Andrew's Blog

EMC to Acquire Kazeon Systems, Inc.

2009-09-02T19:05:44-07:00

EMC today announced the signing of a definitive agreement to acquire Kazeon. I'll have the honor of running the Kazeon business, which will be placed under the EMC SourceOne brand, and will be part of EMC’s Information Governance strategy.

To say that Kazeon is a differentiated technology is an understatement. Kazeon has built a scalable, but fast to deploy software that allows for the indexing, collection, analysis and review of content from across the enterprise, allowing customers to bring eDiscovery in-house, and advance their longer term information governance strategies. Other players in this market have pieces of this puzzle, or collections of products that they call "end to end" solutions, but in fact are hard to deploy, integrate and maintain. Only Kazeon offers true "end to end" in-house eDiscovery in an integrated architecture and fast to deploy appliance model.

eDiscovery is one of the most acute information governance pain points for organizations because: eDiscovery is mandatory, it is risky, and it is being done today in reactive and wildly expensive ways. The economics are simple - the less automation, the more an organization over-collects (by manually collecting whole backup tapes and whole disk drives - rather than collecting only the information that is relevant). The larger the collection, the more information that is sent to outside parties for processing and charge-by-the-hour legal review, and in turn, the more money that is spent. It makes no sense to spend hundreds of thousands or even millions of dollars on a single case, and when the case is over, to have nothing to show for it - that money will need to be spent anew when the next lawsuit or investigation hits.

Kazeon doesn't just solve the in-house eDiscovery problem, it advances information governance in a tangible way, by federating the collection of metadata - allowing customers to do in-house eDiscovery and apply other policies, and take other actions, on content that is "in the wild" - in fileshares, desktops, Sharepoint and other places across the enterprise.

When I was a law firm attorney – a long time ago;) – I handled a case for a gas company, and I remember one of my witnesses making the comment that natural gas in a controlled state is the safest most efficient energy source in the world, but in an uncontrolled state, it explodes. So too with information. When we have ways to apply policy to information – to gain insight into it, take action upon it based on its value, to govern it - information is one of the most critical assets of an organization, as or more important that any other asset, other than the people within an enterprise. However, when information is left to pile up with no controls, policies or management, it can turn into a costly liability - like natural gas in an uncontrolled state...

Information governance remains an elusive goal at essentially every organization in the world. The reason is that information is getting created faster than individual human beings, or even existing systems, can possibly organize it. Many companies, large and small, have promised to deliver on the vision of true information governance – most by asking customers to put all their information in a single monolithic repository or single monolithic indexing platform. In theory, this could work, but in the real world doing this can take years, it is costly, and involves the creation of duplicative infrastructures.

EMC’s SourceOne strategy, with the addition of Kazeon, is different and simple. We are taking a practical and modular approach. Rather than asking customers to put everything in one repository, we provide them with building blocks that allow them to quickly deploy a solution to solve an immediate problem, save money and advance the longer term information governance strategy – “enterprise strategy, digestible pieces”.

EMC is already the leader in information storage, and as a result, we’re already managing the world’s most sensitive and important information. We’re taking Kazeon and integrating it tightly to EMC storage, making it one of the most mature, secure and scalable solutions on the market. Moreover, EMC is first to the market with the modular but integrated combination of archive technologies, records management technologies and Kazeon's unique fast to deploy index in place technologies. We now have the ability to apply policy to, and conduct in-house eDiscovery on, electronically stored information (ESI) both within and outside managed repositories ("in the wild"). No one else can do this in the same way, and the value to customers is tremendous.

More to come, but for now I'll just say how excited we are about what EMC can do for our customers with Kazeon, and the other stable of EMC and SourceOne offerings.

