Welcome!

Microservices Expo Authors: Pat Romanski, Liz McMillan, Elizabeth White, Stefana Muller, Karthick Viswanathan

Related Topics: Java IoT, Microservices Expo

Java IoT: Article

Compliance Issues Represent Pieces of a Puzzle

IBM's Rational Focuses on Business-Driven Development

Imagine trying to solve a puzzle without being certain what the end result should look like, much less how the pieces fit together. Now imagine trying to build the puzzle pieces themselves. Bit of a challenge? To say the least! But this is exactly the situation facing many business and IT executives when it comes to complying with the increasing number of standards and regulations in their industries today.

Why the recent surge of interest in regulatory and standards compliance? With the health and welfare of their citizens and local businesses in mind, global governments are requiring more accountability from organizations that do business within or across their borders. Since 1999, new legislation has passed in the United States that subjects business, IT, and even the software development process itself to audits. Some of the better known legislative acts, such as Sarbanes-Oxley, Basel II and the Health Insurance Portability & Accountability Act (HIPAA), have placed financial services and health care providers directly in the spotlight. These industries are spending money on ensuring compliance, but with mixed results so far. In the United States, for example, an estimated $2.5 billion will be spent annually by Fortune 1000 companies on compliance-related projects.

It doesn’t help that compliance requirements are often a puzzle in and of themselves. They are mandatory, but the steps to achieve compliance are not always outlined. In section 404 of the Sarbanes-Oxley act, for example, it says a company must have “good controls,” but it doesn’t clearly state what they are or how to achieve that. Regulatory requirements are also ever-changing, yet businesses are required to constantly demonstrate compliance. So for many businesses, well intended compliance requirements involve risk without clear guidelines for managing that risk.

Complying with regulations and standards is all about encapsulating business processes. It’s about clarifying and formalizing the way you do business – everything from taking an order to preparing goods for shipment, shipping and taking payment, and then allowing for scenarios like credit returns, faulty products or discounting – and appropriately recording that information.

Many companies have automated these processes by buying off-the-shelf IT packages and customizing them or, in many cases, by building their own custom-made applications. In either case, the modifications or new applications introduce yet another dimension to the puzzle: new pieces that must be shown to fit. This is the stage where compliance can become an even greater challenge.

In custom systems there can be a lot of people working on the development of the applications and errors can creep in, things can change. To withstand an audit – whether internal or external – a business has to be able to prove that the software system it has said it was going to build is the one it actually built, and that the software it built is the one it ultimately deployed – two separate processes. In essence, to achieve true compliance, businesses must be able to demonstrate the reliability and accuracy of any business process and show transparency throughout their development process.

It’s possible to demonstrate business process reliability and accuracy and have a transparent development process by manually compiling information at the time of an audit, but as you might imagine there is a high degree of overhead and risk associated with this reactive approach. There is a direct cost as well as the staff distraction and lost opportunity costs.

Establishing an effective governance framework for software delivery, what IBM Rational Software calls “Business Driven Development,” is a better choice. IBM Rational’s Software Development Platform provides guidance to customers with regard to best practices in developing software. Rational’s portfolio, requirements, testing, and software configuration management products provide a wide range of tools that capture information about what’s going on and what changes were made, what tests were done, what the design documents were and so on. It’s an ongoing process, so businesses can continuously capture information and maintain compliance. Using Rational’s automated workflow system for software delivery, a number of people in various locations can sign off on changes and allocate work.  Instead of one hour per day spent on compliance issues, an hour-long conference call per week may be all that is required.

As an example, various companies in the financial services industry have chosen to work with IBM Rational to strengthen their testing and requirements practices to improve traceability and compliance with regulations like Sarbanes-Oxley. One such customer, a leading provider of data processing and information management services solutions, replaced a competitive testing solution with tools from Rational to improve its application testing processes, resulting in streamlined IT governance and regulatory compliance capabilities.   

Aside from the assurance that comes from knowing the business is compliant, organizations can benefit from reduced risk and lowered costs in the long-term, improved infrastructure and project ownership, as well as better governance and understanding of business processes. With the right software delivery governance framework in place, the regulatory and standards compliance puzzle will look a lot more solvable.  

More Stories By Roger Oberg

Roger Oberg leads IBM Rational’s marketing team, including Rational’s strategy and planning, product and solution marketing, technical marketing, marketing programs, marketing operations and business partner marketing efforts.

Prior to joining IBM as director of market management in February 2003, when IBM acquired Rational Software, Roger was Rational's vice president of product marketing. He was vice president and general manager, visual modeling products from 1999 until 2002 and vice president and general manager, requirements management products from 1997 to 1999, overseeing 100%+ growth in both businesses. Roger joined Rational when Requisite Software was acquired in 1997, where he was vice president, marketing and sales. He was executive director for AIN at USWest, held vice president of engineering and marketing positions at XVT Software before that and spent nearly 10 years in sales, sales training, sales management and marketing positions for NBI, an office automation software and systems company. He has also served on the boards of two start-up software companies.

Comments (1) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
JDJ News Desk 08/09/06 12:29:42 PM EDT

Imagine trying to solve a puzzle without being certain what the end result should look like, much less how the pieces fit together. Now imagine trying to build the puzzle pieces themselves. Bit of a challenge? To say the least! But this is exactly the situation facing many business and IT executives when it comes to complying with the increasing number of standards and regulations in their industries today.

Microservices Articles
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure ...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In their Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, and Mark Lav...
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of rec...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
If your cloud deployment is on AWS with predictable workloads, Reserved Instances (RIs) can provide your business substantial savings compared to pay-as-you-go, on-demand services alone. Continuous monitoring of cloud usage and active management of Elastic Compute Cloud (EC2), Relational Database Service (RDS) and ElastiCache through RIs will optimize performance. Learn how you can purchase and apply the right Reserved Instances for optimum utilization and increased ROI.
TCP (Transmission Control Protocol) is a common and reliable transmission protocol on the Internet. TCP was introduced in the 70s by Stanford University for US Defense to establish connectivity between distributed systems to maintain a backup of defense information. At the time, TCP was introduced to communicate amongst a selected set of devices for a smaller dataset over shorter distances. As the Internet evolved, however, the number of applications and users, and the types of data accessed and...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling independent service deployments. In this presentation we'll provide an overview of the tools, patterns and pain points we've seen when implementing contract testing in large development organizations.
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, contrasted how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He showed how the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He also demoed building immutable pipelines in the cloud ...
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...