Q: Has a data inventory been conducted?
Storage security can exist in many forms. It can exist in the back office on a server, NAS or SAN; it can exist on a local station, on a hard drive; it can exist on removable media such as an optical storage, USB flash, flash RAM; or an external storage device such as a USB hard drive or an iPod. Protecting stored data in all forms can't be achieved with a single technology.
Evaluating the client's need and pairing this need with an effective and reliable solution is essential. Concerns about data seepage and the storage of confidential information on unauthorized storage devices or locations can be addressed with data loss prevention technology, whereas the protection of files or volumes may be best accomplished with access control technologies, storage area security solutions or encryption.
We have observed a common practice where security policy, practice and technology have been deployed to address privacy compliance objectives, and subsequent to the completion of these projects, the client then proceeds on inventorying and categorizing data stored throughout the organization. Although security and data classification are two important elements of developing a responsible storage security model, approaching a storage security project by first inventorying and classifying data can simplify the process by establishing where subject data exists.