The heightened regulatory environment is making data classification a necessity for businesses of all sizes. Sooner or later, your clients are likely to feel the impact of industry-specific regulatory compliance rules like the Payment Card Industry (PCI)
The market is bifurcated into those IT departments that understand their corporation's regulatory compliance issues and those that are rarely involved. The former group offers an easier sales cycle because the IT buyer understands the technology and is involved with the business to solve the security, risk and legal issues. The latter group will need solutions positioned to address customer security, risk and legal leadership.
Data classification tools are available from multiple companies. Some tools are focused on information classification and management, while others are positioned to mitigate data loss and privacy violations. In either case, resellers can facilitate a solution for customers based on risk and controls as opposed to size, age and file type. Take note that in all instances, there is an element of storage optimization and operational efficiency at work.
Optimization and efficiency alone are not going to close the deal; a good value-added reseller will reach into the regulatory compliance governance issues to create a product sale and prolonged relationship. Consider the following features when selecting and recommending a data classification tool:
- Scalability. There are thousands of gigabytes of data lying around organizations. These numbers can reach into the hundreds of terabytes. Identifying software tools that can scale vertically with support for 20 TB of data as the minimum entry point is a reseller must.
- Data collection. Sensitive data can reside anywhere -- file servers, PCs, laptops, databases, tapes and USB drives -- any of which can pose a risk to clients. Organizations trying to solve their security, risk and legal issues may need to collect data from multiple storage devices, possibly requiring different software products. For example, Abrevity and Kazeon do a better job with file server data, while others like Tablus and Vontu add control of USB devices to reduce risk exposures and improve security controls.
- Centralized management. Collecting metadata into a centralized data classification system allows an organization to report, control and optimize data as information for business groups. Archiving and storage optimization tools are deployed using a centralized storage and control model.
- File systems versus email. Unclassified data exists primarily in file systems and email. Abrevity, Infoscape, Kazeon and Scentric provide tools that focus on core classification of files with archiving and optimization options. MessageGate, Clearwell Systems and Orchestria focus on core email classification with legal discovery in mind.
Customers considering several products are likely trying to solve one of two distinct challenges, so present tools accordingly. In companies where regulatory compliance or risk is not a core competency or a concern, IT groups may want classification tools to solve their storage optimization problems. The cost for a storage optimization tool must be less than the difference between the price of low-cost disk (SATA) and Fibre Channel SCSI drives, otherwise the problem can be solved by adding more storage. When presenting the information, focus on how the tool can classify data according to size, age, file type and attributes and take action on the data, optimizing its data placement. Also present an ROI analysis that can ease buyer concerns about the upfront costs of data classification tools and how they can lower costs over a period of three to five years.
In companies where regulation or legal litigation is a frequent occurrence, IT is usually familiar with classification requirements and looking to reduce its risk associated with e-discoveries. Risk exposure is evaluated based on the probability of impact, which may include financial, public or legal scrutiny to an organization, so emphasize the product features that demonstrate to your clients how they can find sensitive data stored on their networks, such as account and social security numbers.
This was first published in September 2007