Feature

Hidden threats to data

Ezine

This article can also be found in the Premium Editorial Download "Storage magazine: Better disaster recovery testing techniques."

Download it now to read this article plus other related content.

Getting started
It may seem as if there are overwhelming opportunities to mitigate risk. To start, list risk areas in a matrix and describe any negative outcomes that might occur from inattention to those areas. Then for each risk, describe its potential negative outcome and rank the following attributes of each as high, medium or low.
  1. What's the probability of a negative outcome occurring?
  2. What's the impact on your operation if the negative outcome occurs?
  3. How difficult is it to avoid this risk?
A score indicating remediation priorities can be derived using a numeric scale of five, three and one to denote high, medium and low risks, respectively, and then applying some weighting criteria. This is a subjective assessment, but it provides an audit trail of your rationales and can be used to seek consensus or convey priorities.

The matrix can help to quantify the risks in each category. You should develop a project plan to address the top five areas where the risk appears likely to occur and where the impact could be significant. The project plan will provide mitigation costs and define the value of the risk.

    Requires Free Membership to View

You can turn a subjective impact description into a dollar amount by identifying the business functions that would be impacted. The risk exposure can be calculated using "Value of data at risk" to better understand the impact on the organization.

The value of data is calculated by determining the short-, medium- and long-term impact on the organization if it's unable to conduct business because the data and infrastructure aren't available. This includes hard dollar amounts, as well as "softer" dollar amounts resulting from loss of reputation, customer dissatisfaction and lost opportunity. These numbers are often already available, having formed the basis for the priorities in the organization's formal disaster recovery/business-continuance plan. Understanding the value at risk allows you to make more intelligent investment decisions for risk mitigation strategies.

Data rendering: When data is archived, retrieval requirements may prevent the data from being rendered. If data requires rendering to information, risk may be incurred if the original platform application is unavailable. For example, if invoice data is archived, can the application be used to subsequently render that data back into information, i.e., the invoice? This is a critical issue that an organization's legal team needs to address. If data can't be rendered, it must be stored as information using an interchangeable format such as XML.

Data Security: Security is a major issue in every organization, but most of the focus has been on access control, intrusion detection and containment. While controlling access to servers limits access to data, there are many other paths to this data. Any management device in the Fibre Channel or Ethernet fabric provides a potential entry point for an intruder. Data in production can be at risk if these exposures aren't carefully managed. Data at rest is also significantly exposed; this has been dramatically demonstrated by recent reports of lost backup tapes containing sensitive data. Encryption techniques are touted as risk mitigation, but encryption raises its own risks related to retaining, securing and accessing the encryption key when needed. In storage environments, attention should be paid to securing data moving over the desktop LAN, the WAN, backup-based networks and specialized high-speed, point-to-point networks. The obvious issue is whether the data can be read as it travels over the link. Additional exposure comes from allowing development and test staff to have free access to live data that may include sensitive information.

Awareness is the first step in reducing data risk. By considering the internal risks outlined here, you can develop an appropriate risk profile and mitigation plan (see "Getting started," above). Sharing your risk analysis and mitigation plans (including business impact issues) spreads the responsibility around. It will also provide an empirical basis for CFO and CEO support for any necessary investments.

This was first published in October 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: