Putting security on the map: How geography affects your data

We already know that one of the most common issues in every security breach is that organizations don’t always know what’s in their data. However, for many companies, another risk factor plays a major role in security: physical and geographic location.

For the same reason it’s impossible to fully protect data if you’re unsure of its content, to guarantee security you also need to know where your data is physically located. When organizations utilize remote servers, secondary storage sites, and cloud services, pinpointing data location can become fuzzy – not to mention frustrating.

To put your data back on the map and prevent a geography-induced breach, ask the following questions of your company, your system and your data:

Is our data at risk of geographic isolation? 

Once, while working at a bank in Bermuda, I detected that an HP-UX server required patching, only to find my efforts blocked. As I learned, the consultant providing support for the storage system in question was on vacation and applying the requisite patches to the server in his absence was a risk the business was not willing to take – putting our data at risk of geographic isolation, and exposing it to a wide range of security threats.

Data isn’t a static presence on your server. Files move around, folders get changed, and every user’s actions can affect the security of the data in question. Before making a major change like a server upgrade, be sure you won’t open a loophole in your security plan.

Are we working with regional compliance regulations?

Data needs to comply with the regulations of the region where it’s stored or to which it migrates, not where it’s created. If a cloud services provider moves your data to the U.K., it’s likely to encounter different data protection and privacy requirements than it would in America. This situation has been the driving force for Microsoft’s multi-year lawsuit (which the Supreme Court recently weighed in on) regarding emails being stored in an Ireland-based data center. Other countries, such as Italy and Germany, also have privacy-centric laws in place, which make it difficult for international organizations to share data or operate infrastructure in those regions.

Do we have enough context to investigate a data breach?

Context is key to understanding and protecting data. Solutions that help track contextual clues – such as user access timelines, patterns and changes between backup copies – give users the power to strengthen their visibility into data using associated information. With a catalogue of metadata at hand, security teams can pinpoint the location of data, prevent geographical factors from exposing sensitive information, and identify any changes in data as it moves from point A to point B.

Follow @DataGravityInc on Twitter for tips and insights about data security.

Andrew Hay


With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.