New State Laws Equal New Compliance Opportunities For VARs

Meeting compliance regulations means having a “best-practice” policy in place, but satisfying regulations can be challenging for VARs because the laws are vague and don&'t specifically define what a best-practice policy is, said Kurtis Kreh, vice president of sales at solution provider iSmart Connect, Irvine, Calif.

“The laws and regulations for compliance are vague by nature. They might say you have to have strong authentication, but it doesn&'t list solutions,” Kreh said.

Making compliance even more complicated are new laws from different states, each with unique regulations. There currently are more than 20 states that have enacted security breach notification laws as of 2006, with more slated to go into effect by the end of the year, according to U.S. PIRG (Public Interest Research Group), Washington.

Because of these laws, companies must notify customers when their private information has been compromised or lost, which can be costly, said Sharon Ruckman, vice president of product management at security vendor Symantec, Cupertino, Calif. Not only is it expensive to notify thousands of customers, but it can be damaging to a company&'s reputation as well, Ruckman said.

“Most companies have not enjoyed having their name on the front page of The Wall Street Journal [because of security breaches],” she said.

Symantec recommends that companies not only have a best-practice policy in place, but also are proactive about how they address compliance policies, Ruckman said.

Solutions to help meet compliance regulations come in many different forms, depending on what the customer needs or what industry they are in, Kreh said. To help define best-practice policies, solution providers should first assess what an auditor would consider to be a best practice, Kreh said. Vendors now are offering a variety of options to help partners and their customers keep up with evolving regulations.

Symantec, with its recent acquisition of BindView Development, offers an agentless software solution for compliance and vulnerability management. VARs are being notified about training on the BindView technology, Ruckman said, adding that new products are coming out soon.

BindView&'s agentless technology creates a huge advantage for network administrators since they don&'t have to install software on each individual machine to run it, said Scott Caldwell, director of solutions delivery at NetSpi, a Minneapolis-based solution provider.

Other security vendors, such as San Bruno, Calif.-based IronPort Systems, offer compliance management solutions for e-mail.

“E-mail is just one component, but it is the most widely used mode of communication,” said Abhay Rajaram, product manager at IronPort. If e-mails contain certain private information, IronPort&'s appliance will quarantine it and notify the sender that the message is in violation of compliance regulations, he said.

While VARs can get specific training on e-mail compliance regulations from IronPort, Rajaram said it&'s important for resellers to understand the policy components of compliance regulations before trying to understand the technical requirements so they don&'t waste time with training they may not need. Fortunately, the compliance regulations for e-mail are defined fairly well, making it easier to train VARs, he said.

Security vendor RSA, Bedford, Mass., is addressing the compliance market by sending VARs a ready-made seminar-in-a-box to train them in compliance and the solutions that RSA offers to address it, said Michael Ross, vice president of the North American channel at the company.

“It provides answers to questions brought up by new laws and regulations. These seminars provide partners with all the sales tools they need to address the compliance market,” he said.