STORAGE MANAGEMENT/MASTER:

Building an Affordable Practice for Regulation Compliance

Getting the most out of existing technology

Marc FarleyPresidentBuilding Storage, Inc.

The changing role of IT:

From data center

managers

To data stewards

The IT function will resemble a data library

Searching, archiving and retrieving data

Regulations are forcing the issue

Mandated data management

• Privacy, security

• Long-term availability

Regulation compliance adds new costs

Planning costs

• Legal interpretation, capabilities assessment,

solution designs, product evaluations

Technology costs

• Hardware and software, maintenance

Operating costs

• Day-to-day tasks, reports, audits, coordination

Hidden costs

• Obsolescence, failure, proprietary traps

Risk management

What is non-compliance?

• Missing data

• Slow retrieval

Corporate risks

• Fines

• Reputation

Personal risks

• Jail time (obstruction of justice)

• Exposure of incompetence

How to pass scrutiny

Act responsibly

Act reasonably

Act consistently

Keep records

Responsible management (Why didn’t you do this?)

Have a plan with good intentions

Integrate the plan into all deployments

Management commitment and

accountability

Managing down to IT line workers to

understand problems/opportunities

Reasonable management (2)(Why did you do it this way?)

Average to above-average efforts and staffing

Incremental change, not revolutionary change

Prioritizing areas needing improvement

Cost analysis and rationale

Consistent management (Why did you do it differently this time?)

Adherence to guiding principles

Maintaining and complying with

operations schedules

Making measurements (adding metrics

where needed)

Minimizing deviations

Document your decisions & work

Meeting notes and decision rationale

Management approval and sign-offs

Strategic initiatives and priorities

Operating plans and schedules

Operations records and logs

Known problems and severity

Getting started is a matter of willpower and words…

A mission statement for IT that includes

responsible and thorough data

management

Sponsorship from senior corporate

management

Adjust job descriptions to include

compliance and data management.

…Continuing is systematic work

Disciplined operations

Systematic documentation

Management oversight

Set reasonable expectations

Regulations are new and legal

interpretations are likely to change

Set numerous, smaller, incremental,

achievable goals

Focus area #1: Re-examining backup

Backup capabilities/conditions

Archiving role of backup

Alternative backups for archiving

Analyze backup capabilities

Analyze available backup logs

Review software releases/updates

Hardware age, errors and wear and tear

Backup metadata growth and pruning

Tape naming conventions

Archiving with your backup system

Review and adjust existing archiving

operations as necessary

• Monthly, quarterly, yearly?

• How are archives identified?

• Separate backup jobs or tape copies?

• How are restores done?

• How would regulatory restores differ?

Analyze archiving operations

Age and wear of tapes used for archiving • How are tapes selected for archiving?

Verify and document test restores from archives

Verify availability of backup metadata for restores.

Review data retention policies• How long are tapes kept?

• Is there an expiration policy?

Consider separate backup installations for archiving

• If you would consider a separate disk

archiving system…..

• Why wouldn’t you consider a second backup

installation that archives data?

Consider separate backup installations for archiving (2)

Most data exists in the system for 1 month

Most e-mail exists in the system for 1 quarter

Separate software installations may be a good idea

• Different metadata is probably a very good idea

• Different naming conventions are a good idea

• Yearly (new) re-installs may be a good idea

Additional backups can also be used for DR practice and real DR scenarios

Caveats with separate backup installations

May require different backup products

• Platform restrictions

• Application assumptions

Possible confusion during operations and

with tapes media management

• “Foreign” media could be overwritten by mistake

• Confusion during disaster recovery is not good

Focus area #2: Point-in-time snapshots on disk

PIT snapshot capabilities and coverage

Archiving role of snapshots

Purpose of point-in-time snapshots

Disaster recovery

Data versioning

Software/system testing

Backup processing

Archiving (WORM)

Snapshots for archiving

One time write (or copy)

Full snap, not partial

Secondary storage

• ATA or SATA disk drives

Can be powered off

• Keeps data from being overwritten

Quarterly operations

Final thoughts on meeting regulatory requirements

4 extra copy cycles per year

• Look for things that fall through the cracks

Integrate with other migration/expiration cycles

and policies

Redundant copies of all archives are required

• Tape copies should suffice

• Backup coverage not

Media/devices should be exercised yearly