Storage pros already had plenty to do, but in an age of ever-expanding regulations, their to-do list keeps growing. Laws and standards, including GDPR, the Sarbanes-Oxley Act, HIPAA, PCI DSS and CCPA, make ensuring compliance an even bigger challenge.
However, whether storage pros take on more compliance responsibilities relative to others in their organization varies widely by industry and company size. In less regulated industries such as retail, it's more common to see storage pros taking responsibility for a wider range of security rules and compliance operations, said Andrew Smith, an IDC analyst. On the other hand, in highly regulated industries such as healthcare, there's usually a higher prevalence of dedicated teams responsible for security and compliance, sometimes supported by a chief data officer.
For most organizations, the biggest compliance drivers include the following.
GDPR. The General Data Protection Regulation controls data protection and privacy relating to citizens of the European Union (EU), limiting data movement and how data can be used. Because of its broad definitions and painful penalties, GDPR is a top concern for all data stewards, who must be extremely careful to avoid its snares.
Sarbanes-Oxley. Sarbanes-Oxley is a U.S. financial regulation dating back to 2002 that applies strict data retention rules to U.S. public companies. Storage pros must be mindful of what data is covered by the regulation.
HIPAA. The Health Insurance Portability and Accountability Act of 1996 is a complex statute that covers more than just data. However, its most relevant feature aims to protect the privacy and confidentiality of medical information relating to individuals. So, it concerns itself with both retention and access controls on data.
PCI DSS. The Payment Card Industry Data Security Standard aims to protect consumer credit card information wherever it exists -- both to prevent fraud and to support privacy. Organizations handling this type of data are subject to various kinds of regular audits.
CCPA. The California Consumer Privacy Act is a state law similar in concept and consequence to the EU's GDPR.
The biggest issue with all these regulations, according to Christophe Bertrand, an analyst at Enterprise Strategy Group, a division of TechTarget, is understanding what data the organization has and which regulations apply to it. Once that's settled, compliance is more manageable.
Storage compliance roles and responsibilities
"Often, we see storage pros responsible for the basics of data management and record protection, regardless of the data type," Smith said. That could include making sure data is available and protected -- replicated and backed up -- regardless of type, providing appropriate access controls and processes, and ensuring regulatory compliance.
Smith said the relationship between archiving and e-discovery is often a good illustration of the intersection of disciplines. Storage administrators are usually responsible for data archiving, data policies, metadata and access. Compliance pros will then access this data for surveillance or e-discovery purposes using tools native to the archive or with the help of integrated apps. "The roles performed are very distinct, but they are both integral to the goal of information governance," he added.
Typically, data is still managed by storage or data managers in the IT organization. "For SaaS apps, this becomes much more varied, where you might often see line-of-business app owners taking on data management tasks within the confines of a specific SaaS app they are using," Smith said.
However, he said that in conversations with both vendors and buyers, the lines between storage, data management, and data security and compliance appear to be blurring. Over the past few years, the market has shifted to delivering platforms and services for data management, data resilience and data platforms, he added.
Smith said a large part of the reason the market is going in this direction is that storage pros are having to "do more with less." Storage capacity continues to grow exponentially as businesses digitize larger portions of their operations, products and services. This puts an additional burden on storage pros and IT admins to ensure enterprise data is stored cost-effectively and is easily accessible to a wider range of applications and business units considered "mission-critical." And when the prevailing themes of the day are tropes such as "data is the new oil" and "data is your most valuable asset," enterprises are pressured to capture and retain more data than ever before in the hope that this data can be monetized in novel ways. "In many cases, it falls on the storage admin to cost-effectively manage storage systems; it's a tough position to be in," he added.
Although storage and IT pros might not have all the tools and knowledge they need to meet every compliance requirement or thwart every attack, they are absolutely the first line of defense, and "an integral part of an enterprise's data strategy," Smith said. "When we ask storage managers about privacy laws and compliance, the majority say they are concerned about their organization's ability to comply." The same people typically focus on challenges such as performance, management and security, particularly the security of cloud storage services.
Storage compliance best practices
Smith and other analysts suggested half a dozen tips or best practices for storage pros concerned about mastering compliance challenges, including:
- Document actions. Be prepared to justify policies and practices. According to Bertrand, all the regulations are subject to interpretation, and some are deliberately vague, in effect requiring only that modern, up-to-date practices be used. It is therefore desirable to keep explanatory documentation of storage policy that supports the appropriateness of the choices made, in case of an audit.
- Leverage tools. Lindsay Hohler, principal at Grant Thornton, said she recommends using tools to implement and automate governance of data -- and to ensure everyone understands their roles and responsibilities. "It isn't just a program led by IT; it has to engage stakeholders across the organization," she added.
- Store data cost-effectively. Making sure the data is stored on the most cost-effective and performant tier available is a top best practice, Smith noted. And make sure basic policy and access requirements are met -- e.g., who can access what files/buckets and the time period specific data should be retained before it is tiered off or deleted. "We see all of this often under the control of storage pros," he added.
- Use effective products and services. One way storage and IT pros can avoid being the "fall guy" when things go wrong is to do more comprehensive vetting and discovery of vendor products and services when it comes to regulatory compliance and security, Smith said. Ask the right questions to understand customer versus provider and shared versus individual responsibilities when it comes to data privacy and compliance, he added.
- Take advantage of automation. At the heart of these services is the traditional storage system, but, increasingly, IT buyers expect more than just a file system or object storage repository. They expect advanced data management tools built in that go beyond basic provisioning and replication. As a result, according to Smith, they're looking for management tools that help them automate access controls, predict physical equipment failure or identify performance bottlenecks, as well as track and audit data logs and identify malware or ransomware.
- Anonymize data. In some cases, Hohler noted, data that is subject to regulation can be anonymized, so it no longer runs afoul of regulations such as GDPR and CCPA, enabling retention to continue but with less risk.
The corollary to implementing good data protection and compliance practices, according to Hohler, is making sure the organization also has sound and active data disposal practices. "For many years, companies have been focused on making sure to keep data to meet a variety of legal requirements, but now, we are seeing more of a shift toward disposing of data as soon as it makes business sense, assuming you have met the legal thresholds for retention," she said.
The bottom line, Hohler added, is to be aware that security and compliance programs can take time to implement.