How to offer data theft protection services to customers

Solution provider takeaway: Solution providers can tap into customer's data theft protection needs in three areas: protecting data in transit, protecting data at rest and data protection planning.

A critical function of any company in the 21st century is the creation of intellectual property. This proprietary data, which enables competitive differentiation, must be protected. If the data also contains customer-sensitive information, there may also be regulatory motivators such as HIPAA or Sarbanes Oxley that make data protection a necessity. As a consequence, one of the major concerns of any business is data theft. And anything that constitutes a major concern for business is an opportunity for solution providers.

But how can you capitalize on this opportunity?

    Requires Free Membership to View

More on data theft protection
The importance of access control

Data security: Alternatives to data leak prevention

To begin with, if you're offering archival or storage management solutions, you should be aware of data theft protection technologies even if you don't explicitly offer such technologies. To the extent that data protection is in doubt, many enterprises will select in-house data maintenance and management over a service. By integrating strong data protection into storage service offerings, you can offer reassurances to companies concerned over the consequences of data loss or corruption; it might even serve as the basis for additional services.

In any case, once the basic data protection infrastructure is in place, there are three potential opportunities associated with enhanced data protection that you can leverage: protecting data in transit, protecting data at rest and helping enterprises plan data protection strategies. Each of these can be offered as value-added services to storage services. Let's take a look at each.

Protecting data in transit

Data in transit probably exposes sensitive information to a greater risk than data at rest. In transit, data is subject to interception and distortion. This is typically a concern when data is being transported for backup purposes. You can capitalize on this by building strong encryption into the data transport. Generally, this involves placing software agents on the customer servers or appliances on the customer premises to encrypt the data stream as it is generated. Both require an additional investment and impose some management overhead. Since active encryption assumes that there are those attempting to break the encryption, the value of such services is often in the active management of the encryption environment. You should periodically refresh the encryption keys, update remote agents and monitor the traffic to assess the likelihood of unauthorized access.

Protecting data at rest

Data at rest is subject to hacking and corruption. Protection of data at rest is primarily associated with access controls. You can provide value to the enterprise by delivering access control solutions that interface with the enterprise's storage infrastructure or in the case of off-site archival, can integrate access control technology into the archive. Such off-site access control can be managed either by the enterprise or by you on behalf of the enterprise; if you're responsible for it, you'll need to maintain a list of persons or entities authorized to access data, under what conditions and for what purpose. This can be done with a number of automated access management tools or can be done manually for smaller customer environments. You'll also need to deliver an access log that details what data has been accessed and by whom.

Data protection planning

It's no surprise that enterprises are concerned about the influence of regulation on data protection and are seeking professional help to develop data protection approaches that will satisfy SEC and other regulatory agency-mandated audits. You can often provide a great deal of value to the enterprise simply by auditing their enterprise data protection capabilities (examining their documentation and configurations) and then making recommendations for improvements or modifications. (Frequently, the customer ends up asking the solution provider to deliver either part or all of the data protection infrastructure to them.) The audit and recommendations can be valuable to an enterprise that is attempting to demonstrate that it is seeking compliance with data protection rules and regulations. Such behavior can be important for companies being scrutinized for regulatory compliance. Sarbanes Oxley, for example, provides for lesser punitive actions for companies that are actively attempting to improve data security.

The bottom line is that enterprises, especially publicly traded ones, should be thinking in terms of data protection. Savvy solution providers will understand their customers' data protection needs and stand ready with a variety of protection services to address these needs. With data the critical driver for modern business, solution providers should begin to think in terms of the value they can offer in the protection and management of that essential resource.

About the author

Mike Jude is co-founder of Nova Amber, a consulting firm specializing in business process implementation and technology.

This was first published in March 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.