Data Breaches Cry Out for Data Governance - InformationWeek
4/25/2007
08:54 AM
Rajan Chandras

Data Breaches Cry Out for Data Governance

The New York Times on April 20 reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of social security numbers belonging to people who received financial assistance from the U.S. Agriculture Department. The breach, coming on top of numerous others recently, is a clear indication that data governance is the need of the hour.

Data privacy issues are a growing menace. On April 20, the New York Times reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of social security numbers, belonging to people who received financial assistance from the U.S. Agriculture Department, on a web site powered by a Census Bureau database. The breach, coming on top of numerous similar ones reported in recent times, is a clear indication that data governance is the need of the hour.

Comments appearing in the paper from the Agriculture Department officials are illuminating. To begin with, the officials say, the social security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today. Furthermore, when government agencies recently began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Data encryption and obfuscation technologies are, of course, a critical component of the overall solution. Arguably, it would have helped if the government data were encrypted (but not necessarily - the query providing the data to the website would presumably have decrypted the data somewhere along the way). This raises the question: could we simply use technology to encrypt every database out there by default? How would data/database encryption impact factors such as application performance, application complexity, database administration, data availability and data management?

For deeper insight on this topic, I reached out to Arup Nanda, Senior Director of Database Engineering and Architecture at Starwood Hotels (which owns chains such as Westin, Sheraton, St Regis, Le Meridien etc.). Nanda is an Oracle database expert, a frequent speaker at Oracle user forums, and the author/co-author of books on Oracle including one on Oracle Privacy Security Auditing. On a scale of 1 (greatest impact) to 5 (least impact), Nanda rates potential performance degradation and application complexity (and associated development/maintenance costs) at 1, data archival & retrieval issues at 2, and database administration, data portability and cost at 3. He rates data size inflation at a low 5, and points out that encryption is a CPU-intensive and not I/O-intensive operation.

"In OLTP, where transactions are bursty and discrete, the overall impact could be negligible," writes Nanda, "but in warehouse systems the times are really noticeable."

Pervasive data encryption - where every database is, say, encrypted by default for access as well as archiving, and data can safely be moved from source to target (e.g. data integration, ETL), all without a significant penalty in terms of performance, complexity and cost - seems unattainable just yet. Until then, we are going to have to make do with existing and upcoming solutions at various layers of the data storage and communications (ISO/OSI) stacks that will protect data in various ways and with variable penalties. For example, Nanda points out technologies such as Oracle 11g Transparent Database Encryption and NetApp Decru at the database/storage layers.

Technology is a great enabler, but that's only half the story. What we need - as comments from the Agriculture Department officials clearly indicate - is governance policies and practices wrapped around the technology layers. What good is data encryption if data publication policies are not reviewed periodically to keep up with the times, or if review processes fail to identify potential for data breaches?

Compliance audits and reporting are here to stay, and in fact will only get more stringent in their demands. In the face of the rising importance and costs of protecting data privacy - in terms of fiduciary responsibilities, legal liabilities, and last but not least consumer confidence - solid data governance policies, coupled with strong top-down management support, must become Corporate Priority Number One.

Rajan Chandras is a consultant with a global IT consulting, systems integration and outsourcing firm, and can be reached at rchandras@gmail.com.
