Jun 23, 2021. By S V Aditya
Regulatory compliance touches every aspect of enterprise operations. As business functions have come to rely on IT, IT has become central to enforcing compliance. Take the Sarbanes-Oxley Act, for instance. It mandates controls over the integrity and availability of financial data. Because practically all modern accounting is done in software and financial data lives in data centers, the law landed directly on IT teams when it was enacted in 2002: they rushed to comply by setting up new access controls and data backups, hardening data centers, and introducing tightly controlled change management processes. It was a monumental task that had to be done very quickly, and it shaped every software purchasing decision. Since then the demands have only increased.
Governments have expanded both the scope and the number of regulations covering IT operations, and regulations on data security and privacy in particular have grown in importance. The best known of them, the General Data Protection Regulation (GDPR), allows fines of up to 4% of worldwide annual turnover (or EUR 20 million, whichever is higher). On top of these broad national and international regulations, state and local laws add further complexity. In the US, for example, every state now has its own data breach notification law, with varying definitions of "personal information" and "breach", and these laws sometimes conflict with one another. Other regimes are specific to the type of data handled: HIPAA is a law covering health information, while PCI DSS is a contractual industry standard covering payment card data rather than a statute. In effect, CISOs and CIOs must enforce compliance policies that vary at a granular level, from country to state, which greatly increases both compliance spending and the work IT must do to enforce it.
ITOps challenges in Regulatory Compliance
Moreover, modern software architectures and deployment practices make compliance harder to enforce at the network and infrastructure level, which is exactly where ITOps teams operate. Modern architectures routinely break down data silos, while many regulations assume that data stays segregated. Microservices pass data between one another constantly and keep some of it in small local databases. They are usually deployed in containers, and as demand scales, container images and their data are replicated across cloud providers by automated workflows. A single misconfiguration in such a workflow can replicate region-locked data from a private cloud in one jurisdiction into a public cloud region in another, violating several regulations at once. Against such challenges, IT compliance teams have only traditional enforcement tools. Most of these work by imposing approval gates, which slow down IT operations and still cannot keep pace with rapidly changing software development and data management practices.
Finally, information security is itself a compliance concern. Most data privacy regulations hold the organization responsible for breaches and require prompt notification. Yet breaches can go undiscovered for months, exposing the enterprise to larger fines. In 2019, one of the world's largest credit reporting companies agreed to a settlement of over $500 million with the FTC and other regulators over exactly such a case. The intrusion itself came through an unpatched web application vulnerability, but an expired certificate on the device the company used to inspect encrypted network traffic had left it unable to see the attackers' activity, so the resulting data exfiltration went unnoticed for months. This was a failure on two fronts, compliance and security alike. Most enterprise CIOs and ITOps teams face these same challenges: a growing number of regulations, difficulty enforcing compliance, and greater security threats. They need a new dimension of enforcement for regulatory compliance.
AIOps for Regulatory Compliance
AIOps brings exactly this, with a new approach to regulatory compliance. Its core components are built on log and trace analytics, which capture the flow of data between all the microservices and independent components in a system. Log anomaly detection built on top of these analytics finds unusual behavior that could indicate deviation from policy. It can, for example, flag a likely HIPAA violation when patient data is observed leaving the secured data stores it is supposed to stay in. When such events are detected, automated workflows can begin remediation immediately, for instance by blocking or shutting down the offending microservice. These workflows can be built to distinguish violations from normal transactions and make context-sensitive decisions, so that a legitimate transfer to an approved partner is not treated the same way as a bulk export to an unapproved location. This depends on the traces carrying enough context, such as a data classification and the destination's zone or region, for a policy to be evaluated against them at all.
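As an added example (not code from the original post or from any AIOps vendor), the following shows the kind of policy check described above run over constructed service-to-service trace records: each record carries a data classification and the destination's zone and region, a hypothetical policy table says where each class may flow, and the remediation decision distinguishes a probable bulk export (blocked) from a small or ambiguous flow (alerted on). The field names, policy, allowlist and sample records are all assumptions made for illustration.

```python
"""Added example (not code from the original post or from any AIOps vendor):
a policy check run over constructed service-to-service trace records, showing
how log/trace analytics can flag data leaving its approved boundary and how a
remediation decision can be made context-sensitively.

Assumptions, all hypothetical: each trace record is one JSON line with the
fields ts, src, dst, dst_zone, dst_region, data_class and bytes; the policy
table, allowlist and sample records below are invented for illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: the zones and regions each data class may flow to.
# None means unrestricted.
POLICY = {
    "phi":    {"zones": {"clinical-private"}, "regions": {"us-east"}},
    "pii-eu": {"zones": {"eu-private"}, "regions": {"eu-west", "eu-central"}},
    "public": {"zones": None, "regions": None},
}

# Destinations exempt from the zone/region rules (e.g. an archive covered by a
# business associate agreement). Hypothetical.
ALLOWLISTED_DESTINATIONS = {"hipaa-archive-svc"}

# Transfers at or above this size to a public cloud zone are treated as a
# probable bulk export and blocked rather than merely alerted on.
BULK_EXPORT_BYTES = 1_000_000

# Constructed trace records (JSON lines); not real traffic. The last line is
# deliberately malformed to show how parse failures are handled.
SAMPLE_TRACES = """\
{"ts":"2021-06-01T10:00:01Z","src":"patient-api","dst":"ehr-db","dst_zone":"clinical-private","dst_region":"us-east","data_class":"phi","bytes":2048}
{"ts":"2021-06-01T10:00:02Z","src":"patient-api","dst":"hipaa-archive-svc","dst_zone":"archive","dst_region":"us-east","data_class":"phi","bytes":4096}
{"ts":"2021-06-01T10:00:03Z","src":"report-svc","dst":"analytics-bucket","dst_zone":"public-cloud","dst_region":"us-west","data_class":"phi","bytes":5242880}
{"ts":"2021-06-01T10:00:04Z","src":"eu-crm","dst":"eu-warehouse","dst_zone":"eu-private","dst_region":"eu-central","data_class":"pii-eu","bytes":1024}
{"ts":"2021-06-01T10:00:05Z","src":"eu-crm","dst":"replica-us","dst_zone":"public-cloud","dst_region":"us-east","data_class":"pii-eu","bytes":8192}
{"ts":"2021-06-01T10:00:06Z","src":"web","dst":"cdn","dst_zone":"public-cloud","dst_region":"us-west","data_class":"public","bytes":65536}
{"ts":"2021-06-01T10:00:07Z","src":"patient-api","dst":"ehr-db","dst_zone":"clinical-private","dst_region":"us-east","data_class":"phi","bytes":"oops"}
"""


@dataclass(frozen=True)
class Violation:
    ts: str
    src: str
    dst: str
    data_class: str
    reason: str
    action: str  # "block" or "alert"


def evaluate(rec: dict) -> Optional[Violation]:
    """Return a Violation if rec breaks POLICY, otherwise None."""
    rule = POLICY.get(rec["data_class"])
    if rule is None:
        # Unclassified data cannot be checked; surface it rather than ignore it.
        return Violation(rec["ts"], rec["src"], rec["dst"], rec["data_class"],
                         "unclassified data class", "alert")
    if rec["dst"] in ALLOWLISTED_DESTINATIONS:
        return None
    reasons = []
    if rule["zones"] is not None and rec["dst_zone"] not in rule["zones"]:
        reasons.append(f"zone {rec['dst_zone']} not permitted")
    if rule["regions"] is not None and rec["dst_region"] not in rule["regions"]:
        reasons.append(f"region {rec['dst_region']} not permitted")
    if not reasons:
        return None
    # Context-sensitive decision: block a probable bulk export to public cloud,
    # otherwise alert so a human can review.
    bulk = rec["dst_zone"] == "public-cloud" and rec["bytes"] >= BULK_EXPORT_BYTES
    return Violation(rec["ts"], rec["src"], rec["dst"], rec["data_class"],
                     "; ".join(reasons), "block" if bulk else "alert")


def scan(jsonl: str):
    """Evaluate every record in a JSON-lines string.

    Returns (violations, parse_errors). Malformed lines are counted, not
    silently dropped: a parser that swallows bad records is itself a blind spot.
    """
    violations, parse_errors = [], 0
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["bytes"] = int(rec["bytes"])
            for key in ("ts", "src", "dst", "dst_zone", "dst_region", "data_class"):
                rec[key] = str(rec[key])
        except (ValueError, KeyError, TypeError):
            parse_errors += 1
            continue
        v = evaluate(rec)
        if v is not None:
            violations.append(v)
    return violations, parse_errors


def summarize(violations) -> Counter:
    """Count recommended actions, e.g. Counter({'block': 1, 'alert': 1})."""
    return Counter(v.action for v in violations)


if __name__ == "__main__":
    found, bad = scan(SAMPLE_TRACES)
    for v in found:
        print(f"{v.ts} {v.action.upper():5} {v.src} -> {v.dst} [{v.data_class}] {v.reason}")
    print(f"{len(found)} violation(s), {bad} unparseable record(s)")
```

Run against the constructed records, the PHI transfer to the archive service passes because the destination is allowlisted, the 5 MB PHI transfer to a public cloud bucket is blocked, the small EU personal data replication to a US region only raises an alert, and the malformed last line is reported as a parse error rather than being dropped.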
Moreover, AI also offers a way to make regulations easier for humans to work with. Most ITOps teams have no legal background and rely on policy frameworks alone. Natural language processing can help by breaking complex regulations into understandable guidelines that can be used to train IT staff at all levels and to help them resolve conflicts between requirements. Such summaries are an aid to understanding, not a substitute for legal review. This brings the entire ITOps team culturally on board with regulations, rather than just legal and the CIO/CISO. Finally, an AI-powered regulation scanner can alert ITOps teams to new city- and state-level rules affecting their operations by monitoring news sources and government websites.
Most compliance violations come down to human error. In the credit reporting example above, traffic inspection stopped working because a certificate expired and nobody renewed it. An AIOps-based solution that tracks certificate expiry and watches the inspection device's own metrics would be expected to raise an error the moment decrypted traffic stopped flowing, instead of leaving the gap open for months. In other words, AI helps take human error out of the equation, though only for conditions it has been configured to observe. Moreover, an AIOps automation engine tied to log and trace analytics can enforce region-specific compliance rules, adding a level of decision-making that traditional tools relying on access controls or approvals lack. Finally, anomaly detection gives AIOps a stronger security posture than rule-only tooling.
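As an added example (not code from the original post or from any product), the following implements the two checks that would have surfaced the monitoring gap described above: a lead-time check on the inspection certificate's expiry date, and a coverage check that flags minutes in which the share of traffic the inspection device could decrypt collapses while total traffic volume stays normal. The appliance, its per-minute counters and the certificate dates are all assumptions constructed for illustration.

```python
"""Added example (not code from the original post or from any product):
two checks that would have surfaced the monitoring gap described above,
run against constructed data.

Assumptions, all hypothetical: a TLS-inspection appliance emits one record
per minute with total_bytes (all traffic it saw) and inspected_bytes (traffic
it could decrypt), and the expiry date of its inspection certificate is
known. The certificate dates and metric values below are invented.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean

BASE_TS = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2021, 6, 15, tzinfo=timezone.utc)  # hypothetical expiry

# Constructed per-minute counters: five healthy minutes, then the certificate
# expires (minute 5), a quiet minute (6), and a nearly blind minute (7).
SAMPLES = [
    {"ts": BASE_TS + timedelta(minutes=i), "total_bytes": total, "inspected_bytes": inspected}
    for i, (total, inspected) in enumerate([
        (100_000_000, 90_000_000),
        (110_000_000, 99_000_000),
        (95_000_000, 86_000_000),
        (105_000_000, 94_000_000),
        (100_000_000, 91_000_000),
        (100_000_000, 0),          # cert expired: traffic seen, nothing decrypted
        (10_000_000, 9_000_000),   # quiet period: both counters drop, still healthy
        (95_000_000, 1_000_000),   # near-total blindness
    ])
]


def cert_expiry_status(not_after, now, lead_days=30):
    """Classify a certificate as 'expired', 'expiring' (within lead_days) or 'ok'.

    Returns (status, days_left); days_left is negative once expired.
    """
    days_left = (not_after - now) / timedelta(days=1)
    if days_left <= 0:
        return "expired", days_left
    if days_left <= lead_days:
        return "expiring", days_left
    return "ok", days_left


def coverage_anomalies(samples, baseline_window=5, ratio_floor=0.5, traffic_floor=0.5):
    """Flag minutes where decrypted coverage collapses while traffic volume does not.

    The baseline is the mean coverage ratio and mean volume over the first
    baseline_window samples, which are assumed healthy. A sample is anomalous
    when its coverage is below ratio_floor of the baseline ratio while its
    volume is at least traffic_floor of the baseline volume. A drop in both
    means a quiet period, not a blind inspection device, so it is not flagged.
    """
    base = samples[:baseline_window]
    base_ratio = mean(s["inspected_bytes"] / s["total_bytes"] for s in base)
    base_total = mean(s["total_bytes"] for s in base)
    alerts = []
    for s in samples[baseline_window:]:
        if s["total_bytes"] == 0:
            continue  # nothing to judge coverage against
        ratio = s["inspected_bytes"] / s["total_bytes"]
        if ratio < base_ratio * ratio_floor and s["total_bytes"] >= base_total * traffic_floor:
            alerts.append({
                "ts": s["ts"].isoformat(),
                "coverage": round(ratio, 3),
                "baseline": round(base_ratio, 3),
            })
    return alerts


def visibility_report(samples, cert_not_after, now):
    """Combine both checks into one summary a workflow could act on."""
    status, days_left = cert_expiry_status(cert_not_after, now)
    return {
        "cert_status": status,
        "cert_days_left": round(days_left, 1),
        "coverage_alerts": coverage_anomalies(samples),
    }


if __name__ == "__main__":
    report = visibility_report(SAMPLES, CERT_NOT_AFTER, BASE_TS)
    print(f"certificate: {report['cert_status']} ({report['cert_days_left']} days left)")
    for a in report["coverage_alerts"]:
        print(f"{a['ts']} coverage {a['coverage']} vs baseline {a['baseline']}: inspection blind")
```

On the constructed data the certificate is reported as expiring, minutes 5 and 7 are flagged as blind spots, and the quiet minute 6 is not, because its total volume dropped along with the inspected volume. The point of the second check is that certificate tracking alone is not enough: a device can also go blind for reasons unrelated to expiry, and the only signal that is always available is the device's own coverage ratio.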
AIOps platforms provide many advantages and help in many ITOps workflows. To learn more about AIOps, please visit our AIOps Platform Page.