It seems clear that enterprise data storage compliance gets more difficult every year. The regulations seem to multiply annually. Handed down by governments and regulatory agencies, the rules governing the conduct of businesses can't help but influence how data is stored, managed and protected. Here's what IT executives should know about enterprise storage compliance.
Compliance with government regulations for data retention
One of the most crucial aspects of ensuring that your organization is compliant with the many rules affecting how data is stored is data retention. As the term suggests, organizations are often required to hang onto certain types of information for a specified amount of time, typically unaltered, before it can be safely deleted, if ever.
Complicating the matter is that different types of data are subject to different retention periods, not to mention the fact that businesses today are collecting more information on their customers than ever. Although data compliance comes at a cost, it's much preferable to invest accordingly than to cut corners.
For example, the Sarbanes-Oxley Act, often shortened to SOX or Sarbox, requires public accounting firms to retain documentation pertaining to audits for seven years. Public companies must hang onto their payroll documents for seven years but their purchase orders for five years. Failure to meet these obligations can result in fines, jail time, or both.
Of course, it's up to IT departments to ensure that their storage systems and data lifecycle management policies not only keep track of this and other vital business information in case investigators come looking for it someday, but also ensure that it hasn't been tampered with.
Let's look at some of the major regulations that may affect your business and its data compliance efforts.
- The EU's General Data Protection Regulation (GDPR)
GDPR has the IT industry abuzz, and with good reason. Not only does the European Union's stringent new data privacy regulation affect organizations based in the region, it also applies to enterprises that do business there.
GDPR compliance involves classifying, protecting and keeping track of personally identifiable information on EU users. In some cases, it also involves being able to package and supply that information to users in a timely manner and purging it from an organization's systems if requested.
This puts pressure on storage administrators. Not only must they ensure that their storage infrastructures can handle an organization's day-to-day business, but that they have the appropriate access controls and data lifecycle management capabilities to support the regulation's various provisions.
- Sarbanes-Oxley Act
The Sarbanes-Oxley Act was passed by the U.S. Congress in 2002 in the wake of the Enron and WorldCom accounting scandals. Affecting public accounting firms and public companies, SOX is meant to protect investors and help ensure that the financial information and other disclosures made by a company accurately reflect how the business operates.
Privately held companies must also keep SOX compliance in mind. Some provisions, such as those prohibiting the intentional falsification or destruction of records to derail a federal investigation, apply to private companies as well.
- Health Insurance Portability and Accountability Act (HIPAA)
Run a doctor's office, clinic or other type of business that handles patient information? Then the Health Insurance Portability and Accountability Act, or HIPAA for short, applies to you.
Passed by Congress in 1996, HIPAA tackles many issues, including protecting health coverage for workers when their job status changes. It also includes some tough privacy and security provisions that protect patient information.
HIPAA tightly governs how protected health information (PHI) is managed and shared in all its forms. Violating HIPAA's privacy rules can result in fines that climb into the seven figures. Intentionally disclosing PHI can lead to jail time.
In short, if your storage systems touch health and patient information, HIPAA compliance is a critical priority.
- Payment Card Industry Data Security Standard (PCI DSS)
Established by American Express, Discover, JCB International, MasterCard and Visa, the PCI Security Standards Council sets requirements on how businesses protect and manage credit card data. It goes without saying that credit card information is extremely valuable, both to organizations that process payments and to fraudsters looking to line their pockets.
To prevent the misuse of this data, the group's guidelines not only call for organizations to properly secure this information, they also specify what types of data can and cannot be stored.
For example, organizations are allowed to store primary account numbers but not the three-digit CVV (Card Verification Value) number that accompanies Visa, MasterCard and Discover cards. Nor are organizations permitted to hang onto full track data, that is, all the information contained in a card's magnetic stripe or chip.
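As an added illustration of the storage rule just described (example code written for this article, not from the PCI Security Standards Council or any product mentioned): a pre-storage gate that refuses records carrying a CVV field or full track data and keeps the primary account number only in masked form. The field names, the track-data patterns and the masking policy are assumptions of the example, not definitions taken from the standard.

```python
import re

# Added example: a pre-storage gate for payment records. Field names and the
# track 1 / track 2 patterns below are this example's assumptions (heuristics),
# not definitions taken from PCI DSS.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}
# Track 1 looks like %B<PAN>^<NAME>^<YYMM>... ; track 2 like ;<PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{0,26}\^\d{4}")
TRACK2_RE = re.compile(r";?\d{12,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: catches typos and junk, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual masked display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited(record: dict) -> list:
    """List the reasons a record must not be written to persistent storage."""
    reasons = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            reasons.append(f"prohibited field {key!r}")
        elif isinstance(value, str) and (TRACK1_RE.search(value) or TRACK2_RE.search(value)):
            reasons.append(f"full track data found in {key!r}")
    return reasons


def sanitize_for_storage(record: dict) -> dict:
    """Return a storable copy of the record, or raise if it carries prohibited data."""
    reasons = find_prohibited(record)
    if reasons:
        raise ValueError("; ".join(reasons))
    out = dict(record)
    pan = out.get("pan", "").replace(" ", "")
    if pan:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("pan field is not a plausible card number")
        out["pan"] = mask_pan(pan)  # constructed policy: persist only the masked PAN
    return out
```

Run it on a constructed record such as `{"pan": "4111 1111 1111 1111", "exp": "12/25"}` (a well-known test number) to see the masked form, and on one carrying a `cvv` field to see it rejected.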
Key considerations in storage compliance
The biggest challenge facing IT organizations is that each industry has its own regulations that it must adhere to. Moreover, many businesses must adhere to more than one set of regulations.
One of the most critical data compliance issues is data retention.
Consider the Sarbanes-Oxley Act, which requires companies to hang onto certain types of information for years. IT professionals must not only keep track of this information in their storage and backup systems but must also ensure that the data has not been altered. This often means using WORM (Write Once, Read Many) compliant solutions and other methods of guaranteeing that information in archival and long-term data stores is unaltered and remains accessible in case it comes under regulatory scrutiny.
It should come as no surprise, then, that regulatory compliance has a major impact on an organization's overall data storage strategy.
As mentioned earlier, long-term data retention requirements may force organizations to increase their investments in tape. The GDPR's user data request and "right to be forgotten" provisions will undoubtedly have an effect on where businesses place user data and how they manage it and monitor its movement.
The data storage and security overlap
Perhaps the most consequential aspect of data compliance is how security creeps into the proceedings.
Many regulatory frameworks include breach notification rules, requiring that businesses alert their customers if their data has leaked, not to mention penalties for mishandling data. Naturally, businesses will want to avoid this altogether by ensuring that their data security and storage priorities are aligned.
Data compliance generally involves strict access control and authentication policies, ensuring that sensitive data isn't plucked off a drive by unauthorized persons or applications. Encryption is another popular method of keeping regulated information out of the wrong hands, often requiring that storage arrays and other systems support cryptography schemes while delivering acceptable performance.
Data compliance best practices
First, know your obligations. This means knowing which regulations apply to your organization and which types of data you're expected to manage (or not), how long to retain it and how to protect it. Your compliance officers should help in this regard.
Focus on data classification and data mapping. Data classification and data mapping are crucial in discovering the types of information that are being held in your storage systems and how they are being moved across the network. Not only are they essential factors in determining how regulated information is stored, but also a solid step in establishing compliant policies.
Continual monitoring. Storage compliance is not a set-and-forget affair. Continual monitoring is key in ensuring that regulated data is properly cared for during its lifecycle. Procedures must be in place to make sure this monitoring happens regularly.
More than security. Security and storage often go hand-in-hand, but storage compliance takes it to another level. Encryption will help, and many storage solutions feature support for the security-enhancing technology, giving both storage and security professionals one less thing to worry about.
Critical: Testing and audits. Testing and audits will ensure that your compliance policies and IT mechanisms are up to the task. It's best to work out the kinks now before having to explain to investigators why sought-after emails or transaction records have gone missing.