the software-defined WAN (SD-WAN) market. SD-WANs can make policy-based routing decisions to maintain SLA compliance while simultaneously choosing the least expensive route – which today often means broadband Internet.
There’s more to compliance, however, than the network ‘speeds and feeds’ that network operations teams have been focusing on up to this point. Regulatory compliance, after all, centers on the business context for IT service delivery – and even beyond regulations, business key performance indicators (KPIs) are more important than network metrics.
Nevertheless, IT performance always boils down to getting the right bits to their destination, as any network ops person will point out. The network is always where the rubber hits the road.
The network context for compliance, however, is insufficient for achieving the business’s compliance objectives. What’s missing is the application context.
The Layers of Application Awareness
When you peel the onion of compliance, new layers appear beyond the network context.
Compliance may live at the protocol level. The Payment Card Industry Data Security Standard (PCI DSS), for example, required merchants to migrate from SSL and early TLS (TLS 1.0) to TLS 1.1 or higher, recognizing that both older protocols are insecure. TLS 1.1 has since been deprecated as well (RFC 8996), so in practice TLS 1.2 is the floor an auditor will expect today.
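Protocol-level compliance is the one layer of this onion you can check directly from the wire. The following is an added example, not code from the article or from any vendor it mentions: it parses the version a server actually negotiated from a raw TLS ServerHello (including the TLS 1.3 case, where the real version is carried in the supported_versions extension rather than the legacy version field) and grades it against a configurable floor. The ServerHello bytes are constructed in the block for illustration; in practice you would feed it records extracted from a packet capture.

```python
"""Grade negotiated TLS versions against a PCI DSS-style protocol floor.

Added example for illustration; sample ServerHello records are constructed
below rather than captured from a real network.
"""
import struct
from typing import Dict, Optional, Tuple

# Wire encodings (major, minor) of the protocol versions that matter here.
WIRE_VERSIONS = {
    b"\x03\x00": "SSLv3",
    b"\x03\x01": "TLS 1.0",
    b"\x03\x02": "TLS 1.1",
    b"\x03\x03": "TLS 1.2",
    b"\x03\x04": "TLS 1.3",
}
VERSION_ORDER = ["SSLv3", "TLS 1.0", "TLS 1.1", "TLS 1.2", "TLS 1.3"]
EXT_SUPPORTED_VERSIONS = 43   # RFC 8446: carries the real version for TLS 1.3
RECORD_HANDSHAKE = 0x16
HS_SERVER_HELLO = 0x02


def build_server_hello(version: bytes, selected: Optional[bytes] = None) -> bytes:
    """Construct a minimal TLS record carrying a ServerHello (sample data only).

    `version` fills the legacy version field; `selected`, if given, is placed
    in a supported_versions extension, as a TLS 1.3 server does.
    """
    body = version + b"\x00" * 32          # legacy_version + random
    body += b"\x00"                        # empty session_id
    body += b"\x13\x01" + b"\x00"          # cipher_suite + compression_method
    if selected is not None:
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(selected)) + selected
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def negotiated_version(record: bytes) -> str:
    """Return the protocol version a ServerHello record actually negotiates."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = body[0:2]
    pos = 2 + 32                          # skip legacy_version and random
    pos += 1 + body[pos]                  # skip session_id
    pos += 2 + 1                          # skip cipher_suite, compression_method
    # Extensions are optional; TLS 1.3 hides its real version in one of them.
    if pos + 2 <= len(body):
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = body[pos:pos + 2]
            pos += elen
    name = WIRE_VERSIONS.get(bytes(version))
    if name is None:
        raise ValueError(f"unknown protocol version {version.hex()}")
    return name


def meets_floor(name: str, floor: str = "TLS 1.2") -> bool:
    """True if `name` is at least as new as the policy floor."""
    return VERSION_ORDER.index(name) >= VERSION_ORDER.index(floor)


def audit(records: Dict[str, bytes], floor: str = "TLS 1.2") -> Dict[str, Tuple[str, bool]]:
    """Map each labelled ServerHello to (negotiated version, compliant?)."""
    return {label: (v, meets_floor(v, floor))
            for label, v in ((k, negotiated_version(r)) for k, r in records.items())}


# Constructed samples: a legacy endpoint, a borderline one, and two modern ones.
SAMPLES = {
    "legacy-gateway": build_server_hello(b"\x03\x01"),
    "old-loadbalancer": build_server_hello(b"\x03\x02"),
    "payment-api": build_server_hello(b"\x03\x03"),
    "edge-proxy": build_server_hello(b"\x03\x03", selected=b"\x03\x04"),
}

if __name__ == "__main__":
    for label, (version, ok) in audit(SAMPLES).items():
        print(f"{label:18s} {version:8s} {'OK' if ok else 'NON-COMPLIANT'}")
```

The floor is a parameter because the requirement moved: the original PCI DSS migration deadline accepted TLS 1.1, while current practice and RFC 8996 make TLS 1.2 the minimum. Note that an auditor will want this run continuously over real traffic, not once against a configuration file, which is exactly the demonstrable-compliance point the article makes later.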
The next layer of the onion: transaction-level compliance. Sales or VAT tax compliance lives at this level – and anyone who has worked on an ecommerce site knows how challenging sales tax compliance can be. Credit card companies and banks also require merchants to take steps to prevent credit card fraud at this level.
Generally speaking, organizations have transaction SLAs that may include aspects of network SLAs, but require the application context across networks in order to establish and enforce such policies. SD-WAN vendors like CloudGenix offer this capability.
Beyond transaction-level compliance is data-level compliance. Data governance concerns apply at this level and include, for example, privacy and confidentiality policies – in particular dealing with personally identifiable information.
With the European General Data Protection Regulation (GDPR) compliance deadline looming, data-level compliance is top of mind for many organizations. The Health Insurance Portability and Accountability Act (HIPAA) in the US also requires data-level compliance for information in electronic health records.
Above data-level compliance (or perhaps a special case of it) is content-level compliance. Compliance with copyright law and the prevention of plagiarism, for example, fall at this level.
In reality, of course, all of these layers are integral parts of the compliance challenge. Forgo any of them at your peril.
The Intellyx Take
From one perspective, network traffic is nothing but packets of zeroes and ones. From the business perspective, however, network traffic is the lifeblood of the organization.
Compliance presents a multifaceted, complex challenge for any organization, going well beyond network SLAs. If we consider the application context, then many more layers of our compliance onion become part of the broader network compliance story.
Whether it be content, data, transactions, or protocols, virtually all the information we deal with travels over the network. Visibility into network traffic, therefore, gives us visibility into the business itself – but only if we apply the application context.
Remember, it’s not sufficient simply to be compliant with regulations, policies, and SLAs. You must be able to demonstrate compliance. Such demonstrations require visibility into audit trails, logs, records of transactions, and all the other traces that day-to-day business generates on an ongoing basis.
Without the application context, all you might be able to turn over to an auditor are a pile of device configurations – far less information than auditors require to judge compliance over time. SD-WAN technology can address this shortcoming, but only if it is application-aware.
Copyright © Jason Bloomberg, Intellyx LLC. CloudGenix is an Intellyx client. At the time of writing, none of the other organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content of this paper. Image credit: Michael Coghlan.