What’s that going out the door…it’s my data!

data-walking-368x400

Had a couple of interesting customer meetings this week where the same topic arose…

Both companies where looking at how to prevent data leaking out of their businesses or as the imaginative title of this article suggests, how to stop data walking straight out the front door.

The crux of the challenge, we all decided, was that there really was no magic bullet to the problem and certainly not one solution we could think of.

The solution to the problem is a multifaceted one, there is a range of things that these companies need to consider as they try to ensure that they mitigate the risk as much as is practicable…

What’s the risk then?

A good place to start…what risk are we actually talking about?

Well pretty sure we all agree that for many of us, data is absolutely critical to our business, in some industries the intellectual property contained within our data is our business, losing that we may as well close the doors and go home…

the intellectual property contained within our data is our business

and it’s not even the loss of intellectual property that can have a dramatic impact on our organisation, in the case of the two I spoke with this week, both of these businesses where liable to regulation that if certain types of data left the business and they couldn’t show that they had taken appropriate action to stop it, then they could lose a licence to operate, risk huge reputational damage, which would lead to loss of customers and significant loss of income putting the business at risk.

data_leakage_

The stakes pretty high then, but even if the stakes in your business are not quite that high, have a think about what the impact of inadvertently having sensitive data from your business been seen by people who you rather they didn’t, employees, competitors, press – all of these can have a hugely negative impact on your business both financial and reputational.

What to do?

Well as you take the time to read this BLOG it’s only fair that I try to help you protect your business and share some of the things that we felt where appropriate steps in the businesses we where speaking to, to help them prevent leakage of data.

Well as we said back at the start – there isn’t a magic bullet or one step process. A strong data leakage prevention strategy is made up of a number of things – so below are 5 things that can hopefully get you started –

1. Get buy in

Before you embark on what is potentially a complex solution – it’s important that you have buy in from key stakeholders in your business, you need top level support of course, but also ensure that everyone understands the impact of data leaking out of the business, the impact on long term security of every ones job.

2. Understand your data and how it is used 

Once we have buy in, it’s important we understand what our data is and who has access to it.

Use data governance tools such as Varonis DatAdvantage to get a full picture on where your data is, what’s contained within it and who has access to it.

Understand the results of your governance tools and ensure you apply appropriate data security so that we begin to limit the risk and that only appropriate people in your business have access to the data they need.

Oh by the way, knowing this is not a one off task, ensure that you constantly monitor for changes in access to data.

3. Understand the points of risk

Now we have a view of who has access to what and we’ve addressed any anomalies, let’s look at where data could potentially walk out the door.

It can start with corporate tools such as email and instant messaging, but increasingly cloud tools such as Dropbox, public cloud storage solutions and of course old favourites, USB sticks, smartphones, tablets and other mobile devices, all of these are routes out of the business, understand the tools that operate within your business those you know about and of course those you don’t (remember their are two types of Dropbox using businesses, those who know they run it and those that don’t!).

4. Securing the points of exit

OK, now we have an idea how the data can get out of the business, we need to start looking at securing it.

Although we used our data governance tools to ensure only the right people have access to data, who’s to say that the right people don’t accidently (or otherwise) allow data to leak out, and of course what if the right people aren’t the right people! (what if they’ve had a password compromised for example).

Again, this isn’t a magic bullet type of solution, there’s lots of tools working together to try and secure our networks.

For example, if you are a Microsoft house are you aware of some of the tools available to you?

Rights Management for example, the ability to assign controls on your data, so that for example a word document maybe can only be read and you can assign rights to it that say, outside of that, it can’t be printed or forwarded in an email.

As we alluded to above, this rights management can be extended into applications such as SharePoint and Exchange to assign rules to data, stopping them from been used inappropriately.

We can also add solutions above and beyond this, that can monitor data traffic as it moves around the network, looking for sensitive data before it moves outside the business, there are plenty of tools on the market that do this kind of deep inspection and blocking, the likes of Entrust, Comodo, Symantec and McAfee all have common solutions that can help enforce DLP policies.

Outside of this, look at those devices that leave you network, make sure you protect them, solutions such as WinMagic for encryption or Druva for mobile device DLP, alongside the big mobile device management players, ensuring that your mobile devices are secure, minimising the risk of data leaking from these devices once outside the business.

5. Education Education Education

Last but by no means least – educate, make sure you have polices and procedures in place, but not only that, make sure your users fully understand them and that they are front and centre in there minds, not only using clever technology (something like NetConsent for example) but, ensuring as we said earlier, that the entire business understands the risk and is bought into it, in the end all the smart technology in the world won’t help if your business just doesn’t care.

All the smart technology in the world won’t help if your business doesn’t care

Don’t get me wrong, this is no exhaustive list, however in those couple of meetings these where the kind of common steps we identified as things that a business should look at as it tries to mitigate the risk of data leakage.

