How users address compliance, part 2

By Michele Hope

IT managers presently view compliance as just one piece of the storage puzzle they face, which includes mounting storage costs, double-digit annual data growth, a quest for more-efficient operations management, and their organization’s efforts to successfully back up and recover critical data according to pre-defined service levels. It’s just that the solutions they currently use for compliance are often deployed first for some other reason (see Part 1,, InfoStor, December 2006, p. 1).

An organization that knows all too well the impact that e-mail communications can have on a case is Stevensdrake, a law firm based in Crawley, England. The firm spends much of its time performing debt collection and recovery for large credit card and motor finance company clients.

It is that type of work that drives much of the firm’s current compliance needs, claims Gavin Pickering, one of the firm’s partners. Some would even equate much of what Pickering terms “compliance” for Stevensdrake under a broader category of “corporate governance.” Pickering says, “Our compliance issues are both internal and external, but relate more to a risk point of view than a specific regulation. E-mail was a big driver for this. We need to keep a record of all our e-mails to protect ourselves from either claims against clients or claims among our employees. We also have to back up all of our documents and servers. For some of our big debt recovery clients, we need to demonstrate that we can recover.”

In fact, Pickering sees a trend where more and more clients will require their prospective legal providers to prove they won’t lose service or access to records for any length of time if a disaster impacts their main offices.

Archiving is gaining importance for achieving both regulatory compliance and better corporate governance.
Click here to enlarge image

Pickering found his compliance solution by first solving another headache that faced the firm: E-mail storage and archiving for the firm’s employees had become increasingly unmanageable with an older Novell GroupWise application.

As he contemplated a move to Microsoft Exchange, Pickering and his team evaluated a few suppliers that might have been able to offer an alternative to the firm’s e-mail backup/archive dilemma. The law firm’s prior IT supplier introduced them to CommVault’s Galaxy and QiNetix software platform. After seeing how easily the application could help them store and recover both e-mail messages and attachments, Pickering decided to move forward with implementation.

The CommVault QiNetix suite is now set up to perform incremental backups of the firm’s data to a disk library each night, as well as an auxiliary copy to tape the next day which is then stored off-site. On the weekend, the firm also performs one full backup, which is also sent first to disk, before being copied to tape. Policies are set up to keep two weeks’ worth of backup data on disk, with another two weeks of backup data on tape.

Currently, the CommVault system is used to retain about 2GB of e-mail and 53GB of migrated e-mail attachments. Regardless of whether the backup data resides on disk or tape, Pickering and his team have grown to appreciate how easy it is to restore any e-mail or document through the system. “The system looks back over the library and gets you the file exactly as you want,” he says.

According to Brian Brockaway, senior director of product management at CommVault, what Pickering is referring to is the indexing functionality built into the solution that automatically tracks backup data as it ages, including its current storage location.

“If you do a search and the data is no longer on disk, it automatically looks into the tape, finds the data or e-mails, and pulls them back online again,” Brockaway explains. This doesn’t require data to first be restored from tape before it can be accessed.

“E-mail recovery is amazingly quick and easy-as easy as going back over your old in-box from a year ago,” says Pickering.

Backing into SOX compliance

Randy Eck is another end user who deployed a storage management software tool for one purpose before realizing how well it could also be adapted for use in compliance. A senior systems engineer performing storage management duties under contract to a major US airline, Eck is accustomed to managing and backing up about 65TB of mainframe z/OS data, along with approximately 4TB per day of open systems data derived largely from the airline’s database applications.

More than 40% of the respondents to a BPM Forum survey of CEOs claim it would take several days to several weeks to retrieve e-mail related to a particular transaction.
Click here to enlarge image

Using Symantec’s NetBackup to run a variety of incremental backup jobs at various times of the day and week, Eck found himself looking for more than what NetBackup offered when it came to assessing the overall health of his backup environment. He decided to try Tek-Tools’ BackupProfiler for NetBackup after seeing a demo of its centralized dashboard and real-time backup job success and failure reporting.

