Tip

Be safe, not sorry -- addressing the business side of storage security

Dr. Vijay Ahuja
Founder and President,
Cipher Solutions Inc.
Dr. Vijay Ahuja is the president and founder of Cipher Solutions Inc., a professional services company that assists its clients in implementing storage security and offers customized seminars on storage and network security issues. Dr. Ahuja has been an industry leader in network security and more recently in storage security.

Just like any other investment, storage security must be evaluated as part of a company's business model. Corporate management often has difficulty justifying investments that add nothing directly to the bottom line. There is no simple answer to this complex issue. Quite often, storage security is presented as a solution against a variety of potential threats and risks. Various studies have touted such risks and threats, ranging from virus attacks to theft of critical assets. But management needs more than "what if" scenarios.

This column outlines some approaches to address the business side of storage security. It addresses the business issues that management should consider when deciding on investment in storage security.

There are several approaches to computing Return on Security Investment (ROSI). One simple approach for estimating ROSI is to first identify the critical assets of the corporation. Next, for each asset, multiply the estimated damage of an attack by the likelihood of its occurrence (a probability between 0 and 1). In a simplistic approach, this number should not exceed the amount of investment to prevent this attack.

So, what are the other non-financial business issues that should also be considered when deciding on storage security investment?

First is the issue of recent legislative moves aimed at protecting privacy. These include the Health Insurance Portability and Accountability Act for the healthcare industry and the Gramm-Leach-Bliley Act for financial services. Businesses may be exposed to legal risks resulting from any privacy thefts. Protecting privacy entails encrypting (personal) data while in flight or at rest.

Second, there may be certain security issues resulting from corporate audits, third-party audits (such as by audit firms) or government audits. Such audits may mandate the need to protect certain data while in flight or at rest. Any use of storage security technology to address the audit issues will have a better chance of getting funding.

The third consideration is the impact of downtime resulting from attacks such as denial of service. Based on such impacts, storage security investments may be funded as part of the emerging need for business continuity initiatives. Most large businesses are deploying comprehensive plans to support disaster recovery.

The fourth aspect relates to corporate mandates. For large corporations, there may be a corporate mandate that includes funding for data protection.

Finally, when talking about storage environments, businesses often translate data protection to data backup. The storage industry has done little to differentiate data security from data availability. This confusion has led, at times, to sidelining storage security investment in favor of data backup and restore services.

So, in summary, the business executive should:

1. Treat the investment in storage security just as any other business investment.
2. Not focus simply on technical risks to justify investment in storage security.
3. Consider the above business issues to support the justification for investment in storage security.

This was first published in June 2003
