The IT infrastructure needed to ensure data protection is an increasingly thorny issue especially in an age where data is being proliferated throughout an organisation.
Private data is being sent by email, copied onto services like DropBox and moved onto smartphones and tablets.
Breaches like the recent attack on eBay, which led to the auction site asking each of its 200 million customers to change their passwords, illustrate that even the largest, net-savvy organisations can be vulnerable.
And in many ways, smaller organisations are just as vulnerable - as they expose more services online they increase their risks. Yet few can say they have experienced the level of attacks that the internet giants tackle every day.
Building an infrastructure to enable privacy and conform to data protection laws was the subject of the May CW500 Club meeting of IT leaders in London.
Keith Bucknall, head of strategy and architecture at Equity Insurance Group, who presented at the event, said: "The data protection challenge for us is that we are in the financial services sector, we hold a lot of personal data, which means we have to conform to the Data Protection Act and we are in a heavily regulated environment."
Read more CW500 articles
From an IT infrastructure perspective, Bucknall believes data protection must be built into the core of business and IT operations.
“Data protection has to start with the central datacentres. We are currently going with a major transformation programme and data protection and privacy is key," he said.
Equity Insurance is in the process of moving from old fashioned IT and turnkey systems, and has the challenge of maintaining data protection during the transformation programme, while running day-to-day business operations.
"We have challenges similar to the bring your own device trend, in the proliferation of ways people want to access more data," he said.
Security impact of transformation programmes
In essence, at a project level, large transformational programmes involve moving from system A to system B. The technical challenge boils down to marrying up the data between the old and the new system, said Bucknall.
Sometimes, however, it may not always be the best course of action to mirror data across from the old to the new system. At Equity, Bucknall used the migration as an opportunity to ask the business how much data it really needed to retain. Clearly, if less data is transferred onto the new system, there is less of a risk of something going wrong.
We had to ask the business whether it needed all the data. Do we need it from a compliance point of view? Do we need it from a regulatory point of view? Or can we start removing data
Keith Bucknall, Equity Insurance
He said: "We had to look at some very old data retention and archiving rules." From an IT perspective, this assessment of data retention policies was beneficial to the upgrade of IT systems.
"We had to ask the business whether it needed all the data. Do we need it from a compliance point of view? Do we need it from a regulatory point of view? Or can we start removing data and cleanse the data [we import into] the new system?"
Such questions may not be considered appropriate or relevant on a project by project basis, but Bucknall needed to think about data retention as part of the overall transformation strategy.
“We are a very small team and we had many challenges around time and resources. But one thing I have been keen to push is to bring up the team's awareness of this data and the awareness of the business in terms of who actually is responsible for the data within our company,” he said.
So when migrating data to a new system, less data to move means less data cleansing, and there is less data that needs to be extracted, transformed and loaded into the new system. As Bucknell’s experience shows, if certain archives are no longer needed by the business, why keep them?
Balancing openness and usability with security
“Most organisations will have a CEO, but while the University has a vice chancellor, it is largely governed by consensus and the faculties have quite a lot of independence," said Mike Cope, IT director at University College London, another speaker at the CW500 Club event. "There is also a cultural challenge for the organisation in driving change."
Describing the infrastructure and the data security challenges it poses, he said the university does not have the concept of an intranet site and internet site. There is only one site, the IP addresses are directly connected to the internet and 75% or more of the devices at the university fall into the bring your own device (BYOD) category.
We have to understand the nature of the data and acknowledge [the balance] between security and usability
Mike Cope, University College London
"Our business is scientific research, with medical research relying on medical data, patient data and geo-location. But security is all about the people," he said.
To protect data like medical records, Cope has adopted a tiered strategy and uses security zones to segment secure data from more open parts of the university’s network. So patient data for medical research resides in a secure part of the network - and Citrix is then used to gain access to it.
He said: "We have to understand the nature of the data and acknowledge [the balance] between security and usability. We try to balance the security we apply to the data to ensure we can maximise its usability."
Evolving definition of privacy
Trends like wearable technology, the internet of things and digitisation will put push the limits of IT infrastructure, according to CW500 Club speaker Mark Skilton, professor of practice in information systems management at Warwick Business School. In his presentation, Skilton discussed the impact of digitisation on security.
He said organisations that collect such data need to determine what type of data is being recorded. They should assess what is copyrighted, and determine how the data should be classified from a privacy perspective.
Having spent 30 years in IT, Skilton said he is always amazed by the speed of change in the industry. “There is a shift to online business and 80% of services run completely online. For booking a flight or going on the Tube we are using some kind of online service," he said.
Who are you buying services from? Where does the service send your data to and have you given consent for them to use that data?
Mark Skilton, Warwick Business School
But, according to Skilton, the IT department needs to appreciate the perimeter that defines its responsibilities as it relates to protecting and securing data. As businesses expose more information, they are more exposed to cyber security threats.
With surveys showing that over 79% of organisations have had some form of cyber attack, Skilton believes assurance, monitoring and disaster recover are key components in a data infrastructure. "Going forward, companies need to have a digital cyber security strategy because the threats are increasing," he said.
Social media, cloud and big data create a significant set of digital ecosystems, which have consequences for cyber security. Speaking on the recent eBay security breach, Skilton said there is an erosion of where data management occurs, and this has an impact on security.
It could be password and single sign-on or it could be to do with the storage, isolation and control of the data behind the scenes, and not all data is under the control of the business. These are all potential weak spots from an IT infrastructure perspective, in terms of security threats.
Skilton added: "Things are not quite what they appear to be. Is it fair that Google keeps all the data? Who are you buying [external] services from? Where does the service send your data to and have you given consent for [the service provider] to use that data?"
According to Skilton, companies are starting to look at the perimeters and asking questions about their responsibility in terms of the data they are responsible for. He said IT departments should ask: “What is my domain of isolation? What sort of data is being held in a device? What can it access and what perimeters does it connect with?”
Risk assessment from network to the value of data
Skilton said a key question for IT departments is how they measure risk. Due to the effects of networking, IT cannot simply measure the number of network connections.
"Companies are starting to use big data analysis to measure the value of connections. The metrics have changed from measuring the volume of data to measuring the quality and threat ratio of the relationships," he said.
Read more about data protection
- Where next for the new EU data protection regulation?
- Protect your business by encrypting the network
- BYOD: data protection and information security issues
- Computer Weekly Buyer's Guide to data security
- Essential guide: EU Data Protection Regulation
When communicating this to the board, he said IT leaders need to present a two-by-two matrix showing what measures are critical to the business and what may be considered less important.
He said: "We definitely need the IT department and a professional IT practice. The focus of a digital strategy should be about classification, service management, boundary management and legal policies." Skilton said IT needs to think about how to communicate issues such as digital risk.
IT is changing. There is a new generation of workers and IT cannot ignore this. At the same time trends like social, mobile and big data should raise questions on the robustness of IT infrastructure, especially in IT's ability to tackle unforeseen attacks. Equity Insurance's Bucknall said: "I would advise IT managers to recognise these changes and when you are looking at policies, work really closely with the business and get the buy-in."
Such collaboration across the business is vital especially when IT needs to make the best use of resources, as Equity Insurance's transformation programme illustrates. Segmentation of infrastructure, like at University College London, can be used to provide controlled access to a largely open network.
Skilton recommended that IT should understand which bits of the infrastructure fall under its control. Where external providers are used, IT needs to ascertain the provider's level of responsibility in terms of its ability to secure the infrastructure.