Software // Information Management
Commentary
4/25/2007
08:54 AM
Rajan Chandras
Rajan Chandras
Commentary
50%
50%

Data Breaches Cry Out for Data Governance

The New York Times on April 20 reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of social security numbers belonging to people who received financial assistance from the U.S. Agriculture Department. The breach, coming on top of numerous others recently, is a clear indication that data governance is the need of the hour.

Data privacy issues are a growing menace. On April 20, the New York Times reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of social security numbers, belonging to people who received financial assistance from the U.S. Agriculture Department, on a web site powered by Census Bureau database. The breach, coming on top of numerous similar ones reported in recent times, is a clear indication that data governance is the need of the hour.Comments appearing in the paper from the Agriculture Department officials are illuminating. To begin with, the officials say, the social security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today. Furthermore, when government agencies recently began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Data encryption and obfuscation technologies are, of course, a critical component of the overall solution. Arguably, it would have helped if the government data were encrypted (but not necessarily - the query providing the data to the website would presumably have unencrypted the data somewhere along the way). This begs the question: could we simply use technology to encrypt every database out there by default? How would data/database encryption impact factors such as application performance, application complexity, database administration, data availability and data management?

For deeper insight on this topic, I reached out to Arup Nanda, Senior Director of Database Engineering and Architecture at Starwood Hotels (which owns chains such as Westin, Sheraton, St Regis, Le Meridien etc.). Nanda is an Oracle database expert, a frequent speaker at Oracle user forums, and the author/co-author of books on Oracle including one on Oracle Privacy Security Auditing. On a scale of 1 (greatest impact) to 5 (least impact), Nanda rates potential performance degradation and application complexity (and associated development/maintenance costs) at 1, data archival & retrieval issues at 2, and database administration, data portability and cost at 3. He rates data size inflation at a low 5, and points out that encryption is a CPU-intensive and not I/O-intensive operation.

"In OLTP, where transactions are bursty and discrete, the overall impact could be negligible," writes Nanda, "but in warehouse systems the times are really noticeable."

Pervasive data encryption - where every database is, say, encrypted by default for access as well as archiving, and data can safely be moved from source to target (e.g. data integration, ETL), all without a significant penalty in terms of performance, complexity and cost - seems unattainable just yet. Until then, we are going to have to do with existing and upcoming solutions at various layers of the data storage and communications (ISO/OSI) stacks that will protect data in various ways and with variable penalties. For example, Nanda points out technologies such as Oracle 11g Transparent Database Encryption and NetApp Decru at the database/storage layers.

Technology is a great enabler, but that's only half the story. What we need - as comments from the Agriculture Department officials clearly indicate - is governance policies and practices wrapped around the technology layers. What good is data encryption if data publication policies are not reviewed periodically to keep up with the times, or if review processes fail to identify potential for data breaches?

Compliance audits and reporting are here to stay, and in fact will only get more stringent in their demands. In the face of the rising importance and costs of protecting data privacy - in terms of fiduciary responsibilities, legal liabilities, and last but not the least consumer confidence - solid data governance policies, coupled with strong top-down management support, must become Corporate Priority Number One.

Rajan Chandras is a consultant with a global IT consulting, systems integration and outsourcing firm, and can be reached at rchandras@gmail.com.The New York Times on April 20 reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of social security numbers belonging to people who received financial assistance from the U.S. Agriculture Department. The breach, coming on top of numerous others recently, is a clear indication that data governance is the need of the hour.

Comment  | 
Print  | 
More Insights
The Agile Archive
The Agile Archive
When it comes to managing data, donít look at backup and archiving systems as burdens and cost centers. A well-designed archive can enhance data protection and restores, ease search and e-discovery efforts, and save money by intelligently moving data from expensive primary storage systems.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.