Risk & Compliance

Saving Gracefully

Companies of all sizes now face new pressures that dictate how long they must retain information and how readily they must be able to retrieve it. ...
Anne StuartOctober 27, 2004

Remember those virtual pets that were all the rage a few holiday seasons back? Inanimate though they may be, the still-popular toys require proper care and feeding. Fail to provide those essentials, and you soon find yourself looking for a virtual pet cemetery.

Information is much like that: each piece has a life span that must be managed properly from cradle to grave. Failure to do so can jeopardize your company’s health in a way that’s anything but virtual.

Increasingly, a key part of that management challenge involves storage. A raft of regulations that mandate how companies store and protect all kinds of data, lawsuits requiring that they produce highly specific information on demand, the need to guard data when disaster strikes, and other pressures have recast storage: it’s no longer viewed as an electronic filing cabinet that’s largely taken for granted, but has become a key aspect of IT strategy.

While some of those pressures, most notably the dictates of Sarbanes-Oxley, initially applied only to large public corporations, their effects are already trickling down to small and midsize businesses (SMBs). These firms must manage data just as professionally as the big guys, providing easy, reliable access to some records and guaranteeing the confidentiality of others. Some of those SMBs may want to go public someday, and they’ll be subject to the same regulations as the Global 1,000. And no business of any size is immune to lawsuits, major or minor disasters, or competitive pressures.

“SMBs’ storage needs aren’t really different than enterprise storage needs,” says Nancy Hurley, a Portland, Oregon-based senior analyst at Enterprise Strategy Group, a data-storage research firm headquartered in Milford, Massachusetts. “They want to effectively utilize resources, reduce total costs, and protect and recover business information like everyone else, just on a smaller scale.”

In the past, that smaller scale meant forgoing certain capabilities that large companies enjoyed. But now, an approach formerly used almost exclusively by giant companies that deal with dozens of terabytes of data is becoming available to — and critical for — smaller companies as well. It’s called information life-cycle management, or ILM.

Although ILM certainly involves storage, security, network hardware, and other technologies, it’s a process, not a product. Or, more accurately, it’s a combination of processes and technologies that manage information at every stage of its life, based on its value to the business. A true end-to-end ILM system includes a comprehensive storage infrastructure, migration software that relocates data automatically, and products for backing up, replicating, archiving, and retrieving information.

Used properly, ILM keeps tabs on data from creation to deletion. Typically, it moves, stores, archives, or removes information with little or no human intervention, based on company policies or priorities, regulatory requirements, or automatic timetables. Ideally, it’s set up so that anything that hasn’t been deleted can be easily retrieved.

Behind every effective ILM effort is a solid strategy, which Hurley says businesses can develop in three simple steps. First, set a value for each type of information. In other words, figure out what the data is worth to the business and what impact its loss might have, then assign it a priority.

Next, based on those designations, figure out how accessible, how protected, and how recoverable each item needs to be. For high-priority information, such as current financial records, “it might be important to mirror the data, and also take snapshots and replicate off of those snapshots for disaster-recovery purposes,” says Hurley. Less-critical information — marketing brochures or employee PowerPoint presentations — might get backed up once a week. Even that’s an improvement for some SMBs, says Gary Doan, CEO of IntraDyn Inc., an Eagan, Minnesota-based maker of storage products. “Fully 50 percent of them are not doing any offsite archiving at all,” he says. “They’re about as vulnerable as anybody you’ll find.”

Finally — and this step is critical — revisit those decisions regularly. Data often gains or loses value over time; as its worth changes, you may want to adjust your strategy for managing it. For instance, if the information is worth less now than it was six months ago, you may want to migrate it to less-sophisticated (and, typically, less-expensive) storage devices.

Strategies and priorities will, of course, vary from industry to industry. For example, in the media sector, data has a short life cycle. News organizations are primarily interested in gathering, guarding, and constantly updating what they know about what’s happening right now. Once they’ve published or broadcast that information, they typically archive it for future reference, but they no longer worry about instant access or zealous protection.

In health care, on the other hand, some information never loses value. Providers are bound by ever-stricter regulations governing not just privacy but also the long-term retention of patient charts, lab results, X-rays, and other information. John Halamka MD, chief information officer at the Boston-based CareGroup hospital network, notes that his organization is required to keep medical records for its 9 million patients for up to 30 years.

Beyond the basic decisions cited above, ILM efforts should reflect three other considerations:

  • The need to respond quickly and comprehensively to lawsuits. Almost all legal actions require the parties involved to produce massive amounts of data, documents, and E-mail, points out Bruce Backa, founder of NTP Software in Nashua, New Hampshire, which makes ILM-oriented storage products. The task can be a nightmare if the material hasn’t been managed well. “I’ve watched people spend several million dollars satisfying requests for [legal] discovery in what was ultimately a million-dollar lawsuit” because they had to search for information scattered across multiple desktops, servers, and storage systems, he says. Several firms have paid hefty fines for their inability to quickly retrieve old E-mails or other documents.
  • The need to jettison useless information. Many companies find themselves struggling to manage data they no longer need, if they ever did. “People put stuff in and never delete it,” says Backa, citing a Gartner estimate that 30 to 40 percent of the information in most companies’ systems is dormant, outdated, or abandoned.
  • The need to comply with regulations. Size is no excuse for failing to comply with the growing body of requirements for document handling. A midsize regional bank, for instance, is subject to the same laws — and the same fines — as a multi-billion-dollar financial institution, and a 12-person firm must keep many of the same hiring records as a corporation with 12,000 employees.

