How users address compliance, part 1

Hint: It’s often an afterthought

By Michele Hope

Given the amount of vendor hype surrounding compliance, you would think IT managers spend (or should spend) most of their time sorting out how best to comply with the latest spate of federal and state regulations, or how to prepare their data to be ready for the threat of looming lawsuits. Yet, a glimpse into the practices of IT managers tends to reveal a more balanced emphasis on compliance as just one piece (and often an adjunct one, at that) to many of the more-pressing storage issues they face, such as mounting storage costs, double-digit annual data growth, a quest for more efficient operations management, and their organization’s efforts to successfully back up and recover critical data according to predefined service levels.

That’s not to say such users ignore compliance issues. It’s more that the solutions they currently use for compliance are often deployed first for some other reason. The fact that they are now being used (or soon will be used) for compliance is seen by many as an added bonus to an already-proven technological investment.

E-mail archiving solutions

In several cases, managing the storage required for their company’s growing volume of e-mail became the impetus for initial change.

Compliance requirements were introduced later in the process. Deploying more-advanced backup-and-archival solutions for the job tended to introduce not just a way to shrink the number of costly e-mail production servers required, but also a way to usher such users into a more compliance-oriented IT framework.

According to an AIIM organization survey, legal staff is more likely to drive compliance-related investment and policy decisions in the US vs. executive staff in the UK. IT comes in third behind these two groups.

A case in point is Cedars-Sinai Medical Center (CSMC) in Los Angeles. According to Jim Brady, the medical center’s senior e-mail administrator and messaging architect, CSMC had begun to suffer the aftereffects of an early decision to provide Exchange users with ongoing access to old e-mail, regardless of its date or frequency of access.

It didn’t take long before message stores began growing at 100% per year. CSMC soon found itself needing to buy more and more costly Exchange servers, which were soon filled to maximum capacity.

Like many organizations facing the same problem, Brady first tried “going the PST route” for the group of power users whose mailboxes tended to use the most storage space. That proved too problematic, as troubleshooting users’ subsequent PST access issues was too time-consuming for IT.

Brady’s next move was to get the e-mail storage off the medical center’s Exchange servers by consolidating it into a Fibre Channel SAN. That move didn’t work out as planned, either. As Brady puts it, “We constantly had to upgrade the disks and swap them out. Plus, we were still reaching sizes that were way too large.”

Brady subsequently focused on how to reduce the size of Cedars-Sinai’s growing message stores prior to an upcoming migration to Microsoft Exchange Server 2003. This is when Brady began looking seriously at e-mail archiving vendors. He soon homed in on Symantec’s Enterprise Vault (marketed at the time by KVS), which quickly edged out competitors because of what Brady saw as its ease of use for those trying to locate previously archived messages and attachments.

CSMC now boasts an IBM-based 4Gbps Fibre Channel SAN infrastructure that supports Exchange, Oracle, and SQL Server. An IBM DS-4300, with both SCSI and SATA drives, houses the Symantec Enterprise Vault e-mail archive.

All e-mails older than three months are now archived automatically to Enterprise Vault. A small archive icon appears in the user’s mailbox, which makes it easy for him or her to access and view previously archived messages. Links to archived attachments also are easy for users to navigate. The number of Exchange servers has gone from 15 to 5, with as much as 75% of the total e-mail storage capacity soon to be handled by the Enterprise Vault archive.

US survey respondents are just as likely to retain data for two to three years as they are for eight years. More of their counterparts in the UK, however, tend to favor retention times from five to nine years.

Because Enterprise Vault’s core functionality also offers the ability to perform basic searches of the contents of archived e-mail, the system proved useful for a recent lawsuit and e-discovery request related to 20 mailboxes. “It just so happened all the mailboxes had been archived with Enterprise Vault, going back five years,” says Brady. “Even though we didn’t have some of Enterprise Vault’s more compliance-specific pieces set up yet, such as Compliance Accelerator or Exchange Journal Archiving, we were able to find a lot of the e-mails they were looking for doing just a Google-type search off-site from a Web interface.”

According to Brady, responding to potential litigation requests is a much more immediate risk to safeguard against than the oft-touted HIPAA legislation aimed at protecting patients’ personal data. “HIPAA doesn’t really have any teeth to it, especially in the area of compliance regarding electronic communications. The fine you’d get is $25,000 if you’re totally flagrant, and the worst you could get is $250,000,” says Brady. “It hasn’t been a motivating factor in this case. …There are very few regulatory things they can really do to a large organization that has things halfway in place.”

Brady says a more likely risk for the medical center (and a large portion of healthcare organizations) is the prospect of getting hit with a class-action or defamation lawsuit. For these scenarios, he believes Enterprise Vault addresses the medical center’s needs. CSMC has already begun to implement several of Enterprise Vault’s more compliance-centric options, including acquiring licenses for 1,000 PST Migrator options, and a handful of licenses for options such as Exchange Journal Archiving, Compliance Accelerator, and Discovery Accelerator. Brady’s goal with these newer Enterprise Vault options is to start involving members of the medical center’s human resources and legal teams to “test the waters” for discovery, internal or external compliance auditing, and the development of future retention policies.

Brady consults closely with corporate compliance personnel, the medical center’s legal counsel, and the chief security officer. Yet, despite the medical center’s forward-thinking approach to archiving and electronic communications, he’s first to admit the process of developing e-mail retention policies around compliance is still very much in the infancy stage. “We’re still at the stage where we’re trying to define how long we want to keep e-mails and the kind of mechanisms we want to use to go back and do discovery,” he says.

In the January issue of InfoStor, a UK-based law firm, a major US airline, and a Belgian hospital discuss how compliance is just a bonus to already-proven technological investments in corporate governance policies, internal and external audits, and upcoming regulations.

Michele Hope is a freelance writer covering enterprise storage and networking. She can be reached at mhope@thestoragewriter.com.

This article was originally published on December 01, 2006