EMC's Next Play: Compliance As A Service

According to EMC's CTO, Jeff Nick, the company's next logical step is to move from cloud infrastructure to risk and compliance services. I know that sounds like buying your next car from Northrup-Grumman, but bear with me, because I think there's a method to Nick's madness.

Originally a data storage vendor, EMC is nothing if not agile. It has embraced a number of technologies that could have disrupted its business, such as virtualization, which allows customers to actually reduce their hardware acquisition costs by making it possible for several software systems to run on a single piece of hardware. It has also embraced cloud computing, but has proposed that companies are better off running their systems on private clouds rather than using shared clouds from vendors like Amazon, Rackspace or even Microsoft.

In addition to its majority stake in virtualization technology market leader VMware, it has also broadened its business scope through acquisitions (Internet security vendor RSA, information management technology vendor Documentum and IT systems management vendor Ionix, among many others). It has also embraced cloud computing, although not everyone would recognize the cloud EMC likes to talk about.

Nick's idea is that while companies will inexorably run more of the their systems in the cloud (whether the cloud is dedicated to a single company's business or, as cloud computing is more commonly understood, shared among many businesses to achieve greater economies of scale), businesses will nonetheless be required to comply with governmental and financial regulations. Regulators don't care where your systems sit, but they do care about your access to the information the systems contain. EMC's argument for private clouds is reinforced by the notion that only private clouds allow customers to assert that they truly control their data.

There are also, of course, two aspects to compliance: the act of compliance itself, and then the auditability of that compliance. For instance, a company has to protect the privacy of certain types of data, and it also has to be able to prove to auditors that this data is secure. All of these requirements need to be translated into corporate policies, and those policies then need to be implemented, both with respect to people and systems. "That policy needs to be instantiated in the infrastructure," Nick said during a conversation last week over coffee.

This is where Nick thinks EMC can find a new niche. He noted that between RSA, Documentum and Ionix, EMC has products to help customers create and enforce access policies for applications and data, and systems to help customers move certain IT functions from their own data centers to data centers located in the cloud.

Nick wasn't ready to announce a specific product or service, much less a timeframe for when EMC will get into the compliance-as-a-service business, but he said most of the main pieces are already in place. The one thing that's missing is an effective way of managing information as its flows through the different layers of the technology stack. "There isn't a standardized model for the information we're swimming in," he said.