Use ILM to Store Data Properly and Securely

By Jeff Vance

(Back to article)

Consider the many different forces that pull at the storage dollar: Knowledge workers are increasingly reliant on electronic data, with almost all of it, from Word documents to Powerpoints to email and even IM conversations, stored indefinitely.

Compliance with regulations like HIPPA and GLBA requires data to be stored in a way that protects personal information. Disaster recovery means backup data must be available at a moment’s notice to ensure business continuity.

Five Questions to Ask Before Implementing ILM
  • What are your current data infrastructure problems? Are they caused by legacy equipment, lack of interoperability, or poorly defined processes?

  • Forget technology and infrastructure. If you could start from scratch, what would you do? How would you decide what data is most important?

  • Returning to reality, what will work with your existing infrastructure?

  • How will employees work differently if ILM is deployed?

  • How will ILM deliver value to your organization? Is value based on cost, efficiency, availability, recoverability, security, or all of the above?

  • The ILM "Solution"

    Is there any way to logically balance data storage requirements without driving IT mad? Information lifecycle management (ILM) vendors believe so, and they think they are properly positioned to rescue data from these storage nightmares.

    The problem, though, is ILM is more of a concept than a product, so you can’t expect to buy a solution that will solve all of your problems.

    “ILM is a catch-all that can mean just about anything,” said Steve Duplessie, senior analyst, The Enterprise Strategy Group. The first step, as usual, is planning. But, before you plan, you must clearly define your organization’s problems and search for solutions that solve those problems. “If they just say ‘we are an ILM vendor,’ close the door,” Duplessie warned.

    When talking to analysts and vendors about ILM, the overriding theme was that ILM is a process not a product. If you’ve been in IT for more than two weeks, you’ve heard this logic before. Whether it’s about security, collaboration, or ILM, you’ve been told the business process, not the technology, is the key to success.

    Okay, so it’s a process. How does that change anything? According to Duplessie, the most important process to navigate is learning how to treat data differently. Instead of asking how to store data, organizations must ask how to classify data and make it more available, reliable, and useful — at an appropriate cost.

    “Data itself is the relevant consideration, not the infrastructure,” Duplessie said. “How we treat data, secure data, and use data all have very specific tactical and strategic ramifications.”

    For instance, when TJX’s (the parent company of retail chains TJ Maxx, Marshall's and Bob’s Stores), customer data was stolen by hackers this past month, the company’s problem wasn’t that it lost data to outsiders. Nearly every credit card on the planet has fraud protection. The problem was they valued secrecy over disclosure and the public is now outraged.

    TJX had legitimate reasons involving forensics and attempts to minimize the damage, but they underestimated how customers would react to a perceived cover-up. Clearly, their incident-response process needs to be revised, and no security system in the world can protect you from public relations nightmares.

    Now, besides negative publicity and customer defections, TJX also faces a class-action lawsuit, which engenders its own data discovery requirements. It’s a tactical and strategic mess and one that won’t be solved by technology alone.

    Data is Data

    How does the TJX case relate to ILM? It illustrates how valuing the wrong thing can come back to haunt you. Hackers breaking into databases is so common now that security expert Bruce Schneier estimates everyone in the U.S. has had their personal information stored on at least one compromised system.

    How ILM can help is by transforming data from just raw information to more granular categories of information, each with its own security, availability, and recoverability requirements. Too often, data is just data, no matter its sensitivity.

    Developing data hierarchies is the foundation of ILM. The idea is that less critical data can be moved to cheaper, less available storage. Less sensitive data can have easier access requirements.

    The first step, though, is to do a data inventory and then determine value. Enterprise search tools like those from Google, FAST, or Endeca will dig up whatever data you’re looking for, while tools from Kazeon, StoredIQ, and EMC with its Infoscape product will help you figure out how to classify that data.

    That’s the easy part. The hard part is determining value.

    “This is the biggest ILM abyss,” said Brian Babineau, analyst for The Enterprise Strategy Group. Departments will bicker and personal agendas may trump true value. There are few types of data that everyone will value similarly. “Confidential customer records and things like credit card numbers will have a high value,” Babineau said. Beyond that, it’s up for grabs.

    “If it’s just a file server where people can keep old Powerpoints, you don’t need expensive infrastructure,” Babineau said. Objectively, this is true, but Babineau noted the trouble with this logic is someone in marketing or some C-level executive may disagree with archiving these files. All of their data is especially important, they believe.

    One shortcut that avoids intra-organizational feuds is to rate the data by how frequently and how recently it has been accessed. “The data resides on the optimal tier of storage based on usage and cost requirements,” said Bruce Kornfeld, VP of marketing for Compellent, an enterprise storage vendor. “You want the lowest tier possible without impacting performance.”

    This makes good sense except in those rare instances when infrequently accessed data is of the utmost importance. National defense and nuclear launch codes are good examples, said Dan Cobb, CTO of EMC’s Information Management Software Group.

    “This is an extreme example,” he said, “but if I’m in national security, I want the launch codes on the highest level possibly, and I hope that I never actually access them.” A less extreme example is your customer’s personal information. You can move it to less available storage, but never less secure storage.

    Kornfeld noted that a frequency- and time-based system can adapt quickly to changing values, dynamically moving newly important data to higher tiers. Additionally, most systems have overrides, allowing you to lock certain information to specific types of storage.

    Implementation Strategies

    Assuming your organization can agree on some data policies, what’s next? Cobb reiterated the need for articulating concrete business goals. “The most important thing to do is to meet the needs of the business, in terms of cost, service level, IT efficiency, risk management, security, and recoverability.”

    If ILM makes data more available and secure, while lowering your costs, then its value is obvious. However, Kornfeld cautioned against ignoring the implementation pains that some solutions necessitate.

    “Often, ILM doesn’t get implemented due to labor issues,” he said. Many solutions in the industry require the manual movement of storage among tiers, which can push ROI well off into the future and place too much of a burden on IT.

    Cobb warned against looking at ILM too narrowly. “Parts of the industry believe that ILM equals tiered storage. That’s not the most valuable thing to business. A holistic approach to policy is where the value is,” he said. “You need to ask ILM vendors how they store, protect, and optimize information. All of these are important and none can be taken in isolation.”