storage search
"leading the way to the new storage frontier"

The Impact of Compliance and Risk Management on Archival Storage Strategies

Steve Tongish, Director of Marketing EMEA, Plasmon - November 10, 2005
Editor's introduction

It's difficult enough protecting and archiving your data so that it's available to the right people at the right time (and cost). But now that's only part of the problem. With so many new rules and regulations which prescribe how you should destroy data records at the appropriate time - how do you guarantee that they stay deleted?

Archiving data on the wrong kind of media could mean you run the risk of breaking the law. Advances in the data recovery industry and the future cohabitation of storage search-engines both mean that Compliance Officers have to pay much more attention to the ways in which data is dispersed and disposed of in different types of media. This article summarizes the strengths and weaknesses of currently available market technologies.

The business requirements for record archives have evolved over the last few years. Major financial scandals and a number of recent incidents involving large-scale data loss have turned the spotlight on the management of digital archives. An increased awareness of the value and liability of archive records has resulted in both industry regulation and internal operational risk management.
Today, organisations of all sizes and across all industries are subject to a wide range of local and international government and industry regulations. The most well known regulations seek to control financial records, legal information, health and safety data and access to personal or public records. In some cases these regulations can be very detailed, spelling out key criteria and procedures that must be met to ensure compliance.

Typical Regulation Criteria
  • Record types to be retained (data classes)
  • The retention period for each data class
  • Best practice and storage technology for legal authenticity
  • The final disposition or destruction of expired records
If there were a single set of unified regulations, compliance might not be very difficult. Unfortunately, this isn't the case. Regulations within a country often conflict with each other, and for those businesses operating internationally, foreign regulations add an entirely new dimension to the problem.

This complexity has forced many larger organisations to create the role of Compliance Officer or Risk Management Specialist. The task for this person is to assess the burden of external regulation against the organisation's own internal risk management priorities and to set guidelines that satisfy both. This is no small task and is not without its own risk. As a result, internal policies on archival storage are often set to exceed the parameters defined by the regulations, while at the same time there is a strong desire to destroy records when legally permitted, in order to reduce corporate exposure.
Balancing these demands means that the management of archive records is becoming more complex, requiring different service levels to meet record retention and disposition requirements while minimising legal liability. This creates a whole host of new IT challenges. If they are not already, the IT team must become part of the business process. Gone are the days when IT existed in isolation from the rest of the organisation. IT administration must understand business priorities as well as any other group within the organisation if they have any hope of addressing these important issues.

The requirement for tighter integration of archive policies within an IT infrastructure is creating a demand for more flexible strategies that can accommodate the new regulatory and risk management burden. This need for flexibility is particularly important in the choice of physical storage media since it will, in large part, determine the success of implemented policies. This can be illustrated by examining two common archive objectives that are tightly linked to storage media attributes: record authenticity and record disposition (destruction).

Record Authenticity

For many archived document types it is essential to establish and maintain a very high standard for record authenticity. This is the case for any record subject to legal scrutiny including financial, medical and corporate communications (including emails). This is so important that some regulations specifically call for the use of WORM (Write Once Read Many) storage technology as one means of establishing a clear audit trail to ensure that records have not been altered.

In recent years, storage vendors have developed specialised magnetic disk-based RAID archive products sometimes referred to as CAS (Content Addressable Storage) solutions. Most of these products have implemented Write Once functionality through a mix of software and/or firmware that emulates Write Once capabilities on rewritable magnetic media. CAS solutions are available from EMC, HP, IBM, NetApp and Sun, to name just a few.

Tape vendors have also responded to the demand for record authenticity by developing tape-based WORM emulation products that use firmware and physical tabs on the tape cartridge to prevent data from being overwritten. Vendors such as Sun (StorageTek) and IBM offer high-end WORM tape, in addition to more mainstream AIT, LTO and DLT WORM products.

Plasmon's UDO (Ultra Density Optical) professional optical product offers "True" Write Once technology implemented at the physical media level. The recording surface of True Write Once UDO media allows files to be written, but the media itself cannot be physically erased or modified. This technology is significantly different from magnetic disk and tape emulation since the Write Once properties of UDO are inherent to the recording surface of the media and are not a function of software or firmware controls.

Disk or tape WORM emulation may be acceptable depending on the authenticity requirements of the organisation, but only optical media provides unquestioned physical authenticity and is named explicitly as a preferred archive medium by some regulations. The selection of the storage media can play a critical role in establishing the admissibility of digital records in a court of law.
About the author:-

Steve Tongish has more than 20 years of storage industry experience with a particular focus on the management and archival storage of business information. Having worked for both software and hardware storage vendors, he has a broad perspective on the storage requirements of customers across many industries.

Steve is the Director of Marketing (EMEA) for Plasmon and is based in Cambridge, UK.

Steve is a US citizen, has a civil engineering degree from The University of Colorado and has been living and working in Europe since 1995.

Record Disposition

The issue of digital record disposition is emerging as a major consideration for many archives. Exactly how and when data can be destroyed is governed by some regulations and is at the heart of operational risk management. An archive strategy must find a way to balance regulatory requirements to retain records and a corporate desire to destroy them for both practical and liability motives. Here too, the choice of storage media plays a key role.

Some regulations define retention periods that allow data to be deleted after expiration and some go further by actually mandating record destruction and specifying the nature of destruction. Detailed destruction specifications are most common with documents related to security or personal information and typically call for the physical obliteration of the data. In these cases, deleting pointers to files or deleting keys to encrypted files is not sufficient. The records must no longer be physically present on the storage media.

If archiving on a typical RAID system, a simple delete operation does not remove the data from the disk. The only way to physically destroy records is by repeatedly overwriting the targeted sectors with a patterned sequence to ensure no residual trace of the document remains on the media. Depending on the source of the recommendation, targeted sectors should be overwritten between 3 and 35 times. The US Department of Defense has an often-quoted specification for data shredding on magnetic disk media (DoD 5220.22-M). This type of operation is not a standard file system feature but has been implemented in some of the specialised CAS products in the context of a record retention policy.
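
An added example, not from the original article or from any vendor's product: a minimal multi-pass overwrite of one file with read-back verification, the operation the paragraph above distinguishes from a simple delete. The pass patterns, function names and the sample record are assumptions made for illustration; the article gives only the range of 3 to 35 passes.

```python
import os
import tempfile

# Illustrative pass sequence (an assumption): two fixed patterns, then random data.
# The article quotes a range of 3 to 35 passes but does not list the patterns.
DEFAULT_PASSES = (b"\x00", b"\xff", None)  # None means random bytes

def overwrite_in_place(path, passes=DEFAULT_PASSES, chunk=64 * 1024):
    """Overwrite every byte of `path` once per pass; return passes completed."""
    size = os.path.getsize(path)
    completed = 0
    with open(path, "r+b") as f:  # r+b rewrites existing blocks without truncating
        for pattern in passes:
            f.seek(0)
            for off in range(0, size, chunk):
                n = min(chunk, size - off)
                f.write(os.urandom(n) if pattern is None else pattern * n)
            f.flush()
            os.fsync(f.fileno())  # push this pass past the OS cache
            if pattern is not None:  # fixed patterns can be read back and checked
                f.seek(0)
                for off in range(0, size, chunk):
                    n = min(chunk, size - off)
                    if f.read(n) != pattern * n:
                        raise IOError(f"verify failed at offset {off}")
            completed += 1
    return completed

def shred(path, passes=DEFAULT_PASSES):
    """Overwrite first, then remove the directory entry (the 'simple delete')."""
    done = overwrite_in_place(path, passes)
    os.remove(path)
    return done

def demo():
    """Run against a constructed record in a temp file; return observations."""
    secret = b"CONSTRUCTED-RECORD account=0000 expired=2005-11-10\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    passes = overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()  # inspect the file after overwrite, before unlink
    shred(path, passes=(b"\x00",))
    return {"passes": passes, "size_kept": len(after) == len(secret),
            "residue": b"CONSTRUCTED-RECORD" in after,
            "exists": os.path.exists(path)}
```

The overwrite acts on the file's logical blocks only. On journaling or copy-on-write file systems, snapshots, RAID spares and wear-levelled flash, earlier copies of the data can survive elsewhere on the media, and a file-level overwrite will not reach them.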

The destruction of records in an archive using magnetic tape is particularly difficult. The sequential data format used in writing files combined with the physical wear and tear on the media makes individual file destruction impossible. While full tapes can be erased and re-used, discrete records cannot be physically destroyed without totally rewriting the media. For similar reasons, consumer CD and DVD optical formats suffer from the same limitations as magnetic tape. In both cases, references to archived data can be deleted, but the actual records remain on the media. If assured data destruction is a key archive requirement, the use of magnetic tape, CD or DVD could be extremely impractical.

By contrast, UDO offers a Compliant Write Once media format designed specifically for data disposition requirements. Compliant Write Once UDO operates like standard WORM media, but has the ability to physically destroy targeted files through the use of a special "shred" operation. This is a one-pass function that provides full verification and unlike the erase pass on magnetic disks, the shred procedure on UDO media leaves no residual traces of previously written files. Compliant Write Once UDO media enables record level retention management with an extremely high standard for physical record destruction.
Archive Attribute Summary

Record authenticity and disposition are just two of many possible storage attributes to be considered when designing an archive. Others include access performance, capacity, media longevity and Total Cost of Ownership. The priority of these attributes will vary between organisations and among record types within the same archive. Given these diverse demands, it is vital to have an operational understanding of external regulations, internal risk management and the physical storage technology. The rapidly evolving nature of today's record archives demands products and strategies that enable the greatest possible flexibility.

Archival Storage Attributes

True Write Once Media        No         No       Yes    Yes
Data Destruction             Yes        No       No     Yes
Removable Media              No         Yes      Yes    Yes
Professional Quality         Yes        Yes      No     Yes
Media Longevity              Low        Medium   High   High
Media Capacity               Med/High   High     Low    Medium
Seek / Access Performance    High       Low      Low    Medium
Total Cost of Ownership      High       Low      Low    Low
STORAGEsearch is published by ACSL