Data Breaches Cry Out for Data Governance - InformationWeek

4/25/2007
08:54 AM
Rajan Chandras

Data Breaches Cry Out for Data Governance

The New York Times on April 20 reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of Social Security numbers belonging to people who received financial assistance from the U.S. Agriculture Department. The breach, coming on top of numerous others recently, is a clear indication that data governance is the need of the hour.

Data privacy issues are a growing menace. On April 20, the New York Times reported yet another significant data breach: the inadvertent public disclosure of tens of thousands of Social Security numbers, belonging to people who received financial assistance from the U.S. Agriculture Department, on a web site powered by a Census Bureau database. The breach, coming on top of numerous similar ones reported in recent times, is a clear indication that data governance is the need of the hour.

Comments appearing in the paper from the Agriculture Department officials are illuminating. To begin with, the officials say, the Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well known a threat as it is today. Furthermore, when government agencies recently began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Data encryption and obfuscation technologies are, of course, a critical component of the overall solution. Arguably, it would have helped if the government data were encrypted (but not necessarily - the query providing the data to the website would presumably have decrypted the data somewhere along the way). This raises the question: could we simply use technology to encrypt every database out there by default? How would data/database encryption impact factors such as application performance, application complexity, database administration, data availability and data management?

For deeper insight on this topic, I reached out to Arup Nanda, Senior Director of Database Engineering and Architecture at Starwood Hotels (which owns chains such as Westin, Sheraton, St Regis, Le Meridien etc.). Nanda is an Oracle database expert, a frequent speaker at Oracle user forums, and the author/co-author of books on Oracle including one on Oracle Privacy Security Auditing. On a scale of 1 (greatest impact) to 5 (least impact), Nanda rates potential performance degradation and application complexity (and associated development/maintenance costs) at 1, data archival and retrieval issues at 2, and database administration, data portability and cost at 3. He rates data size inflation at a low 5, and points out that encryption is a CPU-intensive, not an I/O-intensive, operation.

"In OLTP, where transactions are bursty and discrete, the overall impact could be negligible," writes Nanda, "but in warehouse systems the times are really noticeable."

Pervasive data encryption - where every database is, say, encrypted by default for access as well as archiving, and data can safely be moved from source to target (e.g. data integration, ETL), all without a significant penalty in terms of performance, complexity and cost - seems unattainable just yet. Until then, we are going to have to make do with existing and upcoming solutions at various layers of the data storage and communications (ISO/OSI) stacks that will protect data in various ways and with variable penalties. For example, Nanda points out technologies such as Oracle 11g Transparent Database Encryption and NetApp Decru at the database/storage layers.

Technology is a great enabler, but that's only half the story. What we need - as comments from the Agriculture Department officials clearly indicate - are governance policies and practices wrapped around the technology layers. What good is data encryption if data publication policies are not reviewed periodically to keep up with the times, or if review processes fail to identify potential for data breaches?

Compliance audits and reporting are here to stay, and in fact will only get more stringent in their demands. In the face of the rising importance and costs of protecting data privacy - in terms of fiduciary responsibilities, legal liabilities, and last but not least, consumer confidence - solid data governance policies, coupled with strong top-down management support, must become Corporate Priority Number One.

Rajan Chandras is a consultant with a global IT consulting, systems integration and outsourcing firm, and can be reached at [email protected].
