Mention storage in the same breath as Sarbanes Oxley and the immediate reaction of senior management might be to hide the checkbook. Invariably a vendor is making a pitch on how the latest, and greatest, WORM-enabled, opto-magnetic, network replicated gizmo is going to solve all of their problems. SOX has become the latest in a line of vehicles to which vendors have hitched their wagons in order to sell more gear (remember the Y2K buying frenzy?). The sad truth of the matter is that you could have the greatest technology in the world and still miserably fail a compliance audit.

The Storage Manager's Dilemma
Don't get me wrong - vendors are not solely to blame. To quote that great American philosopher Pogo, "We have met the enemy and he is us." Many organizations procrastinated before giving serious consideration to SOX, particularly to Section 404's compliance requirements, and now are scrambling at the last minute to address these issues. Of course, the IT organization ends up bearing the brunt of this and, to a large extent, is unprepared to deal with it. Kept largely in the dark as finance, legal, and compliance departments met with consultants and formulated policies, it is now expected that IT will come through, in the 11th hour, with a miracle to somehow implement systems to meet the regulation's directives. The instinctive reaction within IT may be to pick up the phone and call their vendors to see if anyone has a Sarbanes Oxley solution to sell. And they do - sort of.

Within the IT infrastructure organization much of the burden of SOX is borne by the storage management group, which is responsible for data protection and recovery. Unfortunately, in many environments storage management is hamstrung by a lack of visibility into the requirements of SOX. This is symptomatic of a larger scale problem: lack of visibility into the value of data that IT manages. Most data these days is stored on disks, backed up, and sometimes even replicated. Too often, from a storage management perspective it is treated in the same manner regardless of importance or value. Data often has not been classified to differentiate high value data from low value data. And certainly, the storage manager has no idea of what data is SOX-critical. When given a directive to manage SOX data, in desperation, they turn to their vendors.

The vendors then offer technology components that could potentially be incorporated into a solution to a data retention problem. These include primary, secondary, and tertiary storage systems, robotic tape libraries with WORM tape technology, associated networking components, and software to manage all of these devices. Unfortunately, vendors typically cannot sell storage managers what they really need: a set of management and operational processes that can demonstrably ensure internal storage infrastructure controls are compliant with the specifics of the auditing framework being followed within the environment.

Next: Storage and Section 404...