Compliance fears may spur backup outsourcing

Compliance jitters cause companies to consider outsourcing backup.

This article can also be found in the Premium Editorial Download: Storage magazine: The 15 top storage products of 2004

Fears of not complying with regulations about data protection practices may be pushing some IT managers to outsource...

their backup and archive obligations, according to some outsourcers and industry observers.

Outsourced backup and archiving service providers, the thinking goes, are 100% focused on only those core tasks and may be better poised to fulfill compliance duties than a company whose strengths lie elsewhere.

Outsourcing your backup or archiving may also increase the likelihood that you could pass an audit--especially if that outsourcer is known to the auditing firm.

Even if your organization is perfectly capable of doing its own backup and archiving, proving that your process is adequate to an auditor is another story. "You may have a great system in place in-house, but you still have to jump through all sorts of hoops to convince the auditors," says Kevin Merritt, VP of archiving and compliance at FrontBridge Technologies, Marina del Rey, CA, which provides e-mail security and message management services, including e-mail archiving. "The burden of proof isn't on the auditor, it's on the firm," he adds.

It's hard to tell how an audit will go beforehand, says Phil Gilmour, CEO at EVault, which provides outsourced services and in-house backup software. "It's a drill-down sort of thing. If you're meeting the standard, they do a high-fly, but if they find any chinks in the armor, it can get pretty intense."

FrontBridge tells customers that archiving e-mail through its service will pass muster with the Securities and Exchange Commission (SEC) and National Association of Securities Dealers (NASD) because customers have passed their audits before.

Other outsourcers also advertise their compliance with Statement of Auditing Standards No. 70 (SAS-70), which is specific to outsourcers. "There's definitely an increase in the number of subscriber customers that ask if you are SAS-70 compliant," says EVault's Gilmour. "SAS-70 is becoming a new checkbox item for financial services companies."

If you don't go with an outsourcer, be prepared to familiarize yourself with numerous standards governing data protection, says Jerry Smith, CTO at IPR International, an online backup provider in Conshohocken, PA. Audits you may be called upon to pass include the IT Governance Institute's Control Objectives for Information and related Technology (COBIT), and the Committee of Sponsoring Organization's (COSO) Integrated Framework.

Of course, outsourcing backup or archiving isn't for everyone. "What we've seen is a significant uptick in the small- to medium-sized market," says Mark Silverman, president and CEO at Bocada, Bellevue, WA, whose BackupReport software is used by service providers and individual companies to report on the success of backups. "For companies that are very large, there are very few [outsourcing] companies that could credibly provide services to them," he adds, whereas the smaller shops may be better off leveraging the resources of a third party.

Indeed, large companies in general are well versed in documenting their policies and procedures. "For them to demonstrate competency isn't an issue," says Gilmour. But for smaller companies, "[backup and archiving] are not their core competencies and, from an ROI perspective, it may be too difficult for them to develop it."

The idea of outsourced backup and archiving assumes a high degree of comfort with third-party service providers on the part of IT managers, which hasn't always been the case. But that's changing fast, says FrontBridge's Merritt. "There's been a whole-hearted shift in peoples' attitudes toward outsourcing," he says. "Two years ago, when I'd talk to customers, I'd spend the better part of my time convincing people that outsourcing was secure. Now I spend maybe 15 seconds on it, and they say, 'I don't need to be convinced.' "

That's only natural, says Gilmour. "When they first came out with ATMs no one wanted to use them," he says. "But eventually, it got so convenient that [people] got over it."

However, the memory of the dot-bomb fallout is still fresh in many people's minds, says Doug Chandler, program director for storage software and services at IDC, Framingham, MA. "People still think 'If I'm going to let a third party do this, it'd better be a very established company,'" he says. Furthermore, when companies do decide to outsource, Chandler says, it's often a time-to-market consideration and the idea down the road, "is that they'll bring it back in-house."

That continued reserve is still reflected in IDC's numbers for the outsourced backup and archival market. In 2003, worldwide revenue for backup and archive software was $2.8 billion. The outsourced portion of that figure is still a tiny portion, Chandler says. "I'd be surprised if it cracked $100 million."

This was last published in January 2005

Dig Deeper on Data storage compliance and regulations

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.