
Data Movement and Data Privacy Regulation: Compliance-Informed Data Tiering

April 12, 2020

Topics: Cloud Tiering Advanced. 6 minute read

For traditional firms with existing investment in data centers, there can be vast amounts of data that is rarely touched, but critical for certain business practices. Storing data is expensive as it scales, and certain storage technologies do not remain viable over time. That’s why data tiering technologies such as NetApp Cloud Tiering for NetApp AFF and SSD-backed FAS storage systems are becoming widespread solutions for on-prem storage users. But how does using a capacity tier in the cloud affect data that has to be stored for compliance purposes or data sets that contain sensitive personal information that falls under data privacy regulation?

In this post we’ll take a look at how these regulations affect data stored between on-prem systems and the cloud, specifically through the use of NetApp Cloud Tiering.

Compliance Storage Requirements

Regulations such as HIPAA, SEC Rule 17a-4, CCPA, and GDPR require organizations to maintain certain data processing behaviors, including some that apply to data security, data privacy, and the data lifecycle.

This means data must be identified and protected in both active and dormant states, and sometimes requires techniques to ensure protection of data over its retention period and lifespan: from capture and indexing through, ultimately, disposal. For example, SEC Rule 17a-4, issued by the US Securities and Exchange Commission, requires broker-dealers to retain records of securities transactions for a set period, in a form that cannot be altered or erased, together with an index of those records. The California Consumer Privacy Act, or CCPA, does not state specific data security requirements, but it does establish penalties for breaches that result from a failure to maintain reasonable security practices, which in effect directs companies to implement them.

For storage system users, these demands add a new pressure. In data center storage systems that rely on highly performant devices such as NetApp AFF or SSD-backed FAS, retention requirements can seriously impact storage usage: more space consumed by retained data means less available to applications. Expanding an array's capacity by rolling in a new system means a significant CAPEX investment, which is not a cost-effective solution for data that is rarely read.

For the compliance and security teams addressing the regulations from a different part of the enterprise, the storage challenge looks different. Their common complaint is that by the time the compliance requirements are understood, the systems are already in place and difficult to modify. The result is that security or compliance controls are "bolted on" rather than designed into the application or system. Regulatory concepts that affect the data lifecycle are also still relatively new to many compliance professionals, who previously gave little thought to where, when, or how data would be expunged, much less the risk to data owners if it is not.

The risk for many organizations is that by the time a non-compliance event has taken place, there is little to do but pay for assessments, remediation and fines. This hurts the business and draws enormous resources away from improving its core assets, including its systems and data.

Compliance Requirements and Cloud-based Data Tiering

The advent of cloud-based data tiering has changed some of the compliance issues of traditional data processing systems. In most systems, working on the data in the cloud tier can be done without touching the core systems, which offers a way to expand functional capabilities without asking the development team to change or redesign the core application. Data tiering services such as NetApp Cloud Tiering can keep the data stored in the cloud tier continuously accessible while it remains protected.

Specifically, cloud-based data tiers can provide some data processing security and compliance features that were not designed into the original application. Here are a few clear value points:

  1. On-Prem Footprint Reduction – Since compliance requirements frequently demand data retention for indefinite periods, the cloud tier offers an inexpensive place to house this infrequently accessed data without consuming space on highly performant storage arrays.
  2. Data Security – As data is identified and stored, a cloud-based data tier can apply default security settings such as encryption to protect data at rest.
  3. Data Location – Compliance requirements can make it important to know exactly where data is kept. A cloud tier can be dedicated to such data, keeping it in the region chosen when the tier is configured, in a secure and low-cost state, and rapidly available for processing when needed. That bucket and region choice is the one to document for auditors.
  4. Data Resilience – Regulation addresses the risk of data loss by mandating business continuity and disaster recovery (BC/DR) programs. A cloud-based capacity tier makes this relatively simple to set up and maintain.
  5. Data Disposal – The end of a data set's lifespan can be assured and automated for a cloud-based data tier by destroying its encryption keys (crypto-shredding) and clearing memory and disk as part of routine cloud management hygiene. Key destruction only retires data whose every key copy is gone, and it must not run before the mandated retention period has expired.
  6. Compliance Auditability – Because GDPR and HIPAA require organizations to account for classes of data across their lifecycle, data tiering provides evidence that the organization can account for the security and location of that data. Designing data storage around your compliance requirements can improve the compliance and security reporting process.

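The disposal point above relies on crypto-shredding: if every object in the tier is encrypted under its own data key and the keys live somewhere the organization controls, disposal becomes destroying the key rather than hunting down every copy of the ciphertext in replicas and backups. The following Python is an added illustration of that principle, not NetApp's code and not how Cloud Tiering is implemented; the `TieredStore` class, the object id and the sample record are constructed for the example, and the HMAC-SHA256-based cipher is a standard-library stand-in for AES-GCM, which is what you would use in practice.

```python
"""Crypto-shredding: retire a tiered object by destroying its data key.

Added illustration, not NetApp code. The cipher is a stand-in for AES-GCM,
built from the standard library so the example runs anywhere; in production
use AES-GCM from a vetted library and keep data keys in a KMS or HSM.
"""
from __future__ import annotations

import hashlib
import hmac
import os


class KeyDestroyed(Exception):
    """Raised when an object's data key has already been shredded."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class TieredStore:
    """Hypothetical capacity tier that holds only ciphertext; per-object data
    keys sit in a separate key table under the organization's control."""

    def __init__(self) -> None:
        self.objects: dict = {}  # what lands in the cloud bucket
        self.keys: dict = {}     # what stays on-prem or in a KMS

    def put(self, object_id: str, data: bytes) -> None:
        key = os.urandom(32)                    # fresh data key per object
        self.keys[object_id] = key
        self.objects[object_id] = encrypt(key, data)

    def get(self, object_id: str) -> bytes:
        if object_id not in self.keys:
            raise KeyDestroyed(object_id)
        return decrypt(self.keys[object_id], self.objects[object_id])

    def shred(self, object_id: str) -> None:
        """End of retention: destroy the key. The ciphertext may linger in
        replicas or backups without exposing the record."""
        del self.keys[object_id]

    def has_ciphertext(self, object_id: str) -> bool:
        return object_id in self.objects


def demo() -> tuple:
    """Returns (plaintext read before shredding, readable after shredding,
    ciphertext still present after shredding)."""
    store = TieredStore()
    record = b"constructed sample record: trade 2013-0001, 100 units"  # constructed input
    store.put("trade-2013-0001", record)
    before = store.get("trade-2013-0001")
    store.shred("trade-2013-0001")
    try:
        store.get("trade-2013-0001")
        readable = True
    except KeyDestroyed:
        readable = False
    return before, readable, store.has_ciphertext("trade-2013-0001")


if __name__ == "__main__":
    print(demo())
```

Two checks a practitioner would add before relying on this pattern: the key table must be the only copy of the key material (a key that also sits in an unmanaged backup defeats the shred), and a retention check should refuse `shred` until the record's mandated holding period has expired, since a rule like SEC 17a-4 treats early destruction as a violation just as much as a failure to dispose.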

Conclusion

As organizations are pressured to examine cost-reducing technologies, they should consider the value proposition of cloud-based data tiering, even if they currently have no engagement with cloud technologies. And with all the advantages of cloud-based data tiering, don't forget its benefits in meeting increasingly complex compliance requirements.

While there are advantages to moving systems and data to the cloud for traditional needs such as expandability and availability, these are not the only value propositions that make sense. As many large data processors have learned, migrating to the cloud can be very expensive once the cost of reworking a system to be "cloud aware" and to use cloud storage effectively is counted. So, for cost and complexity management, a hybrid cloud approach using data tiering technology makes sense.

NetApp Cloud Tiering automatically moves secured cold data from performant on-prem NetApp storage systems to low-cost object storage on AWS, Azure, or Google Cloud. The advantage for many organizations is that the AFF or SSD-backed FAS system requires minimal adjustment to gain almost unlimited capacity through the cloud tier, reducing the need for new hardware. It is also a way to get a foot in the cloud without putting legacy systems at risk, which benefits a number of unique use cases.

The value for many organizations will be rapid ROI along with help in meeting difficult, and sometimes expensive, compliance controls. Working with the compliance and security team may surface even more value for a particular application or compliance regime.

To try out Cloud Tiering for your NetApp storage system click here.

Oded Berman, Cloud Evangelist
