Resolving Corporate Compliance and eDiscovery Fire Drills Provide Impetus for New CommVault-McAfee Alliance
If there are any two disciplines within corporate IT that should be in the process of becoming best friends, if not inextricably linked, it is security and storage. Storage management teams routinely send data offsite on tape or optical media, grant administrators or users permissions to search production or archived data stores during eDiscoveries, or change backup policies on the fly with minimal or no supervision. The problem that emerges is that when companies are asked to prove that they can comply with certain laws or to respond to a legal eDiscovery, it turns into a corporate fire drill with security and storage scrambling to prove they managed corporate data according to preset corporate policies. This begins to change with today's announcement between CommVault and McAfee, Inc., as it creates a new mechanism for companies to proactively monitor corporate data while preventing corporate data leakage.
Anyone who is even remotely close to the data storage management and enterprise security management disciplines within companies knows that about the only overlap that often occurs between these two departments is during internal meetings. There is mutual respect for each other and sometimes even high-level discussions about working more closely together but, to date, cooperation between these two teams remains at the surface level simply because there are no internal forces working to make this a reality.
Now, new forces for these two disciplines to cooperate have emerged, primarily driven by corporate legal departments. Revisions in 2006 to the Federal Rules of Civil Procedure have necessitated changes in the scope, speed and thoroughness of how companies perform eDiscoveries as well as retain data subject to legal holds. Furthermore, increased enforcement of laws such as HIPAA, Sarbanes-Oxley, and SEC Rules 17a-3 & 17a-4 is creating a new onus for security and storage to work as one.
The pressure is largely coming from corporate legal departments. When government auditors or third-party legal counsels show up at corporate offices, they of course go first to the corporate legal departments to ask for proof of compliance or specific electronic records, not corporate security or storage departments. In order to respond to these requests, the company legal department immediately turns to its company's IT security and storage departments, who are often ill-equipped to produce the data, to say where it currently resides, or to supply any type of common audit log that documents how they have managed the data or who has had access to it over the last few years.
Avoiding these types of corporate fire drills is the initial impetus behind the strategic partnership that CommVault and McAfee have now formed. In order to produce audit logs and dashboards depicting how their data is managed, CommVault and McAfee are going to integrate their two products. The first level of integration will use the McAfee ePolicy Orchestrator (ePO) interface and is scheduled for release in early 2009.
ePO was chosen as the portal to present this information based on feedback that CommVault and McAfee independently received from their respective customer bases. Legal departments initially look to corporate security software such as McAfee ePO to track information on corporate data movement and changes to data security policies, even if it is the storage management team doing the data movement and setting the security policies. McAfee ePO will take advantage of CommVault APIs to obtain auditing and policy metadata from the CommVault® Simpana® software suite so that companies can use ePO as a common portal to monitor and report on such tasks as: tracking the success and failure rates of backup jobs; flagging changed backup and/or storage management policies; identifying backup jobs that ran when they should not have; confirming tapes are taken offsite and returned; and identifying servers that are not being backed up.
Corporate legal departments are under increasing pressure to quickly produce reliable and authoritative information that can satisfy external compliance and eDiscovery requests, and internal fire drills do not cut it anymore. To meet these emerging requirements, corporate storage and security teams need to actually work together in a more formal way and produce the information that is needed to satisfy these requests without breaking either corporate budgets or processes. This new strategic partnership between CommVault and McAfee and the forthcoming integration between their respective software products will provide a new mechanism for this to occur. Security and storage teams can now efficiently and effectively meet the expectations of internal legal departments while still allowing these two disciplines to maintain a high level of autonomy within their company.