Popular Policies: Keeping Storage Secure
Secure storage of data has always been essential for any organisation, of whatever size. In the past this involved accurate filing of paper records, and then keeping the physical archive secure – whether it was simply locking a filing cabinet, or guarding an entire building. Modern business technology may have virtualised much of this function, but the principle remains the same: preserving an accurate record of business activity, and ensuring that it is readily accessible to those who require it.
What has changed, however, is the regulatory environment within which many organisations now operate. Corporate governance legislation demands that certain information is retained securely, particularly when it relates to the financial management of the company and the manner in which it interacts with customers. Furthermore companies are required to manage their operational risks effectively through business continuity, which also relies on essential information being securely stored. As a result of recent high-profile cases of infringements, the regulators have become more vigilant, focusing on preventing any breaches, rather than post facto investigations. As a result secure storage and the protection of stored data has zoomed up the corporate agenda, and organisations need an effective policy for managing it.
There are three elements to any policy: people, processes and technology. It is tempting to focus almost exclusively on the IT, at the expense of everything else, and it is easy to see why. There are numerous technologies available for securing storage that operate at several levels. The data that is being stored can itself be secured through the use of encryption; digital certificates and watermarks; file splitting; or even highly locked down pdfs that prevent records being tampered with once they have been created and saved. In addition, the storage systems themselves can be protected. A new generation of wide area and caching systems can be used in conjunction with encryption technologies to preserve data when at rest, in transit or at presentation. Record management systems and storage-specific WORM (Write Once Read Many) products are also available to enhance archiving and storage security.
But, no matter how intelligent and sophisticated the technology, it is still subject to the whims of users. It’s much harder to change human behaviour than it is to install systems. Ignoring the other two elements of the policy – the people and the processes – will inevitably compromise the capability of the technology to protect stored documents, databases and other information. Any policy must therefore take into account the way that employees currently work and should not constrict their ability to carry out their day to day tasks by introducing overly complicated procedures, and unnecessary red tape. People will simply find the easiest route to carrying out their job: and if that means bypassing the security policy then that is what the majority will do. If major behavioural changes are required, then these need to be carefully planned and gradually introduced.
Consider this scenario: a busy senior executive gives his PA his password to check his email, and with it all his access privileges to stored data. It’s not an uncommon event, but it does present a potential security risk. Even if a policy forbids this, the chances are it will still happen, simply because it is the most convenient way for the senior executive to fulfil his role.
When it comes to writing the policy and considering the procedures required, the business needs to answer several questions. First of all: what gets stored? Clearly it is impractical to store everything – indeed it runs the risk of breaching either the Data Protection or the Human Rights Acts. So choices need to be made. Organisations also need to ask themselves where the information will be held? If only the essential documents are stored the implication is that they will need to be retrieved at some point. Accessing it in the future is going to be much more time consuming and inefficient if their whereabouts isn’t planned and recorded – not knowing where corporate knowledge is held is just as dangerous as not having good data security policies.
Which leads to the next question: what happens to the data once it has been stored? Who is going to look at it? And, equally important, who is not? Security is all about maintaining the confidentiality, integrity, and availability of information and proving non-repudiation. All the security technology in the world come to nothing if there is no way of controlling who can access the archives. And, with the increased need for reliable audit trails in mind, the enterprise also needs to prove who has, and hasn’t been viewing saved records and indeed, who has made copies.
Organisations need to address this issue from two angles: classifying the information, and identifying the user. Document management and identity management technologies are therefore two of the most crucial elements for any storage security policy. Most businesses underestimate how much data they produce: technology, especially email, has enabled unprecedented levels of duplication and filing anarchy. Unless a company has been exceptionally meticulous in its IT use there is usually little or no knowledge of what information has been created. Document management procedures will identify which records, files, and data need to be secured, and how long they need to be saved for.
Identifying and classifying the information involved is the first step to ensuring that only authorised personnel have access to it. The next is to allocate access privileges to individuals, based on who they are and the role they fulfil. User authentication, based on comprehensive identity management, therefore plays an essential role in keeping storage secure and will be able to provide the three As of any security measures: authentication, authorisation and audit. Furthermore, by making it easier to integrate data storage with desktop access, identity management assists the organisation to fulfil the first criteria of its security policy: making it user-friendly.
The final consideration for the storage policy is that it must be communicated to the user group. There’s no point in having a carefully drafted plan of action if no one knows about it. Education is essential, and is the responsibility of not just the IT or risk management team, but also business managers and HR. But with everyone involved, and an effective programme of communication in place an appropriate policy for secure storage will ensure that investments made in data encryption and the like will be maximised, and that an organisation need not fear a visit from the regulators.
Electronic data is now essential for modern business and information management, and security, policies form the instruction set by which it will be used. This in turn forms one of the key foundations for best practice business operations.