Storage: Compliance Cuts Across Industries, Storage Products
By Mark Ferelli
Ever since the large corporate scandals involving Enron, WorldCom, and the like, new government regulations are entering the business world. Many in the mass-storage world see many of these regulations as saviors from the business strains created by cuts in capital spending in enterprise IT.
It is true that compliance with new federal and state regulations will result in more capital spending on storage hardware, software, automation, architectures and services. More records will be retained than ever before, and the impact will touch both structured data like databases and unstructured data like e-mails and instant messages.
What the Laws Look for
The various regulations are almost never specific on technology; they are more involved with such things as dates. For example, many of the new regulations require companies to retain records for 2 to 10 years or more, and to retrieve records quickly at a regulator's request. Other regulations require systems to keep secure audit trails of changes and deletions or to prevent changes or modifications to archived data. Audit trails will be nothing new for many corporations, since their own auditors demand such safeguards. These rules show immediate requirements for storage hardware that will meet the government's test of time as well as sophisticated software for indexing, tracking, archiving, backup and retrieval.
In point of fact, the demand for reliable storage will increase for a cultural reason as well. Very few end users want to take the time or effort to decide which files to delete, so they save everything. No one gets fired for saving everything, but you take a risk when you decide to press the "delete" key.
The securities trading industry now has some of the most stringent regulatory requirements for record retention and data storage, particularly under SEC Rule 17 for broker-dealer operations. These high-profile requirements have inspired the architectural concept of the "compliance engine."
SEC rules and interpretations were initially focused on the creation and retention of hardcopy records (paper or microfiche). However, hardcopy records and manual processes could not keep pace with the speed and information requirements of today's global markets and trading operations. High-speed, accurate throughput is a requirement instead of an option. Hence the development of a variety of data processing tools, both off-the-shelf and proprietary.
The Health Insurance Portability & Accountability Act [HIPAA] (Public Law 104-191, 110 Stat. 1936 [1996]) addresses a variety of health care reforms. Title II, subtitle F addresses "administrative simplification" and covers healthcare plans, healthcare clearinghouses that provide healthcare transactions and healthcare providers. Unlike the financial services laws, HIPAA drills down into small medical practices, medical billing areas, pharmaceutical firms and more.
Failure to comply exposes the offender to significant financial, legal and business penalties, including criminal prosecution. Best security practices require traditional front-end security methods such as physical access controls, data network transport protection, host defenses, system and application authorization, and security policy. This layered defense model must extend to back-end storage, preventing unauthorized access to data at rest.
But HIPAA's impact reaches across key concepts in mass storage and storage management. Storage consolidation, storage pooling on tape media, data stored remotely, data in motion and stored information leveraging third-party services all have access vulnerabilities that affect compliance efforts.
Controls on protected health information (PHI) dictate where and how the data can be stored and used. PHI data protection often carries related management, training, data classification and infrastructure costs that can be significant.
There are many different types of regulatory compliance issues facing storage administrators and systems integrators today. The pacing concern is that organizations need a cost-effective solution that provides synchronous levels of protection with no distance limitations and no application degradation. The hard fact is that compliance issues will be added to everyday storage issues in installations of every size, from the SMB to the enterprise. And make no mistake, effective management of storage is crucial to meeting both compliance requirements and day-to-day operational needs.