Regulations and how they affect data storage needs
Hi, I’m David Chernicoff, senior contributing editor for Windows IT Pro magazine. In this post I’ll be discussing the issue of regulatory compliance and storage policies. In industries where regulatory compliance is an issue, be it regulations such as Sarbanes-Oxley, HIPAA, or SEC Rule 17a-4, maintaining control over the storage used by all users and applications is critical. Failing to meet the requirements outlined by such regulations can result in civil penalties involving significant fines, and in some situations it is even possible to face criminal prosecution. In general, the regulatory requirements fall into two categories: access and retention. Access control is usually the easier of the two requirements to meet. In these cases, the regulation defines specific categories of users who are authorized to access the data.
This fits in well with the traditional model of network access control. Network administrators are used to setting up user accounts with limited access privileges, and features such as Group Policy and Active Directory in Windows Server are common examples of how access control policies are implemented to ensure that only authorized users have access to data protected by governmental regulations. In small businesses, however, data retention can quickly become a problem. For example, a small financial office that does a lot of its communication by email may generate a gigabyte of data per user, per year, that falls under the regulatory retention requirement, and it must retain the email generated by that traffic for an extended period of time.
Now, retaining 20 or 30 gigabytes of data for a few years may not sound like much of a challenge, but I suggest you actually try to find an email conversation from two years ago when you don’t have a backup and retention policy in place that was designed to let you do just that. Consider also the plight of the small to medium-sized health care provider. HIPAA requirements on the security of, and access controls on, patient data are very strict, and those controls need to be maintained for long periods of time. This is an area where the services of a backup service provider can really shine for small businesses, especially medical, financial services, real estate, and investment trust businesses, and any other business that has specific storage retention requirements.
A first-tier backup service provider isn’t just going to offer to back up your server data; they will offer a complete backup lifecycle management solution, which is something that small and medium-sized businesses often overlook or ignore when looking to protect their data. It gets overlooked because smaller businesses usually don’t have the in-house IT expertise to identify their storage processes as candidates for such solutions. Or it gets ignored because the cost of implementing such solutions, especially in house, can be prohibitively expensive for a small business.
By using a storage service provider to implement a full-scale storage lifecycle management program, a business gets the benefit of having its recent data immediately available for restoration while older data is moved to near-line or offline storage. This gives the business the option of less expensive storage for the older tiers while still meeting the regulatory retention requirements, and without the up-front expenditures that can make a significant dent in an IT budget.
It’s also important to note that the backup service provider can scale to what the business needs, so the customer is never in the position of being unable to meet its regulatory responsibilities due to a lack of internal hardware or backup capacity. The business itself can then focus on its business model, without worrying that its backup infrastructure is a potential future problem.