“We could take a quick look at the dashboard and determine how well our backups performed overnight, and whether we needed to look at any issues immediately,” says Eck. However, when talk turned to how best to comply with some of Sarbanes-Oxley’s backup-related requirements, Eck was first to admit that his team pretty much stumbled on the prospect of using Tek-Tools’ BackupProfiler to address some of the airline’s SOX compliance needs.

Among the SOX backup requirements they had to prove was that the airline performed adequate daily backups of servers running financial applications, or those storing financial system data. They also had to prove the airline was maintaining adequate off-site storage for this financial data and that any source code associated with financial applications had been adequately protected.

Internal and external audits are conducted regularly at the airline, a factor that began to eat into the time of a storage team engineer who had to sit with the auditor and manipulate a handful of utilities and NetBackup commands to show the successful backup of certain data sets on randomly selected days.

In an effort to free IT time on this task and automate the audit process, Eck starting thinking of ways to use BackupProfiler’s historical database of backup information and built-in reporting functionality to satisfy SOX audit requests. “I determined we could just run a report at the start of the month that shows the previous month’s [backup job] history. Then we put it in the central repository where all the SOX-compliant documents need to go,” Eck explains. “Now, auditors can go straight into that directory and look at the specific report they need. By automating the reporting, it took us out of the loop for the time needed to sit down with the auditor.”

The various applications and management teams just let Eck know up-front when a server is associated with a SOX-targeted financial application or financial data. From there, he and his team maintain a monthly report for each application, with backup information related to the various file systems or database servers associated with it.

Eck’s advice for others facing these types of issues: “Identify what it is that you need to comply with and how you need to report that. Then, if possible, find a way to automate it. Find a tool that can help you report on those issues in a proven, repeatable manner.”

Archiving platform addresses regulation

Another healthcare environment currently girding itself for the impact of current and future compliance legislation is the University Hospitals Leuven, one of Belgium’s largest hospitals with a strong heritage in medical research.

Reinoud Reynders, IT manager for infrastructure and operations, the hospital had decided early on that its “internal compliance” policy would involve keeping virtually every piece of data forever, so that as much data as possible could be made available for medical research. “We now have electronic patient records going back more than 20 years,” says Reynders, a policy that has helped the hospital keep up with the mounting regulations Belgium has begun to impose on healthcare organizations with regard to retention of patient data.

Much of this type of data is now required to be kept for more than 30 years. Legislation regarding retention of digital X-ray images within a PACS system is also sure to follow soon, says Reynders.

But Reynders is confident that his current storage and archiving infrastructure will allow him to handle any new compliance requirements. A long-time Network Appliance customer, the hospital already had a few NetApp FAS clustered storage systems in use to support its primary application databases such as SQL Server and Sybase, where Reynders boosts performance by storing data and database logs on separate NetApp systems to accommodate the high transaction rates required by 1,500 simultaneous users.

When the hospital began its digital X-ray imaging PACS project four years ago, it decided from the start to both store and archive initial PACS images online, directly on ATA disk systems-specifically, NetApp’s NearStore R200 and R50 storage systems, which store 50TB of digital cardiology and radiology images (which grow by about 15TB each year).

In terms of compliance, Reynders readily admits: “There’s no regulation on PACS currently in Belgium, but we know this will come. But with our NetApp systems, we are ready.” Reynders also sees NetApp’s optional WORM functionality (available via NetApp’s SnapLock software option) being useful in the future for compliance restrictions related to e-mail. A Symantec Enterprise Vault customer, the hospital archives e-mail for nearly 6,000 Microsoft Exchange mailboxes onto the NetApp NearStore platform. Primary Exchange mailbox stores, which amount to almost 200GB, are housed on a NetApp FAS 3050 cluster. Reynders estimates the Enterprise Vault archive will likely grow to approximately 1TB by year-end.

This type of platform mix suits Reynders for a couple of reasons. “All of our users will have an unlimited mailbox, and I have an Exchange Server I can restore very fast,” he explains. “Secondly, when I want to initiate journaling and WORM functionality on my archive, I can do it very easily.”

Michele Hope is a freelance writer covering enterprise storage and networking. She can be reached at mhope@thestoragewriter.com.

This article was originally published on January 01, 2007