www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
27 February 2006  
 

Storage vendors eye compliance market

The storage market has found a new growth driver in regulatory compliance. Abhinav Singh reports

The need for storing information as per priority for long periods and then retrieving it at short notice while adhering to regulations has become an area of concern for enterprises across the world. The impact is being felt more in the West, but Indian companies are no exception.

Information storage, management and protection have become a pressing issue across verticals such as BFSI, telecom and BPO in the country. In many cases, companies have proactively implemented solutions by interpreting some of the existing regulations. In the telecom sector, there have been specific requirements with reference to appropriate data, all dictated by TRAI (Telecom Regulatory Authority of India). Most compliance-related guidance for the banking and insurance industry is derived from Basel I and II recommendations from the BIS (Bank for International Settlements).

"Demand for compliance-related solutions is on the rise and growth is expected around storage solutions that cater to this need"

- Pankaj Narayan
Marketing Director
Asia Pacific, Network Appliance

Many Indian companies with business dealings in the US have been mandated to comply with the Sarbanes-Oxley Act, Basel II, Gramm-Leach-Bliley Act, EU Data Protection Act, HIPAA, 21 CFR Part 11 (life sciences) and DoD 5015.2 (government). Though adherence to regulations is derived from business needs rather than government edicts, the situation is changing as the compliance regulations evolve. Major storage vendors such as IBM, Sun, Network Appliance, EMC and HP have designed well-defined strategies to tap this emerging market.

Significant wins elude vendors

As yet, storage vendors do not have significant wins in the Indian market, as most of their customers are at an evaluation stage. Pankaj Narayan, Marketing Director, Asia Pacific, Network Appliance says, “Demand for compliance-related solutions is on the rise and growth is expected around storage solutions that cater to this need. The BFSI and telecom segments are expected to adopt newer compliance-based solutions in India. Many potential customers are seriously evaluating the need for such solutions as issues like corporate governance (which entails storing of data in a proper format) will be affecting companies in India too.” The recent introduction of the Cheque Truncation System by the Reserve Bank of India, which means storing the digitised images of cheques in a proper format, is expected to drive the adoption of compliance-based storage solutions in the country.

"We see an opportunity here as there has been a data explosion and organisations are being compelled to store and manage this data efficiently"

- Rajesh Rege
Director, Sales
Sun Microsystems India

States Rajesh Rege, Director, Sales, Sun Microsystems India, “We see huge opportunity in India as there has been an explosion of data, and organisations are being compelled to store and manage this data efficiently. All the banks now need to have a Business Continuity Plan which includes getting the infrastructure ready and adhering to regulations and directives.”

Legal recognition

Technology is playing an important role in helping the average BPO outfit comply with the regulations that each outsourcing deal involves. Manish Bapat, Business Manager, NAS and CAS for EMC, India & SAARC says, “BPO service providers have to abide by regulations that their clients follow such as the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, EU Data Protection Act and HIPAA. One of our BPO customers in India wanted to store all the voice calls for a period of seven years, and archive all the voice calls as per customers’ requirements, hence they opted for our compliance-based solution Centera.” The IT Act 2000, India’s first cyberlaw, puts forth various provisions that impact information in the electronic form. As per Section 4 of this act, legal recognition has been granted to all electronic records. The act also stipulates certain requirements concerning retention of electronic records. At a global level, including India, regulatory acts like Basel II are increasingly affecting banks. RBI has specified that all Indian banks have to conform to the Basel II guidelines by 2006.

Impact of regulations on storage

"BPOs have to abide by the regulations that their clients follow such as Sarbanes-Oxley, EU Data Protection Act and HIPAA"

- Manish Bapat
Business Manager
NAS & CAS EMC India & SAARC

Though each compliance regulation is unique, there are three recurring themes that have a direct effect on a company’s storage strategy.

The first of these is data permanence. The concept states that data must be saved to media that cannot be altered or erased until a specified expiration date. The data permanence requirement is particularly important in the financial services industry as a result of heightened scrutiny by the SEC (Securities and Exchange Commission) and other law enforcement authorities. The SEC Rule 17a-4 mandates data permanence for “all communication (internal or external) related to the business as such.”

The second is data security. Though security requirements vary, almost every entity is subject to some regulation. For example, the health-care industry is subject to the HIPAA security regulation, which is intended to protect patient privacy. Because of this, data security measures such as access controls and encryption are encouraged as approaches to complying with the regulation. In fact, privacy tends to be an area of regulatory focus. These regulations range from the EU Data Protection Act (affecting all European businesses), which is focussed on employee privacy, to the Gramm-Leach-Bliley Act (affecting the US financial industry), which protects the privacy of the US consumer. A successful regulatory compliance solution will be able to support privacy requirements such as authentication and access control.