SourceOne - In-House eDiscovery and Governance In and Out of the Archive

2009-06-28T06:29:20-07:00

As a Fortune 200 company that is the world's leader in information storage and management, one of the largest software companies in the world, as well as a leader in information security, EMC has a differentiated ability to solve the eDiscovery challenge. The Electronic Discovery Reference Model (EDRM) reflects the reality that the eDiscovery challenge is, at its core, all about "Information Management" - how is the organization managing its (especially) unstructured content, and what policies are in place and being enforced, if any, in the first place? Then, when a new eDiscovery case hits - what processes and tools does it have, if any, to automate an otherwise reactive and expensive eDiscovery process, especially for collection, hold, analysis and review?

With EMC SourceOne, EMC is delivering a differentiated family of solutions to the marketplace - that allows organizations not only scalable enterprise archiving (and eDiscovery within the archive), but also fast to deploy appliances for in-house eDiscovery functionality to index 100s of types of content outside managed archives - "in the wild" - (for example on desktops, file shares, sharepoint, and many other content types). Once the index is created, robust eDiscovery functionality can be applied to the underlying content (for forensically sound collection, hold, analysis, and review) to drive significant cost out of the process, provide insight into huge volumes of information that was otherwise growing without being leveraged, as well as the ability to apply policy for classification, retention, deletion, privacy and security of the content.

EMC is already the company that the best organizations in the world trust to manage their information assets. Now, EMC's ability to securely and at massive scale deliver the above functionality - BOTH within and outside of archives and BOTH for proactive policies and for in-house eDiscovery - is differentiated and unique.

For more information, please see the following link: SourceOne Discovery Collector

Video Interview Discussing eDiscovery, Compliance and SourceOne

2009-04-03T09:48:03-07:00

The attached link is a brief interview of me discussing eDiscovery challenges that customers are facing, and how SourceOne can address those challenges.

Download SourceOne-Andy

How are we going to fund compliance?

2008-11-03T06:16:50-08:00

With the roiling of the financial markets, the almost unprecedented incursion of government into the marketplace, and with a strong consensus that there has been too little regulation in the past decade, one thing is certain - government investigations, lawsuits and new regulations are on the rise. At a macro level, many fiscally conservative people worry that too much regulation will stifle investment and innovation. When you take it down a level, the businesses and other organizations that are subject to regulation - and the people within those orgs responsible for meeting the requirements - wonder how this is going to be funded, especially in recessionary times.

The answer to this challenge is that compliance solutions need to a business case justification; a showing that the solution will - in the real world - save the company money.

If this sounds like tired high tech marketing, please keep reading; it is not. The reason that there is money to be saved through the deployment of the right compliance solutions is that current approaches to some of the key information compliance challenges are today wildly inefficient. Specifically, organizations fail to properly manage their electronic files, they don't enforce their retention/deletion policies, and they respond to eDiscovery in reactive and expensive ways.

Every single organization in the world - and I've been to a lot of them;) - needs to (i) classify emails and files, (ii) delete the junk, and (iii) bring eDiscovery in-house. These are not trivial problems. Human beings are in the best position to classify their own emails, IMs, files and other content that they create, but there's so much of it, that they simply don't or won't.

EMC offers an indexing solution from StoredIQ that is closely integrated to EMC's market leading infrastructure. The solution can be rolled into a data center and it can index terabyes of information a day. Once the index is created, there are 2 critical use cases that we see customers attacking. First, the indexing appliance is purpose built for eDiscovery, and a allows the customers to bring eDsicovery in-house. Putting the tools in the hands of the IT, Security, Compliance, and/or Legal departments to do their own focused collections, litigation holds, and exports means less content is pushed through the eDiscovery process. Rather than collecting and preserving huge volumes by media type - tapes of drives - (much of which is definitively irrelevant), more focused collections and preservations are made. Less is processed and reviewed on the back end, and money is saved. The current processes are so inefficient (due to risk aversion) that there is a strong business case justification for this type of solution.

