Iron Mountain Digital – Today's companies are challenged not only with managing rapidly growing volumes of information that are spread across many technologies and geographies, but also with heightened regulatory and legal oversight on their information management â€“ not to mention how to manage all of this amongst tightening IT budgets in a tough economy. Given this complex environment, how do companies ensure that their data can easily be recovered in the event of a disaster, but also quickly accessible and retrievable to satisfy regulation and litigation needs? How do companies determine which records they should destroy, backup, or archive â€“ and how do they manage these storage costs? Does having an efficient backup solution in place effectively meet both these demands?
The short answer is no. Backup solutions alone do not prevent regulatory trouble. In todayâ€™s world of increasing record retention regulations and demands for improved corporate governance, backup alone cannot replace the need for a true digital archiving solution. Even though backup solutions meet requirements for duplicate, tamper-free and secure records, they are not sufficient for a fully Compliant Records Management program. Destruction, for example, which is a major component of any records management program â€“ is just not possible to perform on data that has been backed up on numerous backup tapes.
Simply put, backup solutions provide for data protection and recovery, while archiving provides data retention and retrieval, as well as proof of chain-of-custody against every record. While both solutions are part of electronic storage, they address different needs. In todayâ€™s world of shrinking backup windows and regulatory requirements, enterprises need to implement both backup and digital archiving for complete digital data protection.
From document management to digital records management â€“ an integrated approach
In the past true digital archiving solutions simply didnâ€™t exist â€“ regulatory and compliance pressures were slim to none with archiving viewed solely as a records management function and the preservation of documents for historical reasons. Moreover, the speed of drop in cost for gigabytes allowed people to ignore storage management and just keep buying more storage as it filled up.
With the onset of heightened compliance and litigation, the huge increase in electronic records, combined with rising storage costs, companies were forced to realize the importance of consistently retaining â€“ and destroying their documents via automated and unbiased policies. Yet how could companies go about doing this? Document management systems tried to step in as digital records management systems â€“ but it didnâ€™t work â€“ IT was missing. Companies were forced then to reassess their document and records management policies â€“ once solely under the umbrella of legal and knowledge management alone, and implement IT. Just as backup had been fully integrated into an IT and records management function, so too was archiving.
This change â€“ of records management from being a corporate historical mechanism to being the main mechanism for legal compliance â€“ further demanded the blending of the practice of IT and records management, and the need for organizations to implement distinct digital archiving solutions separate from backup.
Backup versus archiving
As seen in the past and all too often still today, IT departments have used insufficient backup solutions to suffice as digital archiving systems. There is often confusion regarding the difference between backup and archiving. To clarify, if you are storing data with the expectation that you may need to use it or access it in the future for business purposes, then you are archiving. In other words, if you put the record away and it is your only copy, then itâ€™s an archive. On the other hand, if you are storing data for the purpose of recovering from a disaster, a system crash, data corruption, or other event, then you are performing backup â€“ youâ€™re putting the record away and there is still an online copy available to ensure disaster recovery and business continuity. Archived data is indexed data for search purposes and backup data is raw data for data recovery purposes.
There are a number of digital archiving requirements that backup cannot adequately fulfill, including the classification and categorization of information â€“ the actual organization of information rather than just storing it, and/or access to documents according to a company's retention policy. Backup also cannot perform information destruction â€“ which is an essential component of any digital records management system. Furthermore, backup does not provide the necessary management to ensure long-term future readability of documents as formats, applications, hardware, and operating systems change. Lastly, backup alone cannot fulfill compliance with regulatory archiving storage and access requirements.
The underlying truth is that tape backup solutions alone simply cannot provide easy retrieval and audit trails. Using backed-up records as official legal documents for compliance and litigation leads to spending considerable time and money to restore backup tapes, search for legally relevant material, and subject enterprises to the legal difficulties of attempting to prove that records remain unchanged â€“ all of which can create legal risk exposure. Additionally, keeping several generations of backup tapes as archives opens up the possibility of someone requesting that data for litigation purposes. Many enterprises today still keep several generations of backup tapes as archives to meet the challenges of compliance and eDiscovery, despite the escalating costs of data storage. Having hundreds of copies of the same file on hundreds of tapes makes it impossible to ever destroy information and guarantee that it cannot be â€œdiscoveredâ€ at a later date, or even begin to understand which version was used for which application. This drives up the cost of discovery, increases legal risks such as fines and lawsuits, while at the same time making it impossible to execute a policy in an unbiased and consistent manner. Simply stated â€“ backup is an inefficient mechanism to archive with and creates compliance risk exposure.
The importance of backup
So what then, can backup systems be used for?
