Malice, stupidity and storage in the real world

Von Neumann was mostly right. His oft-quoted architecture has formed the basis of not only the arithmetic computer, but also the broader church of computing – when he defined the functions as arithmetic/control, memory and input/output he might as well have been talking about servers, storage and networking. It is an elegant, straightforward model.

Trouble is, the people who interact with IT are anything but elegant and straightforward, and this is where von Neumann’s model needs a little extra support. While the utopian ideal of a computer may be just that it has to deal with carefully crafted instructions, lovingly delivered by gentle souls, the reality is that it needs to be protected against all the vagaries of humanity: from thoughtless or corrupt hackers, to foolhardy and stupid employees, there are as many opportunities for things to go wrong as there are opportunists looking to take advantage.

The reality is, then, that computers need to be protected not just from malice but incompetence – “there’s no patch for stupidity,” as Kevin Mitnick was reputed to say. Perhaps it is a legacy from Mr von Neumann, but we know from our research as well as from anecdotal evidence that security is all too frequently left until last, something to be bolted on once the more interesting technical challenges have been dealt with. This is as true with storage, as with any other part of the IT environment (but it is rarely planned to be malicious: as an example, consider a conversation with an appliance vendor a couple of weeks ago, whose product required caching of every single data packet traversing the network. “Is the cache encrypted?” we asked. “No, do you think it needs to be?” was the response).

The good news perhaps, is that things are changing. No, human nature is a constant – it would be unrealistic to expect our race to wake up one morning in a shared, euphoric realisation that we need to do things right. In the absence of that, we are seeing a number of trends that are driving us towards being better technicians, if not citizens.

Notable perhaps is governance best practice. Governance is to carrot what compliance is to stick – while we may all be fed up of being beaten by the cudgel of compliance, it has nonetheless catalysed many organisations to consider their own internal processes and how they can do things better. In the ever-revolving waltz of best practice and standards, we can see this materialising in the recently completed UK standard for business continuity management – BS 25999, which goes back to back with ISO 27000 in terms of recognizing that not only are there things we cannot predict, but also we need to be ready in case they happen. Common sense, it would appear, is becoming more common.

These trends go some way to explaining why, in a recent Freeform Dynamics survey on information governance, three of the top four capabilities cited as “fully implemented or working on now” were to do with dealing with unexpected or untoward events (and even the fourth, dealing with archiving, could be said to have a positive impact). This is as shown in the figure below.

It’s worth distinguishing between the two major categories of risk when it comes to storing information – the first being loss/damage, and the second, breach of confidentiality. Regarding loss or damage to information, it is fair to say that the data itself is pretty agnostic. If data is rendered irretrievable by a hard disk crash, a machine room fire, accidental deletion by an overzealous operator or indeed, a team of bearded hackers on the other side of the world, the effect is the same – and to the business, the consequence becomes very quickly one of getting the data back in some form. Disaster recovery technologies such as off-site replication are never needed until the moment that they become indispensable.

The same can be said for backup/restore, which sounds more complicated than it should – we have long maintained that from the largest of organisations to home workers and indeed consumers, everyone should be in the habit of taking a copy of important data in case something should go wrong. Given the quite high likelihood of data loss, it remains quite flummoxing that many organisations still fail to implement robust backup policies, even if (as shown in the above chart) they may have already acquired the technology. Indeed – given that the survey was of organisations of 500 employees and above, it is surprising that less than 60% of organisations see backup/restore as a fully implemented or current initiative. Given that we see IT as a work in progress, we’re not too despondent but it is an indication of how far we all have to go.

Meanwhile, we have breach of confidentiality. While this can be down to foolishness or indeed, poor governance processes, it is equally possible that the perpetrator will be external and – more and more these days – motivated by money. It is telling indeed that IT security management is the third in our list, with nearly 90% of respondents seeing the need for security as part of their information governance capability. The devil, of course, is in the detail – it is one thing to have a line in the budget for IT security, but quite another to construct a secure storage architecture which successfully mitigates the risks to the business. Storage manufacturers are today taking security much more seriously – indeed, it was this that drove a number of acquisitions a couple of years ago (notably IBM/ISS, EMC/RSA, NetApp/Decru and Symantec/Veritas) which are starting to bear fruit.

Meanwhile, for a number of reasons (not least, the difficulties in constructing a viable business case for more strategic security spend), security technologies are often bought on a piecemeal basis, leading inevitably to a fragmented, rather than an integrated and sustainable result. As has been said before, is it any wonder that the IT security industry acts like a fire extinguisher industry, if its customers are only interested in fighting fires?
So, what to do? In the first instance, we should at least applaud the rising importance of business continuity planning in our organisations, as it gives us a risk-based framework with which we can better assess potential security issues, and what to do about them. Bluntly, securing an IT system against a potential threat is purposeless, if the business would not suffer as a result of the threat – or indeed, if the security measures themselves get in the way of doing business (which is why, for example, you won’t hear much talk of ISO 27001 in City of London financial institutions). First and foremost, business continuity planning requires an understanding of the business, which is also central to good security management.

While Von Neumann’s architecture was profound enough to have a lasting effect on how we construct our IT systems, it may have been too simple to take into account the vagaries of the human race. Now, it looks like we are starting to treat the latter – while storage subsystems may not always have security built in by default, the organisations that implement them are beginning to consider how to ensure the architecture as a whole can respond in the case of untoward events. We may not be there yet, but it’s progress.

The report cited in this article, “Information Governance – The keystone of a sustainable business and IT strategy” involved interviews with 495 senior business and IT leaders, from a broad cross section of industries and organisation sizes with a focus on USA, EMEA and Asia Pacific.

Click here for more posts from this author

Through our research and insights, we help bridge the gap between technology buyers and sellers.