Contemporary realities mean stored data and backups are subject to an ever growing list of regulatory and legal frameworks. These govern how data can be stored, who has access to it, and its integrity, all through its lifecycle.
So, what are the key challenges to compliance in 2015?
In this podcast, Computer Weekly storage editor Antony Adshead talks with Vigitrust CEO Mathieu Gorge about the top five challenges to compliance in storage and backup, including data growth, regulation by the EU and in the US, the threats from mobile data and the long shadow cast by legacy data.
Mathieu Gorge: The first thing I’m going to do is go over the top five issues that impact compliance around storage and backup this year and into next year. Then I’ll go over the solutions that potentially address some or all of those challenges.
Challenge 1: data growth
The first challenge is that we need to recognise that the growth of data within enterprise systems is still amazingly big. And so what’s happening at the moment is that, due to the fact that we’ve got extended networks which incorporate your traditional network behind your firewall, your mobile network, your cloud, your third parties and so on, the amount of data that any type of organisation is creating is mind-boggling. And, most organisations don’t have the capacity or the systems or the processes in place to ascertain how much they create every year.
And that is a problem from a compliance and a storage perspective.
Challenge 2: EU regulation
The second challenge is that of regulation. Firstly, we need to recognise that the upcoming EU General Data Protection Regulation (GDPR), which should go through at the end of 2015, maybe early 2016, and which every member state will have two years to implement, is going to impact greatly on compliance strategies around storage and backup.
Why is that? Well, if you look at the current structure that we have, we have data controllers, which essentially are the organisations – or the people in the organisation – that are ultimately responsible for protecting the data under the requirements of the applicable data protection act.
We also have data processors, and those are the entities or people that actually process the data on behalf of the controller.
So today the responsibility remains mostly with the data controller, but with the new regulation the data processor could be liable as well. And that includes third-party storage, so whether you are a third-party storage provider, or provide solutions around storage, or you use those solutions, you need to be aware of the changes within the regulation.
In addition, within the new EU GDPR you are required to perform a data impact assessment if the data you’re dealing with can present a high impact should it be lost or stolen. And that means that there’s a tacit understanding that you need to know where your data is and where it is stored and backed up so that you can protect that.
Challenge 3: US regulation
From the US perspective we’ve got the upcoming federal data breach notification laws, with three or four different proposed bills that are waiting to go through.
And, of course, from a storage and incident response plan/disaster recovery perspective, we’ve got HIPAA in the US, which has very strong requirements with regard to how you deal with data that is stored and with backups.
From a standards perspective, the updated ISO 27001:2013 version has a big section on storage, and PCI DSS version 3.1 requires that you map out all of your data, your data flow, and that you talk about data at rest and in transit.
Challenges 4 and 5: mobile and legacy
The next two challenges in my top five would be mobile compliance – which probably deserves a full review of its own – and legacy data.
What do you do with legacy data you have stored? And legacy backups? Even though you may not use them they are still there, so how do you protect them and remain compliant?
Key steps in storage and backup compliance
So the advice I will provide in terms of how organisations can implement solutions to address those challenges is to start with a process of data mapping. What type of data do you have, what type of risk is associated with it, and what is the [potential] impact?
Once you’ve done that, you can start looking at technology that allows you to map the data flow to automate the data management process. There are some innovative new solutions, such as those from Rational Enterprise, that allow you to put that into practice and automate.
The second part is data encryption technology. Today we’re looking at data encryption for data at rest, for data in transit but also for data in use to prevent keylogging. There are some very innovative solutions, such as those from Strikeforce Technologies, that can help with that.
Then with access to data, how do you monitor that, how do you enforce it, who’s got access to it, and to what type of data? There are monitoring tools that make sure if something goes wrong or if you see something out of the ordinary, you get an alert. That can be supported by compliance enablement tools that will reconfigure data storage access if something goes wrong.
So it’s very important to test all of that and if there’s one piece of advice to go away with today it is that you need to test, test and test again, and ideally get an independent third party to check it out – to check that the technology is working, that the data mapping is actually accurate, that you didn’t leave any type of data out, or any type of storage system, that you have really mapped it all out completely.
Really the bottom line is, will all this allow you to get going after or even during an incident that’s affecting your stored data and your backups?
So it’s not rocket science, going back to the basics – mapping the data, putting the right tools in place and making sure the overall process is tested and working and won’t let you down if you have a problem.