Much has been written about Data Protection and Privacy. A number of scholarly works have been published in the last year alone. There is general awareness of its importance: new positions of Chief Security Officer have been created, with fairly high budgets, to make sure corporate data is secure enough to minimize operational risk and ensure compliance with all applicable regulations. No one can claim that data security technologies are unavailable. In spite of all this, breaches continue to occur, sometimes with very serious consequences. I have wondered why.
I think I have an answer, but I will come to that later. I will start with two analogies: data with money, and a Data Center with a bank. I will try to draw out what the objectives for securing money and securing data have in common, and whether there are principles to be derived from the security practices of banks and other financial institutions that could be translated for use in Data Centers. Banks emerged far stronger from the banking crises of the 1980s, and today we feel far more secure about our money in trusted banks than we feel about our data in Data Centers.
First, the kind of security I want for my money in a bank is similar to what an enterprise wants for its corporate data.
I need to preserve the net worth of my money against theft (operational risk) and against inflation and exchange-rate movements (market risk). I therefore entrust my money to financial institutions rather than hoard it in a secure locker at home. Similarly, an enterprise needs to preserve its data against operational and market risks. If there is litigation, the enterprise needs the data to defend itself. It also needs enterprise-wide data for business intelligence in order to compete better in the marketplace. For these reasons, computing has moved away from isolated departmental servers to Data Centers.