The high importance of data protection is top of mind these days – specifically in light of some high-profile cases of data loss in the UK. News of some potentially impending legislation this side of the pond has again drawn attention to the issue of how companies look after customer data.
The story that caught my eye is here – and covers news that a European Commission review of data laws will require data-breach notification from a wide range of businesses. Initially this will be aimed at telcos but there are no reasons I can see why the legislation will not be extended to other businesses.
When we talk data breaches we’re often talking about firewalls, DMZs, access control, encryption technology – the standard tools and techniques used to secure data within the corporate network. However, I also think this is very much a storage story as well – specifically in terms of how customers archive sensitive data.
If this legislation is passed we will need to find a happy balance between vigilance and pragmatism. What we don’t need is a situation where every single potential data breach is reported, causing panic every time there is the slightest possibility of information falling into the wrong hands. This will result in a situation very much like that faced by the ‘Boy who cried wolf’. People will soon turn off, and then the legislation becomes meaningless. We need a system whereby organisations have a measured approach to assessing the extent of any potential breach and what data may have been compromised.
If we are going to achieve this balance then companies will have to put in place the procedures and technologies to give them a very granular view of what data is stored where. Helping customers achieve this for archived data is one of the reasons why Spectra Logic became a founding member of the Active Archive Alliance. AAA has been set up to address some of the barriers which stop IT departments achieving the kind of satisfactory archiving architecture described above.
Much of the confusion around archiving has been caused by conflicting messages put out by vendors as well as a lack of integration between technologies at various levels of the overall archiving stack. Active archive environments are a better way to classify, manage and route data. From the point of creation, data in an active archive can be classified as sensitive (if necessary) and then managed within a framework of policies which govern where and how it should be stored, including the level of protection it should be given.
If Active Archives can help customers achieve these levels of granularity in the governance of archived data then we should be able to find a balance which makes this forthcoming legislation enforceable and valuable. Ideally we will get to the stage where data breaches simply cannot happen, but that is unrealistic. What should be realistic is having IT departments know exactly what data is where within their infrastructure and how it is being stored. This should ensure that we’re not inundated with ‘false-positive’ warnings and that when a company cries “Wolf!” the villagers lock their doors!