Data Protection Mandates

By Henry Baltazar  |  Posted 2003-10-20

IT managers are retooling their data protection infrastructure—whether they want to or not.

For many years, IT managers have leaned on tape backups as the cornerstone of their disaster recovery and data protection infrastructure. Tape won't be going away any time soon, but changing business environments and the need to come into compliance with a variety of new regulations are forcing IT managers to rethink their strategies for data protection.

So what's wrong with tape?

Although tape is a reliable and portable media format, it does not meet all the current needs of customers.

The biggest problem with tape backups is that data is vulnerable between backups. For example, if your last backup was at midnight and your storage system dies in the afternoon, any data created during the several hours between the last backup and the hardware failure is lost.

Furthermore, tape restores (in the case of a full recovery) could take several hours—far more downtime than many companies can tolerate.

A number of continuous backup products emerged during the past year that help eliminate the data risk window of tape backups. These solutions typically mirror transactions to a local repository to provide a quick way to restore servers in the event of data corruption.

While continuous backup does complement tape by eliminating the risk window, it is typically a local solution and is not designed to transfer data over long distances. But that's exactly what many companies must now do with the recommendation or requirement for off-site data repositories.

For example, in a September 2002 white paper called "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," the Securities and Exchange Commission, the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System recommend that financial services companies have between 200 and 300 miles between primary and backup sites.

A number of financial institutions balked at this because they had already invested a great deal of money in setting up their backup sites, which typically were located much closer than the recommended minimum of 200 miles.

Furthermore, from a technology standpoint, it was virtually impossible to set up data centers that far away because synchronous-mode data replication (the highest, most resilient form of data replication, required to protect transaction-sensitive applications) does not function well beyond distances of 10 to 20 miles.

As a result, the guidelines were never turned into regulations, but it has become understood that companies should, at a minimum, have some sort of backup site with the ability to replicate data between those sites.

Several new replication systems that leverage the WAN have become available, allowing companies to overcome at least some of the distance hurdles.

The changing business and security climate has made WORM-based storage more compelling for many organizations. Regulations from the SEC, specifically SEC Rule 240.17a-4(f), and the Health Insurance Portability and Accountability Act have a number of rules regarding document retention and preservation. WORM storage systems help IT managers address many of these, including guidelines for e-mail, financial records and patient information.

Even if your company is not required to meet any of the guidelines mentioned here, it's a good idea to audit your technology systems and data retention practices to see how they would measure up. New regulatory deadlines loom all the time—with the first Sarbanes-Oxley Act deadline just around the corner—and you never know when these or other guidelines will affect your industry.

Data Safety Push

Business practices and regulations have evolved in such a way that it is now necessary not only to have geographically dispersed copies of data but also to have nonrewritable and nonerasable media to protect it. Here are examples of regulations that suggest or require better data retention and protection.

Where does WORM fit in?

  • The SEC's Rule 240.17a-4(f) calls for organizations to store business documents for no less than three years while keeping data in an accessible place for two years.

  • HIPAA has a number of guidelines for document retention and security. Although WORM is not specifically named, it is very often the best choice for preserving the integrity of data for several years.

Why data replication over WANs?

  • The "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System" suggests, but does not require, that organizations have a 200- to 300-mile separation between primary sites and backup sites.

  • HIPAA calls for IT managers to make sure that, in the event of a disaster, data is protected and that the backup site can become operational in a short amount of time.

Replication Choices

A wide variety of data replication technologies are available to suit the needs and budgets of many organizations.

  • Array-based solutions are rock-solid and well-trusted, but they are also expensive and proprietary. IT managers who are trying to protect transaction-sensitive applications and who already have investments in compatible storage systems should investigate these solutions. Examples: EMC's SRDF, Hitachi Data Systems' TrueCopy

  • Host-based solutions are fairly inexpensive, but they use up valuable memory and CPU resources on servers. Host-based solutions are best used for asynchronous replication of data and would be good for protecting file servers and some database and e-mail servers. Example: NSI Software's Double-Take

  • Network-based solutions, among the newest classes of replication technology, typically use intelligent appliances to replicate data over WANs. These systems will be a good choice for organizations that want to replicate from expensive storage systems at their primary site to less expensive storage at backup sites. Example: Kashya's KBX4000

    Senior Analyst Henry Baltazar can be reached at