On the other hand, from Steve’s perspective, sooner or later, Margo will have to take what is a free-form edge document and check it into a central protected repository and live with controls. She can then go on to the next production phase, which might be a rev 2 derivative of that original work, or perhaps something completely different.

RIEDEL You certainly have to be careful. You’re moving against the trend here, which is toward decentralization. Corporations are encouraging people to work on the beach and at home.

KLEIMAN Nothing I’ve said is in conflict with that. Essentially, the distilled intellectual property has to come back to the corporation at some point.

SELTZER Sometimes it’s the process that’s absolutely critical. Did I steal the code or write it myself? That information is encapsulated only on my laptop. Regardless of whether I check it into Steve’s repository, when Mary’s company sues me because I stole her software, what you really care about is the creation process that did or did not happen on my laptop.

BREWER I don’t think that’s the day-to-day problem of a storage administrator. What we’re talking about is whether the first goal is to know which of the copies you don’t want to lose, which is a different problem than copies leaking out to others.

KLEIMAN I do think that the legal system still counts. Technology can’t make that obsolete. You still have a legal obligation to a company. You still have an obligation not to break the law. No matter what technology we come up with, someone will probably find a way of circumventing it, and that will require the legal system to fill in the gaps. That’s absolutely true with all the stuff on laptops that we don’t know how to control right now.

SELTZER I also think it’s more than just copies that we need to be concerned with; it’s also derivative works, to use the copyright term. It’s “Oh, look: File A was an input to File B, which was an input to File C, and now I have File D, and that might actually be tainted because I can see the full path of how it got there.”

CREEGER Maybe what we’re seeing here is that we need to intuit more semantics about the bits we are storing. A file is not just a bunch of bits; it has a history and fits in a context, and to solve these kinds of problems, companies are going to have to put processes and procedures in place to define the context of the storage objects they want to retain.

BAKER You can clamp down to some extent, but it’s the hidden-channel problem, even through processes that are not malicious. Say I’m on the beach and the only thing I’ve got is a non-company PDA and I have some ideas or I talk to somebody and I record something. It can be very hard to bring all these different sources into a comprehensive storage management policy. Storage has gotten so cheap; it’s in everything around us. It’s very easy to store bits in lots of places that may be hard to incorporate as part of an integrated system.

KLEIMAN There’s not just one answer to these problems. Look at what happens in the virus-scanning world. It’s very much a belt-and-suspenders approach. They do it on laptops, on storage systems, in networks, and on gateways. It’s a hard problem, no doubt about it.

There are a variety of technologies for outsourcing markets, such as China and India, where people who are working on a particular piece of source code for a particular company are restricted from copying that source code in any way, shape, or form. The software disables that.

Similar things are possible for the information proliferation issues we have been talking about. All these types of solutions have pros and cons and depend on what cost you are willing to pay. This is not just a technological issue or a storage issue; it’s a policy issue that also includes management and legal issues.

BREWER In some ways it’s a triumph of the storage industry that we have moved from the main concern being how to store stuff to trying to manage the semantics of what we’re storing.

CREEGER Again, what should a storage manager be doing in the next 18 to 24 months?

KLEIMAN Today people are saving a lot of time, money, and energy doing server virtualization and storage virtualization. Those two combined are very powerful, and I think that’s the next two, three, or four years right there.

GANGER And the products are available now. Multiple people over the course of time have talked about snapshots. If you’re running a decent-size IT operation, you should make sure that your servers have the capability of doing snapshots.

BREWER On the security side, encryption. Sometimes there are limited areas where you can do the right kind of key management and hierarchies, but encryption is an established way in the storage realm to begin to protect the data in a comprehensive way.

SELTZER Backup, archival, and disaster recovery are all vital functions, but they’re different functions and you

ACM QUEUE November/December 2008 39