Sized to Fit

Given all those considerations, CFOs at small and midsize companies might reasonably conclude that ILM is some monstrous undertaking that takes years to implement, but that’s not the case. The storage industry’s biggest players, including 800-pound gorilla EMC Corp. in Hopkinton, Massachusetts, have begun aggressively pursuing the midtier market, tailoring their jumbo-size solutions to meet SMBs’ needs and budgets (EMC strengthened its offering recently when it acquired Documentum and Legato Systems). Meanwhile, smaller competitors battling for a piece of the pie include NTP; IntraDyn; CaminoSoft Corp. in Westlake Village, California; Storage Technology Corp. in Louisville, Colorado; and Evault Inc. in Walnut Creek, California.

Both the Davids and the Goliaths are winning business from SMBs. Rick Ellingson, president of Ellingson & Ellingson, a 10-person certified public accounting firm in Edina, Minnesota, used to manage all of his company’s information on storage tapes that worked much like music cassettes. To recover something, “you’d roll through the tape until you got to the information you needed,” he recalls.

Now he uses IntraDyn’s RocketVault, which automatically backs up all company documents — accounting documents, tax returns, spreadsheets — onto a hard disk in a shoebox-size device. Finding files is vastly easier now. “You look at the directory, click ‘restore,’ and within seconds, it’s restored,” says Ellingson. The company’s ILM strategy also involves replicating all information offsite and, after four weeks, moving data to CDs for long-term storage. Ellingson, who handles all the technology in his 26-year-old company, learned to use the device in less than half an hour, thanks to its Web browser interface.

MidAmerica Bank, which has about 70 branches in Chicago and Milwaukee, uses EMC’s Centera system to capture images of customers’ checks, which the midsize institution retains for seven years. Not surprisingly, finding one of hundreds of checks from one of thousands of customers banking in 70 branches in nearly a terabyte of data had always been a frustrating, time-consuming process. The only other option was to burn the information to CDs or DVDs, which could still take minutes to retrieve, not including the time spent trying to find the right disk, notes Paul Stonchus, the bank’s first vice president and manager of data-center operations. With Centera, he can locate and retrieve a check in half a second.

The bank’s ILM strategy also calls for automatically archiving duplicate check images at multiple offsite disaster-recovery centers. “We’ve been able to eliminate the need for an outside company to pick up our tapes and store them at their site,” says Stonchus. The ILM system has been so successful that he expects to eventually begin using it to manage much larger documents, such as reports and loan agreements.

It’s essential to note that while many vendors are offering ILM products and consulting services to the midmarket, this is an evolving area and not all the pieces are equally robust. Software tools that move data from one form of storage to another based on its declining value, for example, need work. Some experts say that to date there are no soup-to-nuts solutions and that the ambitions of ILM outpace its current capabilities. But if your data is worth storing at all, it’s worth storing well, and ILM provides a useful way of thinking about and dealing with the growing complexities of information management.

Anne Stuart is a Boston-based freelance writer whose specialties including business, technology, and law.

ILM at a Glance

While information life-cycle management requires both software and hardware, at its core it is a management process, not a technology. The Enterprise Strategy Group advises a five-step process for project success.

Assessment: First, take stock of your information. Weed out the obvious waste, and then ask hard questions about what remains, such as: How important is each type of data to your company’s survival, operations, service capabilities, and growth? Do compliance regulations apply in terms of retention, public access, reporting, and confidentiality? Might the information ever be needed for a lawsuit? Who uses it and how often? How will that change over time? How secure must it be at each stage? How accessible? Will it ever lose enough value to warrant deletion? If so, when?

Socialization: This is the first of two steps requiring human finesse. “Everybody thinks their data is the most important,” says ESG senior analyst Nancy Hurley. “It becomes very political to say, ‘We’re going to deem this data more valuable than that data.’ ” Instead, project leaders should emphasize that ILM decisions will be based on facts and numbers, such as assessment results, current and future storage usage and capabilities, and cost.

Classification: In this second manually intensive step, ILM administrators formally categorize data based on its type, age, value, and other considerations mentioned above. Then they can set policies for where each type of data should reside at each stage in its life and when, if ever, it can be purged.

Automation: Next, ILM administrators can apply automated data-migration (ADM) tools that move data from place to place without human intervention. Such software “migrates information based on its value to the business at the time,” says Hurley. ADM systems can archive data that hasn’t been used for a certain period of time, flag it for a compliance deadline, or delete it once it’s outdated.

Evolution: Change is constant, and information is no exception. As needs and priorities change, expect to constantly revisit, reassess, and revise. —A.S.