Develop a Storage Strategy with Compliance in Mind

How different regulatory requirements drive storage needs

David Chernicoff

February 27, 2007


IT professionals deal with dozens of regulatory and business-compliance requirements that affect storage management, yet often their companies choose storage solutions with little or no consideration for how those solutions can help meet compliance requirements. I've chosen three common regulatory-compliance areas—the Health Insurance Portability and Accountability Act (HIPAA), Securities and Exchange Commission (SEC) Rule 17a-4, and the Sarbanes-Oxley (SOX) Act—to illustrate the different compliance needs that can affect storage management. In future articles in this series, we'll delve into specific storage solutions to meet compliance needs.

The Storage Perspective
With all the compliance and regulatory issues that corporate enterprises deal with, the concerns of a storage administrator don't usually get the attention they deserve. This is because senior management considers IT from a vertical perspective. That is, management looks at IT as a discrete set of issues, where each problem and its solutions get stuck in a box, and that collection of boxes is the IT department's responsibility to handle without affecting the business workflow or user experience. This prevalent attitude among senior management has its own pitfalls, especially in the area of network storage.

What corporate management needs to accept and corporate IT needs to learn is that certain technologies such as network security and storage management cut horizontally across the enterprise. No one would argue that network security isn't important to consider across the enterprise, but the reality is that in most cases it's still treated more as a vertical responsibility: One group is responsible for perimeter security, another group is responsible for application security, and yet a third group is responsible for data security. Worse yet, each of those groups might be divided into smaller areas of responsibility, resulting in minimal coordination or cooperation between those responsible for maintaining security at the hands-on level.

This lack of coordination is especially prevalent in storage management. Everyone, from entire departments down to individual users, tends to consider the storage to which they have access as theirs. This attitude simply exacerbates the problems that IT encounters when trying to implement a comprehensive storage management strategy. Yet despite those problems, you need a strategy to address the regulatory-compliance requirements regarding data storage. You need to analyze your storage requirements in a horizontal fashion, given how storage underlies almost every corporate computing activity. Doing so will help you develop a strong storage model that can help your company meet compliance needs without sacrificing usability and accessibility.

Regulatory Standards and Storage
Consider the variety of commonplace regulatory standards, ranging from the privacy requirements of HIPAA, to the progressive archival requirements of SEC Rule 17a-4, to the compliance requirements of SOX. All impose specific explicit or implied responsibilities on corporate storage. What companies rarely consider is that the business's regulatory environment should determine the selection of storage and a storage management strategy. Rather than trying to make an existing storage solution solve problems for which it wasn't designed, it's far more practical to factor in compliance issues when you're making decisions about new or expanded storage environments.

Using our three regulatory examples (HIPAA, Rule 17a-4, and SOX), let's look at the most common of storage concerns—backup and recovery. In all three compliance areas, it's essential to have reliable backups and the ability to recover accidentally deleted information, but the priorities and specific details of this requirement differ with each set of regulations.

HIPAA and Storage
In the case of HIPAA, it's obviously important not to lose patient information, but the key to the regulatory coverage is protecting the privacy of that information. This means that you need to maintain careful control over who can actually read the data through the backup and restore process, not to mention who can request that IT provide data restoration. Not all data protection schemes will provide for this level of data-access security, yet in a HIPAA-mandated environment, data-access security should be one of the primary considerations in the implementation of any data protection, backup, and recovery solution.

You'll need to translate the various HIPAA requirements for administrative, physical, and technical safeguards to actions related to storage, ranging from what type of written policies and procedures you keep regarding the use of network storage to the possibilities of hardware-based data encryption done at the storage-server level. HIPAA requirements affect storage policies throughout the equipment life-cycle, from the point of introduction to the network to how equipment must be disposed of, with the goal of protecting the privacy of the potential data stored on that hardware.

In regard to storage management, a business's primary concern under HIPAA is protecting stored data from unauthorized access. Everything else is secondary, because if the primary requirement is abrogated, the potential exists for serious legal action against the business. This mandate for protection of stored data places the added burden on administrators of making sure to clean up the tracks a file leaves within the computing environment. Temporary files, copies of files on client computers, retired backup tapes, or any other location where data might once have resided must be sanitized. That is, you must not only delete all the files but also remove all references to them, any residual fragments of the data on disk, and their ACLs. Although protecting data from unauthorized access is always on the mind of the storage administrator, HIPAA's regulatory requirements complicate storage practices immensely. Even a file deletion is no longer simple, and storage policies and procedures must reflect this reality.

Simply put, HIPAA requirements change the standard corporate storage management mindset and affect all network-attached computing activities. Given the nature of the modern medical environment, this means that storage management policies and practices apply horizontally across a broad variety of vertical applications.

SEC Rule 17a-4 and Storage
Now let's look at SEC Rule 17a-4. In this case, although data privacy is important, the regulation focuses on data accessibility, specifying what types of data must be kept available and for how long. Therefore, data-storage requirements depend on the type of data and its particular set of requirements.

Time periods for data retention under 17a-4 fall into four categories: two years, three years, six years, and for the life of the business enterprise. It's therefore crucial that you're able to classify your data and how it will be stored. Additionally, the regulation uses the phrase "easily accessible place" to describe where much of the covered data should be stored.

Given these requirements, it's clear that your backup strategy must be one of the driving factors in the storage implementation plan. And given that the regulation covers communication between broker and client and requires the storage of that communication, integration of the data backup and recovery scheme with a business's email software is required, to meet the regulation's "easily accessible" clause.

To comply with 17a-4, a business will need to implement a multi-tier storage architecture that comprises online, nearline, and offline storage, depending upon the point in the information life cycle where each piece of affected data currently resides. To meet this requirement, then, when you evaluate storage solutions, look for a comprehensive hardware platform that includes a suitable storage management component, which addresses information life-cycle needs while requiring minimal work on IT's part.

Compliance with 17a-4 also requires tight integration of email with backup storage. The ability to reliably and easily recover email that could be as much as three years old is a requirement that could cause serious problems with email servers for a large business that needed to retain its messages online as part of the active mail store. Maintaining email-server performance at a high level is generally at odds with keeping huge amounts of archival email online, so the ability to migrate email data to an accessible, but not primary, storage location becomes another motivating factor in the data management plan.

In this storage environment, capabilities such as self-recovery and online backup and restore go a long way toward fulfilling regulatory requirements. But you need to maintain complete and thorough data backups, because simply clicking the delete button on an email in a user's inbox can violate the applicable rule. You need to maintain storage on the network, or on any location that's kept backed up and current, to avoid inadvertently violating regulatory requirements. Complying with 17a-4, therefore, will require large amounts of storage, for which you'll need to have practices and processes to keep it backed up and technology and processes to keep that backed-up data easily accessible.
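The tiering and deletion-gating logic described in the preceding paragraphs (retention classes, the "easily accessible" window, online/nearline/offline placement, and refusing a delete that would fall inside a retention period) is shown below as an added example; it is not code from the original article. It assumes a two-year easy-access window and retention classes named only by their period (which record types belong in which bucket is a question for counsel and the auditors, so no such mapping is asserted here). The Record type, the function names, the legal-hold flag and the sample inventory are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed for this example: records must sit in an "easily accessible place"
# for their first two years, after which they may move to slower tiers.
EASY_ACCESS_YEARS = 2

# Illustrative retention classes named by their period (an assumption for the
# example; mapping real record types onto these buckets is a job for counsel
# and the auditors). None means "for the life of the enterprise".
RETENTION_YEARS = {
    "retain_2y": 2,
    "retain_3y": 3,
    "retain_6y": 6,
    "retain_life": None,
}


@dataclass(frozen=True)
class Record:
    """One retained item, e.g. an archived broker-client email (hypothetical type)."""
    record_id: str
    retention_class: str
    created: date
    legal_hold: bool = False


def _add_years(d: date, n: int) -> date:
    """Anniversary of d, n years later; Feb 29 collapses to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_end(rec: Record):
    """Date on which the record's retention period has run, or None if it never does."""
    years = RETENTION_YEARS[rec.retention_class]
    return None if years is None else _add_years(rec.created, years)


def assign_tier(rec: Record, today: date) -> str:
    """Pick the storage tier a record belongs in as of `today`.

    online: inside the easy-access window, must be recoverable on demand
    nearline: still within retention, may live on slower (but restorable) storage
    offline: retention has run but a legal hold keeps it; archival media suffices
    disposal-eligible: retention has run and nothing else requires keeping it
    """
    if today < _add_years(rec.created, EASY_ACCESS_YEARS):
        return "online"
    end = retention_end(rec)
    if end is None or today < end:
        return "nearline"
    return "offline" if rec.legal_hold else "disposal-eligible"


def can_delete(rec: Record, today: date):
    """Gate a deletion request: refuse while retention or a legal hold applies."""
    if rec.legal_hold:
        return False, f"{rec.record_id}: legal hold in effect"
    end = retention_end(rec)
    if end is None:
        return False, f"{rec.record_id}: retain for the life of the enterprise"
    if today < end:
        return False, f"{rec.record_id}: retention runs until {end.isoformat()}"
    return True, f"{rec.record_id}: retention ended {end.isoformat()}"


def plan_tiers(records, today: date):
    """Map every record ID to the tier it should occupy as of `today`."""
    return {rec.record_id: assign_tier(rec, today) for rec in records}


# Constructed sample inventory; IDs and dates are made up for the demonstration.
AS_OF = date(2007, 2, 27)
SAMPLE_RECORDS = [
    Record("EM-1001", "retain_3y", date(2005, 3, 1)),
    Record("EM-0412", "retain_3y", date(2004, 6, 15)),
    Record("BL-0077", "retain_6y", date(2000, 1, 10)),
    Record("BL-0078", "retain_6y", date(2000, 1, 10), legal_hold=True),
    Record("ORG-0001", "retain_life", date(1998, 5, 20)),
    Record("TB-0003", "retain_2y", date(2004, 12, 31)),
    Record("EM-0229", "retain_3y", date(2004, 2, 29)),   # leap-day creation date
]

if __name__ == "__main__":
    for rec_id, tier in plan_tiers(SAMPLE_RECORDS, AS_OF).items():
        print(f"{rec_id:9} -> {tier}")
    for rec in SAMPLE_RECORDS:
        allowed, reason = can_delete(rec, AS_OF)
        print(("DELETE OK      " if allowed else "DELETE DENIED  ") + reason)
```

The point of keeping `can_delete` separate from `assign_tier` is that the user-facing delete path and the migration job answer different questions: a record can be far out of its easy-access window and still be undeletable, and a legal hold overrides the calendar entirely. Wire the same check in front of the mail store's delete action, not only the archive's.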

SOX and Storage
Storage compliance under SOX is both easier and more difficult than the other compliance areas we've examined. It's easier because, at its simplest, SOX requires everything involved in corporate activity to be stored somewhere for possible retrieval. This requirement makes large amounts of physical storage (e.g., NAS, enterprise SAN setups) a practical way to store masses of data in a manageable fashion. Add in the capability to securely back up and restore that data, and you've probably covered all the bases. The difficulty in determining a SOX compliance strategy lies in determining what to save and what to discard.

Auditors who specialize in SOX compliance can give you the information you need to build the type of storage network that's appropriate for your environment. Without this type of careful analysis, businesses can end up storing everything, which not only can become a network-storage–management nightmare but can have unexpected consequences in the event of regulatory litigation. IT has a responsibility to make sure regulatory requirements are met, but because this is such a specialized area, determining applicable due diligence should be done with the assistance of the appropriate auditors.

Compliance Needs Drive Storage
It should be clear by now that regulatory compliance should be a primary driver when you select storage hardware and storage management software. After you determine what storage environment can appropriately handle the applicable regulatory constraints, you'll find it's a much simpler task to manage that storage so that you minimize any chance of a failure that might expose the company to litigation. Although regulatory requirements are well defined, the solutions for complying with them aren't. Therefore, you need to carefully analyze business needs as well as business workflow to determine how best to use a storage model while maintaining regulatory compliance. (For a checklist to help you evaluate your storage compliance needs, see the sidebar "Steps in Designing a Storage Compliance Strategy," page 56.) Keep in mind that you can meet storage requirements by using a horizontal solution that provides appropriate storage to all parts of the corporate enterprise while solving the regulatory storage problems.
