25 May 2011

Six essential storage strategies for compliance

Storage Networking Industry Association (SNIA) | www.snia.org

The risk of non-conformance with the many regulatory requirements that businesses face today places a heavy load on IT operations. The impact shows up in many ways, from the bad press that follows public data theft, to increased operating costs, to substantial investment in compliance-specific storage systems and software (over 40PB installed in 2004). Achieving compliance is not simple. It introduces new operating practices around how information is handled, protected, retained, secured, made available and searched. Even the definition of concepts such as ‘archive’ has changed for information management, presenting new challenges for every part of the organization.

So, what is ‘compliance’ and how does it affect storage? In this context, compliance is a legal requirement to retain, protect, keep confidential and make available information, based on industry-specific laws and regulations. But there is a second dimension. Legal discovery is not regulated; it happens at the whim of whoever elects to file a suit against an organization. So the need to respond in a timely manner is a different obligation from a regulation to retain information. For example, SEC Rule 17a-4 says that records must be ‘readily available’ and that ‘responding to a discovery request’ must be done in a reasonable timeframe. This implies that keeping your information online, indexed and readily available where it can be searched (discovered) makes it easier to respond. It also means that once information has expired, it may be advisable to delete it to eliminate the risk it carries. Risk avoidance becomes an interesting dimension of the overall compliance methodology.

IT relies heavily on a number of essential information and storage-centric practices to achieve compliance. The following strategies deliver some useful guidelines for an IT environment with compliance requirements.

#1: Information classification
A sound, regulatory-compliant IT operation begins with a solid foundation. Working with the appropriate business groups, records management, risk management and IT staff, identify the value of each type of information you hold and the compliance requirements that apply to it. This is the key starting point. Classifying information (into groups where appropriate) by its compliance requirements allows policies to be implemented uniformly in support of compliance-oriented service level objectives such as retention period, class of retention store, confidentiality and privacy, deletion and discovery. On top of these, add the business and operational requirements: performance, availability, class of protection and operational recovery. Once classification, policies and service requirements are in place, implement the practices that support them, including tiering your storage and deploying the data and information services the compliance requirements call for.

#2: Retention using compliant storage systems
Today, various classes of storage system are available that can support all the requirements of specific compliance regulations. In some cases compliance requires long-term retention only, and traditional archive-class products such as magnetic tape or optical storage may suffice. In other cases specific features are needed to meet more stringent requirements: immutability, data integrity, search and discovery, protection, confidentiality, assured deletion and auditing. When requirements of this kind are specified (or deemed appropriate in order to ‘comply’), newer storage systems built on cryptographic hashing of content (called content aware storage or capacity optimized storage) offer real benefits: each object is identified by a hash of its own bytes, so a modified object cannot pass as the original and every read can check that the content still matches its address.
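As an added example (not SNIA's or any vendor's code), the following Go program sketches the mechanism such a store relies on: each object is addressed by the SHA-256 hash of its content, so it cannot be altered in place; every read re-hashes the bytes and reports tampering or media corruption; deletion is refused until the object's retention period has expired; and every operation is appended to an audit log. The store type, the injectable clock, the seven-year retention period and the sample record are all assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Record is one immutable object. Its address is the hex SHA-256 of the content,
// so changing a single byte changes the address: objects are written, never edited.
type Record struct {
	Content  []byte
	RetainTo time.Time // expiry derived from the information class (assumption)
}

// CAStore is a toy content-addressed, retention-enforcing store. Assumption: a
// real product backs this with WORM media and an external, append-only audit trail.
type CAStore struct {
	objects map[string]*Record
	audit   []string         // one line per operation
	now     func() time.Time // injectable clock so retention can be exercised
}

func NewCAStore(now func() time.Time) *CAStore {
	return &CAStore{objects: map[string]*Record{}, now: now}
}

// Address derives the content address from the bytes themselves.
func Address(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

func (s *CAStore) log(op, addr, result string) {
	s.audit = append(s.audit, fmt.Sprintf("%s %-6s %.12s %s",
		s.now().Format(time.RFC3339), op, addr, result))
}

// Put stores content under its hash. Identical content is stored once (single
// instancing) and a re-put simply returns the existing address.
func (s *CAStore) Put(content []byte, retention time.Duration) string {
	addr := Address(content)
	if _, ok := s.objects[addr]; ok {
		s.log("put", addr, "duplicate")
		return addr
	}
	s.objects[addr] = &Record{Content: append([]byte(nil), content...), RetainTo: s.now().Add(retention)}
	s.log("put", addr, "stored")
	return addr
}

// Get re-hashes the stored bytes on every read, so silent corruption or
// tampering on the medium is reported instead of being served as good data.
func (s *CAStore) Get(addr string) ([]byte, error) {
	r, ok := s.objects[addr]
	if !ok {
		return nil, errors.New("object not found")
	}
	if Address(r.Content) != addr {
		s.log("get", addr, "integrity failure")
		return nil, errors.New("integrity check failed: content does not match address")
	}
	s.log("get", addr, "ok")
	return append([]byte(nil), r.Content...), nil
}

// Delete refuses to remove an object while its retention period is running.
func (s *CAStore) Delete(addr string) error {
	r, ok := s.objects[addr]
	if !ok {
		return errors.New("object not found")
	}
	if s.now().Before(r.RetainTo) {
		s.log("delete", addr, "refused")
		return fmt.Errorf("retention holds until %s", r.RetainTo.Format(time.RFC3339))
	}
	delete(s.objects, addr)
	s.log("delete", addr, "ok")
	return nil
}

func (s *CAStore) Audit() []string { return append([]string(nil), s.audit...) }

func main() {
	clock := time.Date(2005, 1, 1, 0, 0, 0, 0, time.UTC)
	store := NewCAStore(func() time.Time { return clock })
	addr := store.Put([]byte("constructed sample: trade confirmation 2005-01-01"), 7*365*24*time.Hour)
	fmt.Println("delete:", store.Delete(addr)) // refused: seven-year retention is still running
	store.objects[addr].Content[0] ^= 0xff     // simulate bit rot or tampering on the medium
	_, err := store.Get(addr)
	fmt.Println("read:", err)
	for _, line := range store.Audit() {
		fmt.Println(line)
	}
}
```

Run it and the audit lines show the refused delete and the failed integrity check. Note what the hash gives and what it does not: it proves the bytes you read are the bytes you wrote, but retention enforcement and the audit log are only as trustworthy as the store holding them, which is why compliant products put both on WORM media rather than in a mutable map as here.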

#3: Privacy and confidentiality
Information at rest and in flight is at risk, as the many data loss and theft incidents reported in the press over the last few months have shown. This will only get worse. Protect your information from theft, loss or intrusion according to its class requirements (value, risk and regulations). Strong encryption remains the safest method, provided the keys are managed as carefully as the data they protect. Compliant storage systems and thorough information assurance (security) practices are required at every stage.

#4: Discovery
As noted, a request for legal discovery can be a serious event. The difficulty arises when a company is asked to produce material that has not been tracked or indexed according to criteria aligned with the discovery request. Solving the discovery challenge requires two classes of tools: search tools that do content filtering, and storage that can be searched. Content filtering classifies information against preset criteria and builds indices for that content; coupled with appropriate search mechanisms, it enables rapid and seamless discovery. Application-specific mechanisms, such as tools that index, search and retrieve email messages and attachments, reduce the cost of discovery and improve its accuracy.

#5: Assured deletion
When the retention life expires, risk management or compliance policies may say ‘delete’. How do you do that with confidence? Assured deletion is the digital equivalent of purging: not only deleting a file, but every copy and version of it wherever it may reside in the organization’s repositories. Providing assured deletion becomes a challenge when information is poorly managed and not controlled. Information must first be found (discovered) and then approved for deletion. For example, how do you locate and then erase a file or a set of messages in the middle of a tape, and on 100 different backup tapes in 10 different facilities? Not easily, and not without comprehensive indexing, media management, cataloging and key management control. Unfortunately, no single control discipline addresses every dimension of digital purging today. This is also where compliant storage can help. At least within that domain, cryptography makes deletion far simpler: if the data was written encrypted, destroying the encryption key is enough to make every copy unreadable. The caveat is that this holds only if all copies were encrypted under that key and no copy of the key itself survives, which is why key management control belongs on the list above.
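The crypto-shredding technique this paragraph and #3 describe, as an added Go example that is not from the SNIA text: each record is sealed under its own AES-256-GCM data encryption key held in a key store, the resulting ciphertext envelope is copied onto a hundred simulated backup tapes, and deletion destroys only the key. The key store, the key identifiers and the sample record are constructed for the example; a production system would hold the keys in an HSM or key management service rather than an in-memory map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what lands on disk, on mirrors and on backup tapes: the
// ciphertext plus the id of the key that opens it. It never carries the key.
type Envelope struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore holds one data encryption key (DEK) per object. Assumption: production
// keeps these in an HSM or key management service; a map is used to run offline.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt mints a fresh 256-bit DEK for the object, registers it under keyID
// and seals the plaintext with AES-256-GCM. The key id is bound as associated
// data, so an envelope cannot be relabelled to open under a different key.
func (ks *KeyStore) Encrypt(keyID string, plaintext []byte) (Envelope, error) {
	if _, live := ks.keys[keyID]; live {
		return Envelope{}, errors.New("key id already in use")
	}
	buf := make([]byte, 32+12) // 256-bit DEK followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	ks.keys[keyID] = key
	ct := aead.Seal(nil, nonce, plaintext, []byte(keyID))
	return Envelope{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens an envelope with the DEK it names. Once that key has been
// shredded, every copy of the envelope, wherever it sits, fails here.
func (ks *KeyStore) Decrypt(env Envelope) ([]byte, error) {
	key, ok := ks.keys[env.KeyID]
	if !ok {
		return nil, errors.New("key " + env.KeyID + " destroyed: data unrecoverable")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KeyID))
}

// Shred is the assured-deletion step: zero the key material and drop the entry.
// No copy of the ciphertext has to be located, read or overwritten.
func (ks *KeyStore) Shred(keyID string) error {
	key, ok := ks.keys[keyID]
	if !ok {
		return errors.New("unknown key id")
	}
	for i := range key {
		key[i] = 0
	}
	delete(ks.keys, keyID)
	return nil
}

func main() {
	ks := NewKeyStore()
	env, err := ks.Encrypt("acct-1234-2005", []byte("constructed sample: account statement"))
	if err != nil {
		panic(err)
	}
	tapes := make([]Envelope, 100) // the text's 100 backup tapes, each holding a copy
	for i := range tapes {
		tapes[i] = env
	}
	pt, _ := ks.Decrypt(tapes[42])
	fmt.Printf("tape 42 before shred: %q\n", pt)
	_ = ks.Shred(env.KeyID)
	_, err = ks.Decrypt(tapes[42])
	fmt.Println("tape 42 after shred:", err)
}
```

The point of the demo is the last line: the ciphertext is still sitting on all hundred tapes, untouched, yet none of them can be read. The caveats are the ones to check in any real deployment: every copy must have been written encrypted under that key (plaintext backups taken before encryption was introduced are not shredded by this), the key store itself must have no surviving replicas or escrow copies, and a real KMS should keep a tombstone for a shredded id so it cannot be silently reused.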

#6: Policies and practices
The single most important thing companies can do to improve compliance with sometimes confusing regulations is to develop operational practices that are sound, repeatable, bulletproof and documented. Policies for assured deletion, retention, information access, risk avoidance, operational recovery and so on should be coupled with policies for supervision, monitoring and auditing. Information Lifecycle Management provides a methodology for developing the practices and policies required for compliance with the various regulations. Begin with classification, then set policies and service requirements. Next, tier your storage, implementing secure and compliant storage, protection and archive repositories that can support your compliance, discovery and risk management requirements. In parallel, put in place the tools that give you the supervision, auditing, monitoring, search/discovery and deletion capabilities you need.

The Storage Networking Industry Association’s Data Management Forum (DMF) is working with a number of industry groups to provide guidance for end users as they wrestle with the challenges of regulatory compliance. DMF provides education on the strategies listed above, including the policies, practices and technologies that enable IT to work better with both lines of business and compliance officers to assure solid compliance with the myriad regulations facing corporations today.

