Resolving the inadequacy of current practices
This is an Imation-supplied opinion piece, written by Nigel Clarke, national sales manager at Imation.
Rarely does a week go by without another story appearing in the national press about the mishandling of critical stored data. It’s nothing new to hear about CDs with names and addresses of members of the public getting lost in the post, or laptops containing top secret military data being stolen from cars or left in public places. Naturally, these incidents generate disparaging comment in the media, and provoke damning response from industry and enterprise on what seems to be going wrong with regard to the management of sensitive information. Clearly, despite the constraints imposed on data managers by legislation such as the Data Protection Act, the issue of securing stored data is not being taken seriously enough by the people at the heart of the matter. Nigel Clarke, National Sales Manager for Imation, examines the issues involved in effective data handling and storage, and asks if there is anything that technology can do – and should be doing – to help resolve the inadequacy of current practices.
The attitude towards taking even the most basic of data protection measures really is the core problem for data security. Any technology standing alone is going to struggle to resolve the problem without the right outlook concerning implementation. No one in their right mind would ever consider stuffing as many bank notes as possible into a jiffy bag and sending it through the post. So why is critical and confidential data, which to some organisations can be far more valuable than the same volume of cash, so readily and frequently treated in this exceptionally dismissive way?
The leadership on the issue needs to come from management. Clear and coherent policies must be implemented to govern best practice data handling within corporations and government bodies. Employees need to ensure these policies are adhered to – and fast – before they suddenly find themselves criminally liable.
Prompted by the most recent embarrassing public sector incidents, the Information Commissioner’s Office (ICO) has called for specific new legislation to ensure that the ‘reckless mishandling of personal data’ is made a criminal offence. Reinforcing the Data Protection Act with punitive measures, such an offence could carry unlimited fines and even the possibly of a jail sentence. The report from the ICO states “[The law] would send a clear message that data protection requirements can not be ignored or dismissed. They must be taken seriously by every organisation that processes personal information.”
When defining these policies on data protection requirements, two key issues require careful consideration. Firstly, how do I protect this information? And secondly, how do I go about securing it?
Stored data can be corrupted, erased, stolen, lost, copied; events which can have a catastrophic impact on a corporation, government sector, client or end user. Backing up files, encrypting data and regularly updating virus software can go some way to ensuring critical data is protected. But what happens when data needs to physically change hands; to move between rooms within a large building, or potentially travel across the country between different sites or organisations? How can a data manager ensure the safe transit of their precious cargo from A to B without it falling into the wrong hands or disappearing completely along the way?
Radio frequency identification (RFID) technology is proving to be a significant growth area in terms of tracking and logging the movement of valuable items in transport. It provides a highly flexible and adaptable solution and can be applied to a myriad of industrial uses and products, certainly not limited to stored data media. According to a recent report by IDTechEx, “The tagging of pallets and cases as demanded by retailers (mostly in the US) will use approximately 325 million RFID labels in 2008. The tagging of animals (such as pigs and sheep) is quickly taking off as it becomes a legal requirement in many more territories, with 90 million tags being used for this sector in 2008”.
RFID systems, like the Imation DataGuard Tape Tracking System, operate on a straightforward principle and are therefore easy for data centre managers to implement and initiate. An RFID tag containing a tiny chip and antenna is securely applied to the item to be tracked (be it a pig or a tape cartridge!). The chip can either then be read by a ScanStation positioned at a gateway check point, a handheld mobile scanner, or an RFID tag worn by staff to verify authorisation. The RFID readers don’t require sight lines and can detect signals within a range of approximately 3-4m. This level of functionality can be an invaluable time saver, particularly in regard to large volume archiving. Multiple items can be tagged and sealed in one container; the RFID scanner can log the multiple units without the seal of the container ever needing to be broken.
Specific tape management software, such as the VaultLedger or Vertices applications, can then be utilised to generate comprehensive reports from the RFID logs, providing detailed records of the movements of each item and ensuring full accountability in terms of a clear audit trail. When corporations are often required to provide meticulous information very quickly in order to maintain compliance, this degree of accessibility and transparency is vital.
With RFID technology, we know when a data cartridge has left a room, a building or a company, and we know when it arrives at its destination, as the same system records its entry into the new location. But in order to maintain a policy of consistent data protection, how can we ensure that this piece of data has not been interfered with along the way?
Imation is currently trialling the use of an assisted global positioning system (AGPS) to enhance the functionality of the DataGuard package and allow the entire journey of a pallet or container to be monitored precisely using cellular and GPS technology. This means that any item in transit can be located at any point in time, and any unexplained divergence from an agreed route or schedule can be instantly flagged and corrected. The data items are therefore not just protected from physical loss or theft, but the system also goes some way towards guarding the data from illicit viewing, copying or corruption that may otherwise have gone undetected.
Especially in combination with AGPS technology, RFID tagging could provide a simple answer to the problems of CDs containing critical data getting lost in the post. In the same way, it can also help to track the physical whereabouts of missing laptops.
However, although the RFID/AGPS tracking systems can provide an indication of whether data stored on hardware may have been viewed or copied, it has no inherent functionality to prevent this copying or viewing from actually happening. Therefore a consistent policy of secure data encryption is highly recommended to shore up this particular area of vulnerability; a forward-thinking approach is far more helpful than just shutting the gate after the horse has bolted.
So now our data is encrypted, and we have the ability to track the movement of the media storing that data (be it a CD, tape cartridge, laptop computer) on its journey between departments or organisations. We even have the ability to produce accountable reporting, detailing who has handled that media and where it has travelled to and from. The scope of this technology is expected to develop rapidly over the next few years, with further enhancements to the AGPS capabilities sure to broaden the range of solutions RFID can offer to the data security problem.
Printed and chipless RFID tags are already an interesting development on the market, with their strong advantages being a readable range extended to 10m, a capacity to hold 256 bits of data, and a price at around a tenth of the cost of their silicon counterparts. With a broader range of solutions on offer able to meet even more complex needs, the worldwide market for RFID is predicted to be worth more than five times its current value within ten years.
We live and work in a data-saturated world, and it is all too easy to become inured and alienated from the real power and implications of the information streams that we all process at different levels in our jobs or in our personal lives every day. As technology develops to resolve data management security issues, attitudes towards managing data securely need to develop at the same rate. It would seem then that data security is not only an issue of technology, but also of culture; one where a consensus has to be achieved across the board over how confidential data should be perceived and managed. The right signals on best practice data handling need to be communicated throughout corporations and organisations from the top-down, until sensible approaches to data protection management become a normal part of standard operating procedures in today’s organisations.