Compliance cuts across industries, storage products.
It is true that compliance requirements with new Federal and state regulations will result in more capital spending in storage hardware, software, automation, architectures and services. More records will be retained than ever before, and the impact will touch both structured data like databases and unstructured data like e-mails and instant messages.
Not a Silver Bullet
Even though the global set of government regulations seems huge, they do not represent a silver bullet to kill the werewolf of budgetary constraints. Jack Scott at the Evaluator Group points out that only 15% of all data is impacted by all the new regulations. What the integrator needs to do is identify whether his or her clients are part of that 15% who need to come into compliance.
Many articles and analyst reports on compliance have focused on unstructured data such as text documents, e-mail messages, medical images and other documents for such things as litigation support. This reflects the various laws' focus on both electronic messaging and a variety of supporting documents. The impact on storage is a new obligation on the part of the regulated business to add electronic record retention technologies in place of traditional hardcopy stalwarts, such as paper and film.
In response, government agencies have been formulating new rules to regulate electronic records retention. However, while developing compliance initiatives for unstructured data, companies must not overlook the impact of the new rules on structured data. This would include relational databases, custom software for healthcare records and financial records, and more.
What The Laws Look For
The various regulations are almost never specific on technology; they are more involved with such things as dates. For example, many of the new regulations require companies to retain records for 2 to 10 years or more, and to retrieve records quickly at a regulator's request. Other regulations require systems to keep secure audit trails of changes and deletions or to prevent changes or modifications to archived data. Audit trails will be nothing new for many corporations, since their own auditors demand such safeguards. These rules show immediate requirements for storage hardware that will meet the government's test of time as well as sophisticated software for indexing, tracking, archiving, backup and retrieval.
In point of fact, the demand for reliable storage will increase for a cultural reason as well. Very few end users want to take the time or effort to decide which files to delete, so they save everything. No one gets fired for saving everything, but you take a risk when you decide to press the Delete key.
The securities trading industry now has some of the most stringent regulatory requirements for record retention and data storage, particularly under SEC Rule 17 for broker-dealer operations. These high-profile requirements have inspired the architectural concept of the "compliance engine." (See the article on this topic in this issue.)
SEC rules and interpretations were initially focused on the creation and retention of hardcopy records (paper or microfiche). However, hardcopy records and manual processes did not keep pace with the speed and information requirements of today's global markets and trading operations. High-speed, accurate throughput is a requirement instead of an option. Hence the development of a variety of data processing tools, both off-the-shelf and proprietary.
The SEC has responded with informal guidance and official rule changes to recognize and regulate the use of electronic documents and records. Unlike just about every other law for records retention, Rule 17a-4 specifically addresses computer data storage, requiring that the storage technology provide permanent recording that is "non-erasable and non-rewriteable." This reinforces opportunities for optical technologies, especially WORM, which offers permanence but limited capacities. It also opens up opportunities for "WORM tape" from such companies as Sony, StorageTek, and more.
Even hard disk (technologically not a WORM device) may play a role in this effort. The laws have a problem with permanence, not random access. A 2003 interpretation by the SEC cleared WORM-like hard disk for use in this space. The obvious example in this case is EMC Centera, or disk-to-disk solutions from Avamar. Additionally, Network Appliance has what it calls the SnapLock function on its filers, enabling users to support both WORM and write-many functionality in one architecture. The SnapLock software is an add-on feature that can be added to existing Network Appliance NAS filers.
The SEC guideline directs that the software or firmware elements that make each record unrewriteable must reside inside an integrated storage system (probably the controller), not in an applications server.
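As an added illustration (not the article's code and not any vendor's product): a toy Python model of the behaviour the two rule discussions above call for, records that are non-rewriteable and non-erasable until a retention period expires, with an audit trail of rejected changes and deletions, and with the enforcement living in the storage object rather than in the calling application. The seven-day retention period, the fixed start date and the record contents are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from hashlib import sha256

class RetentionViolation(Exception): pass

@dataclass
class Record:
    record_id: str
    content: bytes
    retain_until: date
    digest: str  # SHA-256 of content; lets a later reader detect silent corruption

@dataclass
class WormStore:
    # Enforcement lives in the storage object, not in the calling application
    retention_days: int
    today: date  # injected clock, constructed here so the example is deterministic
    _records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # every attempt, kept or rejected

    def write(self, record_id: str, content: bytes) -> Record:
        if record_id in self._records:  # non-rewriteable: an id is written once
            self._reject("overwrite", record_id)
        rec = Record(record_id, content,
                     self.today + timedelta(days=self.retention_days),
                     sha256(content).hexdigest())
        self._records[record_id] = rec
        self.audit_log.append((self.today, "write", record_id, "ok"))
        return rec

    def delete(self, record_id: str) -> bool:
        rec = self._records[record_id]
        if self.today < rec.retain_until:  # non-erasable until retention expires
            self._reject("delete", record_id)
        del self._records[record_id]
        self.audit_log.append((self.today, "delete", record_id, "ok"))
        return True

    def verify(self, record_id: str) -> bool:
        rec = self._records[record_id]
        return sha256(rec.content).hexdigest() == rec.digest

    def advance(self, days: int) -> None: self.today += timedelta(days=days)

    def _reject(self, action: str, record_id: str) -> None:
        self.audit_log.append((self.today, action, record_id, "rejected"))
        raise RetentionViolation(f"{action} of {record_id} rejected")

# Constructed defaults: seven-day retention, clock starting 2004-05-01
def make_store(retention_days: int = 7, start: date = date(2004, 5, 1)) -> WormStore:
    return WormStore(retention_days, start)
```

A real implementation would keep the audit log itself on non-rewriteable media; here it is an in-memory list so the rejections can be inspected.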
In addition to its detailed requirements for broker-dealer regulation under Rule 17, the SEC has defined broadly applicable rules under the Sarbanes-Oxley Act of 2002 (Public Law 107-204, 116 Stat. 745) for all companies that are publicly traded in U.S. securities markets. Unlike Rule 17, these rules do not require specific storage capabilities; instead, they affect storage capacity demand by increasing the amount of data that companies retain for internal audit and for external reports to stakeholders and regulators.
SOX, as the law is known, requires a public company's chief executive officer and chief financial officer to certify, in each annual and quarterly report, the adequacy of their internal processes and controls for financial reporting. Originally set for enforcement in June 2004, a recent change was made, targeting November as the trigger date. The signing officers are responsible for establishing and maintaining internal controls to ensure that material information is made known to the officers and must also disclose to auditors all deficiencies in internal controls and any fraud conducted by management or employees who have a significant role in the company's internal controls. Also, any material changes in internal controls must be disclosed.
A lack of diligence in these responsibilities will result in the company being accused of making false statements of material facts in financial reports. The penalties are significant. The delay in enforcement was not a merciful gesture. I suggest that the government and regulatory bodies are giving companies "enough rope." Be on the lookout for a poster child for SOX enforcement.
The Health Insurance Portability & Accountability Act [HIPAA] (Public Law 104-191, 110 Stat. 1936) addresses a variety of health care reforms. Title II, subtitle F addresses 'administrative simplification' and covers health care plans, health care clearinghouses that provide health care transactions, and health care providers. Unlike the financial services laws, HIPAA drills down into small medical practices, medical billing areas, pharmaceutical firms, and more.
The compliance requirement prevents unauthorized disclosure or misuse of protected health information (PHI) and is mandatory for all parties engaged in the health industry. In particular, all members associated with a transaction involving PHI data must demonstrate best practices for the reasonable protection of the data and the infrastructure that supports processing of that data. Failure to comply exposes the offender to significant financial, legal and business penalties, including criminal prosecution. Best security practices require traditional front-end security methods such as physical access controls, data network transport protection, host defenses, system and application authorization, and security policy. This layered defense model must extend to back-end storage, preventing unauthorized access to data at rest.
But HIPAA's impact reaches across key concepts in mass storage and storage management. Storage consolidation, storage pooling on tape media, data stored remotely, data in motion, and stored information leveraging third-party services all have access vulnerabilities that affect compliance efforts.
PHI controls dictate where and how the data can be stored and used. PHI data protection often has related management, training, data classification and infrastructure costs that can be significant. HIPAA Technical Safeguards Section 164.312 suggests encryption as a means to protect PHI. Encryption can be employed to offset other PHI protection costs, but it can be prohibitive to implement and maintain. Two security areas promote privacy of data at rest: access control tools and, as mentioned, encryption. Software or appliance products from NeoScale, Vormetric and Decru come to mind to meet the standard at a manageable cost.
Other Relevant Laws
There are numerous other relevant laws that impact the use of mass storage in an installation. For example, the Department of Defense has DOD 5015.2; this regulation addresses all agencies within the DoD and certifies which applications or technology solutions an agency may implement to manage records.
There are many different types of regulatory compliance issues facing storage administrators and systems integrators today. The pacing concern is that organizations are in need of a cost-effective solution that provides synchronous levels of protection with no distance limitations and with no application degradation.
The hard fact is that compliance issues will be added to everyday storage issues in installations of various sizes from the SMB to the enterprise. And make no mistake, effective management of storage is crucial to meeting compliance issues and day-to-day operations.
Publication: Computer Technology Review, May 1, 2004 (Regulatory Compliance)