July 17, 2009
Vol. 31 Issue 19
Page(s) 1 in print issue
Scrutinize Your Storage
Smart Storage Strategies Include Extensive Examinations Into What Data Should Be Kept
For modern organizations, data is like snow in a Colorado winter: It just keeps coming. But although snow eventually melts, data can hang around eternally, consuming huge amounts of storage and leaving managers scrambling to find yet another spot to squeeze in more. Huge enterprises with limitless budgets can address data storage simply by keeping everything, but smaller data centers often must be increasingly picky with the data they back up.
• To best determine what data you should be storing and how long you should store it, determine what data is critical to your organization.
• The type of business will play a role in deciding which data must be stored, with regulations and other legal guidelines often clearly defining those parameters.
• For most organizations, there exists a core set of data types that must be stored, including financial, administrative, customer, and similar data.
“Organizations very much struggle with this issue today,” says Mike Holland, systems engineer for Eternus CS at Fujitsu America (www.fujitsu.com/us). “It is important to remember that backup and archiving are not always the most important items in a CIO’s annual plan, and, as a result, lack of emphasis and/or lack of budget influences activity in this area.”
According to Carl Herberger, vice president of information security and compliance services at Evolve IP (www.evolveip.net), even the best-run companies with access to world-class analysis and assessment talents can struggle with decisions surrounding data storage. In general, he says, data centers either keep all data for the same amount of time and treat all data the same or adopt a differentiation policy for varying types of data and designate separate retention periods for them. However, even though the latter process inherently implies a data classification schema, a closer look often exposes a lack of a formal system.
For most organizations, the question of how long to keep data is very personal, Herberger explains, leaving each data center to negotiate unique answers. However, certain organizational attributes can help to identify the appropriate guidelines for retention. For example, what kind of data does the organization provide? What kind of corporate structure does the organization maintain? In what industry does the company primarily operate?
Organizations should also identify what information they use on a daily basis, says Stephen Kolbe, president of Analysys (www.analysys.net), as well as what information—if lost—could lead to bankruptcy, legal action, and possibly even the end of the organization’s existence. The answers to these and other questions can help organizations identify the type of data to back up and accompanying retention policies.
“Ideally, an organization would be able to keep their data perpetually, but that is usually not possible. What drives the need to retain data is contingent upon compliance with industry regulations, industry-specific tolerances, data relevancy, cost, and physical location size limitations. The more an organization invests in their disaster recovery and business continuance solution, the longer they will be able to retain pertinent data in offsite locations that do not have space limits,” Kolbe says.
Breaking It Down
Storage strategies can vary widely depending on the industry because one organization doesn’t necessarily need to keep the same type of data as another. Fujitsu’s Holland notes that although the fundamentals of data storage are similar across industries and between sectors, a large difference exists in the regulatory compliance that is applied to these varied organizations.
For every organization, Kolbe recommends storing key financial, administrative, historical reporting, and marketing material. From there, the type of business or activity can provide additional guidance for data storage: education (teacher and administrative staff data, curriculum, student records, resource management, and scheduling systems), financial (full disaster recovery and business continuance required to maintain reliability, stability, and accreditations with relatively little downtime), health (patient management systems, medical records, credentialing and licensure data, and pharmacological systems as well as other data required to meet regulatory guidelines), publicly held companies (data required to meet federal, state, and local requirements), and privately held companies (data required to ensure viability and customer satisfaction).
Herberger adds that the following data categories should be targeted by most organizations for storage: contracts, insurance, employment/employees, general business/organization material, demand/lead/sales/marketing generation materials, research materials, regulatory and standards research, client/customer information, and business partner/vendor materials.
Examine Server Workloads
The strategy of storing everything can require a hefty storage architecture, but according to Brace Rennels, it’s the best strategy. Rennels, a certified business continuity professional at Double-Take Software (www.doubletake.com), says that data is no longer the most critical component of the server workload, because the operating system, applications, and configuration settings of the server have increased in importance.
Rennels believes that when it comes to preserving data, even though it can be a pain to go through files and determine your data’s value, it’s better to have it and not need it than to not have it when you do need it. He points to solutions that back up all changes to a server’s data and allow IT managers to sort through the data later, at the point of recovery.
For organizations that choose to store specific data, he recommends paying particular attention to the function of the server workload. For example, databases and associated log files are critical for Exchange and SQL servers, content management system backups will require the latest revisions of the file server documents, and Web server backups will need the Web database and associated HTML content and graphics.
Don’t Shrug It Off
Herberger warns that in his experience, most IT personnel don’t seem to think storage is their responsibility. As a result, they seek direction from legal counsel (whether internal or external) when looking for advice on what to store and how long to store it. However, that shouldn’t be the case, he says.
“The updates to the [U.S. Code of Federal Regulations] are explicit in defining certain roles and responsibilities and heavily suggest that internal corporate IT executives have direct responsibilities for understanding these laws and complying with them—with or without legal counsel,” Herberger says. “Moreover, many legal counselors are not IT-savvy enough to understand much of what needs to be done technically to comply with many of these retention laws. There are some simple readiness assessments which are widely available and can help you to quickly understand your individual organizational needs.”
by Christian Perry
Top Tip: Construct A Storage Policy
Data retention and archiving should never be taken lightly, especially when legal, customer, and industry requirements for data have a heavy bearing on an organization’s standing and success. A storage policy can help ensure those requirements are consistently fulfilled, and Carl Herberger, vice president of information security and compliance services at Evolve IP (www.evolveip.net), recommends the following simple steps for developing such a policy.
• Quickly assess the minimum requirements being defined by local, state, federal, and international laws that apply where the company is operating.
• Assess any incremental requirements above these legal requirements, including industry- and customer-driven minimums.
• Define a corporate data retention policy that not only details retention periods based on the requirements discovered in the previous two steps but also defines the following types of information: data record (Herberger notes that recent updates to U.S. Code Title 26 include metadata as part of an official record), exception processes to the policy, discussion of privileged or confidential documents, and discussion of indexing or labeling requirements.