Storage on the frontline of data compliance

By Darren Bagulely

March/April Edition, 2008: Although such stringent regulations have caused overseas CIOs a lot of angst over the past few years, Australian CIOs – unless they work for an Australian subsidiary of a US or European company, or an Australian company with substantial overseas interests – have not really had to ready their storage infrastructure to meet such standards.

Various vendors, particularly US-based ones, have tried hard to use the compliance angle to boost sales in the wake of SOX’s introduction but generally this marketing strategy has not proved particularly successful in Australia, says IBRS advisor Dr Kevin McIsaac.

“A couple of years ago, led by the paranoia of the SOX brigade, US vendors started selling everything around compliance. Then they realised it just wasn’t working because compliance has always been different in Australia.”

There is currently no Australian equivalent to SOX; however, there are a large number of disparate pieces of state and federal government legislation that have the potential to affect whether data storage is compliant or not.

“Something like 85 different pieces of legislation relate to document destruction, discovery and evidentiary onuses on it,” says Hitachi Data Systems director of consulting and solutions Australia New Zealand, Michael Cunningham.

“That includes the Corporations Act, which dictates how long financial records should be stored for, tax statutes, the Archives Act, Evidence Act, Crimes Acts, Privacy Act and Freedom of Information (FOI) Act which boil down to quite a heavy onus on government and corporate to have a records management system linked to compliant storage.”

Additionally, some actual and mooted legislative changes in Australia are set to change the compliant storage landscape in a big way, according to CommVault archiving specialist – ANZ, Paul McClure. “Australia is lagging behind the rest of the world in terms of compliance but we’re having more and more conversations with our prospects and customers about preparing themselves for upcoming legislation.

“Additionally, Victoria has introduced the Crimes (Document Destruction) Act 2006 and Evidence (Document Unavailability) Act 2006, which are close in spirit to the US Federal Rules of Civil Procedure model under which American courts have fined major corporations such as Morgan Stanley for failures to produce documents at all or within a reasonable time frame.”

Australia’s privacy laws could also be due for a revamp according to Network Appliance’s Decru business development manager, Steve Bracken. “Privacy laws in Australia highlight that companies must take reasonable steps to protect individuals’ identity data. But the ramifications of losing data and the lack of any process to inform individuals [whose data has been compromised] creates an environment where those laws are easily flouted.

“There is a massive review of data breach reporting laws underway by the Privacy Commissioner and it’s likely in the next 12 months that significantly tighter data breach reporting laws [will be recommended]. If those laws do become reality people will need to look a lot more closely at the cost of losing customer data – fines, loss of reputation etc – versus the cost of the technologies available that can mitigate that risk.”

So what then are the components that comprise a compliant data storage system? Cunningham says, “The technology needs to cater for the longevity of records management by catering effectively for obsolescence of the platforms through complying with open standards – all in a cost-effective way.

Records capture is one of the most critical requirements. “Does the technology cater for different record types such as structured or unstructured data? Does it enable complete capture to allow for classification and the inclusion of metadata? Then, to prove the authenticity, it needs some sort of unique identifier for each unique record.

“Content protection is also vital. A compliant system should protect against data loss or damage due to system failure, overwrite or deletion, and include features such as safe deletion. Equally, once the content is stored, can you reliably search, access and retrieve it at any time? It should also provide mechanisms for monitoring and audit of when a document was registered and entered, deleted or altered, and by whom.”

So how much of a compliant data storage system is hardware and how much of it is software or even process and procedure? And is there any difference between SAN, NAS, fibre channel and IP? A lot depends on which vendor you speak to. HP StorageWorks marketing manager, Mark Nielsen, says “provided the data is available, it’s largely irrelevant what tier of storage it’s available on.”

Gartner’s research director, servers and storage, Phil Sargeant is more circumspect. “[The hardware] does and doesn’t make a difference. EMC was one of the first to come out with content addressable storage and it so happens to be IP-based but apart from those more proprietary solutions I haven’t seen one favoured by another.”

And while vendors may try to position their hardware, software or combination of both as a silver bullet, the reality is that compliant data storage begins with processes and policies. “It really starts with a set of policies defining what are you going to store, where are you going to store it, who has access to it and then making sure the application has the right tools to support that,” says Symantec’s Enterprise Vault regional director APAC, Bjorn Engelhardt. “If you don’t have a structured approach to managing your compliant storage you just simply aren’t going to be compliant no matter what you do.”

There may not be mass take-up of compliant storage in Australia currently, but all the vendors IDM spoke with said they were talking to customers worried about exposure in this area. And with a tightening regulatory environment on the horizon, starting to address the situation now could make the difference between CIO standing for “career is over” or “chief information officer”.

Ultimately, says EMC product marketing manager, Clive Gold, “Compliant data storage is not good business practice, it’s essential business practice. Are all businesses doing it? No they’re not. But those trading offshore, coming under various legislation and the ones that are more conservative and concerned about compliance are putting in more effort. There are a lot of business drivers as to why you should do it besides keeping the directors out of gaol, but in short, it affects the bottom line because good governance leads to lower costs.”