Keeping data stored safely means finding a balance between accessibility, protection and staying within the law, says Correy Voo
In business, the secure storage of data has always been essential. Modern technology has virtualised much of the traditional filing and storing function, but the principle remains the same: preserving an accurate record of business activity and ensuring that it is readily accessible to those who require it.
What has changed is corporate governance legislation, which demands that certain information is retained securely, such as that relating to the financial management of the company.
Furthermore, organisations must manage their operational risks through business continuity, which also relies on secure storage. As a result, the protection of stored data is much higher up the corporate agenda, and organisations need an effective policy for managing it.
There are three elements to any policy: people, processes and technology. It is tempting to focus almost exclusively on the IT because there are numerous technologies available for securing storage. The data itself can be secured using encryption; digital certificates and watermarks; file splitting; or even highly locked down PDFs. In addition, the storage itself can be protected by wide area and caching systems that can be used in conjunction with encryption technologies.
Record management systems and storage-specific WORM (Write Once Read Many) products are also available to enhance archiving and storage security.
No matter how intelligent and sophisticated the technology, it is still subject to the whims of users. Ignoring the people and the processes elements of the policy will inevitably compromise the security of your storage.
The policy must not constrict employees' ability to do their job by introducing unnecessary red tape - people will simply bypass the security policy. If major behavioural changes are required, these need to be carefully planned and gradually introduced. Education is essential, and is the responsibility of not just the IT or risk management team, but also of business managers and HR.
When it comes to writing the policy and considering the procedures required, the business needs to answer several questions. First: what gets stored? It is clearly impractical to store everything - and it risks breaching either the Data Protection Act or the Human Rights Act. Organisations must then decide where the information will be held.
If only the essential documents are stored, the implication is that they will need to be retrieved at some point - not knowing where corporate knowledge is stored is just as dangerous as not having good data security policies.
And finally, what happens to the data once it has been stored? Who is going to look at it? And who should be barred from doing so? Security is all about maintaining the confidentiality, integrity and availability of information and proving non-repudiation. All the security technology in the world comes to nothing if there is no way of proving who has been viewing or copying saved records.
Organisations need to address this issue from two angles: classifying the information, and identifying the user. Document management and identity management technologies are therefore two of the most crucial elements of any storage security policy. Document management procedures will identify which records, files and data need to be secured, and how long they need to be saved. The next step is to allocate access privileges to individuals, based on who they are and the role they fulfil.
Electronic data is essential for modern business and information management, and security policies form the instruction set by which it will be used. This, in turn, forms one of the key foundations for best practice business operations.
Correy Voo is head of business technology for BT Global, which is exhibiting at Storage Expo