Policy and technology: the belt and braces of data protection

By Antony Adshead, UK bureau chief 24 Jan 2008 | SearchStorage.co.uk

Digg This!     StumbleUpon     Del.icio.us

At present there is little in law to force organisations to better look after data. The Data Protection Act is vague about the obligation to not let data fall into the wrong hands, with a breach only considered to have occurred if the lost data is misused. Unlike the US, British organisations do not have to disclose data losses either, although most do to lessen the negative effect on their public standing that is likely to occur if they don't. Public sector organisations are also free from the threat of prosecution under Crown Immunity.

I don't think there should be mandatory encryption...in all circumstances Guy Bunker Chief scientist, Symantec

So, do we need a change in the law? Should encryption of data or disclosure of losses be enforced? It is difficult to find anyone in the industry that thinks so.

Guy Bunker, chief scientist with Symantec, says mandatory encryption would impose an intolerable overhead on British business.

"I don't think there should be mandatory encryption for these types of media in all circumstances," he says. "Managing keys is very time consuming and needs good processes to avoid problems. We don't want to be making it more difficult to do business than necessary."

Neither should disclosure be made mandatory, says Hamish Macarthur, chief executive of analyst group Macarthur Stroud International.

"We don't need a change in the law to enforce disclosure," he says. "Naturally it is good to see egg on the faces of organisations that lose data but we don't live in a perfect world and if disclosure was enforced insignificant cases could be blown out of proportion with more damage than is warranted to the business, its customers and business partners."

The key to best practice is a combination of good processes and culture plus technological solutions, with the emphasis on the former.

Fundamentally the responsibility needs to be placed on the CIO and from there down to all employees who handle data that is in any way sensitive, says MSI's Macarthur.

"The CIO needs to be very clear about the level of responsibility that needs to be shown towards the organisation's information assets," he says. "And that point also needs to be made to individual employees."

MSI research has found that where staff members know they are responsible for data and that their reputation and credibility and their chances of getting a job in future will be affected, they take it seriously. That is also the attitude of Dave Lipsey, infrastructure manager with the Ordnance Survey.

If people are stupid enough to download information they don't really need from central servers they should be sacked Dave Lipsey Infrastructure manager, Ordnance Survey

"If people are stupid enough to download information they don't really need from central servers they should be sacked," he says. "It's not to do with security or encryption but with bad work practices. Data is held on central servers for a good reason - because there is a lot of it and it needs to be held securely, and it needs to be managed and backed up."

There's no doubt that individuals taking personal responsibility for data would have meant some recent losses were avoided. But is the threat of career-limiting sanctions enough? Such awareness among staff has to become part of an organisation's culture, and cultures aren't created overnight, especially in workplaces where contractors come and go. Best then to add technological braces to the cultural belt, says, Quocirca service director Clive Longbottom.

"It's easy to say that IT or the business should put in place policies that forbid employees from taking out such information," he says. "However, employees are renowned for paying no attention to policies, and therefore, something more technically efficient has to be put in place."

In fact what's needed is a carefully blended set of people-oriented policies that can begin to form a culture that treats sensitive data with the care it deserves, allied with appropriate technology. The latter can be quite simple things, such as using the internet to access central repositories of information rather than carrying data offsite.

In circumstances where a culture among staff is a difficult thing to bring about, perhaps where there is a high turnover of contractors, such as in large public sector organisations, then making copies of data – as happened at the Revenue – needs to be made more difficult. A federated database architecture, such as the master data model, can effect this.

Of course there will always be a need for some roaming users to have access to data off-line and IT departments should have policies and procedures in place that dictate what information can and can't be taken off the premises, says Donal Casey, security consultant with Morse.

"Businesses need to put measures in place to make certain that all devices are not only password protected but also that any sensitive corporate information is encrypted, ensuring that if a mobile device does go missing, any sensitive information contained within is still protected," he says.

This can range from full disk encryption for laptops through to password-protected USB sticks that can be disabled if lost.

Such technologies are widely available, and the policies needed to make people responsible for sensitive data are not rocket science. Clearly though the awareness that these need to be implemented is taking some time to sink in, says Jon Collins, service director with analyst group Freeform Dynamics.

"Technologies exist to protect people from their own behaviours, and policies need to be implemented to ensure the risks of such behaviours are minimized," he says.

"This is not new, but clearly, there are still plenty of organisations that are yet to emerge from the primeval swamp when it comes to implementing appropriate levels of security practice," says Collins.

Tags: Secure data storage,  Remote data protection,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Secure data storage Data storage compliance in the UK Encryption key management is vital to securing enterprise data storage Continuity Software adds disaster recovery service-level agreement management to RecoverGuard Avoid data migration project failure: Five best practices Storage encryption technology options for UK storage managers Encryption key management challenges Using continuous data protection (CDP) for data backups Explaining RAID levels and RAID data protection Council uses continuous data protection to protect sensitive files The difference between continuous data protection and snapshots Remote data protection SunGard adds EMC Data Domain deduplication to Secure2Disk cloud data backup service Cloud storage success depends on trust Symantec injects data deduplication into NetBackup 7 and Backup Exec 2010 i365 makes cloud data storage connection with CA Recovery Management Is cloud data storage right for your IT infrastructure? Rackspace's Jungle Disk preps cloud data backup Server Edition Explaining RAID levels and RAID data protection The role of remote replication in enterprise data storage Iron Mountain Digital to add e-discovery features to PC cloud data backup service Formulating a remote-office data backup and recovery plan

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary