Maintaining data control is an essential objective for Actifio customers. It’s much more than managing data copy counts. It’s providing data protection while managing appropriate access and assuring necessary compliance. It’s protecting the enterprise. In all of this, attaining confident data governance and control presents a broad set of challenges. It starts with clear visibility. How many data instances exist as backups, snapshots or development copies? What data is being copied or left unprotected? Who has access? Is there an audit trail? What steps are needed to improve control of enterprise data, to keep it both useful and safe?
To better understand the current state of data control, Actifio commissioned an IDC study. The objective was to recognize prevailing adherence to best practices and identify common gaps. The study focused on data access, management, masking, copy proliferation, and tracking. Beyond elements of security such as encryption and authentication, the study looked at treatment of databases, copies, locations, policies and access control for both structured and unstructured data. Participants included senior executives from 429 mid-to-large scale enterprises across five U.S. industry sectors.
With the incessant daily news of sensitive data exposures, you might expect that best practices in data control would be widespread. Based on this investigation, that’s not the case. Only about a third of organizations are at best practice for any given vulnerability. None are consistent across the full spectrum.
All maintained some number of mission critical databases (median: 15.5%). The median number of copies was 13, and more are stored off-premise than on. Data copies of mission critical or business critical databases created for test and development purposes appear to be the most at risk. When asked about scrubbing or masking of sensitive data for test/dev, analytics or non-backup copies, 77% have at least some that are not treated. Even where control policies exist, the majority are in the “sometimes” or “in most cases” categories. It varies by sector, with government the most secure and education the least, but even government only protects 40% without exception.
The study also looked at how organizations deal with data access and encryption. For databases, 29% always encrypt data at rest and slightly more, 33%, encrypt data in flight. Again, the majority are in the “sometimes” or “in most cases” categories. Adherence was somewhat better when asked about access control, with 39% reporting consistent best practices with “very strong” authentication, permissions and audits. Access under “strong” controls was reported by 48%. Tape is used for backup or long-term retention by 94% of respondents, and all but 6% move tapes offsite. More than half of government and retail tapes are encrypted, while most others encrypt only certain specific data or tapes.
It is primarily CIOs who are responsible for creating and implementing data security policies, but the application of those policies varies a good deal. More than a third of the time they are applied ad hoc. Security audits are ad hoc 38% of the time, or are not conducted at all.
Finally, we asked who has access rights to make ad hoc copies of potentially sensitive data, and it’s a very large group. The ten specific titles ranged from analysts and application developers to DBAs, storage admins, and CIOs.
Separate from this study, we had a discussion last week with a large enterprise about their application test and development process. In the course of that exchange, we asked about data security and specifically practices around masking sensitive client data before they exposed it to more than 200 developers operating in 40 separate application environments. Their answer was that they don’t do masking at all. It’s too difficult. But they trust the integrity of all their staff and so had no worries. Perhaps they don’t follow the news.
Wise stock market advice tells us to “Buy low. Sell high.” Wise data protection advice tells us to assume the worst and hope for the best. So, protect our data. Back it up. Encrypt it. Control access. Apply policies consistently and regularly audit adherence to best practices. This study tells us that conventional wisdom isn’t being applied. Given the frequency of well-publicized breaches, the widespread lack of adherence is remarkable. But the good news is that we do know what to do. Experienced assistance is available. Actifio can help on several fronts and so can a range of security experts. Now that we know where we stand, it’s time to start moving.