IT professionals deal with dozens of regulatory and business-compliance requirements
that affect storage management, yet often their companies choose storage solutions
with little or no consideration for how those solutions can help meet compliance
requirements. I've chosen three common regulatory-compliance areas—the
Health Insurance Portability and Accountability Act (HIPAA), Securities and
Exchange Commission (SEC) Rule 17a-4, and the Sarbanes-Oxley (SOX) Act—to
illustrate the different compliance needs that can affect storage management.
In future articles in this series, we'll delve into specific storage solutions
to meet compliance needs.
The Storage Perspective
With all the compliance and regulatory issues that corporate enterprises deal
with, the concerns of a storage administrator don't usually get the attention
they deserve. This is because senior management considers IT from a vertical
perspective. That is, management looks at IT as a discrete set of issues, where
each problem and its solutions get stuck in a box, and that collection of boxes
is the IT department's responsibility to handle without affecting the business
workflow or user experience. This prevalent attitude among senior management
has its own pitfalls, especially in the area of network storage.
What corporate management needs to accept and corporate IT needs to learn is
that certain technologies such as network security and storage management cut
horizontally across the enterprise. No one would argue that network security
isn't important to consider across the enterprise, but the reality is that in
most cases it's still treated more as a vertical responsibility: One
group is responsible for perimeter security, another group is responsible for
application security, and yet a third group is responsible for data security.
Worse yet, each of those groups might be divided into smaller areas of responsibility,
resulting in minimal coordination or cooperation between those responsible for
maintaining security at the hands-on level.
This lack of coordination is especially prevalent in storage management. Everyone,
from entire departments down to individual users, tends to consider the storage
to which they have access as theirs. This attitude simply exacerbates the problems
that IT encounters when trying to implement a comprehensive storage management
strategy. Yet despite those problems, you need a strategy to address the regulatory-compliance
requirements regarding data storage. You need to analyze your storage requirements
in a horizontal fashion, given how storage underlies almost every corporate
computing activity. Doing so will help you develop a strong storage model that
can help your company meet compliance needs without sacrificing usability and
accessibility.
Regulatory Standards and Storage
Consider the variety of commonplace regulatory standards, ranging from the privacy
requirements of HIPAA, to the progressive archival requirements of SEC Rule
17a-4, to the compliance requirements of SOX. All impose specific explicit
or implied responsibilities on corporate storage. What companies rarely consider
is that the business's regulatory environment should determine the selection
of storage and a storage management strategy. Rather than trying to make an
existing storage solution solve problems for which it wasn't designed, it's
far more practical to factor in compliance issues when you're making decisions
about new or expanded storage environments.
Using our three regulatory examples (HIPAA, Rule
17a-4, and SOX), let's look at the most common of storage
concerns—backup and recovery. In all three compliance
areas, it's essential to have reliable backups and the ability to
recover accidentally deleted information, but the priorities
and specific details of this requirement differ with each set
of regulations.
HIPAA and Storage
With the case of HIPAA, it's obviously important not to lose patient information,
but the key to the regulatory coverage is protecting the privacy of that information.
This means that you need to maintain careful control over who can actually read
the data through the backup and restore process, not to mention who can request
that IT provide data restoration. Not all data protection schemes will provide
for this level of data-access security, yet in a HIPAA-mandated environment,
data-access security should be one of the primary considerations in the implementation
of any data protection, backup, and recovery solution.
You'll need to translate the various HIPAA requirements for administrative,
physical, and technical safeguards to actions related to storage, ranging from
what type of written policies and procedures you keep regarding the use of network
storage to the possibilities of hardware-based data encryption done at the storage-server
level. HIPAA requirements affect storage policies throughout the equipment life-cycle,
from the point of introduction to the network to how equipment must be disposed
of, with the goal of protecting the privacy of the potential data stored on
that hardware.
In regard to storage management, a business's primary concern under HIPAA is protecting stored data from unauthorized access.
Everything else is secondary, because if the
primary requirement is abrogated, the potential exists for serious legal action against the
business. This mandate for protection of stored
data places the added burden on administrators of making sure to clean up the tracks a
file leaves within the computing environment. Temporary files, copies of files on client
computers, retired backup tapes, or any other
location where data might once have resided
must be sanitized. That is, not only must you
delete all files, but information such as all references to files, all random pieces of data on
disk, and ACLs. Although data protection from
unauthorized access is always on the mind of
the storage administrator, HIPAA's regulatory
requirements complicate storage practices
immensely. Even a file deletion is no longer
simple, and storage policies and procedures
must reflect this reality.
Simply put, HIPAA requirements change the standard corporate storage management
mindset and affect all network-attached computing activities. Given the nature
of the modern medical environment, this means that storage management policies
and practices apply horizontally across a broad variety of vertical applications.
Previous
