Security, privacy and data protection

By Tony Lock

Many businesses today are faced with the challenge of rapidly fluctuating operating conditions. Beyond this, organisations are becoming ever more dependent on the data and information they hold. How can organisations best store and protect corporate data? Is cloud a possible answer, or some kind of hybrid approach?

Defining the problem

Securing and protecting data has been a major issue for organisations ever since computing took hold in business. Over twenty years ago, the rapid adoption of personal computers exacerbated the situation by forcing organisations to seek ways to protect information scattered across many machines. Often the PCs were under the control of the users themselves rather than subject to central IT management.

As laptops came into use a new challenge arose, namely how to secure and protect data that might be disconnected from the corporate network and which, by its very nature, was mobile. The fact that laptops were, and still are, easy to lose has further complicated the picture. The advent of smartphones and tablets which are now being used to access company systems and store yet more data locally has added to the burden.

Overlaid on these practical challenges is the regulatory and legislative pressure now being put on organisations to ensure ‘sensitive’ data is properly protected. Meanwhile, user expectation of instantaneous access to business information from wherever they are working is creating a need to make data universally available while still ensuring it is properly protected. Centralised lockdown, while attractive to IT people, is therefore not an acceptable way forward from the user perspective in many cases.

Considering your options

There are many ways to protect data, especially when looking at the ‘backup, recovery and data storage’ arena. The selection of backup and recovery software depends on the precise requirements of the organisation and its existing infrastructure, along with the skills and experience available. Selection decisions about specific tools are beyond the scope of an article such as this, but in a broader sense, it’s useful to consider whether developments in the cloud arena can help.

When thinking about the potential role of the cloud, there are options to be considered based on where primary data and secondary (e.g. replicated/backed up) copies of data may be held. In essence the decision boils down to three choices, namely in-house, in the cloud (i.e. hosted), or a combination of both, the so-called ‘hybrid’ option. But as ever, the approach chosen will vary depending on the exact requirements for speed of access, data volumes and various risk-related factors. Good old ‘personal preference’ can also be a factor, though one seldom acknowledged openly.

But how well do you know your data?

Experience indicates that when trying to make decisions on the mix of approaches to data management, security and protection that are appropriate, many organisations fall at the first hurdle because they don’t have a good handle on the data they are holding. What’s often missing is an adequate knowledge of which data exists, exactly where it is held (including copies), its importance to the business, and who, precisely, it is valuable to.

This lack of knowledge is a problem in general, but is particularly an issue when it comes to laptops, home PCs and the now expanding array of smartphones and personal tablets being used in business. Tackling such lack of visibility is a crucial first step in making informed decisions on anything to do with data management.

Once you understand your data, you can then work through the requirements and constraints and make decisions objectively, bearing in mind that what’s appropriate for one application or data set may not be suitable for others.

Working through what should live where

A major consideration is whether the location of data is subject to any regulatory, legislative or governance-related restrictions. This is clearly important when looking at using cloud providers, especially when thinking about the storage of sensitive material such as customer data, employee information, financial records or intellectual property. This is not just about whether the data lives on-site or off-site but also, if a service provider is involved, where they will be storing it geographically on your behalf.

After legal necessities are acknowledged, it becomes a question of addressing the more practical side of things.

An important early step is to identify ‘latency sensitive’ classes of data where speed of access (response time to the user) is critical. Unless you have extremely fast and reliable communications into your service provider, it is likely that the primary location of such data will be within your own facilities. This does not, however, rule out storing a replicated or backed up copy of the data in the cloud to cater for disaster recovery, or potentially for collaboration purposes.

Having said this, for primary data sets residing in-house for regulatory or compliance reasons, or simply for comfort purposes, storing secondary copies in the cloud for backup or DR may still be a useful option, but this will necessitate the use of additional measures such as encryption.

Other data sets where latency or data sensitivity is not an issue can then be assessed to work out whether it is better to keep them in-house or move them to an external service provider or the cloud. Naturally, the selection of providers must be subject to the usual Quality of Service assessments and due diligence investigations normally carried out when looking at potential suppliers.

The bottom line

Using the cloud or external service providers for storing secondary copies of data for protection can offer significant advantages, especially in terms of disaster recovery for organisations that operate out of a single location. Such solutions may also prove attractive to store primary copies of data that may be shared by multiple users inside or outside the organisation.

Equally, cloud storage could be utilised by those wishing to access data from many different devices, potentially avoiding the need to manually move information between systems. As part of this it is important to consider the role of ‘synchronisation’ of data between the devices, as we expect requirements in this area to grow quickly over time.

What it all nets out to is keeping an open mind and considering the options in context. For all but a minority of highly sensitive/paranoid organisations, a hybrid approach to data storage and protection is likely to offer the best balance between cost, flexibility and risk management if decisions are made on a case-by-case basis as we have recommended. The aim is to have the best of both worlds going forwards.

Tony is an IT operations guru. As an ex-IT manager with an insatiable thirst for knowledge, his extensive vendor briefing agenda makes him one of the most well informed analysts in the industry, particularly on the diversity of solutions and approaches available to tackle key operational requirements. If you are a vendor talking about a new offering, be very careful about describing it to Tony as ‘unique’, because if it isn’t, he’ll probably know.