Much has been written about the subject of Data Protection & Privacy. A number of scholarly works have been published in the last year alone. There is general awareness of its importance; new positions of Chief Security Officers have been created with fairly high budgets to make sure corporate data is sufficiently secure to minimize operational risks and ensure compliance with all regulations. There cannot be any complaint from anyone that data security technologies are not available. In spite of all this, breaches continue to occur – sometimes with very serious consequences. And I have wondered – why?
I think I have an answer, but I will come to that later. I will start with two analogies – of data with money and of a Data Center with a bank. I will try to draw out the common objectives for the security of both money and data, and ask whether there are principles to be derived from the security issues of banking – or other financial institutions – that could be translated for use in Data Centers. After the banking crises of the 1980s, banks have emerged far stronger, and we do feel far more secure with our money now in trusted banks compared to what we feel about our data in the Data Centers.
First, the kind of security I wish to achieve for my money in a bank is similar to what enterprises would want to have for their corporate data.
I need to ensure that I maintain the net worth of my money against thefts (operational risks), risks of inflation, and exchange rates (market risks). I therefore entrust my money to financial institutions rather than hoard it in a secure locker in my home. Similarly, an enterprise needs to preserve data against operational and market risks. If there is litigation, the enterprise needs to have the data to protect itself. It also needs enterprise-wide data for business intelligence to compete better in the marketplace. For this purpose, computing has moved away from isolated departmental servers to Data Centers.
I need to ensure that my accounts are not divulged to unauthorized persons. And I trust my bank ensures this. Similarly, the enterprise needs to ensure that its data does not fall into the hands of its competitors or of individuals who may compromise the privacy of its customers’ data. And CXOs trust their Data Centers to ensure this confidentiality.
I need to ensure a certain degree of liquidity when I need it. I trust that the bank near my office or home will not run out of cash, or that I can borrow against my collateral when I need to. Similarly, a business user needs current and archived data and trusts that the Data Center has practices in place to ensure this.
I may need money at midnight during a weekend and therefore rely on an ATM. Similarly, the business user relies on the Data Center to ensure that the systems are tuned to deliver the data in acceptable time frames at any time. Withdrawals from an ATM have limits, so I am prepared to wait and later visit a bank to borrow against my CD or my investments. A business user expects the most current data to be immediately available and is prepared to wait for an acceptably longer period to retrieve archived data.
There have been bank failures in the past. Stringent regulations by central banks in each country were born out of them. The foremost concern of a bank had been “Availability”. That’s why we have Statutory Liquidity Ratios and Bank Insurance Funds. However, increased competition and reduced interest rates led banks to hedge in speculative markets with high risks, particularly in developing countries. And as banks became global, Basel II guidelines on capital adequacy were framed, helping to protect the financial system and its depositors globally. So money protection by banks had to be weighed not just in “availability” terms, but also in “risk mitigation” terms – operational risks, credit risks and market risks.
Against this background, let’s examine what Data Centers have done to meet the four security objectives stated above. Like banking regulations, in recent years, there have been country-specific (like Sarbanes-Oxley in the US) or industry-specific (like IRDA in India for Insurance) regulations to preserve data. While Data Centers are also becoming global (with global single instances), they are primarily relying on country-specific and industry-specific regulations. While Basel II-like international guidelines are still not there for global Data Centers, that has not yet been the reason for any major scandals in recent times. But it could soon become one, and I flash a red card here.
* Data Preservation: Due to regulatory and compliance needs, most enterprises now have a data retention policy and are implementing data archiving. Archived data is retained for the minimum period of time required by law, and perhaps longer, with provisions to retrieve it when required.
* Data Responsiveness: Besides implementing an Information Life Cycle Strategy for Information Governance, enterprise search technologies are enabling responsiveness to business users.
* Data Confidentiality: There are certain privacy regulations, like HIPAA for healthcare, that mandate data security. Those not governed by any specific regulations still adopt best practices for data security, at least for their production systems. The area of concern is the non-production environments.
A Data Center makes an average of 8-10 copies of a production database for testing, development, training, and QA purposes. It typically takes 2-3 days to make each copy, and the data is then left in its raw format for testing and QA. Studies have shown that most breaches take place through insiders. As production data is mostly secure, the breach typically takes place through these non-production copies. This is an area where enterprises need to focus more.
* Data Availability: As data centers are increasingly becoming 24x7, the need for “high availability” has become overwhelming, and the largest investments in data protection have taken place in this area, for business continuity.
Ironically, both Banks and Data Centers have focused primarily on the “Availability” perspective of security at the cost of other aspects. The first banking crisis of the Great Depression era forced banks to ensure that they were well protected against any possibility of a “run” against them. Recent natural and man-made disasters – including Internet-related security threats like viruses – have forced Data Centers to invest in high-availability technologies like fault-tolerant and disaster recovery systems. As Banks have realized that investment in credit and market risk management systems is equally important, Data Centers too need to invest more in technologies that ensure hundred percent confidentiality, responsiveness, and also auditability of data.
I now come to what I started with – the puzzle as to why data breaches should be allowed to occur at such frequent intervals, and of such horrific magnitudes. It rarely happens with personal money in a bank. My hypothesis here is that we as individuals take responsibility for our money, even while we have entrusted it to a Bank or a financial institution. For example, we determine, not the bank, how much to keep in Savings and CDs, how much to invest in Treasury Bonds or capital markets. Unfortunately, the same is not true of corporate data. The business user signs an SLA – and that’s it. There seems to be total abdication. The entire onus with respect to data protection lies on the Data Center. My position here is that the Data Center can only be the custodian of data. The owners of such data are the business users, and they need to take responsibility for their data and ensure, in equal partnership with the CIO, that their data is truly secure. Mr. CIO, break down that SLA wall.
The author is President & COO, Solix Technologies Inc