The services and products are designed to help companies comply with regulations mandated by the Securities and Exchange Commission, the Sarbanes-Oxley Act, the anti-terrorism U.S. Patriot Act, and the Health Insurance Portability and Accountability Act.
"Companies really still don't have the information they need to decide what records to keep, what not to keep," said Alan Stuart, a senior strategist in IBM's storage software division. "They're struggling with all these different acts."
IBM will bundle one or more of the new compliance products, said Stuart, or sell them separately, depending on what the customer wants. "They can have it all, or they can pick and choose," he said, touting IBM's open architecture, which will let companies link existing compliance applications to the vendor's products and services.
IBM's approach--pushing a broad set of compliance-related products--deserves attention, said analysts. Vendors that offer single-purpose solutions to compliance are commonplace, but IBM's holistic strategy is smarter.
"IBM certainly has the most toys for the compliance game," said Stan Lepeak, analyst and VP at research firm Meta Group. "But what's more important is that it's encouraging users to look at a comprehensive rather than a point-based solution."
The compliance offerings include several new services.
IBM E-mail Archive and Records Management Service is a hosted service initially aimed at the financial-services market, but which can be used by any company to automate the capture, archiving, and retrieval of inbound and outbound E-mail and instant messages. Powered by Zantaz, the real-time archiving service will store messages for months or years, depending on the customer's compliance needs, and separates personal from business messages to lighten the retention load. The on demand-style hosting service will charge customers only for the E-mail storage capacity they use.
IBM and Searchspace have joined forces to launch IBM Anti-Money Laundering Service, another hosted service to help companies comply with the Patriot Act, which requires businesses to put a program in place to detect and prevent money laundering schemes by terrorists and criminals. It can also be run inside a company and tied with IBM's DB2 Content Manager.
IBM also tweaked some of its management software to better handle compliance requirements, Stuart said. Both DB2 Content Manager and the Tivoli Storage Manager have been enhanced, and now come in versions with the Data Retention Compliance label.
Tivoli Storage Manager for Data Retention Compliance, for example, now offers event-based retention rules that companies can apply to insure records are kept for the required length of time, as well as deletion hold tools to make sure records that must be preserved--perhaps because a federal or internal investigation mandates that they not be erased--are preserved.
Other new solutions include a data-wiping service for retired hardware, and by April 2004, support for Write Once Read Many (Worm) tape media in IBM's TotalStorage Enterprise Tape Drive 3592.
Although only regulations from the SEC demand that records be kept on non-changeable media such as Worm, Stuart said that many of IBM's customers are looking at the format as additional insurance against claims of regulatory violations. "Worm tape costs a fraction of non-erasable disk space," he said.
IBM will continue to push the compliance envelope, concluded Stuart, with more products and services over the coming months. Next year, it will introduce a platform based on the pSeries processor and the Tivoli Storage Manager that makes use of serial ATA disk-storage systems for archiving important documents.
"There's more coming," Stuart promised.
IBM better move fast, said Meta Group's Lepeak--before the sales window for compliance closes. The deadline for Sarbanes-Oxley, the primary driver for enterprise compliance, is just eight months away.
"This quarter and the next will be the big ones for compliance," he said. "But by the second quarter of 2004, it will be too late." He expects a lull from that point until sometime after the midyear deadline, when companies will make a secondary push into compliance in order to try to squeeze some additional value from what they've already deployed.
But while he applauded IBM's tactic of bundling outsourced services, storage, and content management into a compliance initiative, Lepeak cautioned companies against thinking that the solution to the problem was to buy another product. "The situation with most users is more one of what to do with the technology rather than the need for more technology," Lepeak said. "Another way to say that is you may not need to buy some" of IBM's products and services."