
Compliance Requirements Drive Major Storage Infrastructure Changes

First came Tyco and Enron, then Sarbanes-Oxley. The federal regulations imposed in the wake of the corporate corruption scandals of the past few years have left the front pages of newspapers to become front-burner concerns on the corporate IT agenda. Corporate managers frequently give lip service to the demands that the Sarbanes-Oxley Act will put on the corporate storage infrastructure. However, Sarbanes-Oxley is only the tip--although admittedly a very large tip--of a huge regulatory compliance iceberg that could force a major realignment of the storage infrastructure in companies of all sizes.

According to a study by Gartner, large and midsized companies will spend $2 billion through 2005 just to become Sarbanes-Oxley-compliant. Some estimates are that companies will spend $6 billion by 2007 on the storage infrastructure necessary to accommodate all relevant regulations.

Those numbers are so big for one simple reason. Enterprises will have to comply with a lot of rules and regulations, and those rules and regulations have a lot of information associated with them. Sarbanes-Oxley, which takes effect in November, requires organizations to retain all relevant audit documentation for 7 years. The Securities and Exchange Commission's (SEC's) regulation SEC 17 CFR 240, which came into effect in May, mandates that all communication between stockbrokers and their clients, including email and Instant Messaging (IM) messages, be retained for 3 years and be easily accessible for the first 2 years. And the Health Insurance Portability and Accountability Act (HIPAA), which takes effect in April 2005, requires that all patient information, authorizations, policies and procedures, and contracts with business associates be retained for at least 6 years. Furthermore, the information must be stored in a robust data center that provides minimum guaranteed uptime and very high security.

And those regulations are just the beginning. The Enterprise Strategy Group (formerly the Enterprise Storage Group) estimates that as many as 15,000 laws and regulations have IT compliance components. Although many of these laws and regulations target large companies, small organizations will also feel pressure as compliance best practices emerge.

A storage infrastructure that can meet compliance mandates has five characteristics:

1. It must be able to protect the integrity of the individual records for the entire retention period. Companies must store primary records in a way that prevents them from being altered and must be able to demonstrate that records haven't been altered.

2. Primary records must be accessible within a reasonable period of time.

3. Companies need to maintain a duplicate set of records for disaster recovery. The disaster recovery duplicate is typically more than simply a backup copy. It should be maintained offsite and retain all elements of the original records.

4. A migration strategy must address what happens when media, storage subsystems, or applications become obsolete.

5. An audit trail must exist. Companies have to be able to document a record's chain of custody and track all events that could delete, migrate, modify, or take any other action related to the record.
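As an added example, not from the article or from any vendor it names, the following Python sketch shows how characteristics 1 and 5 can be enforced in software: records are write-once with a content hash taken at ingest, and every action on a record (including a refused overwrite) goes into a hash-chained audit trail that can be re-verified later. The class, method and record names are constructed for illustration.

```python
import hashlib
from collections import namedtuple
GENESIS = "0" * 64  # chain anchor for the first audit event
AuditEvent = namedtuple("AuditEvent", "seq action record_id actor prev_hash this_hash")

def _event_hash(seq, action, record_id, actor, prev_hash):
    # Each event commits to its predecessor, so editing or deleting an
    # earlier event invalidates every hash that follows it.
    payload = f"{seq}|{action}|{record_id}|{actor}|{prev_hash}".encode()
    return hashlib.sha256(payload).hexdigest()

class ComplianceStore:
    """Write-once record store in which every access is logged to a hash chain."""
    def __init__(self):
        self._records = {}  # record_id -> (content, sha256 taken at ingest)
        self.events = []    # append-only audit trail (characteristic 5)

    def _log(self, action, record_id, actor):
        prev = self.events[-1].this_hash if self.events else GENESIS
        seq = len(self.events) + 1
        h = _event_hash(seq, action, record_id, actor, prev)
        self.events.append(AuditEvent(seq, action, record_id, actor, prev, h))

    def write(self, record_id, content: bytes, actor):
        if record_id in self._records:
            # WORM semantics (characteristic 1): a retained record is immutable,
            # and the refused attempt is itself part of the chain of custody.
            self._log("OVERWRITE_REFUSED", record_id, actor)
            raise PermissionError(f"{record_id} is already retained")
        self._records[record_id] = (content, hashlib.sha256(content).hexdigest())
        self._log("WRITE", record_id, actor)

    def read(self, record_id, actor) -> bytes:
        self._log("READ", record_id, actor)
        return self._records[record_id][0]

    def verify_record(self, record_id) -> bool:
        # Demonstrates the record is byte-for-byte what was ingested.
        content, digest = self._records[record_id]
        return hashlib.sha256(content).hexdigest() == digest

    def verify_trail(self) -> bool:
        # Recompute the whole chain; an edited, removed or reordered event fails.
        prev = GENESIS
        for i, e in enumerate(self.events, start=1):
            expected = _event_hash(i, e.action, e.record_id, e.actor, prev)
            if (e.seq, e.prev_hash, e.this_hash) != (i, prev, expected):
                return False
            prev = e.this_hash
        return True
```

In a real deployment the chain head would be anchored outside the store (for example on WORM media or with a timestamping service), since an attacker who can rewrite the whole trail can also recompute it.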

Building storage infrastructures to fulfill those requirements is burdensome. But not surprisingly, the challenge has already led to some interesting innovations. In July, both Quantum and Sony announced new write once, read many (WORM) tape technology that can help meet compliance requirements. Quantum's contribution is DLTIce, a tape drive for the midrange market. DLTIce uses a standard Super DLT II media cartridge that can't be overwritten or reformatted but to which data can be appended. DLTIce integrates with DLTSage, Quantum's tape management software, for archive tape verification, tamper verification, and time and date signature.

For its part, Sony debuted WORM functionality as part of its next-generation AIT-4 technology. WORM tape technology offers several advantages over the market-leading optical alternatives. "It is fast, simple, and easy to implement," said Steve Berens, senior director of product marketing and strategy at Quantum. WORM applications could ultimately represent 25 percent of the overall tape market, according to Brett Schechter, senior national manager of tape technologies at Sony.

Although innovative products will help, meeting compliance standards will require more than just new technology. It will require that companies of all sizes train end users and overhaul processes. Furthermore, companies now need to seriously address regulatory compliance. Not only does it help companies manage themselves better, but it can also keep corporate executives out of jail.
