In-Depth
PSS Systems Provides Common Sense Data Management Policy Scheme
Recent legislation doesn't mandate changes to your storage infrastructure, but it does mean you'll have to manage your data more effectively.
Economist Milton Friedman once wrote, “Perfection is not for this world. Pursuing the unattainable best can prevent achievement of the attainable good.” More than philosophical rumination, this statement captures the essence of the current challenges confronting companies that need to manage their data in a way that complies with legal and regulatory requirements.
As discussed in a previous column, the burgeoning legal regime around data retention, privacy, and nonrepudiability does not mandate any changes to enterprise storage infrastructure per se, despite the hyperbolistic marketing of many storage vendors on this point. However, it does impose a significant burden on companies to manage their data more effectively—beginning with the creation of data.
The central question of compliance is simple: How do you get all of your employees to cooperate with policies on data naming so you can distinguish the data that needs to be retained for compliance reasons from the data that doesn’t require such retention? Is there a perfect solution to the problem, or must we settle for some attainable—less than perfect—fix?
To Deidre Paknad, President and CEO of PSS Systems, the question is one that confronts her customers every day. Paknad is in the business of selling data management solutions for regulatory compliance. She agrees that regulatory compliance is, at its core, a people-and-process issue and not a technological one. However, she notes that getting personnel to comply with policies establishing what, when, and where files are to be saved and stored is a daunting exercise for most companies.
“Most businesses,” she says, “use committees and consultants to define and audit retention policies. They rely on hope to apply and enforce the policies they develop.”
The reason is simple: it takes years of consistent auditing and enforcement for a global company to get all employees into sync with retention policies. With current laws and regulations, this exposes the company to huge risks. Evidentiary integrity is at the heart of regulatory compliance, Paknad observes, “and destroying evidence has become a new federal crime under SOX 802.”
The compliance solutions offered by most vendors are based on workflow and document management systems. However, these take an enormous amount of time to construct and deploy and still confront problems of user compliance. To a large extent they rely on the cultivation of fear to obtain buy-in from recalcitrant users. Somebody, maybe many somebodies, need to be publicly disciplined—or even fired—to get everyone singing on the same sheet of music.
PSS Systems offers an alternative to a document or workflow management system that can be deployed without resorting to Draconian enforcement techniques. The difference? Think anti-virus software: a central repository of virus profiles is established and downloaded to client systems each time the user logs onto a network to keep local protection up to date.
PSS Systems borrows from the anti-virus software model to centralize document retention policies rather than data. The company’s product, PSS 2, consists of a Policy Authority Server, where a rules system is created and managed, and a client-side “enforcement agent,” which operates transparently and automatically to ensure that relevant documents created by end users are identified, classified, and earmarked for policy compliance. Companies work in committee and with legal consultants to define rules on retention, then PSS automatically converts the rules into the industry-standard XACML (XML Access Control Markup Language) syntax and pushes them out to user systems.
The Policy Authority Server embeds an Oracle9i database to store and manage the policy details and user information. The server can also be distributed to enable policy definition at the business unit or departmental level, delivering a solution that can flex to corporate governance strategies rather than forcing companies to change their workflow to fit software—a common complaint with document management systems. Paknad adds that another benefit of the distributed, three-tier architecture is the 99.9 percent availability it delivers, meeting the needs of even the largest corporations.
The client-side agent component of PSS 2 is invoked automatically and transparently, says Paknad, “so that policies are automatically enforced without changing the work or productivity of users. Documents can be accessed and manipulated by their native applications. Users can classify documents or their classification may be assumed from the workgroup or user role, the document type, or by a default policy.”
Like anti-virus profiles, the enforcement agent performs policy caching to ensure policy integrity even for mobile workers. The end user classifies a file with a simple right-click of the mouse and drops a final version into a folder that is to be “published” to a centralized repository the next time he connects to the corporate net. Paknad says that the solution is complementary to document management systems, rather than directly competing with them.
We like the idea and consider PSS 2 to be a product that is well worth a look. We are interested in your experience with the solution. Write us at jtoigo@intnet.net
About the Author
Jon William Toigo is chairman of The Data Management Institute, the CEO of data management consulting and research firm Toigo Partners International, as well as a contributing editor to Enterprise Systems and its Storage Strategies columnist. Mr. Toigo is the author of 14 books, including Disaster Recovery Planning, 3rd Edition, and The Holy Grail of Network Storage Management, both from Prentice Hall.