
Data retention rules demand a group effort

Users are facing a rash of new federal regulations -- SEC Rule 17a-4, the Sarbanes-Oxley Act, the USA Patriot Act, HIPAA. And all of them make data retention just another big old headache for the data center manager.

In this interview, Peter Gerr, an analyst with the Enterprise Storage Group Inc. (ESG), Milford, Mass., addresses how to avoid the bureaucratic red tape and devise a storage technology road map that satisfies regulators over the long haul.

How do you see those issues evolving over the next five years?

IT and business professionals are quickly headed towards a future where less time and cost is spent managing storage systems and more time is spent managing, accessing and protecting information. Information, now more than ever, is seen as a vital corporate asset with intrinsic value. Much like other assets, the value of information changes over time. When discussing the value of information, it is important to remember that the intent of regulatory compliance is to protect some of the most valuable and potentially dangerous information from improper use.

A lot of storage admins we've spoken to aren't sure what regulations they need to comply with, let alone how to get it done with technology. What makes regulatory compliance so difficult today?

The most challenging aspect of addressing compliance, regardless of which regulation or industry you look at, may be that it requires collaboration and cooperation from a different set of stakeholders. Addressing compliance is not the storage or network administrator's job, it's not the CEO or CFO's job, and it's certainly not the job of the scientist in the lab or stock trader on the floor of the NYSE. It actually involves all those parties working in concert with the appropriate technologies and processes to make it work effectively.

What are some of the regulatory compliance issues facing storage administrators today?

The storage industry, meaning the technology vendors, along with IT and business professionals, are just experiencing the first waves of what will be a significant change in how information is managed. It's important to remember that compliance is one facet of a bigger trend, which is what ESG has defined as 'reference information' -- that is, information that is retained for active reference and value over a period of time. A compliant record, or information retained for compliance-related purposes, is just one type of reference information.

What current and emerging storage technologies will make satisfying regulatory requirements easier in the future?

A new generation of storage solutions, some specifically designed to address compliance, are still just beginning to emerge. Paper, optical and WORM technologies have been used for years in the financial services and other industries to satisfy regulatory issues, but what we see now is the emergence of disk-based solutions that employ a combination of software and hardware functionality to meet some of these requirements. We've seen vendors such as EMC and Network Appliance come to market with disk-based systems that are specifically positioned to meet regulatory compliance regulations and, from what we have seen, the IT and business people we've spoken to welcome these systems as being easier, more flexible, and less costly to manage than legacy solutions. We will also see other vendors come to market in the next six to 12 months with disk-based solutions with integrated or third-party software to allow for a variety of solutions.

What can they do now to get the ball rolling to be ready for data retention rules in the future?

The end users we spoke [with] that were the most confident that they could efficiently and quickly address compliance were those that removed the internal barriers between IT and the lines of business and took a proactive approach towards compliance. Reacting to compliance or to an audit of your e-mail system means that it is too late. This doesn't mean that you have to throw out your entire IT infrastructure and start fresh, but it does mean that you have to understand the requirements that affect you, that you identify the data and content types that are required to be retained, and for how long, and that you develop auditable processes to ensure that these information assets are being protected as outlined in the regulations.

Why is regulatory compliance such a hot topic today? In the future, will it generate the same level of paranoia and vendor attention?

Compliance is not new. In fact, some of the original regulations are decades old, and organizations have been meeting the requirements in different ways for some time. And that is the root of the problem: The complexity that compliance presents today stems from the fact that the business world and technology have evolved ahead of the regulations. Most of the regulations don't address the use of electronic records and computer output; they were written to address the use and retention of paper, film, X-rays and other legacy media. I've heard some say that Sarbanes-Oxley is like Y2K, except it never ends.

Let us know what you think about the story; e-mail: Kevin Komiega, News Editor
