A never-ending issue facing storage managers is trying to get the resources needed to make their systems run more efficiently. In fact, it’s almost the same situation that networking managers found themselves in during the mid-sixties. Good news for storage management has arrived in the form of new data retention laws handed down by the federal government. The bad news for storage managers, however, is those same data retention laws handed down by the federal government.
According to Lou Harvey, technical business architect with Maranti Networks, even with the compliance laws laid out, IT organizations must have both manual and automated process models in place in order to: support and secure the regulated source records; be able to retain, recover, and show explicit audit trail creation of each class of record and its lifecycle governance (retention and destruction processes); and have the ability to retrieve and manage security and access within multiple layers of storage and business processes.
“The challenge is that many source documents originate on today’s laptops or desktops through email or office application tools, and may not find their way into the data center scope for days, weeks, or months,” says Harvey. “This creates corporate risk and liability.”
Harvey says that as a result of these challenges, IT organizations need to extend their ‘must have’ list to include multi-vendor storage management, multi-layer storage retention, and multi-application data sourced governance through the use of automated document retention and protection-based solutions.
Jon Toor, director of product marketing at OnStor, says that regulatory compliance will bring increased standardization to record keeping. “Document retention and retention of electronic communications were previously managed in very diverse ways, ranging from the very structured to the somewhat ad-hoc.” According to Toor, disaster recovery planning was viewed by some IT managers as a ‘must have,’ and by others as a ‘nice to have.’ “Compliance will drive more companies to implement robust data management to ensure that data is both protected and quickly recoverable.”
Storage Administrators Face a Multitude of Compliance Issues
There are many different types of regulatory compliance issues facing storage administrators today, and Mehran Hadipour, vice president of marketing for Kashya, Inc., says one of the most pressing concerns is that organizations are in need of a cost-effective solution that provides synchronous levels of protection with no distance limitations and with no application degradation.
“These organizations also need a solution that is flexible, providing the ability to adapt to changing business requirements,” says Hadipour. “They also require a solution that will integrate with their current infrastructure, so as to minimize disruption, leverage existing investments, and minimize costs.”
Some of the specific regulatory compliance issues organizations have to contend with are the Sarbanes-Oxley Act for all public corporations, the Health Insurance Portability and Accountability Act (HIPAA) for corporations in the healthcare industry, and SEC regulations for retention of all electronic correspondence with clients. “For storage administrators, these responsibilities are now being piled on top of everyday storage issues,” says Wayne Lam, vice president of professional services at FalconStor. The bottom line, according to Lam, is that effective management of storage is crucial to meeting compliance issues and day-to-day operations.
Although the compliance issues are now in place, there are still many folks out there who are not even sure what regulations they need to comply with, let alone how to get it done with technology. Hadipour sees three major factors contributing to this difficulty. One is the lack of clarity and understanding about where data is placed across the enterprise, as well as how to protect and retain it.
The second problem is that many of today’s technology solutions are based on specific storage or server platforms, which makes deployment of consistent data protection and retention solutions across the enterprise extremely complex. The third issue, says Hadipour, is the cost. “The cost of solutions for data protection often exceeds the reach of many mid-sized organizations.” What is needed, he says, is a network-based solution that supports heterogeneous servers and storage that protects data at a fraction of the cost.
Lam agrees and says that compliance can be a complex beast. He points out that different and multiple compliance regulations are applicable to many businesses already, and even though the easiest way to comply with all of them is to securely maintain and retain all corporate data, that represents a very tall order. “Knowing where and how to start tackling the beast is the [most] difficult part for many organizations, and here’s where the storage sales potential fits in.”
“Important operational data is most likely stored on a premium disk, and businesses do not want to pay premium prices to store this data,” Lam continues. “Recovery from tape may not be rapid enough for some businesses, so there’s a market now for secondary or very cost-effective storage, as well as storage appliances designed for very specific business needs in order to meet the federal requirements.”
Three Areas of Critical Data Management
Harvey identifies three areas of critical data management necessary to meet these new regulatory requirements for data protection and retention: security, sourced audit trail, and accessibility.
“Security impacts several data issues, including intellectual property and audit trail validation, which represent the crown jewels of all companies and are associated with creation and control of ownership,” says Harvey. These involve critical business records that allow a company to properly defend and protect its ability to drive revenue under existing regulatory requirements. “This brings with it the requirements to secure, mirror, protect, and recover this data for both business and (now) legal purposes,” he says.
Harvey explains that what this means is that at the enterprise level of every business, requirements have changed to include more than just common security policies for data and retention on tape. It now requires classification, retention, and management of data lifecycles beyond the traditional protection and management processes used by IT today.
Harvey adds that serious consideration must be given to how multi-vendor sourced data will be identified, ranked, and managed across the various storage architectures involving both legacy and open systems. This, according to Harvey, includes using production, near-line, and archival (tape and disk) storage, and must be revisited to match the new business models of governance.
In today’s ever-changing world of storage, IT managers are not only facing the day-to-day issues that have come to be expected, they now have to fulfill data permanence and retention regulations, address potential liability issues, satisfy security requirements, simplify compliance management, improve information access, and cut overall costs — all in a day’s work. As Lam says, this is a very tall order.
This is the first of a two-part article. Part two will address the following questions:
- How will compliance issues evolve over the next five years?
- What can organizations do now to get the ball rolling to be ready for data retention rules in the future?
- What current and emerging storage technologies will make satisfying regulatory requirements easier in the future?
- Why is regulatory compliance such a hot topic today? In the future, will it generate the same level of paranoia and vendor attention?