Three Steps to Manage, Protect and Secure Data in 2016

 Jaspreet Singh<br/>Druva Jaspreet Singh

Jaspreet Singh is CEO of Druva.

To say that we live in a data-rich world is an understatement.

Every day, we create and store 2.5 quintillion bytes of data. In fact, 90 percent of the data in the world today has been created in the last two years alone, according to IBM. The amount of data created on digital information platforms daily is eight times greater than the information stored in all of the libraries in the U.S. (source: LexisNexis, 2015).

Exponential Data Creation

In addition to this exponential data creation, the mechanism for storing, managing and protecting these massive volumes of data has changed. We now live in the era of the “borderless enterprise,” a fluid and adaptable ecosystem whose resources are accessed, used and shared via mobile, social and cloud. Historically, IT had full control of protecting data, and data was centralized in a company’s data center. During the last few years, mobility and the cloud have literally pushed data out of the data center and onto various devices. Rather than remaining under control and saved on central IT systems, data is increasingly being created on mobile devices and laptops that never touch the corporate network.

According to a Ponemon Institute study, 44 percent of corporate data stored in cloud environments is not managed or controlled by the IT department. As a result, enterprises are tasked with protecting data amidst an increasingly dispersed data landscape while also keeping this data compliant with regulations, enterprise policies, global data privacy and industry-specific regulations (HIPAA, GLBA, COPPA). Also, as recently as November 2015, analyst firm Gartner found that employees would have four personal computing devices that they could use for work by 2018, over and above any corporate IT assets that might be provisioned for them.

Data Protection: More Devices, More Channels

In addition to an increasing number of devices in the enterprise, business is being conducted via more channels than ever before. Rather than email, phone and documents being the formal communication channels, there are now additional channels that have to be supported. Instant messaging and chat apps may be used for real-time communications, while text messages and social media are also used to share work-related information. These text or IM messages may never touch official company IT assets, yet they may have a material impact on company decision making.

How do enterprises then manage and protect data coming from different devices through a variety of channels? This proliferation of new devices and channels represents a huge change when it comes to handling and managing data. For companies, this move from the center to the edge – this decentralization – means that data protection and compliance have to evolve as well.

Compliance Changes

Let’s talk about compliance. In addition to HIPAA and GLBA, there are many mandates and regulations businesses need to keep top-of-mind. The recent EU General Data Protection Regulation (GDPR) on data protection clearly defines personal data and provides a common set of mandates across 28 countries, including provisions for data handling, cloud computing, data breach notification (and including mandates for companies doing business with EU companies). What does this mean for businesses? Enterprises will need to examine their approach to handling and managing customer data – both for general data protection and for more specific compliance mandates.

Data Protection and Compliance: What Companies Should Know

There are three steps that organizations can take to plan ahead and improve collaboration when it comes to protecting data and meeting compliance-related regulations:

Step #1: Recognize that data protection and compliance are two sides of the same coin. When done right, data protection practices protect the business at all times, capturing all data that employees create across the business and moving it to a secure secondary location. Compliance doesn’t work the same way; while there may be processes that have to be “compliant” in order for the business to run its operations, the team will tend get involved when there is a change in regulation or a need for an audit to take place.

This compliance investigation will normally demand a huge amount of time and effort to complete as the IT team searches across company files, emails and records for the required information. This workload can be reduced through smarter auditing and management of data ahead of any incident, particularly when it comes to data that might live on mobile devices.

Step #2 – Move from reactive compliance to a proactive approach. As I mentioned above, compliance teams tend to operate in reactive mode to audits, as many events can’t be forecasted. While there are some tasks that may come up every year – including auditors coming to check on financial performance – the most critical compliance events cannot be predicted. This is where an external incident can lead to a full-scale audit, and where the availability of all information and data is required to meet the demands of that audit. In this case, speed of providing information will be essential to that audit.

This approach requires two things: Automating the process of meeting any relevant compliance regulations, and automating how any files or data are classified as they are created across the business. To automate the overall process, it’s important to check which regulations apply to any part of the business first and then work to define how the requirements can be met. Alongside this, sensitive information such as personal health information (PHI), personally identifiable information (PII), personal credit information (PCI) and confidential Intellectual Property (IP) information may be created or used within new files or data all the time.

As new files are created, they can be automatically checked for any information that should be handled for compliance, and then put through the necessary process. By making use of more automation, the data protection and compliance teams can quickly assess and take corrective action for non-compliance on regulated or policy-managed end-user data.

Step #3 – Cover the whole enterprise, not just the center. As mentioned earlier, a great deal of computing and data creation is taking place at the edge of the organizations – from remote workers on multiple devices.

All these employees are creating data and files that have to be stored somewhere; the challenge is that there is often no official process for controlling and protecting that data. Rather than focusing on the central IT systems, the move to remote working and greater use of cloud applications means that organizations need to focus on the endpoint instead.

As we produce, access and manage data on more devices within different channels from disparate locations, proactivity will be key to organizations’ survival. Proactivity, collaboration and planning are prerequisites for getting ahead of the data protection and compliance curve – and staying one step ahead.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.

Add Your Comments

  • (will not be published)

One Comment

  1. Protect and Secure Data: HIPAA, GLBA and PCI compliance extends all the way through the decommissioning process. When disposing of equipment and associated hard drives data privacy laws require companies to 1) use "reasonable" efforts, 2) perform due diligence on third party data destruction vendors, 3) use a digital media destruction method appropriate for the security level of the data itself. Ever since onsite hard drive shredding has become available - erasing and unsupervised offsite shredding may no longer be deemed "reasonable" or appropriate. See NIST 800-88 for data security levels and appropriate destruction processes.