Storage policies
IT Pro Guide: Ambrose McNevin delves into the world of storage management and explains why your business needs a plan
Storage is one of those things that nobody thinks about until it runs out. End users just expect it to be never-ending, then shout and scream when capacity runs low. IT managers know it is not and face a constant struggle to provide the consistent level of service users expect without spending the earth.
Most firms simply end up stumping up extra cash for ever more storage capacity - recent figures show that 80 per cent of IT managers bought storage capacity beyond their needs. But while easy to implement this is not cost effective. In fact a recent survey revealed that three quarters of the cost of storage goes on administration and maintenance, which means that buying more capacity effectively costs businesses twice over.
There is still an issue to be addressed here, however. Data storage needs keep expanding with regulatory concerns increasingly having an impact, the stuff still needs to go somewhere. By one estimate there are currently 15,000 pieces of legislation and directives pending in the US on how information must be stored, accessed and maintained over time.
So you can see that there are some very good reasons to establish a storage policy. It will save you money. It will save you time. And it might even save your business. But how do you go about setting one up?
The main considerations in establishing a manageable storage policy are human, business and technical. For a storage policy to work it must cover everything from primary storage for active applications to archive management to disaster recovery to protocols for laptop use.
The Technology
A storage policy is as much an exercise in how to use your existing infrastructure more effectively as it is buying new hardware. Data storage policies tend to build up organically and unchecked over time in most organisations and this means that, quite often, information is stored on inappropriate platforms. If you don't need to access information instantly, for instance, why store it on an expensive storage platform such as Fibre Channel?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
So before you do anything you'll need to find out exactly how much capacity you have and which platforms make up that capacity. And while you're at it, conduct an audit of your backup procedures. A good storage policy will need to detail when backups occur, put in place procedures that verify all your data can be retrieved and will put in place plans for disaster recovery (keeping backups of all of your data secured at another site, for example).
The Business
Statistics say that businesses are generating more information than ever before, causing headaches for IT managers. But even when you know how much there is, do you know how much it's worth? Put another way, problems will arise in assigning value to the data. So the challenge surrounds knowing which data is valuable, which is critical and which is worthless. When it comes to finding out what constitutes valuable data, begin with senior management. Like the fable of the man asking the King to double the grains of rice on each square of the chess board you will now begin to see how you generate much more information than you thought possible and which outside forces will shape your policy.
The main external force is regulation. From the United States there is the Sarbanes-Oxley Act which directs how businesses must protect their data. This affects not just US businesses but also their foreign subsidiaries. In Europe there is the European Banking Capital Accord, or Basel II which requires companies to show how they can maintain operations in the event of an IT failure. There is the Data Protection Act in the UK, which governs how businesses and institutions must store personal data. There is the Freedom of Information Act which affects not just public bodies but has implications for any business trading with the public sector. And there are plenty of others. Which do you have to comply with?
Time is also a key factor in determining your policy. How long must you keep information for will depend on your industry sector. In some cases regulations state that information must be disposed of but while in others such as Health and Safety, records must be stored for decades.
Next are the legal implications of choosing to permanently store or not store information. The traditional view is that data loses its value over time. In media for example there is a quick fall-off in the value of data. In pharmaceuticals or medicine the value of data falls much more slowly. But you don't have to be dealing in life or death situations for your storage policy to have major legal implications. What happens if your company becomes involved in a legal action and someone asks you for every email that was sent in the last five years?
Your data will fall into two categories, structured and unstructured and under those headings you will need to further categorise it and decide which policies can be most effectively applied. For example do you need separate policies for structured and unstructured information? What unstructured (e.g. email) data do you need to hold onto?
Once categorised you should then be able to devise a strategy to move the data through your organisation.
The main question is when should you move data from a primary storage platform to a secondary platform? And remember all this data has to end up somewhere. Information will move to its final destination, which is most likely to be a tape platform. But even when it has arrived there issues remain such as ensuring that that sensitive data is archived securely.
Last year Bank of America famously lost the social security numbers and credit card details of over 1.2 million US public sector employees when unencrypted tape reels went missing.
The People
As ever dealing with technology would be a simpler matter if it weren't for the people using it. In this case it is up to you to decide how much data storage resource is allotted to different users. (As likely to be a political as much as business consideration.)
You need to establish some rules with your end users about how much storage resource they have access to. You will need to agree service levels with users based on estimates of how much data they will generate and attributing a value to that data. At this point you need to know things such as whether multiple copies of documents are kept, who decides which is the latest version and which one should be the permanent record.
Dealing with information storage inside your secure network is tricky enough but you will also be faced with having to question management on areas such as mobility. Who takes what information out of the company on their laptop hard drive and leaves it in the back of the taxi on Friday night? Also up for argument are subjects such as who has access to what information in the company? Is today's top salesperson tomorrow's disgruntled employee walking off with your customer database on his USB thumb drive?
It may not immediately make you popular but addressing these issues will put you on the path to establishing a sound and secure storage policy. That, in turn will enable you to plan a storage infrastructure that is cost effective and appropriate to your needs.