Compliance cuts across industries, storage products.

Ever since the large corporate scandals involving Enron, WorldCom, and the like, new government regulations are entering the business world. Many in the mass-storage world see many of these regulations as saviors from the business strains created by cuts in capital spending in enterprise IT.

It is true that compliance requirements with new Federal and state regulations will result in more capital spending in storage hardware, software, automation, architectures and services. More records will be retained than ever before, and the impact will touch both structured data like databases and unstructured data like e-mails and instant messages.

Not a Silver Bullet

Even though the global set of government regulations seems huge, it is not a silver bullet that kills the werewolf of budgetary constraints. Jack Scott at the Evaluator Group points out that only 15% of all data is impacted by all the new regulations. What the integrator needs to do is identify whether his or her clients are part of that 15% who need to come into compliance.

Many articles and analyst reports on compliance have focused on unstructured data such as text documents, e-mail messages, medical images and other documents for such things as litigation support. This reflects the various laws' focus on both electronic messaging and a variety of supporting documents. The impact on storage is a new obligation on the part of the regulated business to add electronic record retention technologies in place of traditional hardcopy stalwarts, such as paper and film.

In response, government agencies have been formulating new rules to regulate electronic records retention. However, while developing compliance initiatives for unstructured data, companies must not overlook the impact of the new rules on structured data. This would include relational databases, custom software for healthcare records and financial records, and more.

What The Laws Look For

The various regulations are almost never specific on technology; they are more involved with such things as dates. For example, many of the new regulations require companies to retain records for 2 to 10 years or more, and to retrieve records quickly at a regulator's request. Other regulations require systems to keep secure audit trails of changes and deletions or to prevent changes or modifications to archived data. Audit trails will be nothing new for many corporations, since their own auditors demand such safeguards. These rules show immediate requirements for storage hardware that will meet the government's test of time as well as sophisticated software for indexing, tracking, archiving, backup and retrieval.

In point of fact, the demand for reliable storage will increase for a cultural reason as well. Very few end users want to take the time or effort to decide which files to delete, so they save everything. No one gets fired for saving everything, but you take a risk when you decide to press the Delete key.

Financial Services

The securities trading industry now has some of the most stringent regulatory requirements for record retention and data storage, particularly under SEC Rule 17 for broker-dealer operations. These high-profile requirements have inspired the architectural concept of the "compliance engine." (See the article on this topic in this issue.)

SEC rules and interpretations were initially focused on the creation and retention of hardcopy records (paper or microfiche). However, hardcopy records and manual processes could not keep pace with the speed and information requirements of today's global markets and trading operations. High-speed, accurate throughput is a requirement instead of an option. Hence the development of a variety of data processing tools, both off-the-shelf and proprietary.

The SEC has responded with informal guidance and official rule changes to recognize and regulate the use of electronic documents and records. Unlike just about every other law for records retention, Rule 17a-4 specifically addresses computer data storage, requiring that the storage technology provide permanent recording that is "non-erasable and non-rewriteable." This reinforces opportunities for optical technologies, especially WORM, which offers permanence but limited capacities. It also opens up opportunities for "WORM tape" from such companies as Sony, StorageTek, and more.

Even hard disk (technologically not a WORM device) may play a role in this effort. The laws have a problem with permanence, not random access. A 2003 interpretation by the SEC cleared WORM-like hard disk for use in this space. The obvious example in this case is EMC Centera, or disk-to-disk solutions from Avamar. Additionally, Network Appliance has what it calls the SnapLock function on its filers, enabling users to support both WORM and write-many functionality in one architecture. The SnapLock software is an add-on feature that can be added to existing Network Appliance NAS filers.

The SEC guideline directs that the software or firmware elements that make each record unrewriteable must reside inside an integrated storage system (probably the controller), not in an applications server.
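As an added illustration (not from the article or any product named in it), a small Python model of the Rule 17a-4 lock the article describes: a write-once store that refuses rewrites and early deletes, records every attempt in an append-only audit trail, and checks stored records against a hash taken at write time. The class, method names, the constructed trade record and the 3-year window are assumptions.

```python
import hashlib
from datetime import datetime, timedelta
class RetentionViolation(Exception): pass   # rewrite/delete attempted inside the retention window

class WormStore:
    def __init__(self, now):
        self._now = now      # clock callable, injected so retention expiry can be simulated
        self._records = {}   # record_id -> (bytes, sha256 hex digest, expiry datetime)
        self.audit = []      # append-only trail: (timestamp, action, record_id, allowed)

    def _log(self, action, record_id, allowed):
        self.audit.append((self._now().isoformat(), action, record_id, allowed))

    def write(self, record_id, data, retention_years):
        # A record id is written exactly once; a rewrite is refused and logged.
        if record_id in self._records:
            self._log("overwrite", record_id, False)
            raise RetentionViolation(f"{record_id} is locked")
        expiry = self._now() + timedelta(days=365 * retention_years)  # ignores leap days
        self._records[record_id] = (data, hashlib.sha256(data).hexdigest(), expiry)
        self._log("write", record_id, True)

    def delete(self, record_id):
        # Deletion is refused, and logged, until the retention window has elapsed.
        if self._now() < (expiry := self._records[record_id][2]):
            self._log("delete", record_id, False)
            raise RetentionViolation(f"{record_id} retained until {expiry.date()}")
        del self._records[record_id]
        self._log("delete", record_id, True)

    def verify(self, record_id):
        # Integrity check: stored bytes still hash to the digest taken at write time.
        data, digest, _ = self._records[record_id]
        return hashlib.sha256(data).hexdigest() == digest

def demo():
    """Constructed scenario: one trade record under a 3-year lock, then expiry."""
    clock = [datetime(2004, 5, 1)]
    store = WormStore(lambda: clock[0])
    store.write("trade-0001", b"BUY 100 ACME @ 12.50", retention_years=3)
    for attempt in (lambda: store.write("trade-0001", b"tampered", 3),
                    lambda: store.delete("trade-0001")):
        try:
            attempt()          # both must be refused while the lock is in force
        except RetentionViolation:
            pass
    intact = store.verify("trade-0001")
    clock[0] += timedelta(days=365 * 3 + 1)   # move past the retention window
    store.delete("trade-0001")
    return intact, [a[1:] for a in store.audit]
```

The refused attempts remain visible in the trail, which is the point of an audit trail of changes and deletions: the lock is only as good as the record of what was tried against it.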

In addition to its detailed requirements for broker-dealer regulation under Rule 17, the SEC has defined broadly applicable rules under the Sarbanes-Oxley Act of 2002 (Public Law 107-204, 116 Stat 745 [2002]) for all companies that are publicly traded in U.S. securities markets. Unlike Rule 17, these rules do not require specific storage capabilities; they affect storage capacity demand by increasing the amount of data that companies retain for internal audit and for external reports to stakeholders and regulators.

SOX, as the law is known, requires a public company's chief executive officer and chief financial officer to certify, in each annual and quarterly report, the adequacy of their internal processes and controls for financial reporting. Originally set for enforcement in June 2004, a recent change was made, targeting November as the trigger date. The signing officers are responsible for establishing and maintaining internal controls to ensure that material information is made known to the officers and must also disclose to auditors all deficiencies in internal controls and any fraud conducted by management or employees who have a significant role in the company's internal controls. Also, any material changes in internal controls must be disclosed.

A lack of diligence in these responsibilities will result in the company being accused of making false statements of material facts in financial reports. The penalties are significant. The delay in enforcement was not a merciful gesture. I suggest that the government and regulatory bodies are giving companies "enough rope." Be on the lookout for a poster child for SOX enforcement.

Health Care

The Health Insurance Portability & Accountability Act [HIPAA] (Public Law 104-191, 110 Stat. 1936 [1996]) addresses a variety of health care reforms. Title II, subtitle F addresses 'administrative simplification' and covers health care plans, health care clearinghouses that provide health care transactions, and health care providers. Unlike the financial services laws, HIPAA drills down into small medical practices, medical billing areas, pharmaceutical firms, and more.

The compliance requirement prevents unauthorized disclosure or misuse of protected health information (PHI) and is mandatory for all parties engaged in the health industry. In particular, all members associated with a transaction involving PHI data must demonstrate best practices for the reasonable protection of the data and the infrastructure that supports processing of that data. Failure to comply exposes the offender to significant financial, legal and business penalties, including criminal prosecution. Best security practices require traditional front-end security methods such as physical access controls, data network transport protection, host defenses, system and application authorization, and security policy. This layered defense model must extend to backend storage, preventing unauthorized access to data at rest.

But HIPAA's impact reaches across key concepts in mass storage and storage management. Storage consolidation, storage pooling on tape media, data stored remotely, data in motion, and stored information leveraging third-party services all have access vulnerabilities that affect compliance efforts.

PHI controls dictate where and how the data can be stored and used. PHI data protection often has related management, training, data classification and infrastructure costs that can be significant. HIPAA Technical Safeguards Section 164.312 suggests encryption as a means to protect PHI. Encryption can be employed to offset PHI protection costs, but can be prohibitive to implement and maintain. Two security areas promote privacy of data at rest: access control tools and, as mentioned, encryption. Software or appliance products from NeoScale, Vormetric and Decru come to mind to meet the standard at a manageable cost.

Other Relevant Laws

There are numerous other relevant laws that impact the use of mass storage in an installation. For example, the Department of Defense has DOD 5015.2; this regulation addresses all agencies within the DoD and certifies which applications or technology solutions an agency may implement to manage records.

There are many different types of regulatory compliance issues facing storage administrators and systems integrators today. The pacing concern is that organizations are in need of a cost-effective solution that provides synchronous levels of protection with no distance limitations and with no application degradation.

The hard fact is that compliance issues will be added to everyday storage issues in installations of various sizes from the SMB to the enterprise. And make no mistake, effective management of storage is crucial to meeting compliance issues and day-to-day operations.
COPYRIGHT 2004 West World Productions, Inc.

Article Details
Author: Ferelli, Mark
Publication: Computer Technology Review
Date: May 1, 2004
