Mitigating the Risk of a Data Breach - Part 2
In the first part of this two-part blog, I looked at the importance of understanding your unstructured data from a General Data Protection Regulation (GDPR) perspective – what you have, where it is, its content and what its lifecycle should look like. All of this is extremely difficult with unstructured data, due to its very nature, and it’s the area of concern with regard to GDPR that CIOs and Risk Officers raise with me most frequently. Many of these individuals feel that their applications and underlying databases are in a much better state – but are they?
In reality, I find it to be more of a mixed bag. From a security perspective, applications are a million miles from how documents and files are treated, and they certainly get the attention from a security budget perspective. There are physical security measures, network security, encryption, threat management, access controls and much more applied. Then there is often the addition of active security measures, such as Intrusion detection, and processes don’t go unnoticed either, with change control, patch management and more.
All good then? Well, no.
Not all of these things are always in place and they aren’t all always done to the same degree. On top of this there will always be mistakes in the form of human error (you can’t ‘patch people’), plus a few corners cut in the name of speed. One of biggest issues for me though, centers on one particular role: that of Database Administrator, or DBA.
I probably won’t make many new DBA friends after this, and I certainly don’t want to tar all DBAs with the same brush, but in many businesses DBAs have an elevated status, which they use to exert control. As masters of their domain they will demand the use of backup tools that aren’t part of corporate standards and also use custom scripts that complicate, and not simplify, application protection and management. These scripts perform functions that are difficult to monitor; they help to protect the DBAs position, and for this reason they have both business and governance implications.
I’ll deal with the GDPR impact of this first. Despite the application specific backup tools, DBAs will still often create their own copies of databases "just in case" or because they don’t trust other departments, and also for their own experimentation outside of the normal development processes. This in itself is a breach of GDPR principles. If that copy found its way to an insecure cloud storage bucket (as has happened too many times in recent years), you are again at high risk of a breach as it could easily be picked up in a Shodan search.
Allowing this level of individual control also has a big business impact. At Commvault we’ve seen traditional combinations of snapshots, scripts and application-vendor tools lead to excessive recovery times versus just minutes with our software, which also doesn’t need specialist staff to be present, either. The same Commvault software that performs this rapid recovery to help you to meet the availability and resilience requirements of GDPR can also get the latest data into dev and test cycles faster, which will benefit your time to market for new apps and services. This is an important consideration and a business benefit over merely helping you become compliant.
More important, if you want run these dev and test processes in a hybrid cloud, Commvault software will encrypt and efficiently shift the relevant VMs and data wherever they are needed, using its built-in workflow automation. This process will also replicate your security settings, further minimizing the potential for a data breach. Did I mention it will also automatically clean up dev and test copies and has role-based security and is audited, so you can demonstrate compliance?
All of this reminds me what a great thing GDPR is. Whether you’re worried about your unstructured data or application related processes, getting ready for GDPR is making businesses take a look at all this with fresh eyes. It’s not just about GDPR either. There are new privacy and breach regulations springing up around the world. Why would you apply a "GDPR sticking plaster" that looks only at compliance, when you could improve your governance AND cut your storage costs and cloud billing, while improving productivity and accelerating your time to market?
It’s these sorts of benefits that align GDPR readiness to the efficiencies that business looks to gain from digital transformation. Learn more about the details of our application data management solutions, or you can contact us to better understand how Commvault can help your GDPR governance with regard to enterprise applications.