by Sali Earls
Data storage and business continuity plans are no longer the reserve of big business. With security risks ever prevalent, and new legal implication associated with audit trails and storage, there has never been a more critical time for SMEs to think about storage solutions.
Storage Expo is the only UK event dedicated to data storage and takes place in London Olympia from 12-13 October. Sali Earls spoke to exhibitor, Dave Gingell, VP Marketing EMEA of EMC Software to find out what SMEs need to consider.
For many small businesses, data storage may be as simple as archiving to CD, or backing up to tape on a daily or weekly basis. Most would not have a business continuity plan to put into practice should things go wrong. In your opinion how should companies approach the issue of data storage?
Data is usually stored either as direct
attached (within the server environment), on a primary store (usually a Network Attached Storage environment, A Storage Area Network environment or a
Content Addressable Storage environment) and/or in secondary store (tape, optical etc). That is fine as long as nothing goes wrong.
The reality in IT environments is that things do go wrong and therefore some preventative action needs to be taken. This is usually in the form of back-up and recovery technologies and can be seen as analogous to an insurance policy. You don't really want to pay for it but when things go wrong you'll be glad you did.
Like an insurance policy, the amount of cover you take out will depend on circumstance. The value of the asset you wish to cover (life, a car, house etc), the amount you are prepared to spend (premium) and the commensurate value of it to you to have it back exactly as new or not.
This is the same with your data in your business, even for small businesses. How vital is the data to the running of your business? What would be the cost if you lost it - both financially, resource-wise (recreating it etc) and possibly legal and regulatory exposure, should you have to submit it through a discovery process.
So data protection and data storage needs to be treated somewhat like an insurance policy - understand the sensitivity of your data and create an environment which meets the levels of expectation of the business.
To answer the question simply: These are some of the things a company needs to consider at a high level to cover the requirements outlined above.
So organisations need to look at the criticality of the operating environments and scenario plan for unforeseen events. In situations like those described, how quickly could data be restored? What if it couldn't with the flooding of the data centre for example? Planning for this type of event is called a Disaster Recovery strategy. Usually this will involve identifying business critical data and replicating that data to another site. That could be instantaneous replication of transaction level data from one physical site to another, allowing immediate switch over should one data centre be taken out of action and allowing work to continue uninterrupted; it might be an end of day back-up replicated every 24 hours to an off-site back-up, meaning data restore can happen instantaneously but the data may not include up to the last 24 hours worth of work, or variations in between.
Technologies are available to allow immediate replication, timed replication, back up to tape for off-site storage etc etc. It maybe that a window server crashes and needs to be restarted immediately back to the point at which it crashed, including the applications that were running. The bottom line is that organisations, even SME organisations, need to analyse their sensitivity to disasters and plan data protection policies that are commensurate to this.
The way to avoid this and become far more efficient is to establish an Archival strategy. Identify the data which needs to e kept for regulatory, legal or business longevity purposes; identify the data that has not changed or is fixed and archive it, thus reducing the size of the data sets and improving overall efficiency of the back-up and recovery processes. Again, technologies are available to help with archiving and archival strategies.
The key thing to remember is that back up and archiving are different disciplines - the former is a copy, the latter, a move.
How should SMEs approach data security internally and externally?
Organisations today are faced with many security threats and are dealing with them with point solutions, generally effectively. These include authentication, digital rights management, threat detection, vulnerability assessment, data encryption, anti-virus, spy-ware etc. These threats cover the applications, people, information and systems. Whilst many organisations feel they have many of these areas covered, they are concerned about the piecemeal and reactive approach they have been forced to take, as each new threat has surfaced.
What they are looking for today is to see how security can be built into the
infrastructure so that common tools and common ways of dealing with threats, new and old, can be employed. We see
the need for "end to end security management" being where companies are headed. When one looks at security of information (data), it will be the infrastructure vendors like EMC, who understand
information management, who will be able to provide a framework for managing information security through the IT infrastructure. Aligning security to information-type will be a step forward. Thus, an
understanding of the value of the information asset will allow a security profile (consisting of specific services such as encryption, DRM etc etc) to be assigned to an individual data or information asset -
such that the appropriate security profile is assigned to the piece of information, based on its value to the business and where that piece of information is in its lifecycle. It security requirements and
needs change as its value to the business changes.
Once the data is stored safely and securely, how can companies ensure that it remains accessible and useable on an ongoing basis?
This should be part of the Archiving strategy. An on-line archive store can deliver data integrity, data immutability and data availability for data that has been archived. In this case the term "archive" is a bit of a misnomer as it implies it is shut away but in fact what's required is an on-line archive when information or data that is not changing can be stored in a secure but very accessible environment - with commensurate price/performance.
It is a case of mixing the right platforms with the right archiving technologies for email archiving; file system archiving; and database transactional archiving.
What guidelines would you suggest a company adopt to ensure that all copies of data remain under their control, and that backup or personal copies do not circumvent the storage?
This is a question of Policies, Procedures and Best Practice.
Companies need to educate their workforces in how they work with data and their responsibilities towards the data they produce. There are technologies to ensure data remains under the control of the organisation depending on the data type. This can be email management to eliminate the need and use of PST (Exchange) or NTF files (Lotus) - stopping the growth of local email silos; Centralised back-up of data eliminating the need for individuals to do their own back-ups and centralised data stores for unstructured content, preventing the ability to download content and store it locally.
Above all it is a question of defining policies and communicating those policies to the workforce.
While companies are generally aware of the need to manage information, many are still not aware of the legal requirements associated with information management. What do SMEs need to know?
I think you can look at this in terms of regulatory compliance and legal compliance. In the former case it is often industry driven and specifies how a particular organisation must operate in its industry. For Financial Services companies it might be dictats from the FSA and cover anti-money laundering or operational risk (Basel II); for the Life Sciences industry it might be regulated data pertaining to the New Drug Admissions process and for Government institutions it might be adherence to the Freedom of Information Act. All these are heavily data-centric and information-centric and SME's need to understand their obligations in the storage and management of compliant information.
From a legal compliance aspect this is often focused around Discovery or, as it is often termed these days, eDiscovery. What are the processes that are required to provide information to a court for a court-case - which could be an employment tribunal, a fraud case or any other case which requires the admission of evidence in the form of information or data held. Companies are spending millions of dollars around the world in trying to find data relating to court cases. Often this is in email format but has been backed up a long time ago and cannot be accessed. However the court demands it to be admitted. A sensible archival strategy can take the sting out of the requirement and indeed a lot of the cost.
EMC Corporation is the world leader in systems, software, services, and solutions for information storage and management. The company helps organisations of all sizes implement information lifecycle management (ILM) strategies that enable them to better and more cost-effectively manage, use, protect and share their information.
Find out more about EMC at www.uk.emc.com , or visit them at stand 340 at Storage Expo.