A critical function of any company in the 21st century is the creation of intellectual property. This proprietary data, which enables competitive differentiation, must be protected. If the data also contains customer-sensitive information, there may also be regulatory motivators such as HIPAA or Sarbanes Oxley that make data protection a necessity. As a consequence, one of the major concerns of any business is data theft. And anything that constitutes a major concern for business is an opportunity for solution providers.
But how can you capitalize on this opportunity?
To begin with, if you're offering archival or storage management solutions, you should be aware of data theft protection technologies even if you don't explicitly offer such technologies. To the extent that data protection is in doubt, many enterprises will select in-house data maintenance and management over a service. By integrating strong data protection into storage service offerings, you can offer reassurances to companies concerned over the consequences of data loss or corruption; it might even serve as the basis for additional services.
In any case, once the basic data protection infrastructure is in place, there are three potential opportunities associated with enhanced data protection that you can leverage: protecting data in transit, protecting data at rest and helping enterprises plan data protection strategies. Each of these can be offered as value-added services to storage services. Let's take a look at each.
Protecting data in transit
Data in transit probably exposes sensitive information to a greater risk than data at rest. In transit, data is subject to interception and distortion. This is typically a concern when data is being transported for backup purposes. You can capitalize on this by building strong encryption into the data transport. Generally, this involves placing software agents on the customer servers or appliances on the customer premises to encrypt the data stream as it is generated. Both require an additional investment and impose some management overhead. Since active encryption assumes that there are those attempting to break the encryption, the value of such services is often in the active management of the encryption environment. You should periodically refresh the encryption keys, update remote agents and monitor the traffic to assess the likelihood of unauthorized access.
Protecting data at rest
Data at rest is subject to hacking and corruption. Protection of data at rest is primarily associated with access controls. You can provide value to the enterprise by delivering access control solutions that interface with the enterprise's storage infrastructure or in the case of off-site archival, can integrate access control technology into the archive. Such off-site access control can be managed either by the enterprise or by you on behalf of the enterprise; if you're responsible for it, you'll need to maintain a list of persons or entities authorized to access data, under what conditions and for what purpose. This can be done with a number of automated access management tools or can be done manually for smaller customer environments. You'll also need to deliver an access log that details what data has been accessed and by whom.
Data protection planning
It's no surprise that enterprises are concerned about the influence of regulation on data protection and are seeking professional help to develop data protection approaches that will satisfy SEC and other regulatory agency-mandated audits. You can often provide a great deal of value to the enterprise simply by auditing their enterprise data protection capabilities (examining their documentation and configurations) and then making recommendations for improvements or modifications. (Frequently, the customer ends up asking the solution provider to deliver either part or all of the data protection infrastructure to them.) The audit and recommendations can be valuable to an enterprise that is attempting to demonstrate that it is seeking compliance with data protection rules and regulations. Such behavior can be important for companies being scrutinized for regulatory compliance. Sarbanes Oxley, for example, provides for lesser punitive actions for companies that are actively attempting to improve data security.
The bottom line is that enterprises, especially publicly traded ones, should be thinking in terms of data protection. Savvy solution providers will understand their customers' data protection needs and stand ready with a variety of protection services to address these needs. With data the critical driver for modern business, solution providers should begin to think in terms of the value they can offer in the protection and management of that essential resource.
About the author
Mike Jude is co-founder of Nova Amber, a consulting firm specializing in business process implementation and technology.
This was first published in March 2009