This article can also be found in the Premium Editorial Download "Storage magazine: Email storage lessons learned from Citigroup."
Download it now to read this article plus other related content.
Few of the regulations that compel a company to retain data actually prescribe a required type of physical storage. One prominent regulation--the SEC's rule 17a-4 for broker-dealers--says that if electronic media is used to retain records, they must be stored "exclusively in a non-rewriteable, non-erasable format," which suggests that WORM disk or tape would be required.
The vast majority of compliance rules, however, don't go that far. But as part of the process of ensuring that retained data can't be tampered with, many companies are opting for special storage systems such as EMC Corp.'s Centera, IBM Corp.'s TotalStorage Data Retention 450 and Network Appliance Inc.'s SnapLock. These storage systems effectively lock retained data, barring any modifications or deletions of records until predetermined retention periods have elapsed.
|What users want in compliance software|
The Radicati Group, a consulting and market research firm based in Palo Alto, CA, surveyed 21 companies representing nearly 400,000 employees to determine their regulatory compliance activities. This chart shows the key factors that the companies cited as motivations for selecting archiving software.
North Bronx Healthcare Network's Morreale says they took a broader approach when designing the storage system for the data that HIPAA requires they retain. Because the digital images they must retain are so voluminous, they added 280TB of various forms of EMC storage over the past two years. Morreale describes the lifecycle approach they took: "The more current stuff I'm keeping on my SAN [storage area network], and as we age it out, our intention is to move to NAS [network-attached storage], where it's not so transactional anymore, and then we're going to archive on our CAS [content-addressed storage]."
As the result of its compliance program, Harvard Medical spent about $2 million for additional storage, and also instituted a tiered-storage architecture with an eye to implementing information lifecycle management (ILM). Toward that end, Halamka put a system in place to prioritize 200 applications and their related data that started with the question, "If you take each application that we run, what are the demands for uptime, data integrity and recovery?" Based on this analysis, they were able to determine how to migrate data between their EMC Symmetrix and Clariion systems, and then to their StorageTek tape libraries. While they eschewed WORM tape, Halamka says that their medical images are stored on an EMC Centera device and then moved to tape.
State Street Global Advisors' Linden says the firm will expand its storage spending by approximately 30% to 40%. Linden sees compliance as an opportunity to implement ILM. "When I have to engage in a technology refresh, I look to use that as a funding mechanism to further our storage framework." He also figures that their increase in storage spending would have been greater without the ILM effort.
At Citigroup in New York City, meeting compliance requirements is an enormous undertaking because of the size of the company, the number of subsidiary companies and the corporation's varied financial businesses. For example, senior storage engineer Shaun
Mahoney says they've implemented an interim e-mail archiving solution using journaling and off-site storage. With 235,000 e-mail users, Mahoney says, "The scale of our e-mail environment prohibits us from using a lot of solutions at their present maturity levels." Citigroup is working with several e-mail archiving vendors to modify their programs so they can handle Citigroup's large number of Exchange users.
Of course, Citigroup's regulatory efforts go well beyond e-mail. "It's not just e-mail or just instant messaging--it's across the board," says Mahoney, adding, "I don't know of any business that has only one application that deals with financial markets." To cope with the storage requirements of compliance, Citigroup has already "a fairly sizable amount" of storage capacity to meet their interim requirements and the company expects to add significantly more, especially when a final e-mail solution is put in place.
This was first published in July 2004