Outsourcing Storage: This Time it’s about Compliance

Enterprises once considered using a third-party to manage their off-site data on the basis of cost. The economics have shifted.

In 1999, IDC was hyping application service providers (ASPs) as the next big thing in IT. The idea was that we would purchase our applications online and source our infrastructure, including storage, through managed service providers.

The idea failed to catch on in a big way. The spoiler in the ASP arena was the scarcity of technology for things such as Web serving (many of these issues have now been resolved), as well as the ongoing threat of bad guys lurking on the Internet (which has yet to be resolved). On the managed services front, companies such as US Internetworking paid dearly, in part at least because companies didn’t like the idea of sharing infrastructure—especially storage.

In their view, sharing the same wires and spinning rust platters invited corruption of their data by the data stored by their less hygienic neighbors. While this was unlikely, even in primordial FC fabric infrastructure, vendors found themselves having to satisfy their clients’ whims and build storage on a one-off basis for each entity.

Without the "economies of scale" inherent in multi-tenancy of storage arrays or fabrics, storage services proved too costly for most service providers. Their business models went the way of the dot coms: more whimper than bang.

In my recent travels, however, I have seen a resurgence of vendors seeking to deliver managed storage services to clients. This time around, the business case is less about cost than about compliance. On this side of the Atlantic, over $70B has been spent on bringing data into compliance with retention schedules articulated in the health-care industry by the Healthcare Information Portability and Accountability Act (HIPAA), in the financial industry by new SEC rules, and in nearly all publicly traded companies by a combination of Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLB), and related state laws.

Until now, U.S. companies have scrambled to insert control and audit points into their infrastructure, to field archives for e-mail, databases, user files, and workflow data, and to ensure that data that must be retained, indexed, protected, and encrypted are being provisioned with the right services. The financial impact has been jarring for both U.S. firms and their supply-chain partners—who must also be compliant. This point was driven home several months ago when a CIO from Australia mentioned to me that it was becoming so expensive to partner with American firms, given compliance requirements, that it almost offset whatever profit the Australian company thought it would make from the relationship!

Europe, it seems, is just catching compliance fever. The European Union is busily churning out directives and initiatives designed to facilitate expeditious processing of cross-border financial transactions, while at the same time pursuing a course on e-privacy that is modeled after California state law (the one that makes GLB look like child’s play). Analysts in the U.K. are already suggesting that compliance with Financial Directives will cost somewhere in the neighborhood of £190,000 per company—an especially distressing fact given Britain’s role as the credit company for much of Europe.

Shortly, they will be asking the same questions that are being asked by nearly all American companies, who were told that SOX compliance would cost just $9000 per company, but who are now spending hundreds of thousands to retain data in a Yankee Doodle manner. The fact that another substantial sum may need to be spent shortly to discover ways to delete data that has exceeded its retention period has no one in a cheery mood this holiday season.

For a company to claim that it has a valid policy on retention and deletion, data must be deleted consistently and as a matter of scheduled routine across all of the repositories where it is stored, including primary storage, archives, and backups. Ask anyone who is plodding through the problem: this is a technically non-trivial task for which there are few good tools available today.

Cold Storage

If ever there was a business case for outsourcing, compliance—at least as it pertains to archive management and disaster recovery—is it. Two vendors I have visited recently seem to grasp this point.

Earlier this month, I visited Iceland to learn more about a service being built in that remote location. Described as a "Swiss Bank" for data archives, Data Islandia is a commercial storage service provider with solid support from Iceland’s government, its telecommunications company, and its leading IT services provider, Skyrr. Managing director Sol Squire’s goal is to establish Data Islandia as a managed vault for the data of multinational corporations and others, especially those who have had (or, in the case of European firms, will shortly have) significant long-term data storage and protection requirements thrust upon them by new laws, regulations, and directives from North American and European Community governments.