The second use case that we see is use of the indexing appliance to gain insight into emails and files that reside "in the wild" - on file shares, psts, desktops, SharePoint and so on. Without this type of solution, organizations are saving all their files (despite that fact that many of them do not have any value) because they cannot classify the important content and separate it from the junk. The goal of these projects is what I call defensible deletion (or to delete the junk). The idea is simple. With no insight into files on files systems and other places, organizations have no way to separate the needles from the haystacks. With insight into those files and the ability to "remediate" the subset of important content (ie. copy and collect it or move it) into more controlled environments, the organization can reduce the risk of applying automatic purge policies to the rest of it. There is clearly a risk to deleting content, but there's also a risk to saving everything. A reasonable, risk adjusted process for defensible deletion, like in-house eDiscovery, creates a strong business case justification for the solution (you save money through better management of the content.)

For many years, the belief has been that with better search technology, all content could be saved because we'd have more and more efficient ways to find it. In the compliance and information governance context, search is not nearly enough. You must also be able to "take action" upon the identified content (ie move it to a more efficient or appropriate place, copy and collect it - such as for litigation hold, delete it, change the security controls on it, and so on.) For more information about EMC's eDiscovery solution,including a 10 minute on line demo, please go to EMC eDiscovery Solution.

Bringing eDiscovery In-House For Dummies

2008-07-31T06:39:50-07:00

Jake Frazier -- who is a senior member of my compliance practice, as well as having an extensive background in the eDiscovery space (Sedona Conference, EDRM, executive experience at a number of eDiscovery firms, etc.) -- has recently published "Bringing eDiscovery In-House for Dummies". This is a great piece of collateral and it can be downloaded at eDiscovery for Dummies Download.

Step 2, Step 1

2008-07-18T12:49:27-07:00

If you're reading this blog, you may already be familiar with the Electronic Discovery Reference Model (www.EDRM.net), which is a one page eDiscovery process model. It is becoming a widely adopted standard for displaying and articulating the steps of the eDiscovery process, beginning on the far left hand side of the model with "Information Management" (the current state of how an organization is, or is not, managing its electronic information), and then as you move from left to right, the model reflects the various steps of the eDiscovery process ("identification, collection, preservation, analysis," etc.)

When organizations consider how they want to address eDiscovery, they often determine that they should start with better information management. It is logical to "clean up" the IT environment, set logical policies, and get control over information, as a proactive way to attack at its core the challenge of eDiscovery. I think of this as a "step 1, step 2" approach - step 1 involves efforts to bring information under policy management in a proactive way (including with archiving and content management), and in step 2, aspects of the eDiscovery process are moved in-house and made more efficient and repeatable.

EDRM Model - Step 1, Step 2, or Step 2, Step 1?

In fact, what I often see in the marketplace is that many organizations are proceeding "step 2, step 1" or attacking both steps simultaneously. The reason has everything to do with the speed of deployment and the time to value of a chosen solution. An archiving project that takes months to implement may well provide a significant return on investment, but that return will occur in the future. Moreover, most eDiscovery involves the collection and preservation of historic content. If that historic content does not reside in the newly built repository (or if it is not migrated in), then relief for ongoing eDiscovery challenges will not only wait for the new repository to be built, but also for additional years after it is deployed, as content gets populated in the repository over time.

It is for this very reason that EMC is delivering "plug and play" solutions in the eDiscovery space. The EMC Solution for eDiscovery Collection includes a StoredIQ appliance that can be deployed in hours, and that indexes terabyes a day. That appliance is bundled with EMC's infrastructure (such as Centera storage for litigation hold and Documentum for content and records management), as well as EMC services. The result is that the solution can begin to provide immediate step 2 relief, AND importantly, it can be leveraged to identify critical record content that resides in file shares, desktops and other unmanaged locations, and then move or duplicate such content into managed repositories as part of an efficient step 1 strategy for proactive information management. Demo of EMC Solution for eDiscovery Collection

In sum, over the last several years, I have seen the launch of many grand compliance projects, but the ones that are most successful typically involve 'an enterprise strategy broken into digestible pieces' where the digestible pieces are scoped in a focused way and involve deployments of process and technology that lead to a very fast and measurable return on investment because they fix acute information management challenges. The eDiscovery business process remains so broken that, for many organizations, it makes sense to prioritize projects that enable 'in-house eDiscovery' even before (or at the same time as) the larger IT clean up projects are addressed.

