Data exists in many forms in most organisations and, as IT managers find to their annoyance when they start trying to archive that data in a coherent manner, its sheer volume can often be overwhelming. This should not be that much of a surprise, however, as research firm IDC has identified that as much as 80 per cent of a firm’s data is stored on shared network storage facilities.
The problem facing IT managers when looking to store this data is the duplication involved and it is for this reason that a growing number of storage vendors now offer de-duplication facilities before the data is actually archived. The problem facing the public sector is that this information comes in a variety of guises: patient records within the Health Sector; benefit applications within Social Services, right up to draft government policies in Downing Street.
These various forms, documents, emails, conference call recordings and draft legislation are unquestionably vital in the day to day running of these departments yet are routinely stored as file data (the 80% we talked about) and left to fend for itself on the network.
It is desirable by malicious insiders and external hackers who recognise its worth, even if you currently don’t. Imagine if an outsider accessed these files the damage they could do with this sensitive information and also the damage that would be caused to the reputation of the department involved! Many organisations protect their databases but fail to afford their unstructured data the same protection – is yours one of them?
In case you need evidence that this isn’t pure fabrication but does actually happen in the real world, the case is still ongoing against former MI6 worker, Daniel Houghton, who pleaded guilty to stealing top secret material but also claimed he made copies of the electronic files and attempted to sell them for #2 million to Dutch intelligence agents.
Documents containing details of secret information gathering software Houghton devised and is thought to have copied are still missing. Also this month the US Military confirmed that more than 90,000 classified military documents had been copied including battlefield and intelligence reports – one of the biggest leaks in US history.
Regulators are increasingly concerned of the potential damage sensitive information contained in files can cause in the wrong hands and are creating and enforcing data security requirements for unstructured data. Compliance can be expensive and it’s not optional.
Take HIPAA (Health Insurance Portability and Accountability Act), for example, the US Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) recently announced significant proposed changes to the act including compulsory breach notification expected to become law later this year – not a cheap exercise just contacting everyone involved let alone the knock on effect to public confidence. A little closer to home lapse security policies and procedures could result in a breach of the Data Protection Act and could incur a financial penalty of up to #500K from the ICO (Information Commissioners Office).
So, hopefully now you recognise the importance of protecting your unstructured data, the question you need to answer is where is all this valuable file data coming from? Here’s a quick checklist of sources to consider as you survey your own file data landscape, as well as thoughts on protecting these files:
Applications and Databases
Whether your applications and databases are running in-house or in the cloud, mid-level managers are probably using them to export interesting data for analysis, reporting, presentations and other legitimate activities. The US military breach mentioned above is one very public example of the damage that can be caused, and the far reaching consequences when spreadsheets, documents and presentations containing exported information are stored on shared file systems for enhanced communications and collaboration, poses a credible data security risk that needs to be mitigated.
For other government departments that data may include credit card information, an individuals details or medical records could add compliance requirements such as HIPAA, SOX, PCI and/or Data Protection (DPA) to the list.
Copious amounts of file data never experiences the safe confines of a database or an application, instead it goes straight from the mind of knowledge workers into a file stored somewhere on the network. Software source code is an obvious example, as are legal documents, draft policies, employment records and various research projects.
These files often contain intellectual property and a wealth of information and rich detail about opportunities, partnerships, business operations, future plans and strategic advantage. Sharing this information on file servers and network attached storage devices can be critical for mobilising your company and uniting distributed project teams, but it’s just as critical to ensure that the data is protected from intentional or even inadvertent harm.
Application communication and storage
When applications need to communicate with each other, but don’t speak a common language, using intermediate files on a shared file system can serve as a form of enterprise application integration. For example, a doctor’s surgery with a legacy application running on a mainframe, and another medical department application running on Microsoft servers, can use files on a shared file server or NAS device to exchange information between the disparate systems.
While only the applications should have access to those shared files, it’s highly likely that the file servers or NAS devices where the files are stored are accessible by many users. So, care has to be taken to safeguard access and prevent sensitive data from being compromised.
An even more basic, and more common, use of shared file systems by applications is when applications simply store their output or intermediate results in files. Applications can generate a lot of file data, and once this application-generated file data exists on shared storage, it needs to be protected against excessive access.
No, were not talking about employees who store their movies and music on your enterprise file servers. Instead, think: digital recordings of calls between departments and external teams, video from security cameras, and even training and education materials such as podcasts and videos. Media files can be large, and when they are generated through ongoing business operations like contact centre recordings and surveillance videos, there can be a lot of them.
If, for example, your department is processing pharmacy refills or purchases made with credit cards, your media files are governed by regulations such as HIPAA and PCI, and must be protected. Similarly, you will want to make sure only those with a need-to-know can access your surveillance video.
Informal business processes
Files are sometimes just more practical, functional or convenient than formal systems. For example, despite the widespread deployment of contact centre software, your representatives may keep documents or spreadsheets to track ongoing cases, details that don’t fit in standard forms, or other information they want to have readily at-hand. These types of informal process files are often stored on shared file systems so that teams can communicate across work shifts and geographies. While these files facilitate more efficient business, they can expose sensitive or regulated data to too many users, depending on the nature of your business.
From this it can seen that a shared file data on a typical IT resource can be generated by a number of different people and departments, whose business functions can be almost as diverse as the data they create. The problem facing management, however, is how to manage that data on a cost-effective basis, and without impacting the overall security of the data concerned.
The task of effective – and secure – data storage is made more difficult by rising worries about rogue members of staff who, for various reasons, are prepared to break the security of their employers, and leak data to a third party.
Whether this is for altruistic or mercenary reasons is actually irrelevant, as the end result is still the same – an infringement of the Data Protection Act. Bottom line? IT managers need to understand the role that data plays in their organisation, before they plan their data handling strategies.