Backups are for user error recovery, disaster recovery, and business continuity. They are used to recover data loss resulting from data corruption, server failure, and site failures, as they contain a snapshot of the system to restore it to its last known business state. Backup systems are critical for enabling IT to quickly recover data in the event of a site failure, whether itâ€™s a power outage, or a catastrophic natural event like a hurricane. Backup solutions also reduce the risks and costs of data loss and minimize recovery time for distributed PCs and laptops - even when a laptop is stolen or damaged from a remote employee, which is even more critical given todayâ€™s on-the-go work and lifestyle. Despite disasters being closely associated with data recovery, over 70% of the data recovery performed is due to user error and data corruption.
A backup and data protection program is built based on Recovery Point Objectives and Recovery Time Objectives to ensure there are no gaps in your records management history. The goal is to rely on backups to recover lost data to the most current point in time possible. Itâ€™s simply not acceptable in todayâ€™s business climate to incur large data loss. Therefore itâ€™s wise for every organization to have a disaster recovery and business continuity plan that is documented and regularly tested. It is also good practice for electronic data to be backed up and protected off-line and off-site.
When backup just isnâ€™t enough
The massive amount of digital data present today has taken away the ability of backup to work efficiently and correctly without a digital archiving solution in place as well. Without an efficient data protection and compliant records solution in place businesses expose themselves to more disaster recovery and business continuity risks, not to mention legal and business risks such as revenue loss.
While backup systems can provide for wholesale data recovery from the closest point in time if the computing environment suffers failure or disaster, as indicated previously, they are not suitable for quickly searching data and retrieving individual items of data needed for compliance. Backup data is not indexed, and, consequently, is not easy to search. The most efficient and effective way to respond to litigation requests involving backup data is with a complete data restoration and digital archiving solution. Additionally, most traditional backup processes do not provide an audit trail of actions on a backed-up record, as required for compliance and legal discovery. When companies save the last full backup of the month and/or year as archives they are losing that trail of actions, and a lot of information, and transitions of that information is lost, exposing companies to even more legal risk.
It is much too hard and expensive to fulfill the needs of compliance and regulations with backup tapes, after-the-fact when intent of information has been lost. Unfortunately this is all too often the start of the market today. Once litigation strikes many companies are forced to recall backup tapes from a time period involving thousands upon thousands of tapes â€“ and then restore them one by one with a large team of specialists hired to review all the information and determine (after the fact) what it was for and if it was important. The cost of eDiscovery is directly related to the number of documents that must be reviewed, so without the correct solution in place, this can clearly become very expensive. Proactive management, including implementing both an efficient backup and digital archiving solution, not only lowers costs by not having to do this reactive digging and analysis, it becomes an advantage â€“ because if you are prepared, once litigation strikes or a disaster hits, your information is protected and easily retrievable, in a cost-efficient way.
Backup alone does not protect your business â€“ in fact backup alone can actually increase business risk â€“ making a copy of all your data and ignoring whether it is active or inactive puts your company at legal risk. By separating inactive data from the data set and storing it once in an archive can remove 65 percent or more of the amount of data that needs to managed day-to-day. This not only shrinks the backup/restore windows, it also lowers the total overall cost of running the infrastructure.
Whereas backup is for disaster recovery purposes, the archiving process is part of a records management program. Digital archiving helps companies meet their long-term need for storing data with a searchable index for easy retrieval, if the need arises. To clearly understand digital archiving, industry analyst firm Enterprise Strategy Group defines archiving as the longer term retention of historical data that is no longer needed for current business operations, in order to satisfy regulatory compliance, corporate governance, litigation support, records management or other information management requirements.
Many enterprises must comply with an increasing number of regulatory requirements affecting their business â€” or face stiff penalties for non-compliance. The new requirements include a long list of mandates such as HIPAA, Gramm-Leach-Bliley, and FACTA, which protect a range of business, financial, patient, employee, and customer data - regardless of its format or medium. Other regulations such as Sarbanes-Oxley Act of 2002 (SOX), SEC Rule 17a-3 and 17a-4, and Rule 26 of the Federal Rules demand that organizations disclose corporate information to the government during compliance audits and for the courts during litigation. For all of these different regulations, enterprises must follow different retention rules for different types of archived data.
When implementing a digital archiving solution companies need to assess this and many issues, including a comprehensive evaluation of what specific data is governed by which specific record retention regulation. IT also needs to determine which technology can actually retain that data type, whether itâ€™s an e-mail, x-ray, or a financial document. Companies can then create a retention period, and store the data where it can still be easily accessed, for as long as legally required.
How do companies begin to manage what information needs to be retained for how long, and what needs to be destroyed?
True digital archiving, retention systems, and services ensure that enterprises can find and access any given record, whenever and wherever required. Solutions today offer secure, compliant, cost-effective, and long- term archiving of electronic records. These solutions and services consolidate electronic records â€“ e-mail, images, statements, and more â€“ into a unified, browser-accessible archive for fast and easy search, retrieval, and management. They also record any action taken on archived records, providing a secure audit trail to prove that the records are free from tampering. This trail is essential in compliance audits and in cases where records appear as legal evidence.