Belt tightening continues to shift budgets away from security and information management.
At GlassHouse, we were interested in how current concerns about compliance and well-publicized examples of data loss would affect IT priorities for the coming year. Our recent security survey revealed that little attention has been paid to storage security at most companies. A follow-on budget priority survey found that companies continue to focus on unit cost reductions and utilization improvements rather than on security. Backup, archiving and disaster recovery are also given short shrift.
What's happening here? Storage managers know these areas are sorely lacking their attention, yet they admit to placing little emphasis on them, instead focusing on the bottom line. Even though information lifecycle management (ILM) is the No. 1 topic for 2006 in our survey, respondents are thinking about it in terms of tiered storage (as in cost reduction), rather than information management.
My reading of the current state of affairs is that storage professionals (and all of IT) continue to play the hand they're dealt, focusing on bits and bytes and dollars. In IT, we're pigeonholed as techies; as such, we can't campaign for high-level business changes to address classification and information protection issues. We need to elevate our profession before a catastrophic collision occurs between data growth and an unclear understanding of its requirements.
What storage security?
In the fall of 2005, GlassHouse surveyed hundreds of storage managers around the world about storage security and threats. We found a widespread understanding of security risks, but little response to these threats. When asked, "What grade would you give your storage department for security readiness?" 24% of respondents said "good," while 52% rated it "fair." However, only 20% regularly encrypt backup data, and more than half have no security procedures in place.
[Figure: Top priorities for 2005 and 2006]
This seeming contradiction is easy to reconcile--storage managers are simply not tasked to address security concerns. We all know the risks of losing backup tapes and allowing thieves access to confidential data, but we're unable to articulate these risks in such a way that gets the attention of the non-techies we work with.
I spoke with an IT staffer at a large bank that was recently embarrassed by a news account of a missing backup tape. This engineer had been suggesting that the company investigate encryption for years, yet no one placed a high enough priority on the issue. In addition, he felt that he couldn't put together a plan on his own. Therefore, data went out unencrypted and the bank had to notify its customers that their personal information was at risk.
Respondents to our survey were evenly split on whether losing private customer data or intellectual property was more important. Fifty-one percent felt that losing internal intellectual property was more critical than losing customer data, even though the latter is certainly more pressing to most businesses because of disclosure laws and the risk of bad press. This is a disturbing example of misplaced priorities--the company's legal priority (protecting customer information) isn't filtering down to the level of those who can act to protect it.
Priorities for 2006
We followed up our security survey with a similar survey on budget priorities. The first thing we noticed when analyzing the data was that ILM was the No. 1 priority for all respondents for this coming year (see "Top priorities for 2005 and 2006"). When we contrast this with the priorities for last year, and segment the answers by company size, we see that ILM has pushed virtualization and security down a rung or two on the priority scale.
[Figure: Where do you try to save money?]
This would seem to be a good thing; perhaps IT is waking up to the value of classifying information rather than just bits. Indeed, as I discussed in my December 2005 column ("Is ILM for real?"), ILM is the grand unifying principle that can elevate all of IT into a key business strategy component. But it doesn't seem as if this is what this finding actually means.
Looking at the areas in which storage managers are seeking to save money, we find utilization and unit costs to be the most common, with archiving placing third (see "Where do you try to save money?"). This points to a focus on simple tiered storage rather than on understanding a true information lifecycle.
Growth of storage environments continues unabated, even though many companies have no idea what all of this new data is. Our survey found that a majority of online data is protected with one or more mirrors, each doubling the total capacity used for storage. In addition, a majority of companies replicate more than 25% of their data offsite, multiplying the amount of storage used yet again. And with less than one-third of respondents looking at data retention, it seems that the looming iceberg of uncontrolled data growth is getting little attention.
[Figure: How many backup tapes do you currently have stored offsite?]
As a follow-up to our previous question about tape encryption, we asked about offsite tape storage. As expected, there are many tapes out there, even at smaller companies (see "How many backup tapes do you currently have stored offsite?"). There was little correlation between the amount of data and the number of tapes stored for each individual business, which indicates a wide variety of retention policies in place. With the largest companies polled storing more than 50,000 tapes offsite, it was surprising to find that data retention and archiving weren't the No. 1 priorities for cost savings. Tape storage is one of the most expensive choices a business can make, and it snowballs with monthly recurring costs. Today, a company with 10,000 offsite tapes would likely spend $100,000 for storage each year; however, continual growth doubles this amount every 18 months or so. We found that even some of the smaller companies (those with fewer than 100TB of storage) had 10,000 to 50,000 tapes stored offsite--a major expense for a small shop.
A skeleton in the closet
How can we rationalize this lack of response to the real business needs for security and customer data protection? It's simple. Storage managers focus on what they feel they have control over: improving utilization, reducing unit costs, and technologies like archiving and tiering storage.
As I wrote in my December column, ILM can't truly transform storage without the ability to understand data requirements. Because storage managers don't understand the data they have and what should be done with it, they're unable to tackle this core issue.
At the same time, there's a lurking sense that we must not reveal the true insecurity of data protection today. These are the skeletons we all keep in the closet: lax data security, data protection that often fails, and policies that are applied with too broad a brush and too little an understanding of the data's value.
This situation must change. Businesses will continue to be embarrassed by lost customer information, storage requirements will grow and data protection will be misaligned with requirements as long as storage remains at the bottom of the IT pyramid. We must seize the opportunity and move ourselves upward into the business, asking tough questions about data classification. And we can't be shy to admit the limitations of our current approach to data protection.