What is GRC, and how are information policies set?

2008-06-12T18:33:56-07:00

The phrase “Governance, Risk and Compliance” or “GRC” is a common catch phrase with corporate customers, analysts, technology vendors and consultants. It is often used in the context of organizational struggles to meet legal obligations associated with information management. But what does GRC really mean?

“GRC” is a complicated concept because it encompasses such a broad scope. Take just the “C” in GRC. Compliance can involve everything from the rules for electing members of a corporate board of directors, to how executive compensation is derived and reported, to financial audits, to integrity training, to data collection and preservation for lawsuits, to protection of the environment, and much more. Many analysts, vendors and customers (across disparate functions such as Legal, Finance, HR, Compliance and IT) struggle to define what they mean by “compliance”. Indeed, different groups within the same organization may define it in completely different ways.

Similarly, the term “GRC” has some historic baggage because of the way the term has been used by vendors and analysts. For example, some analysts apply the term “GRC” to refer exclusively to workflow tools that track compliance with the Sarbanes Oxley law, others use “GRC” to mean only those products that monitor and log IT system activities, and so on. This article seeks to clarify the meaning of GRC as it relates to information management, because once understood, “GRC” captures a powerful reality about how organizations set information policies.

GRC: The Process of Setting Information Policies

GRC is a way of understanding how organizations, and departments within them, assess risks, determine priorities, allocate assets and investments, and ultimately set policy. It is helpful to start by breaking down and defining the elements of GRC.

Governance is the act or process of setting policy for an organization.

Compliance is the act or process of adhering to those policies and being able to prove it.

Risk management is a disciplined way to address uncertainty, to allocate resources, and to balance risk and opportunity based on organizational goals and tolerance for risk.

The set of activities reflected in the term “GRC” is typically implemented by a management team with a charter to set policy (“governance”), assess risk and determine priorities (because there will never be enough resources to do everything, risk cannot be eliminated and it must be embraced to achieve business goals) (“risk”), and to ensure the organization’s policies are understood, followed and enforced (“compliance”).

“Corporate governance” refers to the way that public corporations are run. It typically includes “governance structures” that set the policies (such as a Board of Directors to represent the interests of shareholders, and executive committees to set the strategy and run the business). It often also includes a mission statement and supporting ethics training and communications to set a cultural tone (so that employees within the corporation will be more likely to act within the policies even when they don’t know precisely what all the policies say). Since information is so critical to every organization, GRC processes are often applied at the corporate level to seek to maximize the value of information, and minimize its costs and risks. Many organizations have begun setting up cross-functional committees of executives (often the General Counsel, Chief Information Officer, Chief Financial Officer, and others) who are tasked with assessing key security, compliance and information management opportunities and challenges. These compliance committees often assess a range of information management choices, triage based on which categories information are the most critical and the most sensitive, and then sponsor information management and protection projects based on business priorities, and return on investment (“ROI”) justifications.

For example, a “Corporate GRC” process may lead to a policy decision that the personally identifiable information (“PII”) of a company’s customers – such as names, addresses, account numbers, social security numbers and the like – must be segregated, securely managed, and that certain statutory obligations to protect such information must be met or exceeded. This policy decision might be driven by a combination of legal requirements, the desire to reduce public relations risk, the opportunity and differentiation created by offering privacy protections to customers that are superior to the competition, and an organizational desire to do the right thing.

