As the deadline for EU Data Retention Directive compliance passes, and many member states opt to postpone, Ross Brewer warns telcos not to underestimate the amount of work involved in addressing the Directive
The original transposition deadline for the EU Data Retention Directive, 15 September 2007, has been and gone. Instead of telecommunications companies across Europe retaining data to support the crime-fighting efforts of regional security forces, most member states, including the UK, have chosen to postpone application, as the Directive itself permits for internet access, internet e-mail and internet telephony until March 2009. The laws in the large member states are expected to start being implemented from the beginning of 2008. If so, large enterprises will need to have solutions in place around the middle of 2008.
While extending the deadline may buy telecommunications companies additional time in which to get their data retention house in order, the reality is that too many organisations are dragging their heels and have no appreciation of the sheer amount of work needed to ensure compliance. Industry estimates put achieving Data Directive compliance at up to 18 months. With this in mind, if organisations are to be fully compliant in time for the new deadline, they cannot delay a moment longer.
The European Union (EU) formally adopted Directive 2006/24/EC on 15 March 2006. It concerns the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. In other words, communications providers must retain, for a period of between six months and two years, the traffic and location data that will allow the competent national authorities to trace and identify the source and destination of communications in order to investigate, detect and prosecute serious crime. The Directive is explicit that this does not extend to the content of communications.
The Directive - which applies to fixed telephony, mobile telephony, internet access, internet e-mail and internet telephony - covers every aspect of a communication other than its content: its source; its destination; the date, time and duration; the type of communication; the type of communication device; and, for mobile communications, the location of the equipment.
In putting the regulations off until the last minute, organisations risk facing additional pressure in a bid to fast-track compliance within the imposed deadline - if they can achieve compliance at all. There is also the added risk that the crime-fighting abilities of regional security forces will be detrimentally affected, as the EU data retention rules have been designed to help the security services in the fight against crime.
With over 41 billion text messages alone sent last year, not to mention the millions of calls made every minute of every day, telcos will face enormous challenges. These don't just relate to storing the data securely, but being able to, should an investigation be required, locate and retrieve the data as quickly as possible so as not to hamper proceedings.
The volume of audit and log information the Data Directive requires has the potential to overload the storage capabilities of even the largest and most technically savvy organisations. But in an ever more competitive industry, what can telcos do to put a compliance solution in place that will not detrimentally impact the day-to-day operation of the business in any way?
The good news is that the information that must be retained under the Data Directive already exists within the organisation in the form of log data. This log data is a record of every action that occurs across the enterprise and, importantly, across a telco's network. However, because it is generated at a rate of millions of bytes per second, capturing it and producing forensic reports across the enterprise without undue delay, as Article 8 of the Directive requires of retained data, will be a challenge.
As such, when looking for a solution to manage this problem, organisations need to find a product that has its roots in scalability and can run a single search across all devices across the organisation to help minimise the impact of locating the data in the first place.
This is where log management solutions can step in and provide a means of searching log data and producing reports.
Steps to compliance
Installing an off-the-shelf compliance solution a couple of weeks before the deadline will not be sufficient. Any solution will need to be tailored to meet the specific challenges of each organisation and go through a rigorous testing procedure to ensure that it is robust enough and capable of storing and retrieving information within the recommended guidelines.
Getting started with any enterprise-wide strategy for compliance requires an understanding of the requirements particular to each industry and business. Policies should then be put in place for collecting, alerting, reporting on, storing, searching and sharing data from all systems, applications and network elements. This creates a closed-loop process that governs the life-cycle of enterprise data and ensures the compliance programme is successful.
It sounds an obvious first step, but without taking time to clearly understand the specifics of the EU Data Retention Directive, there is a risk that some controls or requirements may fall through the net, with serious implications further down the line. For example, a solution that meets the Directive's retention, integrity and access requirements in practice needs to be enterprise-scalable and distributed; fault tolerant, with no loss of data; able to demonstrate that the logs have not been altered, so that they can be relied on in a court of law; and able to produce forensic reports across the enterprise in a timely fashion.
Once the specifics of the Directive have been clearly understood, the next step is to put in place the IT controls and frameworks to help govern compliance tasks and keep the business on track for complying with the mandate.
Goals should then be defined, with the key tasks for each goal identified, agreed and assigned. Once these tasks are complete, configuration of network elements, systems and applications can be addressed.
Alerting mechanisms and scheduled reporting will advise IT personnel when any part of the solution isn't complying with the policies. Early reporting of any problems will ensure that they can be addressed in a timely fashion with minimal impact on the rest of the operation. Alerts and schedules can also demonstrate compliance to auditors.
Alerting and reporting on logs must be substantiated with tamper-evident log archives. It is therefore critical to store logs centrally in a long-term archive that preserves the integrity of the data, as the EU Data Directive requires. Tamper evidence needs trusted time stamps and a digital signature or hash chain over the records, applied both while the data is in transit from the logging device to the storage system and throughout archival; encryption protects the confidentiality of the retained data in transit and at rest, but it does not by itself prove that a record is unaltered. Only logs that meet this standard will stand up as evidence in legal proceedings.
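The following is an added example, not code from the original article or from LogLogic, of what "tamper-evident archive" means in practice: each retained record is time-stamped and hash-chained to its predecessor, and the chain head is sealed so that in-place edits, deletions, reordering and truncation are all detectable. HMAC with an in-process key stands in for the digital signature a real archive would apply with an asymmetric key held in an HSM; the call detail records, phone numbers, cell identifiers and the key are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json
import time

# Constructed demo key. Added example only: a real archive would sign the chain
# head with an asymmetric key held in an HSM, so that whoever operates the
# storage cannot re-seal a modified chain. HMAC stands in for that signature.
ARCHIVE_KEY = b"demo-archive-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(obj):
    """Deterministic serialisation so the hash does not depend on dict order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain, record, ts=None):
    """Append a retained record; each entry commits to its predecessor's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    entry = {
        "seq": len(chain),
        "ts": int(time.time()) if ts is None else ts,  # ingestion time stamp
        "prev_hash": prev,
        "record": record,
    }
    entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    chain.append(entry)
    return entry


def seal_chain(chain, key=ARCHIVE_KEY):
    """Authenticate the chain head. Because every entry commits to the one
    before it, sealing the head commits to the whole chain, which is what
    makes silent truncation detectable."""
    head = chain[-1]["entry_hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_chain(chain, seal, key=ARCHIVE_KEY):
    """Return (True, None) if intact, otherwise (False, seq) for the first entry
    at which the chain breaks; seq == len(chain) means the seal did not match."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i          # reordering, deletion or insertion
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]:
            return False, i          # in-place modification of this entry
        prev = entry["entry_hash"]
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, len(chain)     # chain truncated or seal forged
    return True, None


# Constructed sample call detail records (hypothetical numbers and cell IDs)
SAMPLE_CDRS = [
    {"src": "+44700000001", "dst": "+44700000002",
     "start": "2007-09-01T10:00:00Z", "secs": 125, "cell": "234-15-1234"},
    {"src": "+44700000003", "dst": "+44700000001",
     "start": "2007-09-01T10:04:10Z", "secs": 31, "cell": "234-15-1301"},
    {"src": "+44700000002", "dst": "+44700000004",
     "start": "2007-09-01T10:09:55Z", "secs": 602, "cell": "234-15-1234"},
]


def build_demo_chain():
    """Ingest the sample CDRs with fixed time stamps so the result is reproducible."""
    chain = []
    for i, cdr in enumerate(SAMPLE_CDRS):
        append_record(chain, cdr, ts=1188640800 + i)
    return chain, seal_chain(chain)


def tamper_record(chain, seq, field, value):
    """Return a copy of the chain with one field of one record altered,
    simulating an after-the-fact edit of retained data."""
    bad = copy.deepcopy(chain)
    bad[seq]["record"][field] = value
    return bad


if __name__ == "__main__":
    chain, seal = build_demo_chain()
    print("intact:", verify_chain(chain, seal))
    print("edited duration:", verify_chain(tamper_record(chain, 1, "secs", 5), seal))
    print("last entry dropped:", verify_chain(chain[:-1], seal))
    print("middle entry dropped:", verify_chain([chain[0], chain[2]], seal))
```

The verifier reports where the chain breaks rather than just that it broke, which is what an investigator or auditor needs: an edit to a record is caught at that record's sequence number, a deleted middle entry is caught at the gap, and dropping the most recent entries is caught only by the seal, which is why the seal must be produced with a key (or signing capability) the collector and storage operators do not control.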
It's easy to view the EU Data Directive as yet another piece of Brussels bureaucracy, but unlike many other regulations, this Directive isn't about preventing or identifying financial irregularities within big business. Instead, the EU Data Directive has been designed to help the ever more complex fight against crime - at an individual country, European and global level.
Telcos shouldn't feel daunted at the compliance task that lies ahead of them, after all, they already hold all of the data that is needed by the EU Directive. Instead of viewing compliance as an isolated IT project, they should instead look upon it as a business issue that requires a cross-functional approach, involving people, processes and technology across the enterprise. Taking the steps necessary to understand, define and implement the appropriate IT controls and frameworks for the business will simplify compliance and reduce the costs and resources involved in completing compliance related tasks in line with the Directive's deadline.
Ross Brewer is Vice President and Managing Director, EMEA, LogLogic