When I traveled to Reykjavik, like many people, I held a view of the country drawn mostly from postcards. I expected a rugged landscape mixing frozen glaciers and active volcanoes, the stuff of Jules Verne novels, punctuated here and there by quaint fishing villages and sheep farms. What I found was a full-fledged economy engaged in everything from agriculture, fishing, and construction to aluminum manufacturing, retail sales, the arts, and—of course—information and communications technology.

Despite the relatively passive attitudes of the people I encountered as I cleared customs, I was later told that security is far from lax. My picture was taken by concealed cameras as many as eight times before I exited the airport. My behavior was, no doubt, monitored throughout my visit, if only as a function of a society that is as suspicious as it is curious about foreign visitors.

After a quick visit to the hotel, I was whisked into a meeting with representatives from the Prime Minister’s and Ministry of Finance’s offices to discuss technology options related to Iceland’s national archive and e-government initiatives. That they sought to leverage my presence so promptly after my arrival contributed to my view of the industrious, waste-nothing ethic that permeates the national character.

My visit to Skyrr, where the redundant-data centers will be leveraged by Data Islandia to provide a secure home for foreign-client data (Skyrr will continue to provide services exclusively in the domestic market), confirmed the last essential ingredient of a competent data-archive management play. In addition to security and efficiency, the Icelanders also evidenced enormous capability in the technology. Skyrr hosts the IT departments of most of major users, both commercial and governmental, on the island. Their facilities are every bit as well-equipped and technologically "leading edge" as any I have encountered in the U.S. and Europe.

Moreover, from CEO Thorolfur Arnason and CIO Torvaldur Sigurdsson down to technical sales, services, and project management personnel, Skyrr staff showed a genuine pride in delivering quality services that is too often missing in Global 2000 tech shops.

As far as I could tell, the table was set for Data Islandia to deliver its services, which range from helping companies identify their data compliance and archive requirements to providing secure outsourcing services at a below "do-it-yourself" price point. The question was whether U.S. and European firms would elect to come to the table. I learned yesterday that Squire had closed a deal with British Telcom and two other major companies in the European market. His value proposition is resonating with the Europeans and with international law firms based in the U.S..

As compliance deadlines loom in Europe, hard choices will need to be made between building out new and costly infrastructure (and overlaying it with new people and processes) and pursuing the alternative of outsourcing this infrastructure and overhead to a service provider. Data Islandia is available to support the second option.

Go Store it in the Mountain

A similar tack to the problem is being taken by the operators of The Mountain, a facility of nearly 160 acres hollowed out of one of the Ozark Mountains in the Show Me State near Branson, MO. With what can only be described as "prescience of foresight," the owner of the company that began mining the mountain in the early 1960s for its deposits of a mineral akin to marble used in highway construction elected to use some unconventional methods. He bored into the mountain laterally at its base and created orderly rows of 30-foot-wide pillars of supporting rock, each stretching from floor to ceiling, as he dynamited. He had his crews reinforce the roof of the structure with seven-foot-long expanding bolts about every five feet—exceeding the required safety codes. It was almost as though he intended the space for future uses.

This magnificent man-made cavern is water tight and is now being partitioned into spaces suitable for both records storage (artworks, as well as the salvaged remnants of the Titanic, are currently stored there) and IT service offerings. The Mountain is fast becoming a multipurpose facility with the help of CenturyTel, which has wired it with dual redundant SONET ring networks that connect the facility to the core carrier networks of the U.S. telephone system.

Bottom line: If plans come together, The Mountain might just become a place where U.S. firms will be able to set up their disaster recovery hot site, establish their off-site storage and e-vaulting capability, and outsource their archive storage for management by a disciplined cadre of IT professionals. The only question that remains is how the operators will staff the facility given the high demand virtually everywhere for skilled IT personnel. With multiple feeder colleges and universities in the Springfield, MO area, that problem might take care of itself.

The economics of this burgeoning crop of managed-storage service providers might make sense to companies that do not want to incur the acquisition or operational costs of building archiving infrastructure. It will only make sense in the long run, however, if Data Islandia and The Mountain can get clients to share common infrastructure.

Your comments are welcome at jtoigo@toigopartners.com.