by Scott Tyler Shafer

Enterprise storage and government mandates

analysis
Nov 21, 2003 | 7 mins

Help is on the way for enterprises struggling to comply with government regulations for the storage and retrieval of data

Charles Bennett was in a storage predicament. By Securities and Exchange Commission mandate, all business records at the full-service brokerage Hornor, Townsend & Kent, where he is director of compliance, needed to be stored on nonerasable, nonrewritable storage media. His dilemma was how to meet the requirements and do so quickly.

“We’re sending and receiving 6,000 e-mails per day,” Bennett says. “Our choice was to print e-mails and put them in a file — which would be impossible to index, and we’d need a team of bodies to respond to any SEC request — or go electronic.”

Not surprisingly, he chose the electronic route. More and more, other enterprises are also seeking new data storage solutions in the face of government mandates. Compliance is a problem that has taken center stage in many companies due to a host of new government regulations addressing everything from privacy concerns to document retention and the astronomical rate of data creation.

With many new and complex regulations on the books, IT managers are desperate for solutions and advice. These regulations include HIPAA (Health Insurance Portability and Accountability Act), which addresses medical documents to ensure patient privacy; SEC Rule 17a-4, which requires brokers and dealers to preserve communications with clients; U.S. Department of Defense (DoD) 5015.2, which requires all agencies associated with the DoD to have a certified application or technology solution to manage records; and the Sarbanes-Oxley Act, which holds members of companies accountable for the financial information they report.

These regulations raise several tricky enterprise storage issues. New regulations stipulate that electronic records must be saved in a nonerasable, nonrewritable format, commonly referred to as WORM (write once read many) disk technology. The regulations also require different lengths of data retention. That means IT managers must now tag and create retention periods for data. Additionally, they must be prepared to respond to requests for data in a short period of time. And the problems are made more complex because each regulation has different storage requirements.

Storage vendors IBM, Hewlett-Packard, EMC, Network Appliance, and Hitachi Data Systems are addressing these new mandates with dedicated appliances, bundled solutions, and data management and retention strategies. But there is no panacea, primarily because each company has different needs when it comes to regulatory compliance. However, new solutions addressing specific regulations are arriving more rapidly and new technologies promise to make compliance faster and cheaper.

Nonerasable Media and Retrieval

Enterprises need solutions that meet stringent storage media requirements. Although tape and optical media met past WORM requirements, they do not meet some of the new retrieval guidelines. For example, one of the tenets of SEC Rule 17a-4 is that “every such broker and dealer shall preserve [data] for a period of not less than three years, the first two years in an accessible place.” This means that stored data must be available instantly if required.

In the near future vendors will lean on emerging disk technologies including SATA (Serial ATA) and SAS (Serial Attached SCSI). As successors to current parallel disk drive technologies — ATA and SCSI, respectively — the new disk formats offer speeds up to 30 times faster than those of parallel technologies; smaller connectors; and compatibility between the two new drives.

Vendors and analysts alike envision these new drives, particularly SATA, as an optimal storage means for e-mail or other unchanging data that is accessed very rarely, but that needs to be readily available for compliance checks. Expected to be more cost-effective than other disk formats such as Fibre Channel or SCSI, SATA will also benefit from its ability to connect to SAS connectors. This means an SAS-enabled solution can also contain the less-pricey SATA drives.

Retention Solutions

One of the chief concerns about regulatory compliance is data retention. The issue is complex because each regulation’s retention requirements are different. HIPAA, for example, requires storing patient records for a patient’s lifetime, while the SEC requires business records to be kept for six years. To address this, vendors are developing point solutions that fulfill the requirements of a particular regulation.

For example, in October, Network Appliance announced it had achieved U.S. Department of Defense 5015.2-STD certification for an electronic records-management application with partners KVS, MDY Advanced Technologies, and Decru. The solution features Network Appliance’s SnapLock software technology, which Mike Marchi, senior director of marketing at NetApp, explains is an add-on to NetApp’s existing line of NAS systems, including NearStore, a disk-based storage solution that often sits between a back-up server and a tape library. Marchi explains that with SnapLock, a WORM-based disk volume can be created on NetApp’s NAS appliance. Along with KVS’s e-mail archiving software and MDY’s document management software, and in conjunction with Decru’s DataFort security appliance, the solution ensures compliance with DoD 5015.2.

EMC has taken a similar approach with its disk-based appliance Centera. EMC has qualified a number of e-mail-archiving and medical imaging software solutions to work with Centera. EMC and partner Documentum (a company EMC has announced its intentions to acquire) have combined Documentum Records Manager V3.1 with EMC Centera to provide a solution that meets DoD 5015.2 requirements.

Retrieval Built for Speed

Both NetApp’s SnapLock technology and Centera address not only retention of data, but also quick retrieval. Coupled with a disk-based appliance, Centera uses a CAS (content-addressed storage) technology that assigns each saved object a unique address, which is returned to the application that created that particular piece of data. The object’s address is saved to disk within Centera and when the application wants to retrieve a particular object, it simply requests it by using its unique address.

This system also allows users to define the period of time a particular document must be saved and when it can be destroyed. Both Centera and SnapLock can “shred” electronic documents when they expire.
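The content-addressing and retention behavior described above, as an added example that is not code from the article, EMC, or NetApp. It assumes the object address is a SHA-256 digest of the content (the article does not say how addresses are derived); the class and function names are hypothetical, and "shred" here only drops the in-memory object rather than overwriting media.

```python
import hashlib
import time

class RetentionError(Exception):
    """Raised when a shred is attempted before the retention period ends."""

class ContentAddressedStore:
    """Toy in-memory CAS with write-once objects and per-object retention."""

    def __init__(self, clock=time.time):
        self._objects = {}   # address -> (content bytes, expiry timestamp)
        self._clock = clock  # injectable so retention can be exercised offline

    def put(self, data: bytes, retention_seconds: float) -> str:
        address = hashlib.sha256(data).hexdigest()  # assumed address scheme
        expiry = self._clock() + retention_seconds
        if address in self._objects:
            # Write-once: content is never replaced, and retention only grows.
            stored, old_expiry = self._objects[address]
            data, expiry = stored, max(expiry, old_expiry)
        self._objects[address] = (data, expiry)
        return address  # handed back to the application that wrote the object

    def get(self, address: str) -> bytes:
        data, _ = self._objects[address]
        # Integrity check: stored content must still hash to its address.
        if hashlib.sha256(data).hexdigest() != address:
            raise ValueError("stored object does not match its address")
        return data

    def shred(self, address: str) -> None:
        _, expiry = self._objects[address]
        if self._clock() < expiry:
            raise RetentionError("retention period has not expired")
        del self._objects[address]  # a real system would also wipe the media

def demo():
    now = [1_000_000.0]  # constructed clock value, advanced by hand below
    store = ContentAddressedStore(clock=lambda: now[0])
    email = b"From: broker@example.com\r\n\r\nTrade confirmed."  # constructed
    three_years = 3 * 365 * 86400
    addr = store.put(email, retention_seconds=three_years)
    try:
        store.shred(addr)
        early = "shredded"
    except RetentionError:
        early = "refused"
    now[0] += three_years + 1  # move the clock past the retention period
    store.shred(addr)
    return addr, early, addr in store._objects
```

Because the address is derived from the content, a read doubles as a tamper check: any change to the stored bytes makes `get` fail instead of returning altered data.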

A Government Seal of Approval

In an attempt to make compliance easier, vendors are seeking approval for their solutions from the government bodies responsible for overseeing each regulation. EMC and NetApp have already received certification for some of their bundled solutions, including the aforementioned DoD 5015.2. Mike Marchi believes that by getting technology bundles approved, NetApp and others can provide solutions to address individual customers’ needs, depending on which regulations apply to their business.

However, enterprises that choose to use a government-approved solution need to keep in mind that the responsibility for meeting government mandates still rests with them — not the vendor.

Combination Approach

Beyond providing certified bundles, other vendors including Hewlett-Packard and IBM are combining new and existing products with consulting services to help enterprises meet regulatory requirements (see “The Outsourcing Alternative,” right).

Bennett, director of compliance at Hornor, Townsend & Kent, solved his storage predicament by outsourcing his e-mail archiving responsibilities to Iron Mountain, which provides off-site storage services. He decided it was wise to outsource the work because of the high volume of e-mails and because a majority of the company’s employees are remote.

Looking Ahead

Many of the storage solutions on the market today are short-term measures designed to help companies deal with immediate storage needs created by the onslaught of new regulations. But the market for comprehensive solutions to address the complex regulatory environment is still maturing. Those in IT charged with overseeing storage strategies need to have both long-term and short-term plans in place.

One thing is certain: The regulations are putting IT to the test on a high-profile issue.

“This is really a backroom process that has become a boardroom problem,” says Sean Lanigan, director of product marketing at EMC’s Centera division. “Corporations are now taking a more corporatewide approach to deal with regulatory compliance, rather than just an IT approach.”