Cracking the compliance whip

Cracking the compliance whip

Being a pack rat isn't such a bad thing - particularly when it comes to keeping critical business data. But how do you manage it all and keep it properly tucked away, appropriately categorising the documents from cradle to grave?

Containing the data bulge is critical for companies. But with compliance a major concern overseas, particularly in the US, is the local market interested in this legalese?

As the US cracks the corporate whip, analysts believe compliance and data retention is becoming more topical. Key benefits include financial reporting, IT governance and business process improvements.

Locally, many businesses were looking for a range of storage solutions that help capture, manage and reuse business data - but they weren't necessarily looking to improve the storage infrastructure for compliance or regulatory reasons, independent analyst, Kevin McIsaac, said.

"While compliance is an important issue, it's not the holy grail that vendors portray it to be," he said. "Vendors love to have a big stick or carrot to dangle."

HP Australia CFO, Jack Gargano, suggested many businesses were approaching compliance as a necessary tick-box activity.

"They are singing the right song but not really understanding the words," he said. "This can be the difference between success and failure for a business."

The financial services industry was more open to compliance, Gargano said, but most companies had incomplete alignment of corporate and IT governance strategies despite the fact they were well aware of the issue.

A lax local regulatory environment is part of the reason for the compliance lull, according to independent analyst, John Brand.

Except for Corporate Law Economic Reform Program (CLERP 9) - which aimed to ensure clear guidance on appropriate corporate behaviour and effective enforcement where breaches occur - there was not much else on the plate, Brand said.

The corporate law reform took into account audit regulation and a wider corporate disclosure framework, he said.

"CLERP 9 is a vague attempt at Sarbanes-Oxley," Brand said. "The reason it exists is because the global hype was so noisy. And unless we looked to be doing something, people would be getting nervous. But it's unlikely we'll create a local version of Sarbanes-Oxley."

If anything, the top end of corporate town would most likely be affected by overseas legislation.

"Large organisations [those dealing in the US market] are required to fulfill certain obligations and recognise Sarbanes-Oxley," Brand said. "This is just one of the triggers to help them drive better information management practices."

And while the local regulatory environment is not strict, businesses can look towards regulatory compliance as a reason to improve the overall data management strategy.

"With firms struggling with document management and records management, the regulatory environment is driving many companies to revisit data storage projects," Brand said.

According to a recent StorageTek survey, the data retention period required for most Australian organisations was 5-10 years, with a significant proportion needing to keep data for a decade or more. StorageTek managing director, Philip Belcher, said storing and managing critical business information was a growing market for resellers.

"This is a hot button at the moment," Belcher said. "There are massive amounts of data flying around but how do you manage it all?" The company recently launched an archive solution, dubbed IntelliStore, which assigns data to the appropriate tape or disk storage system based on specific performance and cost needs.

"The idea that increasing regulatory compliance is only a problem for US organisations or those with an international reach is a fallacy," Belcher said. "The volume of red tape that Australian organisations have to deal with will only get worse - it won't get better."

But don't get lost in the vendor hype associated with pushing compliance-related products, McIsaac warned resellers.

"We hear a lot about how compliance is important, but there are more pressing issues to contend with," he said. Getting the data storage house in order in terms of the network infrastructure is a more realistic pursuit, McIsaac said. "Most companies still have relatively unsophisticated networks," he said. "And many are still at a basic level in terms of storage."

More importantly, containing the reams of content as data volumes explode is a top requirement - and a good starting point for keeping on top of things.

Information Lifecycle Management (ILM) is one way to categorise the reams of data, according to industry proponents.

IBM's Francois Vazille said ILM provided the hardware, software and services that could help an organisation understand the value of data and deal with compliance issues. With ILM, users could categorise data, add different tiers of storage and mix in archival and usage policies, McIsaac added.

"But many companies aren't doing the ILM strategy because it is tricky to decipher who owns the data and who coordinates the policies," he said.

Moreover, the ILM mantra was yet another vendor stick - a pipedream at the moment, McIsaac said.

"I don't quite understand the ILM concept," he said with a chuckle. "When I say ILM, don't I sound smart? It sounds fantastic, but when you peel back the layers, what do I do. How does it all work?" Offering tiered storage was not good enough, he said, unless it was somehow tied into the business requirements.

"Let's just say people are so far away from that today - they struggle with the basic level of storage management," McIsaac said. "With that, they need to consider the processes around storage and the services they need to deliver?"