The third is auditability. The life sciences industry illustrates this requirement. 21 CFR Part 11 is an FDA (Food and Drug Administration) regulation that outlines the requirements for dealing with electronic records and signatures. Having a secure audit trail is at the heart of this requirement. A record of every access and modification to an electronic record has to be maintained. The auditability requirement is common in regulations across industries.

For some data in the life sciences sector, the retention period may be as long as 100 years. For banking, this could be up to 10 or 15 years.

Comments Subram Natarajan, Senior Solutions Architect, IBM Storage Systems, ASEAN, South Asia, “Compliance adherence will depend on the business segment that an organisation is in. Compliance and retention regulations vary between different sectors. For some data in the life sciences sector, the retention period may go up to 100 years. For banking, this could be up to 10 or 15 years. Another factor is the geographical location of the business that is taking place. Corporations that are doing business internationally may have to comply with more rigorous standards than those that deal within their own countries.” He adds that legal implications impose certain standards within the company. If it is operating in the IT space, it may dictate retention periods that far exceed those specified by the government. This it may do in order to reduce risks and protect a company’s intellectual assets from infringement.

Geared to tap potential

Storage vendors are working on innovations in their technologies to release solutions aimed at helping enterprises comply with different regulations.

For example, NetApp has introduced SnapLock. The solution helps enterprises ensure the permanence, accuracy, integrity and security of data by making business records unalterable and permitting rapid online access for long periods of time. SnapLock is available in two versions. SnapLock Compliance enables organisations to satisfy strict records-retention regulations such as SEC Rule 17a-4 (broker dealers), HIPAA (health care), Sarbanes-Oxley (public companies), 21 CFR Part 11 (life sciences), and DoD 5015.2 (government).

States Narayan, “Only an act of wilful destruction, such as physically removing disks from a SnapLock system, can result in record deletion or alteration prior to the specified retention date.” SnapLock Enterprise enables adherence to best practices through functionality similar to that of SnapLock Compliance, but allows administrators to delete entire SnapLock Enterprise volumes. Under no circumstances is it possible for any SnapLock Enterprise user or administrator to delete or modify individual SnapLock Enterprise WORM (Write Once Read Many) records or undermine SnapLock Compliance WORM volumes. Similarly, NetApp acquired Decru to work towards a compliance-based platform. The Decru platform allows enterprises to encrypt data stored on all heterogeneous storage systems in an IT environment.

EMC offers Centera, a magnetic disk-based WORM device that helps with compliance with externally driven regulations and internal governance requirements. The solution has advanced retention capabilities, which can take automated management of archive content to the next level of storage. It also has an Event-Based Retention (EBR) feature, which helps applications set an undetermined retention period when content is written, as per the policy of an organisation. The device helps achieve faster backup windows by actively archiving unchanged digital data.

IBM has been working towards developing technologies for regulatory compliance, such as tape libraries, WORM drives and software for data retention. For compliance related to e-mail, it has the DB2 Commonstore software for Microsoft Exchange and Lotus Domino. For databases and ERP packages, it has Tivoli Storage Manager, which helps customers construct a compliance solution. IBM’s NAS products play a big part in the data retention arena. With LockVault Compliance Software, the NAS filers provide a capable archiving solution for compliance.

Sun Microsystems has come up with a three-site Disaster Recovery solution that helps enterprises synchronously replicate data. Unlike the two-site DR solutions, the three-site one ensures Zero Data Loss (Recovery Point Objective is Zero). If sufficient hardware infrastructure is configured at the intermediate site, then the solution can protect from local disasters. By providing zero RPO and minimum RTO it minimises the business impact. Sun has a Storage Archival Manager Filesystem (SAM-FS) Archival Solution, which helps in adhering to regulatory compliance. It combines online FC storage and tape storage into a single storage capacity. By using SAM-FS one can implement data management solutions like E-mail, Backup, SAP Archival, Database Archival and DR.

What remains to be seen is how the market evolves in the time to come and how vendors create awareness about their compliance offerings. For the time being, Indian companies have serious concerns about adhering to compliance requirements, and these concerns are going to drive the Indian market.

Compliance-related hardware

Vendor | Solution offered | What it can do
Network Appliance | SnapLock | The solution is helping enterprises ensure the permanence, accuracy, integrity and security of data by enabling business records to be both unalterable and rapidly accessible online for long periods of time
EMC | Centera | The solution can automate management of archive content. It has the event-based retention feature which enables applications to set retention period
IBM | Tivoli Storage Manager | Tivoli Storage Manager for data retention software helps customers construct a compliant solution
Sun Microsystems | Storage Archival Manager Filesystem (SAM-FS) | SAM-FS combines online FC storage and tape storage. By using SAM-FS one can implement data management solutions like e-mail, backup, SAP archival, database archival and DR

abhinav@expresscomputeronline.com

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.