Posted by Stephanie Balaouras on December 17, 2008
In my coverage of business continuity and disaster recovery, I talk to IT infrastructure and operations professionals as well as IT security professionals, and I've found that the term "data protection" means something different to each. This comes as no surprise, and I think for a long time it didn't really matter because IT operations and security professionals operated in independent silos. But as silos break down and "data protection" becomes a shared responsibility across the organization, it's important to be specific and to understand who is responsible for what.
For IT operations professionals, "data protection" means creating a duplicate copy of data for the purposes of restore/recovery in the event data is destroyed due to a total site failure (e.g., a flood takes out your data center), system failure, drive failure, accidental deletion, etc. You can create a duplicate copy of your data either locally or at a remote location via backup, snapshot, replication, etc. You are protecting your data from destruction. This is why backup companies such as CommVault, EMC, IBM Tivoli, HP, and Symantec (the former Veritas) refer to their backup applications and other offerings as "data protection software." The name of HP's backup application is HP Data Protector. Ironically, these "data protection" offerings sometimes make your data less secure because it is backed up or replicated to tape, or over the Internet to another site, in clear text. This is why all these vendors now offer the ability to encrypt the data as it's backed up to tape or replicated.
For IT security professionals, the term "data protection" means ensuring that only authorized individuals have the appropriate level of access to your organization's sensitive data and that all access is tracked for audit. You deploy perimeter security, endpoint security, data encryption, etc. to "protect" your data from breaches, "leakage," crimeware/malware, physical theft, etc. Thus we have security vendors and offerings such as McAfee's Total Protection For Data and Mobile Armor's Data Protection Suite.
You could argue that holistic data protection requires both recoverability and security, and I would agree. Data storage is one area where IT operations professionals and security professionals need to work more closely together, particularly in the area of encryption and secure data erasure. Right now, storage architects and administrators are evaluating new data storage encryption functionality available in tape drives, appliances, storage networks, disk drives, and path failover software. They're also looking at secure data erasure services from the major storage vendors. These services ensure that the data is wiped clean before an entire storage array or individual disk drive is returned to the vendor or to an asset disposal company and refurbished.
I'd be interested to know whether the term "data protection" has led to any confusion in IT shops, and also how well security professionals know the vulnerabilities in enterprise disk storage and tape, and whether storage teams are relying on their expertise to solve some of the challenges.