Compliance advice: Keep it simple

By Dave Simpson

The vendor hype surrounding regulatory compliance is reaching a feverish pitch this year, but some vendors and consultants are advising users not to over-react.

“There’s a hysteria around compliance that may be more vendor-driven than reality-driven,” says Buzz Walker, vice president of marketing and business development at Arkivio. “It’s a lot like the Y2K issue. There are too many Chicken Littles running around saying ‘The sky is falling.’”

Walker argues that compliance basically boils down to good corporate governance but that, unfortunately, companies have become much too lax in their corporate governance policies.

Of course, in addition to sound corporate governance you’ll need the appropriate hardware and software. For some regulations, technologies such as write-once, read-many (WORM) disks or tape may be advantageous, although not required. (For more information on WORM tape options, see “Tape market WORMs its way to new growth,” InfoStor, April 2005, p. 1.)


WORM functionality is available via optical libraries/drives (vendor example: Plasmon’s UDO); tape (e.g., IBM, StorageTek, Sony, and manufacturers/resellers of LTO-3 tape drives/libraries/media); and specialized disk arrays and software (e.g., EMC’s Centera Compliance Edition and Network Appliance’s NearStore with SnapLock software).

However, despite the newfound interest in technologies such as WORM, most regulations do not dictate the use of specific hardware or media.

“All of the regulations stipulate levels of data protection and ways of ensuring authenticity,” says Jim Damoulakis, CTO at consulting firm GlassHouse Technologies, “but most of the regulations don’t dictate specific technologies such as WORM.”

Software is key

Compliance does require data management tools, which are available from a wide range of vendors. (More than 60 vendors offer software tools that address compliance in some way.) Typically, this software performs functions such as scanning data, files, and file systems to see who “owns” files, when they were created, and when they were last accessed, modified, etc., and then determining where data should be stored, for how long, and when it should be deleted.

Arkivio, for example, has a number of compliance-related functions in its auto-stor data management software suite, including tools for data organization/classification, automated data movement, and data deletion.

In addition to those types of functions, GlassHouse’s Damoulakis notes that you’ll also need tools for data retrieval and accessibility.

However, before you rush out to buy compliance-specific software, check your existing inventory, because you may already have the requisite tools. A survey by the Aberdeen Group research and consulting firm showed that approximately two-thirds of the respondents planned to address compliance with software they already have.

Based on his company’s compliance-related IT consulting engagements, Damoulakis says that the number-one application that users are deploying for compliance today is e-mail archiving, followed in some cases by document management and records management software. (E-mail management/archiving is sometimes included in the records management software category.)

Damoulakis’ view is from a storage applications perspective. If you look at the larger IT picture, users are focused primarily on security-related products in addition to document/records management software. For example, according to an AMR Research (www.amrresearch.com) survey of IT professionals earlier this year, security (26% of respondents) and document/records management (25% of respondents) top the list of technologies that companies plan to purchase to meet the requirements of the Sarbanes-Oxley (SOX) regulation.

Damoulakis points out that compliance should focus largely on business process (specifically, defining, documenting, and improving processes), and that’s borne out by AMR’s research: Business process management ranked third (17% of respondents) on users’ priority list for technologies to meet SOX requirements.

Arkivio’s Walker notes that compliance-related software tools may include storage resource management (SRM), but that many SRM tools are still “passive” rather than “active” (e.g., the software can report on data and storage resource usage but cannot act on it, such as moving certain data to a secure repository). Walker says compliance will eventually meld SRM, hierarchical storage management (HSM), and information life-cycle management (ILM).

However, compliance need not be complex. “From a storage perspective, all the regulations really say is that you have to retain data for a certain period of time and not change it,” says Walker.
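The two storage-side requirements this article keeps returning to are the data management functions described under “Software is key” (scan files and file systems for owner, creation, access and modification times, then decide where data lives, how long it is kept and when it is deleted) and Walker’s summary above (retain data for a set period and do not change it). The following Python script is an added example, not code from the article or from any vendor it mentions, that does both on a small constructed file tree: it records owner and timestamps, assigns each file to a retention class, marks files past their period for review rather than deleting them, and keeps a SHA-256 fingerprint so that a later pass can show whether a retained record was altered. The retention classes, the path-based classification rules and the sample files are assumptions made for the example; a real schedule comes from the organization’s records policy, not from code.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional

# Retention classes and periods are constructed for this example; a real policy
# would come from the organization's records schedule, not from code.
RETENTION_DAYS: Dict[str, int] = {
    "financial-record": 7 * 365,
    "email-archive": 3 * 365,
    "scratch": 30,
}

def classify(rel_path: Path) -> str:
    """Map a path (relative to the scan root) to a retention class. Rules are constructed."""
    parts = {p.lower() for p in rel_path.parts}
    if "finance" in parts:
        return "financial-record"
    if rel_path.suffix.lower() in {".eml", ".msg"}:
        return "email-archive"
    return "scratch"

def fingerprint(path: Path) -> str:
    """SHA-256 of the file contents, recorded so later changes to a retained record are visible."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class Record:
    path: str            # relative to the scan root
    owner_uid: int       # numeric owner from stat(); map to a user name separately if needed
    retention_class: str
    modified: datetime
    accessed: datetime
    sha256: str
    action: str          # "retain" or "review-for-deletion"; nothing is deleted automatically

def scan(root: Path, now: Optional[datetime] = None) -> List[Record]:
    """Walk the tree, collect ownership/time metadata, classify each file, decide an action."""
    now = now or datetime.now(timezone.utc)
    records: List[Record] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(root)
        cls = classify(rel)
        mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
        atime = datetime.fromtimestamp(st.st_atime, timezone.utc)
        expired = now - mtime > timedelta(days=RETENTION_DAYS[cls])
        records.append(Record(
            path=rel.as_posix(), owner_uid=st.st_uid, retention_class=cls,
            modified=mtime, accessed=atime, sha256=fingerprint(p),
            action="review-for-deletion" if expired else "retain",
        ))
    return records

def verify_unchanged(root: Path, baseline: Dict[str, str]) -> List[str]:
    """Return paths whose content no longer matches the recorded fingerprint, or that are missing."""
    drift = []
    for rel, expected in sorted(baseline.items()):
        p = root / rel
        if not p.is_file() or fingerprint(p) != expected:
            drift.append(rel)
    return drift

def build_demo_tree() -> Path:
    """Create a small sample tree with backdated timestamps (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="retention-demo-"))
    samples = {  # relative path -> age in days
        "finance/ledger-2004.csv": 200,
        "mail/q1-board.eml": 4 * 365,
        "tmp/build.log": 45,
        "tmp/notes.txt": 3,
    }
    for rel, days_old in samples.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(f"constructed sample content for {rel}\n".encode())
        ts = time.time() - days_old * 86400
        os.utime(f, (ts, ts))  # backdate both atime and mtime
    return root

def demo():
    """Scan the sample tree, then show that a later edit to a retained record is detected."""
    root = build_demo_tree()
    records = scan(root)
    baseline = {r.path: r.sha256 for r in records}
    (root / "finance/ledger-2004.csv").write_bytes(b"altered after classification\n")
    return records, verify_unchanged(root, baseline)

if __name__ == "__main__":
    recs, changed = demo()
    for r in recs:
        print(f"{r.path:26} {r.retention_class:17} modified={r.modified:%Y-%m-%d} {r.action}")
    print("changed since baseline:", changed)
```

Two design choices matter here. The scan only ever proposes “review-for-deletion”; the deletion itself stays a separate, logged, human-approved step, which is also the kind of evidence an auditor asks for. And the fingerprint is taken at classification time, so a second run of `verify_unchanged` against the stored baseline turns Walker’s “not change it” requirement into something you can demonstrate rather than assert.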

To meet compliance requirements, Walker advises users to first dust off their corporate governance policies as they relate to data retention and then evaluate tools that can automate and police that process against their specific compliance requirements.

(For a look at how your colleagues are addressing regulatory compliance and what tools they’re using, see “How users are addressing regulatory compliance,” InfoStor Special Report, February 2005, which provides case studies of small, medium, and large IT organizations.)

In the end, it may be more important to be able to show regulators and auditors that you are trying to comply than to prove that you are compliant. “It’s important to show that you’ve considered the regulations and can demonstrate activities that show you’re attempting to comply, particularly with Sarbanes-Oxley’s Section 404,” says GlassHouse’s Damoulakis. “That means having written policies and processes and evidence: reports, logs, etc. Regulators and auditors will be more forgiving if you can show that you’re working within the spirit of the law.”

NTP Software adds compliance software

Known primarily as a vendor of user-focused, policy-based storage management software, NTP Software last month began shipments of its QFS Compliance Vision software, which provides compliance-related data classification, monitoring, and control functions.

Compliance Vision is available as a stand-alone product or can be integrated with NTP’s flagship Quota & File Sentinel (QFS) and Storage Investigator software. NTP demonstrated Compliance Vision at last month’s Storage Networking World conference.

The compliance software can be used to meet the requirements of all regulations (e.g., Sarbanes-Oxley, HIPAA, and SEC 17a-4), according to Dave Crocker, NTP’s president. The software includes a Risk Assessment monitor that can be used for monitoring compliance requirements and risk exposure.

Compliance Vision includes the following feature sets:

  • Overview: Provides “at-a-glance” reports regarding security, compliance “concern” issues, changes, a risk index, exception audit, and space audit.
  • General Audit: Displays access configuration and reports for group classes.
  • Operational Audit: Shows configuration and access reports by server, last report date, risk indexes by server, exceptions by server, total disk space, managed space, total groups, and managed groups.
  • Detailed Investigation: Provides the ability for users to drill down into the environment to see what permissions are set, file details, and change history reports by zone, group, or user.
  • System Status: Provides problem reports for servers.

For compliance-related functions such as data movement/migration/deletion, administrators can use NTP’s QFS and Storage Investigator software in conjunction with Compliance Vision.

This article was originally published on May 01, 2005