The IT department typically has responsibility to implement many of the information policies set through corporate GRC processes. IT also has its own charter to properly manage the information infrastructure. In the example above, a set of “IT GRC” policies and supporting processes might be applied to help implement the “Corporate GRC” policy. Thus, a corporate policy (“secure the PII and meet or exceed applicable regulatory requirements”), results in a series of IT implementation policies (e.g. “access to customer systems and applications containing PII will be strictly limited, multifactor authentication will be required, PII content will be automatically encrypted”, and so on).

Conclusion

Despite some of the confusion about the meaning of GRC, it is a powerful concept because it captures and summarizes a reality about how organizations set priorities, manage risks, allocate assets and set policy, including information management policy. The term GRC is best understood when each of its elements is broken down (G, R, and C), when the domain to which a policy is being applied is articulated (e.g. information), and where there is an understanding of the organizational context (e.g. “corporate”, “IT” or other company department).

EMC Solution for eDiscovery Collection

2008-05-22T18:43:35-07:00

During the last week, EMC formally launched the Solution for eDiscovery Collection. The Solution combines the StoredIQ indexing appliance with EMC's compliance infrastructure. The technology is finally mature enough to really deliver a return on investment; it really works. The following is a link to a 10 minute demo of the solution. If you're spending too much on eDiscovery, and/or if you're at all interested in "bringing eDiscovery in house" I recommend you spend a few minutes and view it: EMC Solution for eDiscovery Collection Demo. EMC will also conduct free proof of concepts (POCs), where you can use the solution on your own data sets to test for yourself how well it works.

The StoredIQ indexing appliance is rolled into a data center, pointed at servers, and almost immediately it will index terabytes of content a day, thus allowing Legal to "ping" the index for robust searching, and providing IT with tremendous insight into the content of the information that they are managing (without impacting users of the content).

The solution can greatly reduce the costs of eDiscovery by making files share, emails and other content subject to efficient search and "quick peek" early case assessment, collection with chain of custody, de-duplication, Rule 26 "topology reporting", secure litigation hold on Centera, records remediation on to Documentum, and export of potentially relevant content in common formats such as Concordance Load Files. The core value proposition is simple - rather than reactively paying third parties each time there is a new case to collect all content by media type (e.g. backup tapes and hard drives), you can leverage repeatable processes and in-house tools to collect content intelligently, de-duplicate it, and send less outside for processing and attorney review; the less you send out, the less money you spend on eDiscovery.

I note that to balance efficiency and functionality, the solution allows for full text indexing of the files, emails and other content on servers, or alternatively, a "Thindex" of only certain metadata (such as creation dates, and custodians). Think of the following analogy: compare the files, emails and other content on the servers at your organization to Federal Express envelopes; a "Thindex" would index only the labels of the FedEx envelopes, and the full text index would index the labels as well as all of the contents within the FedX envelope. I note that today, IT and Legal have neither - they might know the total volume of FedEx envelopes that they have (most large enterprises have 100s of millions or billions of such files), but it is as if each envelope has no label, nor does IT have any visibility into the contents of those envelopes. It is no wonder that traditionally the eDiscovery process has been so broken and inefficient - you blindly collect huge volumes and then pay expensive attorney hourly rates to sort it out on the back end. That will change. (This insightful analogy was recently described to me by Keith Zoellner.)

For more information, please see the launch materials on EMC.com: EMC Solution for eDiscovery Collection Launch Materials

Information Compliance

2008-05-03T07:55:20-07:00

I am going to begin a series of posts dealing with "Information Compliance" (aka "Governance Risk and Compliance - GRC").

To kick it off, I'm attaching a storyboard that shows, with pictures, some of the challenges that organizations face in putting policy management discipline around their information so that they can achieve the three (3) core goals of information management - reduce cost, reduce risk, and extract value from organizational information.

http://andrewsblog.typepad.com/Compliance_Series.pdf

Faux eDiscovery

2008-03-11T11:40:01-07:00

The following is a new article, entitled "Avoiding Faux eDiscovery" recently published by Jim Shook and myself. Jim is an attorney, eDiscovery expert and member of Sedona Conference.

Download faux_e_discovery.pdf