This article can also be found in the Premium Editorial Download "Storage magazine: Email storage lessons learned from Citigroup."
Desktops and beyond
As companies scurry to meet compliance requirements, the immediate pain points are usually e-mail and corporate accounting systems, as these systems typically house the data that is required for retention. However, a growing amount of corporate data subject to retention regulations now resides outside the data center on desktop computers and at remote storage sites.
ESG's Gerr points out that applications such as Oracle Financials and PeopleSoft have internal auditing capabilities to keep track of documents produced by those applications. But data that's produced or altered outside the applications represents "an area that is woefully underserved." Gerr adds, "It's very, very difficult to protect the edge."
However, there are ways to address the desktop issue, including backing up all network-connected desktop systems using a product such as Connected's DataProtector/PC. DataProtector can be launched locally or set to periodically back up desktop machines; it only backs up changed data and doesn't store data duplicated on multiple machines, so its effect on performance should be minimal.
Some companies protect desktop data by enacting policies that use logon scripts to ensure that all documents are saved to network drives rather than locally. It's company policy at Citigroup, according to Shaun Mahoney, to store desktop data centrally, and the company is now addressing the issue of remote PCs. "We're looking
The Florida Department of Health takes a similar approach. Says CIO Taylor: "We don't permit, to the best of our ability, people storing any data locally--it's all on their own network shares." For laptops, they rely on users copying their data to central storage when they reconnect to the network. As part of their HIPAA compliance effort, North Bronx Healthcare Network has also banned desktop storage, diverting all data to networked storage in a physically secured data center.
In the future, the question of what to save will undoubtedly become more problematic, especially when considering new and emerging technologies. For example, will digitized voice mail messages saved by VoIP systems fall under the same rules that govern the retention of e-mail and instant messaging (IM)? With the growing popularity of VoIP, it's a good bet that this technology will have an impact on regulatory compliance at some point. Mobile devices also pose some unique challenges, such as device-to-device messaging that skirts the corporate e-mail or IM systems.
But a more immediate concern is turning a compliance plan into action. In addition to expenditures for additional storage, companies should expect other costs such as training staff to help ease the impact of compliance. In some cases, compliance will expand storage operations to the point where additional staffing is required.
Harvard Medical School's Halamka created the storage manager position to help facilitate compliance activities and to advance the organization's ILM implementation. Halamka says the new position is just part of the repositioning of storage as a strategic asset to the organization.
At Citigroup, the extensive compliance effort required adding staff. "Your existing staff is going to have to devote more time to documentation, compliance training, certification and audit," says Shaun Mahoney.
For companies just starting down the regulatory compliance path, it's important for IT--and particularly storage managers--to step up and take a lead position. "IT people have to realize that they play a very important role in enabling compliance," says ESG's Gerr. But he adds that "IT managers have to change [their] frame of mind from a box-centric or systems-centric to an information-centric perspective."
This was first published in July 2004