IBM hopes to hit home run with 'Blue SOX'

By Heidi Biggar

Announced earlier this week, IBM's new "Blue SOX" service is designed to relieve organizations of some of the day-to-day burdens of Sarbanes-Oxley (SOX) compliance by handing off data management/storage responsibilities of certain data types to IBM Global Services.

The new service is the latest in a series of IBM services that deal exclusively with regulatory compliance-related issues. Other options include anti-money laundering and an e-mail archiving hosting service based on products from Zantaz.

While it is too early to tell if the Blue SOX service will hit a home run with users, analysts say if anyone can make this type of model work, IBM can.

"People would love to outsource SOX issues, but they don't trust most vendors for this type of service," says Steve Duplessie, founder and senior analyst with the Enterprise Strategy Group (ESG) consulting firm. "There aren't many vendors other than IBM that could pull this off."

ESG says there has been a modest resurgence in outsourced managed services, in particular for e-mail management and archiving from vendors such as Connected (which was recently acquired by Iron Mountain) and Zantaz (whose Digital Safe service IBM Global Services resells). While these types of services don't absolve users from ultimate responsibility for compliance, ESG says outsourcing compliance preparation or specific applications such as e-mail can make sense, depending on the user environment.

IBM is betting that the need for this type of service will resonate among users as they continue to struggle to meet various regulatory requirements-and as data volumes increase.

"Users are getting tired of putting in point solutions for e-mail, SOX, etc.; they just want someone to do it for them," says Al Stuart, chief strategist and business line executive for IBM's data retention solutions.

Stuart says that, unlike the defunct storage service provider (SSP) model, this type of hosting services model works for compliance data because the data is not typically viewed as critical to organizations' day-to-day operations. However, this type of data can have significant business implications for many organizations in the event it is irretrievable in a legal situation. IBM loosely refers to this type of data as "JIC" ("just in case") data.

"A lot of data is being saved just in case someone needs it down the road," says Stuart. As a result, many organizations think there is little value to this data and are okay about turning it over third parties to handle, he says.

Besides minimizing the number of applications a company must implement on-site, Stuart says Blue SOX gets rid of other headaches, such as technology migration (i.e., migrating data to new technologies as old ones are retired) and dealing with exponential data growth.

The Blue SOX service leverages IBM's Workplace for Business Controls and Reporting (WBCR) software. Data is transferred over an Internet connection (according to a schedule determined by the user) to any of IBM's hosting facilities across the US and can be mirrored to a second site for disaster-recovery purposes. A management dashboard at the customer's site provides visibility into the service, showing the current status of compliance efforts.

Initially, user data will be stored on server-resident disk. However, as demand for the service increases, IBM plans to introduce more back-end storage types, including non-IBM disk arrays, WORM tape, and optical.

Stuart says a key objective with the service is to be able to tailor it to the specific needs of customers. Blue SOX also features backup-and-restore services, as well as help-desk support. Users are charged a monthly fee for the service based on usage and the number of users. IBM did not provide pricing details.

This article was originally published on January 26, 2005