July 2005

Do the right thing: Experimental tool builds trust, tracks compliance

Research could ease transition to utility computing



by Anne Stuart

In a word, it’s about trust.

That’s how Simon Shiu sums up the vision behind the technology his team is developing in the Trusted Systems Laboratory at HP Labs in Bristol, England. It’s all designed to help companies make sure they’re doing the right thing – and to have confidence that their business partners, customers and suppliers are doing so as well.

The team’s work creating tools and methodologies around trust involves more than simply building another security infrastructure.

“Being secure is not enough,” Shiu says. “We want to provide people with confidence about the effectiveness of the controls in their IT environment” – especially those involving shared data. A control can be a technology mechanism, but more likely it involves people and processes. To that end, the team has developed an analysis framework that assesses the overall control based on a mapping between IT events, IT controls and a company’s own business priorities.

Outsourcing, shared IT on the rise

The need for such assurance is growing quickly as companies increasingly work outside their own walls. They outsource business and IT functions, transact business over the Internet, and provide outsiders – customers, partners and suppliers – with access to their systems. And, as a larger HP Labs research initiative indicates, they’re rapidly moving toward a shared IT model where individual company boundaries become even more porous.

The Bristol team’s trust project is part of HP's work on utility computing, which aims to give companies on-demand access to a large pool of resources, such as processing power, storage and bandwidth.

Turning computing into a pay-as-you-go utility – just like electrical power or natural gas – offers tremendous potential in terms of efficiency and savings: Companies get the desired computing capability exactly when they want it, keep it just as long as they need it, and pay only for what they use.

Monitoring compliance with Sarbanes-Oxley, HIPAA, more

But because utility computing typically involves many organizations sharing a single data center, the approach raises new questions as well. Among them:

  • How can individual companies assure the accuracy, confidentiality and integrity of important information?
  • How can they monitor their compliance with regulatory mandates such as the corporate reforms of the Sarbanes-Oxley Act of 2002, the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the global banking standards of Basel II?
  • And how can they guarantee that they're providing the same safeguards to their customers, partners and suppliers?

Concerns about those potential vulnerabilities motivated the Bristol team’s work. “We’ve been talking about accountability, and being transparent, and doing good audit trails for several years,” says Shiu, the project manager. “The question became: ‘What data is required to show customers that it’s safe to take something from a shared utility data center? How do we reassure everyone involved?’”

Automated analysis

The answer, based on the team’s preliminary work, is to model the relationship between IT-associated business risks, IT controls, and the events and audit trails in systems. This approach leads to a collection of tools and methodologies that provide real-time deployment and monitoring of IT in those shared utility settings, as well as in standard IT environments.

The result of this work is an automated model-driven analysis engine that monitors and analyzes IT environments, looking for problems based on a company’s top business concerns.

“Maybe you just want to know if you’re Sarbanes-Oxley compliant,” Shiu says, referring to the stringent corporate record-keeping now required of publicly held companies in the United States. “That typically means being able to show a good controlled IT environment – and showing that the environment is working.” Or a company might want to prove that its IT infrastructure provides high-level protection for private medical records or a partner’s valuable intellectual property.

Pilot project

In one pilot project, the team created an assurance model for the HP Labs film rendering service. (“Rendering” refers to adding light, texture and other details to computer-generated scenes and characters, which turns them into finished frames.) Not surprisingly, in the highly competitive film-animation industry, a chief worry of studios is keeping content confidential during rendering.

Researchers built a model based on, as Shiu puts it, “the people, processes and technologies” involved in rendering. The model tracked specific factors such as when computer nodes were removed and who had access to shared storage space, and then generated a streamlined snapshot of how well trust concerns were addressed.

Using a stoplight-style coding system – green meaning everything is fine, red indicating a serious problem, with several other hues in between – this so-called "trust record" lets any viewer grasp the big picture at a glance.

Web interface

Created in HTML so users can view it through a standard Web browser, the record simply lists audit results and highlights potential problems.

Users can click on any item listed in the trust record to get more details. For instance, the home page of an audit might indicate that a company isn’t meeting some aspect of its own provisions for Sarbanes-Oxley compliance. By drilling down one level, the user quickly determines that of a half-dozen compliance-related areas, just one – employee account management – is registering a potential problem.

By digging down to the next level, the user learns that – according to the trust technology audit – the company apparently isn’t moving fast enough to delete former employees from its systems. With that information, the company can move quickly to change its practices so that departing workers lose account and access privileges as soon as they walk out the door, thus bringing the organization back into line with the law’s requirements.
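As an added illustration of the model-driven analysis and the drill-down trust record described above (this is not HP Labs’ code; the concern-to-control structure, the audit event schema, the status thresholds and the audit events themselves are constructed assumptions), the following Python sketch maps a constructed audit trail onto two controls, rolls each control’s stoplight status up to a business concern, and returns the nested structure a drill-down view would render:

```python
"""Model-driven assurance check: business concern -> IT control -> audit events.

Illustrative example only. Event schema, thresholds, control names and the
sample audit data below are constructed assumptions, not HP Labs' model.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, List

# Stoplight statuses, ordered from best to worst; a parent takes the worst child.
GREEN, AMBER, RED = "green", "amber", "red"
_RANK = {GREEN: 0, AMBER: 1, RED: 2}


def worst(statuses):
    """Aggregate child statuses into the parent's colour (green when empty)."""
    return max(statuses, key=_RANK.get, default=GREEN)


@dataclass
class Finding:
    status: str
    detail: str


@dataclass
class Control:
    name: str
    check: Callable[[dict], List[Finding]]   # audit trail -> findings


@dataclass
class Concern:
    name: str
    controls: List[Control]


# Constructed audit trail (assumed schema): HR departure records with the date
# the account was disabled (None = still enabled), and shared-storage ACLs.
AUDIT = {
    "departures": [
        {"user": "alice", "left": date(2005, 6, 1), "disabled": date(2005, 6, 1)},
        {"user": "bob", "left": date(2005, 6, 3), "disabled": date(2005, 6, 8)},
        {"user": "carol", "left": date(2005, 6, 10), "disabled": None},
    ],
    "storage_acl": [
        {"path": "/render/studio-x", "readers": ["render-svc", "alice"]},
    ],
    "today": date(2005, 6, 30),
}

# Assumed policy: disable within 1 day is green, within 7 days amber, else red.
GREEN_DAYS, AMBER_DAYS = 1, 7


def check_account_removal(audit):
    """Control: departed employees lose their accounts promptly."""
    findings = []
    for rec in audit["departures"]:
        end = rec["disabled"] or audit["today"]
        lag = (end - rec["left"]).days
        if rec["disabled"] is None:
            findings.append(Finding(RED, f"{rec['user']}: still enabled {lag} days after departure"))
        elif lag <= GREEN_DAYS:
            findings.append(Finding(GREEN, f"{rec['user']}: disabled within {lag} day(s)"))
        elif lag <= AMBER_DAYS:
            findings.append(Finding(AMBER, f"{rec['user']}: disabled after {lag} days"))
        else:
            findings.append(Finding(RED, f"{rec['user']}: disabled after {lag} days"))
    return findings


def check_storage_access(audit):
    """Control: departed employees are not listed as readers of shared storage."""
    departed = {r["user"]: r["disabled"] for r in audit["departures"]}
    findings = []
    for acl in audit["storage_acl"]:
        for reader in acl["readers"]:
            if reader not in departed:
                continue
            if departed[reader] is None:
                findings.append(Finding(RED, f"{reader}: live account with read access to {acl['path']}"))
            else:
                findings.append(Finding(AMBER, f"{reader}: disabled but still in ACL for {acl['path']}"))
    return findings or [Finding(GREEN, "no departed employees in shared storage ACLs")]


# The model: one business concern mapped to the controls that evidence it.
MODEL = [
    Concern("Sarbanes-Oxley compliance", [
        Control("employee account management", check_account_removal),
        Control("shared storage access", check_storage_access),
    ]),
]


def trust_record(model, audit):
    """Evaluate every control and roll statuses up; returns concern -> control -> findings."""
    record = []
    for concern in model:
        controls = []
        for ctl in concern.controls:
            findings = ctl.check(audit)
            controls.append({"control": ctl.name,
                             "status": worst(f.status for f in findings),
                             "findings": findings})
        record.append({"concern": concern.name,
                       "status": worst(c["status"] for c in controls),
                       "controls": controls})
    return record


if __name__ == "__main__":
    # Print the three drill-down levels: concern, control, individual finding.
    for concern in trust_record(MODEL, AUDIT):
        print(f"[{concern['status'].upper()}] {concern['concern']}")
        for ctl in concern["controls"]:
            print(f"  [{ctl['status'].upper()}] {ctl['control']}")
            for f in ctl["findings"]:
                print(f"      [{f.status}] {f.detail}")
```

With the constructed data, the concern shows red because one departed employee still has an enabled account; drilling down shows that only the account-management control is red, while the storage-access control is amber for a stale ACL entry. The roll-up is deliberately worst-of: a single red finding anywhere beneath a concern surfaces at the top level, which is what makes the summary view trustworthy as a first glance.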

Auditing IT

Currently, it’s unclear when and how the HP Labs technology might be offered on the market. “We’re really still in the middle of this, and it isn’t a simple product technology,” Shiu says. “IT is being delivered as a service, and we’re creating a model-driven methodology to deal with assurance for this world.” The technology could eventually be offered as a value-added service with HP’s utility-computing solutions or sold to customers who want to build their own trust models.

In any case, it’s highly likely that, at some point down the road, many companies will use some version of the technology to address the question Shiu sums up this way: “Is my reliance on IT OK? And, if not, why not?”

Anne Stuart is a Boston-based freelance journalist who has written about business, technology, and the Internet for more than a decade. Before going solo, she was a senior writer at Inc., a senior editor at CIO and CIO Web Business, a founding editor of WebMaster, and a reporter for The Associated Press and several daily newspapers.


© 2009 Hewlett-Packard Development Company, L.P.