Storing Data in Compliance with Government Regulations | Storage Networking Fundamentals: An Introduction to Storage Devices, Subsystems, Applications, Management, and File Systems (Vol 1)

The matter of complying with government regulations for retaining data is certainly related to the topic of historical file archiving, as discussed in the preceding section. However, under the microscope of audits and investigations, the matter of storage practices is likely to be opened to external scrutiny in a way that most IT workers are not necessarily comfortable with.

This section discusses some of the aspects of storing data in an environment that includes accountability to external auditors and investigators.

Risks of Noncompliance

There is a long history of government investigators using data records in their cases against corporations and individuals. The Enron securities fraud case, the Frank Quattrone obstruction of justice case, and the Martha Stewart insider trading case are all examples of court cases in the United States where e-mail records were gathered by federal prosecutors to build cases against the defendants.

The government also uses technology in investigations of its own operations, as evidenced in various 9/11 investigations, the Iran/Contra hearings, and even the Watergate scandal in the early 1970s, when tape recordings made and saved by President Richard Nixon became pivotal pieces of evidence against him.

Some regulations have heavy fines associated with the inability to provide information asked for in a timely manner. That means that retained data needs to be easy to locateeven after several years (something that most IT workers have limited confidence in).

IT workers should not make the mistake of thinking they will not have a role in possible legal proceedings against corporate managers who are being investigated. The unfortunate result of these new regulations for IT workers is that it opens the door for obstruction of justice charges for IT workers who do not execute data retention policies and practices properly.

NOTE

The possibility of personal legal risk may seem a bit far-fetched, but unfortunately the risk exists. The regulations are public documents, but unfortunately, they do not come with a legalese interpreter. IT organizations should get legal opinions as to how to interpret the regulations. Like most legal language, there is significant room for interpretation. Whatever the case, there is a CYA factor to consider: ignorance of the law has been proven many times to be a lousy defense strategy.

Immutable Data

Auditors and investigators understand that data can be tampered with. Proving that stored data is immutable, or in other words, not altered after its creation is more difficult than it appears. The date and time stamp associated with a file can be falsified unless special provisions are taken to prevent the erasure and overwriting of historical data.

Write-Once Storage

Regulations may specify the characteristics of storage and media used, but they seldom specify the technologies that can be used. In general, it is likely that investigators will want to see proof that stored data has not been tampered with, especially if they have reason to believe that there was motivation for doing so.

Write-once, read-many (WORM) media has been used for many years for this purpose. WORM media and devices allow companies to create immutable copies of data that can be read but not overwritten. Recently, companies have developed other types of write-once technologies that can be used to prove data stored on them has not been altered. For instance, there are WORM disk subsystems that use file system technology that prohibit file updates after the file is written to disk the first time. There are also new WORM tape technologies that write data to tapes for permanent storage.

Content Addressable Storage

Another new technology that could be useful for government regulations compliance is content addressable storage (CAS). The idea of CAS is to create a unique identifier for a file that is generated from the contents of the file. One method to create this identifier is to use encryption, or hashing technology and create a unique identification key from the bit contents of the data. With a sufficient algorithm, a sufficiently large identification key can be created that ensures the identifier will be unique. That means changes to the file would generate a different key. A comparison of keys would indicate the data was changed.

Content addressable storage is useful as a way to prove data has not been altered. The trick is proving that a given key was created at a given time and was not fraudulently created. One way to do this would be to write key identifiers to WORM media and archive them.

E-Mail Archiving and Indexing

E-mail data is one of the primary areas of interest in regulations compliance. Backup companies may have specialized products or agents that work with particular e-mail systems for backing up and archiving e-mail data. More importantly, email indexing technology that facilitates the litigation discovery process (also referred to as e-discovery) will be extremely important to IT professionals in years to come. Once data has been extracted from an e-mail system, it can be stored using any storage techniques or technologies, including WORM storage.