Posts from category "Data Security Blog"

Security May Be a Big Driver of Tape Adoption Says IBM

During our recent visit to IBM Executive Briefing Center in Tucson, AZ, we had a chance to chat with IBM big brains about the future of tape technology and drivers of the current tape renaissance.  Here's what they said about the role of security concerns in tape adoption.
Thanks to IBM for having DMI out for the briefing, and especially to Calline Sanchez, Tony Pearson, Lee Jesionowski and Ed Childers.

Data Protection and Data Security: Together at Last?

Anyone who has been around the corporate data center for a couple of decades has probably grown accustomed to seeing separate disciplines and/or departments for data protection/disaster recovery planning and information security.  Such a distinction has deep historical roots, but one must wonder whether it still makes any sense.

Data protection is part of disaster recovery planning (or business continuity planning if you prefer), which is a set of strategies and processes for preventing avoidable "disasters" (unplanned interruption events) and for minimizing the impact of disasters that cannot be prevented.  Data protection is central to DR because, aside from personnel, data is a unique corporate asset that cannot be replaced.  The only way to protect data is a strategy of redundancy:  make a copy and store the copy sufficiently distant from the original so that the same disaster event cannot destroy both the original and the copy.
In addition to disaster avoidance and data protection, a good DR capability also includes provisions for application, network and user recoveries, plus processes for testing, training and change management.  DMI provides a data protection/disaster recovery planning course and certification (Certified Data Protection Specialist or CDPS), by the way, if you are assigned the planning task and need some guidance.

Information security planning is very similar to DR planning.  Structurally, it aims to protect mission critical business processes and data assets, but it uses a number of interlocking strategies that are unique to security.

Infosec has developed its own vocabulary and its own set of strategies for securing applications, networks and facility perimeter and endpoints, and of course, data assets.  Then, these strategies are supplemented by processes for active monitoring and periodic review to ensure that security provisions are keeping data private.

There is usually very little communication between the DR folks and the Infosec folks, except when DR needs to be concerned about recovering data that may be encrypted, or gaining access to an application or set of infrastructure in an emergency that is otherwise locked down by security's access control systems.  Conversely, the Infosec folks may only interact with the DR/data protection folks to ensure that continuous data protection capabilities are being deployed and leveraged to enable quick restore following a malware attack or a ransomware attack by "rewinding" data to a point before the attack occurred.

Both disciplines have much to learn from each other. DR, for example, has already flirted with nutty quantitative techniques for matching protection services to specific data given the threats to the organization, business unit, or infrastructure.  These quantitative methods, Single Loss Expectancy and Annual Loss Expectancy, were silly on their face and have been mostly abandoned by DR planners today.  The key problem with such techniques is that they require planners to have meaningful data regarding the probabilities of threat potentials being realized.  We have over 100 years of hurricane tracking data, but no one knew for sure when or where a hurricane was going to strike the US mainland in 2017.

Security is moving down this path, at present.  Attack surface reduction modeling techniques are the same sort of quasi-scientific, quantitative-sounding methodologies as ALE and SLE in the DR world.  Some view them as an improvement over the threat/cost modeling that was used by many Infosec practitioners in the 1990s, but not by much.  Back then, we were told that the cost to protect should not be significantly greater than the cost to bad guys to circumvent the protection.  Only, the relationship was asymmetrical:  the bad guys incurred little to no expense to test the security of their targets or to defeat the measures that were being taken to keep them out.
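The objection above to SLE/ALE style planning (that the output is only as good as the probability guess feeding it) is easy to see in code.  The following is an added example, not DMI courseware or anything from the original post: it computes SLE and ALE in the textbook way, then evaluates ALE at both ends of a planner's plausible ARO range and shows that the resulting threat priority order flips depending on which guess is used.  The `Exposure` fields, the threat names and every figure in `SAMPLE` are constructed for illustration and do not come from any real assessment.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    """One threat/asset pairing as a DR planner might record it (hypothetical fields)."""
    name: str
    asset_value: float       # cost to replace or recreate the asset, in currency units
    exposure_factor: float   # fraction of asset_value lost in a single incident (0..1)
    aro_low: float           # lowest defensible annualized rate of occurrence
    aro_high: float          # highest defensible annualized rate of occurrence


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor: the loss from one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year, only as good as the ARO estimate."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return round(sle * aro, 2)


def ale_interval(exposure: Exposure) -> Tuple[float, float]:
    """ALE evaluated at both ends of the planner's ARO interval."""
    sle = single_loss_expectancy(exposure.asset_value, exposure.exposure_factor)
    return (annual_loss_expectancy(sle, exposure.aro_low),
            annual_loss_expectancy(sle, exposure.aro_high))


def rank_by_ale(exposures: List[Exposure], end: str = "low") -> List[str]:
    """Threat names ordered by ALE, largest first, using the low or high ARO estimate."""
    idx = {"low": 0, "high": 1}[end]
    return [e.name for e in sorted(exposures, key=lambda e: ale_interval(e)[idx], reverse=True)]


def spread_ratio(exposure: Exposure) -> float:
    """How many times larger the high-end ALE is than the low-end ALE for one threat."""
    low, high = ale_interval(exposure)
    return round(high / low, 2) if low else float("inf")


# Constructed sample data: made-up figures for illustration, not from any real assessment.
SAMPLE = [
    Exposure("ransomware", asset_value=2_000_000, exposure_factor=0.4, aro_low=0.05, aro_high=1.0),
    Exposure("flood", asset_value=10_000_000, exposure_factor=0.6, aro_low=0.002, aro_high=0.05),
    Exposure("insider leak", asset_value=500_000, exposure_factor=1.0, aro_low=0.1, aro_high=0.3),
]

if __name__ == "__main__":
    for e in SAMPLE:
        low, high = ale_interval(e)
        print(f"{e.name:13s} ALE {low:>12,.2f} .. {high:>12,.2f}  (x{spread_ratio(e)})")
    print("priority at low ARO :", rank_by_ale(SAMPLE, "low"))
    print("priority at high ARO:", rank_by_ale(SAMPLE, "high"))
```

With these constructed inputs the low-ARO ranking puts the insider leak first and the flood last, while the high-ARO ranking puts ransomware first and the insider leak last; the ALE for a single threat spans a factor of 20 to 25 across its ARO interval.  Nothing in the arithmetic tells the planner which end of the interval is right, which is exactly the data problem the paragraph above describes.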

There is much more to this story, but DMI members who are interested should probably take the DMI workshop for Certified Data Security Specialists (CDSS) to get more information.

Bottom line:  DR and Infosec should be working together going forward in all aspects of data protection planning.  Moreover, both DR and Infosec ought to be subsumed under the rubric of cognitive data management in the future, since both data protection and data privacy/security are actually best delivered as services associated with data based on granular, business-savvy policies.

Welcome to the Data Security Blog at DMI

If the recently reported malware and ransomware attacks on businesses and governments have you worried, or the data disclosures following hacks of IT resources or client devices have you concerned, you are not alone.  Data security is on everyone's mind today and data security services are key to effective data management going forward.

This blog is intended to serve as a discussion area for data managers seeking to understand the nuances of data security technology, data privacy strategy and best practices.  We don't claim to be experts, and in fact we wonder if there are any real experts in this field, but it is our hope that collectively, by sharing experiences and insights, we can arrive at a better understanding of data security and data privacy services and how to apply them intelligently to our data assets.

With data security, as with other data management activities, a business focus is key.  There is no one-size-fits-all data privacy or security service.  Effective security requires the interoperation of many layers of technology and training to eliminate potential threats that can be eliminated and to reduce the impact of threats that persist.

We hope that DMI courseware on data security will aid in establishing a basic knowledge about security practices and we hope to reinforce that training here.  Periodically, we may conduct interviews with domain experts in various aspects of security and post those interviews here.  Plus, we are always writing articles and blog posts on security news, standards work, technology innovations, and strategy elements that will find their way onto these pages.

Please help us to make the Data Security blog successful.  Register to comment and contribute your views -- whether they take the form of product reviews, recent events, or insights drawn from your experience.  All views are respected here, though we hope to stimulate robust debate to achieve a more intelligent and critical viewpoint of security services.  Thanks, and welcome.