In the end both of these businesses realised that they could only take practical steps to a reasonable level, if someone was absolutely determined to steal data and leak it out of the business it would be almost impossible to stop, however it was crucial that they took the appropriate steps to reduce the chance of data leakage apart from in the most extreme and determined cases of theft.

I hope some of these steps I’ve shared you find some practical use, I’ve listed a few resources from solution providers I’ve mentioned if you want to check out some further details on DLP for yourself.

If you’ve got some comments you think can help, please post them on here or of course you can contact me on twitter or Linkedin.

Good luck and don’t let your data walk out the door!

Links to some of the solution providers mentioned in this article;

Varonis

Microsoft Rights Management

WinMagic

Druva

Techtarget data leakage prevention article

Data Data Everywhere and it’s all the same

We’ve all heard the stories of how our data is growing exponentially and let’s face it our storage spend is probably backing that up, well certainly that’s what the CFO will tell you!

But how often do we stop and really think about why it’s growing and how to control it?

I had some of the traditional thinking about this challenged in an interesting way a couple of weeks back by an old friend who has just undertaken a new role with Actifio (www.actifio.com) and, as people from solution providers do, he was sharing some information on what they do and the value they provide, then he threw up the following information;

Copy Data

It certainly struck a chord with me, the numbers where based on some IDC figures and the basics of the graph are that a staggering 80% of the data in many organisations storage architectures is in fact copies of the production data sets.

according to IDC figures around 80% of data in production storage is copies of the production data set

As you can see from the graph above lots of that data is there for all the right reasons, dev & test, Backups, DR, so it’s not that the capacity is wasted or shouldn’t be there, its not all Johnny in accounts and his holiday snaps!

holiday-snaps

Well if all the data has a place and is valid, then what do we do about controlling it?

Firstly there are definitely  a number of technology solutions out there that can help – for example, I’ve worked with NetApp storage for around 9 years now and their message has always been incredibly strong about storage efficiency with some of the industries leading efficiency technologies around snapshots, de-duplication and compression, thin provisioning etc… many other vendors now bring these technologies to market, some do it well..some not so much…but the option is there…

What else can we do to control the growth of data in our organisations ? – I did a little research and came up with 5 tips that you can follow and then one thing you can look at as an emerging trend that may change the way you look at managing data in your business;

  1. Classify and understand your data – know where it is, who has access to it, even if anyone does access it
  2. Store it in the right place – we hear lots about automated tiering etc.…but maybe more importantly ensure you understand what storage tier your data should sit in and place it there at the outset
  3. Look at an archiving policy – if you’re applying pressure to your production storage, look at what is filling it and does it really need to be there – if no one has accessed data for 5 years does it need to sit on your production storage
  4. Manage data retirement – How much data is in your organisation that no longer has an owner, look at how a strong governance solution can identify this data and help you to remove or archive it
  5. Storage efficiency – earlier I mentioned NetApp and their storage efficiency technology, make sure if your storage solution can dedupe and compress then use it where you can.

Back to the start of this article and my meeting with the chaps at Actifio, where do they sit in this, well those tips are all great if the data we are talking about is no longer needed or can be shifted out of the production environment, but what if the data you need is still key and critical, if you think about the graph I showed, most of that data is key to the business, it’s part of DR and Backup, it operates in QA and Dev environments, so it is needed within that production environment.

How do we deal with that then? and that’s how this emerging trend of copy data virtualisation can help

Copy data virtualisation is an emerging trend for managing storage growth

what’s copy data virtualisation? – it’s the ability for a solution from companies like Actifio or Catalogic (www.catalogicsoftware.com) to take a copy of production data and store it outside of the production environment, but unlike archiving or traditional backups, the data is housed in such a way it can be manipulated and presented back to the business instantly for a range of uses, not only a really efficient model for backup and recovery but great for presenting test and dev environments, or presenting data to a data analytics solution or maybe extracting data and moving it to the cloud. All in all providing a hugely efficient and flexible way of handling the challenge of so many copies of our data sitting in production storage systems and as we all know, efficiency and flexibility is all part of the future for business IT.

Copy Data Virtualisation certainly addresses the data growth challenge in a new and interesting way, but don’t rule out the more traditional approaches we listed as well, data growth is only going to continue to be a massive challenge for all of us charged with delivering business IT services, regardless of size of organisation, don’t fear though there is plenty of tech out there to help, some great traditional approaches which are still hugely valid, but also some clever new emerging solutions that can change the way we manipulate and handle our data in the future.

Any questions please feel free to contact me on twitter or hunt me down on LinkedIn

Backups are broken…they are you know!

A bit of a statement I know – but for many businesses, it’s true, even if they don’t know it. To be fair, it’s not necessarily the techies fault, or even the fault of the solution, it’s normally broken because it was never really right in the first place…

Why wasn’t it right in the first place?