Work needed to be done before the ILM concept becomes mainstream, Quantum country manager, Craig Tamlin, said. The hardware piece of the ILM puzzle was in place, but there was work to be done on the software front in terms of integration.

"We need to integrate backup and recovery software with archive technology, and also integrate virus scanning," he said.

House in order

While compliance is not yet a heavy hitter in the local market - despite oodles of vendor hoopla - resellers can still help organisations get the data management house in order.

And companies needed help, StorageTek's Belcher said. The major concerns in terms of compliance and long-term retention of information include manageability and cost. Other challenges associated with long-term data retention include retrieval, complexity and technology refresh concerns.

The majority of the cost attributable to storing and protecting data was often the result of management overhead: the less time spent managing the data, the lower the cost of ownership, Belcher said.

Taking these factors into consideration, partners can build an archival strategy, which includes providing retention policies and data classification. Other facets of the archival strategy include storage infrastructure selection, management processes, deletion policies, movement between storage tiers and a technology refresh plan.

McIsaac recommended resellers help customers sort out IT processes with an eye on storage management, architecture and implementation; along with a focus on an end-user solution including email management and compliance.

"Companies need to look at storage as a capability or a service. One technology won't do everything. You may need two or three or four classes of storage," McIsaac said. "Resellers shouldn't push a SAN a NAS or merely the technology view, but the business view: what storage infrastructure processes and policies are needed to maintain and categorise the data?"

Compliance mandates required changes in business processes, which in turn required changes to business-critical applications, he said. Resellers can help customers assess compliance requirements with the underlying principles of privacy and information governance.

"Companies need help identifying risks to information security resulting from missing or inadequate controls, and provide recommendations for action," Belcher said.

Sun Microsystems storage business manager, Dan Kieran, said partners could architect and design data policies once the business case is all sorted out.

"The channel can provide recommendations for archiving that enables infrastructure and operations that support both compliance and business goals," he said.

Taking things back a notch, determining what constitutes a business record is the first step, with email being a good starting point, according to Brand.

"In most cases, documents aren't managed at all," he said. "Companies need to do a much better job of understanding what the business does, appropriately define a business record and know how business records are managed."

This was where the partner could jump in, Brand said: "Resellers need to stop focusing on compliance as a compelling event and rather focus on it as a business requirement. Think of helping customers in this area because it just makes good business sense."

Victorian-based reseller, Perfekt Com, is doing just that.

Technical director, Abie Gelbart, agreed compliance and regulatory worries weren't a top priority, particularly in the SME and government arena. But, disaster recovery and business continuity were growing.

"We have found those segments of the market haven't bitten the regulatory compliance bone," Gelbart said. "Realistically, we are years behind the US. People are concerned about it, but they're just not buying solutions because of it."

Often, the data isn't stored in the right place and many companies, particularly at the SME level, aren't aware of how much storage they actually have.

"Storage consolidation gives companies much more flexibility in the way they move storage capacity around the network," Gelbart said. Write Once, Read Many (WORM) was an example of a technology addressing the compliance question because it allowed information to be written a single time and prevented the data from being erased, Quantum's Tamlin said.

Tape has traditionally been the most popular type of storage for archiving data but it's not the only mechanism for backup and restore protection. Primary disk, secondary disk, optical, microfilm, content-aware storage and WORM/tape round out the list. Serial ATA is also increasingly being used by companies looking for an alternative to tape backup storage.

Long-term play

Analysts suggest it all boils down to companies needing to implement IT governance strategies and software that establish a sustainable approach to making changes and lowering the cost and risk associated with the business.

And there are a range of solutions designed for long-term archiving and compliance. Backup, recovery and archiving technologies underpined the ability to maintain data availability, achieve compliance goals and successfully implement ILM, Tamlin said.

"With a focus on compliance, resellers can help clients step up to the plate and implement best practices," he said. "Going with the corporate mood, the right thing to do is implement disaster recovery and backup strategies so companies can restore service levels."

Resellers should focus on compliance, Tamlin said, because it was good for business even if the laws are something of a toothless tiger.

"Be realistic," he said. "Don't act like the sky is falling in - sell it to clients on the basis that it is good for business practices and service levels."

Need to know

  • Vendors are touting regulatory compliance as a reason for organisations to address storage environments
  • Analysts insist it is not a major driver here but agree companies would benefit from better data management
  • More work needs to be done before Information Lifecycle Management is accepted as mainstream technology
  • Resellers need to mix storage technologies to suit business requirements of each individual customer
  • Even if compliance isn't a big issue here just yet, implementing a strategy will improve business process

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments