Oct 6 ’10
It’s Time to Renew Your Commitment to Data Protection
Some data protection challenges—such as business continuity and disaster recovery—remain familiar, but still require attention. Other challenges—such as data privacy issues within data security, new compliance demands, and management of information for civil litigation purposes (i.e., eDiscovery)—are clamoring for new attention. All in all, data protection (using a broad definition of the term) requires a strengthened commitment. Failing to make that commitment exposes the enterprise to the risks associated with gaps in data protection coverage. For example, not protecting Personally Identifiable Information (PII) properly could be costly as well as generate unfavorable publicity.
The focus shouldn’t be about attacking individual data protection problems in a piecemeal fashion, but rather assembling a comprehensive data protection program that continues to demonstrate the leadership role of a mainframe organization in an overall information technology organizational structure. That program should provide a coherent, consistent, coordinated, and complete approach to data protection. Such an approach ensures there are no holes in data protection coverage and is more robust, resilient (mandatory in any mainframe environment), scalable, manageable, and cost-effective.
Building a comprehensive data protection program requires several building blocks, including:
- An information-centric focus: Look at what actions must occur on each application data set to fully protect it for all aspects of data protection.
- A Governance, Risk management, and Compliance (GRC) framework: Although risk management is part of all data protection, a broader framework that also encompasses two other key enterprise responsibilities—governance and compliance—is necessary to ensure all data protection needs are addressed.
- An understanding of data protection objectives: Data protection coverage won’t be complete unless all data protection objectives are met.
- A data governance program: A strong data governance program helps ensure the right programs and activities are in place for data protection.
Different application data sets can have different Service Level Agreement (SLA) requirements, such as:
- Recovery Time Objective (RTO), which is the time to get an application back working after a downtime event occurs
- Recovery Point Objective (RPO), which is the maximum amount of data that might be permanently lost.
Defining specific requirements for the other aspects of data protection, such as compliance, data security, and eDiscovery, is an extension of this approach, though they may not show up as part of an SLA. This information-centric focus enables attention to be focused on all the data protection needs for a piece of data. Important details can be covered. Data preservation, a key data protection objective, ensures data is consistent, accurate, and complete; it supports business continuity and disaster recovery. When a production application needs to recover data, that data must be usable. If the data is also necessary to meet compliance regulations, it must be authentic. That means the data must follow chain of custody procedures and support auditing to verify authenticity. Compliance puts additional constraints on the data preservation process that weren’t necessary for business continuity and disaster recovery alone. That means additional work must be done data set by data set (although the approach to doing the chain of custody work may be a general one).
The GRC Framework
Data protection may be only a component or subset of some common terms such as business continuity, disaster recovery, data security, data privacy, compliance and eDiscovery, yet it’s at the core of each. When the IT department is involved, it’s all about the data. If the data is permanently lost or unacceptably corrupted, the application functions that use the data can’t do their job.
What do disaster recovery and compliance have in common? Financial records that are needed for regulatory compliance must be able to be properly restored after a disaster. However, the bigger answer is that they must fit into the GRC framework, which represents three of the principal responsibilities of any enterprise.
Among other things, governance is about ensuring accountability for the conduct of an enterprise’s business. From a data protection perspective, governance is frequently associated with finding and making available relevant Electronically Stored Information (ESI). Risk management is a structured process to manage risk; within that, data protection tries to prevent or minimize negative impacts to business processes. Compliance includes conforming to and acquiescing to requirements from a third party and that includes ESI. Together, the three pillars cover all areas of data protection.
Each area of focus of data protection contains some aspect of risk management; there’s some overlap, at times, with the two other GRC pillars. Focusing on the risk management pillar are:
- Business continuity, which aims to minimize the disruption of critical business processes
- Disaster recovery, which, as a subset of business continuity, aims to minimize the impact of a disaster.
Data security has tended to focus on threats to data (such as viruses) as well as limiting access to data. Now, through data privacy initiatives, it’s also focusing on access to data and how data may properly be used; it’s in all three pillars.
Compliance is primarily the compliance pillar, but also has accountability and risk components.
eDiscovery is primarily related to the governance pillar, but also has risk and compliance implications.
Data Protection Objectives
Data should meet all six objectives of data protection for each of the three GRC pillars. The original objectives are preservation, availability, responsiveness and confidentiality, and two newer objectives are auditability and knowledge. All six apply to each distinct pool of data and for each of the three pillars of the GRC framework. Preservation of the integrity of data is the bedrock objective; failure to meet this objective means the other objectives can’t be met in one way or another. Assuming the preservation objective is met, availability and responsiveness are the usability objectives. Availability is about I/Os actually getting to the data, but responsiveness is really about performance in the sense of response time. Confidentiality is about making sure only authorized users can use the data.
These four traditional objectives of data protection have been augmented by new objectives: auditability and knowledge. Data auditability is the requirement to verify that data is always correct. That means data must be accurate, consistent, and complete. That has some implications for data preservation and the need for data quality work, too. Data auditability is critical for both compliance and eDiscovery requirements. That leads to the requirement for chain of custody to ensure the data is authentic, which means the data isn’t spoliated. The data auditability objective is an additional requirement that mainframe environments must take into account.
Data knowledge is the requirement for content awareness. An enterprise must know what data it has at a fine level of granularity. For example, PII, such as social security numbers and credit card numbers that are associated with a name, must be found before it can be managed. That data knowledge also must include where the data is. That’s important because, for example, the European Union prohibits the cross-border storage of certain types of information.
The data auditability and data knowledge data protection objectives alone require mainframe executives to rethink what data protection requires. Failure to do so could lead to failure to meet requirements and significant economic or public exposure consequences.
When managing information in the information infrastructure, the traditional response has been to let the IT department do it. The IT department has had a major role in building the information technology infrastructure for data protection from backup/restore software to running and managing remote disaster recovery sites. And the IT department will continue to serve that vital role in data protection.
But the IT department can’t do everything. Consider, for example, the difference between data management and information management. Data management is the non-data path control and use of data, such as migration, replication, and backup and restore processes. That the IT department can do. Information management is the management of the content and relationships of information as it moves through the lifecycle of a business process. That involves the business rules and policies associated with the information; that’s a non-IT department task.
But the IT department can’t simply ask non-IT personnel to supply requirements as in an applications development project. Designing a comprehensive data protection program is a collaborative effort that involves a lot of give and take among all stakeholders as part of the overall data governance initiative. Those stakeholders include business users, domain specialists (such as Legal to determine what data can be properly deleted and what must be kept), and IT specialists (such as database administrators and information security specialists) to advise on software and hardware functional capabilities. In addition, without the ongoing and active commitment of senior management, a data governance initiative is unlikely to survive.
Enterprises need a comprehensive data protection program that’s information-centric, covers all three pillars of the GRC framework, and meets all six data protection objectives. That’s a significant workload for teams in a data governance program. We haven’t even touched on technology, but that’s a subject for another day!