That’s partly down to people like me and a bit of the fault of the technology.

How this should really work is a business looks at it’s model of operation and looks then at the key systems and data that support it. It then looks at the costs associated with those systems becoming unavailable and makes a judgement on two things;

“How long can i do without that system?” and “How much data am I prepared to lose?”

Most  businesses have had backup solutions in place for many years and of course the problem with that, is historically the IT industry never really asked those questions.

What happened was, us technical folk would look at the data and then we’d look at the solutions, basically these solutions comprised of software that would move data off of primary storage to some secondary and even tertiary storage devices, these devices often would be taken from site (on a tape normally) and stored anywhere from the techies bedroom to some huge warehouse by the side of a motorway!

That sort of worked, it gave you secure backup copies of you data and got them away from your production environment, so in the case of a catastrophic failure you could recover your data to shiny new hardware when it became available.

So far so good you say… However the problem was the technology for doing this, was (is) so slow that straight away it starts to dictate your strategy.

How did that traditional approach let us down?

Our approach was based on a bit of software and a storage device to hold a copy of your data. The software would run a backup job and move data from the production environment to the storage device and your backup was done.

However these backups would often take many hours, because that’s how the technology worked, they had a high impact on the performance of the system been backed up as well, which meant running them during production time which meant systems became slow and unusable, so you’re then limited to running them outside of business hours.

However for many businesses hours have lengthened, which of course means the backup windows have shrunken, this has led to an issue where companies can no longer backup all of their data in the window available and many customers I’ve spoken to end up having to pick and choose which systems are important to backup and deal with the risk of “less critical” data and what happens if that gets lost.

So what we end up with is a solution that dictates the answer to the questions we posed earlier

“How long can i do without that system?” and “How much data am I prepared to lose?”

If we look at an example where we can backup our key data once a night and it takes 8 hours to run (rule of thumb is a restore takes around 3 times as long as a backup) – then the answer to the two questions above is;

I’m prepared to be without a key system and its data for around 24 hours and I’m prepared to lose a complete days worth of data (going back to the previous nights full backup – assuming it works of course!)

That is really the crux of why backup is broken for many organisations, many businesses I meet with are still in a situation where their business recovery strategy is dictated by the technology they deploy and not dictated by the needs of the business.

And if that’s the case for you, then your backup is not only broken it’s pretty much next to useless.

Let’s look at the example again, what if in that backup, they had a system that was hugely critical, the business assessed the risk and came to the conclusion that the business could not afford to be without this main system for more than 2 hours and could not afford to lose more than 15 minutes of data – so if that is the case then for them a solution that delivered the backup and recovery capabilities we outlined above is a complete waste of time.

What’s the answer then?

This is not a sales pitch, don’t worry – It’s safe to say at Gardner we have presented solutions to a whole host of differing businesses with very different recovery needs and there is a whole set of solutions out there to meet the most extreme of data protection and recovery needs, be that NetApp carrying out snapshots and backups at the storage layer, or the new breed of instant copy virtualisation based data protection vendors such as Catalogic or Actifiio, or technologies such as clustering and geographic replication, there are lots of technical ways to address the problem, what I wanted to leave you though was a couple of practical tips on how you can fix your backup.

Technology aside(just go with it exists to solve the problem) the starting point I always have when discussing this with a business exec, is carry out a few simple steps;

1. Identify your key systems and data

Know what’s important – understand what the systems and data repositories are and why they are important and what there loss means to the business.

2. Prioritise them

Understand the most important systems and put them in order of priority – your budget is probably not endless – so define the systems that need protecting first – often you can benefit from the solution that protects them, can probably protect all the other apps to.

3. Understand the impact

See if you can put a cost against the impact of losing the key systems you have defined – this will help in defining a budget for an appropriate solution.

4. Understand your recovery time objective (RTO)

If you lose a system, then based on its importance and the cost of the systems lack of availability, define how long as a business you can “stand” that application to be down.

Also define what you mean by recovery, take email for example, recovery can mean the ability to just send and receive email again and not necessarily have historic emails returned, that can possibly come later.

5. Understand your recovery point objective (RPO)

When the system is back, define how much data you are prepared to lose – think about our example, if you are happy to lose a day, then nightly backups are fine – however if you can only afford to lose 15 minutes – you need to think again!

I think once you have defined these 5 key areas, you can then start looking for an appropriate technical solution to your business problem, firstly look at does the system you have meet your needs and if not  find one that does. And when you’re looking, don’t get lost in the technology, just ask yourself the question, does the solution i’m considering meet by business data protection needs?

Hopefully this helps and you can ensure that your backup and recovery procedures work perfectly and your company data is secure and you’re not exposed because “your backups are broken”.