In all things data, resilience is a real thing. The current business focus on data includes big data, moving data to a cloud and a drive for mobile data. Each of these approaches addresses a different view of the same data by first adding context to understand what the data means, then processing and storing it efficiently, and finally making the contextualized data accessible everywhere. All of these actions sound good and look good in a presentation, but they also introduce security and system failure points. To reduce the failure points as you do something big, something cloud and something mobile with your data, you need to add resilience to your data systems.
Thinking about data resilience is just one part of a Resilient X practice that includes the processes and analysis required to ensure X (any collection of systems) operates as designed across a variety of circumstances and continues to produce specific outcomes. Resilient practices can be found in data center design, disaster recovery planning and telecommunications systems including the Internet. Driven by moves to big, cloud and mobile, data security practices have also gained a resilience focus.
In data security, recovery is a bad word – as in disaster, event or breach recovery. The preferred outcome in data security is disaster avoidance, which is the goal of all resilient systems thinking. A simple analogy is that resilient data security is like a flu shot for your security practices. While it cannot guarantee the health of your data security, it can protect you from the most common threats.
Designing, building, implementing and maintaining resilient systems requires knowledge, practice and an awareness of changing trends. Resilient systems also require an understanding of business process, customer needs and available skill resources. The knowledge required to create resilient systems lives in accounting, finance, operations, HR, sales and all of the other departments that IT supports. That is, IT cannot do this alone. Therefore, the training required to create resilient and secure systems is more than one IT course or one business analyst certification. Resilience comes from understanding planned outcomes as well as organization and customer needs and then architecting systems to fulfill those needs in a variety of ways so that no one link in a system process chain can cause a need to go unmet.
Applying the knowledge from your business community to secure data requires an “in-the-mirror” perspective to view needs and threats from the outside in. This outside-in approach helps identify each potential threat to data and to customers. Once identified, each threat can be mitigated to create resilient systems that allow access while preventing or containing threats. This process might be referred to as a ringed approach, an onion strategy, layered defenses or many other multilevel security descriptors.
This type of resilient system works by connecting many “and conditions” through more than one process. Requestors receive data or access when their ID and password are valid, when their device is authenticated, when the data request is valid for their account type, when some number of system watchers agree that the request is appropriate, and when the connection is secure, etc. When enough of your organization’s conditions are met, data is delivered or access is granted.
What is the right number of conditions for your organization? Only you can answer that question. How do you determine your safe percentage? Good training in data security, business processes, external standards implementation and planning can create the right foundation to secure your data and ensure that all of your systems are resilient.