Alan Stuart and Gary Thomsen on Archiving and Compliance

Summary

Key's June Webinar featured Alan Stuart, IBM's Chief Strategist/Business Line Executive, and Gary Thomsen, Storage Specialist at Key, in a Web-based learning session titled IBM DR550 Storage for Regulation Compliance. Stuart covered new regulatory mandates that address the archiving of computer data. These regulations include the Sarbanes-Oxley Act, HIPAA, SEC 17a-4, FDA Part 11 and DoD 5015.2. Stuart also covered considerations for managing long-term data retention and how the new IBM TotalStorage DR550 disk storage solution addresses those considerations. Thomsen described Key's new Data Archiving Assessment offering. Computer platforms addressed in this Key Webinar include Unix, AIX, Linux, OS/400, MVS and NT/Windows.
Long-Term Data Retention

For long-term retention of data, Stuart said you must be able to answer these five questions:

  • What records do we keep?
  • For how long?
  • Why?
  • How will we find the data quickly and efficiently when we need it?
  • And what do we do with the records when we no longer need to keep them?

Stuart recommended that Key Webinar and Workshop attendees consider acquiring a Content Manager and a Records Management solution, and placing these at the core of their records retention strategy.

New Mandates

He then discussed the regulatory requirements that most directly affect data archiving, namely:

  • Sarbanes-Oxley (SOX) Act of 2002 - Penalties for document altering or destruction.
  • SEC 17 CFR 240.17a-4(f) - Records must be in non-erasable, non-rewriteable form.
  • Health Insurance Portability and Accountability Act (HIPAA) - Confidentiality of personal health records through administrative, physical and technical safeguards.
  • Patriot Act - Access to communications and records.
  • FDA 21 CFR Part 11 - Pharmaceutical industry rules on positive identification of records and audit trails.
  • Basel II Accord - Levels the playing field for central banks.
  • U.S. DoD 5015.2 - Standards for e-records management in the military.

Stuart went on to illustrate how some of these important regulations tell you what to do while others describe how to do it. Penalties for non-compliance include severe fines and imprisonment of the CEO, CFO and other company executives for up to 20 years. Compliance with each of the many new regulations is required if the organization falls under its jurisdiction. This can add to the total cost of ownership (TCO) for a considerable portion of the archived data in an organization.

Effects of Mandates

As a result of these new corporate governance requirements, a significant amount of data is being retained for very long periods of time, frequently seven or more years. If you are going to keep data that long, it will probably outlive the media it is stored on, particularly if it is being kept on disk. It is important to consider the costs of preserving and managing the data over its lifetime, rather than taking the traditional approach of measuring the TCO of the devices.

Today's disk storage technology is typically replaced by newer technology every three to four years. Thus, at least two to three major migrations to a new technology would be required over the lifetime of data that must be preserved for seven years or longer. The costs associated with these migrations are a new part of the TCO picture for data as a result of the longer records management periods being mandated by new compliance regulations.

What is JIC data?

While the concept of an information lifecycle and associated cost of data is well-established, one aspect of it reported by Stuart is new. In studies related to the development of IBM's new data archive storage solution, IBM's TotalStorage DR550 development team ran across a new kind of data … Just In Case data. Customers told the IBM study team they were saving certain types of data "just in case" … IBM has now categorized this new type of data as JIC data. After some analysis, IBM found that data becomes JIC data typically between two months and three years depending upon the customer's particular application requirements. Most JIC data is WORN (write once, read never) or WORR (write once, read rarely). In fact, most of it is never used again.

IBM discovered that JIC data is perfect for tape, especially tape with WORM (write once, read many) technology. Tape continues to be 10 to 20 times cheaper than disk. Also, as noted earlier, data archived with seven to 10 year retention requirements will outlive the disk media it's stored on. Disk drives don't last 10 years, so disk-based data will need to be migrated during the lifetime of the disk drives. Stuart suggested that when evaluating retention systems, you always ask what it will cost to save the data for its life expectancy and what it will cost to migrate the data to newer technologies as the current media becomes obsolete. Stuart warned against falling into the trap of evaluating your costs based on the storage device's life expectancy. Instead, do these calculations based on your data's lifecycle.

Stuart described a model that IBM built with over 100 components to determine the TCO of your data. Key personnel are trained to use this total cost of ownership tool, called TCO for DR550. Use of it will help to understand the real costs of retaining your data over the longer periods that are mandated today.

Debut of IBM's TotalStorage DR550

Stuart described IBM's new TotalStorage DR550 as a totally new storage system designed from the bottom up. DR550 is policy-based, non-erasable and non-rewriteable disk storage, enabled to use optional WORM tape secondary storage. It has IBM's POWER5 processor and high-speed Ethernet for performance, and IBM SATA disks for low cost. Service levels for retrieving data with the DR550 can be set up based on the nature of the data or its age.

IBM's DR550 provides data encryption both on the fly and at rest, along with flexible key management. WORM tape is an option that can be encapsulated within the DR550 so that retrieval is much faster than normal for tape.

Specific areas where the DR550 is most useful:

  • Archive email, instant messages, voice mails
  • Archive inactive ERP and database applications
  • Replace an optical disk solution
  • Archive images, drawings
  • Comply with corporate retention policies, SOX, SEC and FTC regulations, other legal or regulatory rules
  • Preserve any kind of data based on your company's needs

A major advantage of the DR550's design is that a single I/O operation can include many objects … this is particularly important when handling emails and greatly improves performance. In addition, the DR550 with POWER5 processors can be upgraded with faster processor models and faster disk as needs increase.

In a Q & A session at the end of the Webinar, Stuart answered a number of questions. In one, he replied that it is extraordinarily easy to retrieve data from the DR550 at sub-second response times.

Stuart concluded Key's Webinar session by saying that he believed all the major archiving offerings for compliance out there meet SEC 17a-4 and other American and European compliance regulations. However, some unique aspects of the DR550 include its hardware encryption, powerful performance and amazing scalability as data retention volumes change. Furthermore, IBM is about to release synchronous replication, iSeries Content Manager support, and a very low cost SMB offering, and other improvements are planned over time to ensure the DR550 can meet the data archiving needs of small, medium and larger organizations.

Key's Data Assessment Service

Gary Thomsen, Storage Specialist at Key, described Key's new Data Archiving Assessment service. This assessment is conducted by Key professionals to provide an analysis of the current IT environment and determine the business rules for data governance for the client. The result is a specific data archiving strategy tailored to the client's own needs. See Key Offers at the end of this newsletter for more information.

For an archived recording of this and all past KEY Webinars, go to: http://www.keyinfo.com/resources/web_arch.htm.