Data Protection Mandates

Data protection demands are rising, but technologies such as WORM and replication over WANs can offer new levels of security.

IT managers are retooling their data protection infrastructure—whether they want to or not.

For many years, IT managers have leaned on tape backups as the cornerstone of their disaster recovery and data protection infrastructure. Tape won't be going away any time soon, but changing business environments and the need to come into compliance with a variety of new regulations are forcing IT managers to rethink their strategies for data protection.

So what's wrong with tape?

Although tape is a reliable and portable media format, it does not meet all the current needs of customers.

The biggest problem with tape backups is that data is vulnerable between backups. For example, if your last backup was at midnight and your storage system dies in the afternoon, any data created during the several hours between the last backup and the hardware failure is lost.

Furthermore, tape restores (in the case of a full recovery) could take several hours—far more downtime than many companies can tolerate.

A number of continuous backup products emerged during the past year that help eliminate the data risk window of tape backups. These solutions typically mirror transactions to a local repository to provide a quick way to restore servers in the event of data corruption.

While continuous backup does complement tape by eliminating the risk window, it is typically a local solution and is not designed to transfer data over long distances. But that's exactly what many companies must now do with the recommendation or requirement for off-site data repositories.

For example, in a September 2002 white paper called "Draft Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System," the Securities and Exchange Commission, the Office of the Comptroller of the Currency and the Board of Governors of the Federal Reserve System recommend that financial services companies have between 200 and 300 miles between primary and backup sites.

A number of financial institutions balked at this because they had already invested a great deal of money in setting up their backup sites, which typically were located much closer than the recommended minimum of 200 miles.

Furthermore, from a technology standpoint, it was virtually impossible to set up data centers that far away because synchronous-mode data replication (the highest, most resilient form of data replication, required to protect transaction-sensitive applications) does not function well beyond distances of 10 to 20 miles.

As a result, the guidelines were never turned into regulations, but it has become understood that companies should, at a minimum, have some sort of backup site with the ability to replicate data between those sites.

Several new replication systems that leverage the WAN have become available, allowing companies to overcome at least some of the distance hurdles.

The changing business and security climate has made WORM-based storage more compelling for many organizations. Regulations from the SEC, specifically SEC Rule 240.17a-4(f), and the Health Insurance Portability and Accountability Act have a number of rules regarding document retention and preservation. WORM storage systems help IT managers address many of these, including guidelines for e-mail, financial records and patient information.

Even if your company is not required to meet any of the guidelines mentioned here, it's a good idea to audit your technology systems and data retention practices to see how they would measure up. New regulatory deadlines loom all the time—with the first Sarbanes-Oxley Act deadline just around the corner—and you never know when these or other guidelines will affect your industry.
