Executive Q&A: Data Management Best Practices for Changing Times
Pandemic-driven work-from-home employees have complicated data management. Fred Forslund, VP of enterprise and cloud erasure solutions at Blancco, explains why enterprises should act and offers best practices to follow.
- By Upside Staff
- August 1, 2022
Upside: The number of people who began (and may still) work at home as a result of COVID-19 has created what you’ve characterized as a very fluid and uncertain workplace ecosystem. What’s been the impact on data and data management policies?
Fred Forslund: We saw an increased awareness that more sensitive data was being processed by employees outside of the office as teams began working remotely. In fact, one consequence of “work from home” during the pandemic meant that critical enterprise data was stored in many different places -- from home and office computers to employees’ personal laptops to the cloud. With the emphasis on keeping the business fully operational and profitable during the pandemic, data management and data retention policies weren’t top of mind for some companies.
The lack of attention to these policies may come back to haunt businesses that took a more casual attitude towards data management, especially if a data breach exposes customers’ personal data. This could lead to the inability for companies in highly regulated industries, such as finance or healthcare, to meet compliance mandates.
Now that we’ve moved into a post-pandemic mindset, organizations may adopt a more flexible work environment, with some employees working from home, others in the office, and some choosing a hybrid option. Whatever the case, I predict the fluidity of the work environment will continue to create data chaos, which businesses will need to address.
What’s the impact on data security and an enterprise’s data culture?
As new processes and solutions to monitor and protect data in home offices have been implemented, we believe data classification and data protection have become more visible with enterprises investing in these solutions, which leads to greater general awareness across the organization. However, one big challenge companies must grapple with now -- as they realize that there is no “new normal” but just a continuation of an uncertain situation -- is how to balance a more flexible, agile workplace with stringent data management policies and a secure data culture. The quest for agility must never supersede the need for data security.
Organizations must also have a strategy in place to deal with the IT assets they equipped teams with which may no longer be needed as employees head back to the office. Companies must take the chain of custody of used and end-of-life IT assets seriously. A missing or stolen laptop could threaten corporate data security and compromise compliance with data privacy rules and regulations. Therefore, every single IT asset must be remotely erased and sanitized of all corporate data before it leaves the employee’s home office -- whether it is being returned for reuse or on the end-of-life disposal list. Once an asset is sanitized, a certificate of erasure ensures the data chain of custody is intact, even if gets lost in transit.
Given these changes, have enterprises spent enough time adjusting, adapting, or enforcing their data management and data retention policies? If not, why not? What will it take for them to pay attention -- a data breach?
As I mentioned, many companies put data retention and data management policies on the back burner during the pandemic. With many employees working outside the office, more files and data have been stored locally versus on the corporate network. This has led to a patchwork approach to data management which should be a wake-up call for IT managers to make modernizing policies a top priority. Ideally, the updated policies will address the hybrid nature of how we work today.
It’s true that data breaches have a way of increasing company momentum and spending on security to make sure there isn’t a recurrence, so yes, in that sense it does help companies prioritize data security. Internal audits are a worthy investment that can pay off. It’s far better for a gap to be found in advance than to identify why a gap led to an actual breach.
In your view, what are the most important components of data management?
One of the most important components is automation. If you can develop your processes to incorporate automation as much as possible so you can avoid being reliant on user interaction (for more than what’s necessary), you have a better chance of your data management policies being successful. However, even the best data management policies and procedures won’t be effective if they aren’t enforced. Enforcement has become more complicated due to the distributed workforce, but policies that would be effective otherwise will fail without enforcement. Policies should always include strict enforcement criteria, including assigning specific IT personnel to enforce the policies.
Designating the classification of data to determine how long it will be stored is also important. For example, email may not warrant lengthy retention; however, documents related to legal actions, contracts, or financial information may need to be archived for years. For companies in financial services and healthcare, compliance with a variety of regulations is critical to a company’s viability. Although the work landscape has changed, the need to comply with industry-specific regulations has not.
Most data policies seem to address “current” data users are working with. What about redundant, obsolete, and trivial (ROT) data – or what we might call “old” data? What data management policies are the most important for managing ROT data?
ROT data needs to be identified and properly classified. If that is done correctly, you can simply securely erase it and mitigate potential problems. Unless there are processes in place for active and secure data removal on the right grounds, your problem is always going to escalate over time. A few best practices that will lead to better management of ROT data.
First, there’s data identification . This includes collaborating with data owners as well as those on the data compliance, IT, and cybersecurity teams to develop a strategy that meets the organization’s specific data retention requirements, which can vary widely from industry to industry.
Second, consider data separation . This step can seem overwhelming because many organizations keep data longer than they should, but there are technology solutions that can help automate the process of data identification and data separation. The big challenge is determining what data is still useful, current, or necessary and which can be eliminated.
Finally, practice data eradication . Keeping ROT data increases the chance that PII or corporate data could be stolen or misused. The most secure method of data eradication is data erasure. Total data sanitization erases data from hard disk drives and solid-state drives in a way that makes redundant, old, or trivial data irretrievable, protecting the organization against unauthorized data access and meeting the tenets of data privacy regulations.
Data lakes have become popular, but TDWI has repeatedly warned about the tendency for enterprises to dump all kinds of data into them -- and watching them become bloated and less useful. What best practices do you have to avoid turning your data lake into a data swamp?
It’s a fact that companies are sitting on an enormous amount of data -- much of which they don’t need. Regularly weeding out ROT data can stop the data lake from turning into a data swamp. Once the lake transforms into a swamp, the determination as to whether particular data is necessary, is unstructured or structured, and so on, becomes a labor-intensive and time-consuming task which takes IT staff away from higher priority responsibilities. Keeping up with the process and ensuring unneeded ROT data is immediately securely erased significantly decreases the threat footprint and mitigates the potential for data lakes to become swamps.
The pre-planning and design of a data lake is also key. You need to know how you are going to use the data before you start gathering it. The best approach is to think about data life cycles from day one. This includes how to collect and gather as well as how to securely erase and make end-of-life data decisions.
[Editor’s note: Fred Forslund is the VP for enterprise and cloud erasure solutions at Blancco and the director of the International Data Sanitization Consortium (IDSC). You can connect with Forslund on LinkedIn.]