<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DATAVERSITY &#187; David Schlesinger</title>
	<atom:link href="http://www.dataversity.net/category/discussion/blogs/david-schlesinger/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dataversity.net</link>
	<description></description>
	<lastBuildDate>Wed, 22 May 2013 14:29:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Cyber-Attacks in the News and Data Regulatory Compliance</title>
		<link>http://www.dataversity.net/cyber-attacks-in-the-news-and-data-regulatory-compliance/</link>
		<comments>http://www.dataversity.net/cyber-attacks-in-the-news-and-data-regulatory-compliance/#comments</comments>
		<pubDate>Wed, 01 Aug 2012 07:10:15 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>
		<category><![CDATA[Enterprise Information Management]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=13561</guid>
		<description><![CDATA[by David Schlesinger CISSP You probably have heard of the “Stuxnet” worm or the “Flame” code that was presumably aimed at machines processing radioactive substances.  (If you haven’t heard of either, you are working far too hard and need to look around at what is happening in the IT world.)  These are specially crafted pieces of code designed to perform specific cyber-attacks, such as accelerating a nuclear centrifuge way past its breaking point while reporting all was well on the management screens. You may wonder what this has to do with Data Regulatory Compliance. Consider the tactical situation; a program of malicious code (malware) was somehow injected into a closed foreign military system that had no physical connection to the worldwide Internet.  Further, despite a high level of internal security, it was not discovered for years.  In fact, it was not identified until it escaped from the “secure” facility (on somebody’s unauthorized laptop no doubt) and started flying around the world on the Internet. So the question arises, since your company is always connected to the Internet, and your employees use their laptops outside of your network for personal email and surfing the net; how in the world could you [...]]]></description>
				<content:encoded><![CDATA[<p>by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger CISSP </a></p>
<p>You probably have heard of the “Stuxnet” worm or the “Flame” code that was presumably aimed at machines processing radioactive substances.  (If you haven’t heard of either, you are working far too hard and need to look around at what is happening in the IT world.)  These are specially crafted pieces of code designed to perform specific cyber-attacks, such as accelerating a nuclear centrifuge way past its breaking point while reporting all was well on the management screens. You may wonder what this has to do with Data Regulatory Compliance.</p>
<p>Consider the tactical situation: a program of malicious code (malware) was somehow injected into a closed foreign military system that had no physical connection to the worldwide Internet.  Further, despite a high level of internal security, it was not discovered for years.  In fact, it was not identified until it escaped from the “secure” facility (on somebody’s unauthorized laptop no doubt) and started flying around the world on the Internet.</p>
<p>So the question arises: since your company is <span style="text-decoration: underline;">always</span> connected to the Internet, and your employees use their laptops outside of your network for personal email and surfing the net, how in the world could you believe that your company network could not be successfully compromised in the future?</p>
<p>Criminals are after your data, not your hardware. (Well, some criminals steal hardware, but these are different criminals with smaller budgets.)   Make no mistake; organized crime is knocking at all our doors all the time. Criminal hackers want to download whole databases and sort them later in their own sweet time.  They get your data and your company takes the heat.  This is bad.</p>
<p>You need a way to protect your most valuable, sensitive, and risky data within the corporate network even if the network is compromised. A reasonable first step is to understand the sensitivity and risks of the data you manage.</p>
<p>Identify which data are affected by regulations and contractual obligations (HIPAA, SOX, PCI,  EU FISMA, EU DPD 95/46, PPI, etc.), and data comprising your “trade secrets” you would not wish to be public. You can’t protect what you cannot identify.  Some data will be more sensitive than others, and some data loss will be more costly than others. You first need to know which data is sensitive, and next you will need to know one more thing.</p>
<p>You need to know where in your company this data resides; which servers and which databases and which laptops.  Odds are you will find sensitive data mixed through all the less sensitive information.  Thus, you should make strategic changes in these databases so that you can isolate and protect high-risk data.  Lock the gold in the vault, not the pencils.</p>
<p>For example, you might want to put the most sensitive data in separate tables with different access rules, or encrypt them, or place them elsewhere in your network behind an internal firewall.  This might slow down a query, but when the database is compromised the hacker will not be able to access your most sensitive data.   Effort and latency must be measured against the cost to the enterprise if the data is stolen and published on the Internet.</p>
<p>This is not hugely difficult technically, but is difficult politically. You see, people in your company have been rewarded for years with raises and perks for making things happen faster and will resist additional system complexity and latency. You are paying them to resist it.</p>
<p>To make compartmentalized data protection a success your employees need to feel secure that they will not be penalized by the extra work to secure sensitive data.  This is a management <span style="text-decoration: line-through;">challenge</span> opportunity.  If you develop teamwork for this program, you now have a high-performing team to tackle your next big technological challenge.  Got any of those?</p>
<p>Only with a good risk analysis can you determine the level of proper protection to use for Regulated Information within your data architecture.  Don’t make it easy for criminal hackers: provide protection in depth. They will get in.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/cyber-attacks-in-the-news-and-data-regulatory-compliance/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Data Governance and Corporate Agility are Customer Centric</title>
		<link>http://www.dataversity.net/data-governance-and-corporate-agility-are-customer-centric/</link>
		<comments>http://www.dataversity.net/data-governance-and-corporate-agility-are-customer-centric/#comments</comments>
		<pubDate>Mon, 23 Jul 2012 07:08:36 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Governance and Quality]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>
		<category><![CDATA[Enterprise Information Management]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=12822</guid>
		<description><![CDATA[by David Schlesinger CISSP Business is a complex exercise in organization and human nature.  Peter Drucker famously said “the purpose of a business is to create a customer;” yet a lot of things must be done to manage the business that at first glance do not touch the end customer.  This is a false notion; everything one does inside the enterprise has some effect which ripples outward to the end customer. An example might be data management.  While this may appear to some to be an internal-only affair, it has a direct effect on dealings with the customer. We can see the obvious such as linking available inventory to web order pages; but links to billing, warranty, and shipping are just as important for customer satisfaction.  When the package fails to arrive, good data handling can make this a trivial issue that makes the customer better appreciate the company; or it can cause customer irritation preventing future orders from this customer and causing angry product reviews posted on Internet sites. The decision to not properly model a database system because of budget cuts might cause latency in customer care or support. Do product support people know the latest product models [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger CISSP</a></p>
<p>Business is a complex exercise in organization and human nature.  Peter Drucker famously said “the purpose of a business is to create a customer;” yet a lot of things must be done to manage the business that at first glance do not touch the end customer.  This is a false notion; everything one does inside the enterprise has some effect which ripples outward to the end customer.</p>
<p>An example might be data management.  While this may appear to some to be an internal-only affair, it has a direct effect on dealings with the customer. We can see the obvious such as linking available inventory to web order pages; but links to billing, warranty, and shipping are just as important for customer satisfaction.  When the package fails to arrive, good data handling can make this a trivial issue that makes the customer better appreciate the company; or it can cause customer irritation preventing future orders from this customer and causing angry product reviews posted on Internet sites.</p>
<p>The decision to not properly model a database system because of budget cuts might cause latency in customer care or support. Do product support people know the latest product models and specs? Does sales staff know that certain models have been discontinued or that they now come in a variety of colors? Does procurement know what is rapidly selling in the outlets?  Does the manufacturing dept. trust sales projection data after hearing that sales has been “challenged” by upper management to increase volume 5% or else?   (Don’t bet on it.)</p>
<p>This last is interesting: many groups in a company do not make quick decisions on data coming in because it is late, or inaccurate, or so convoluted that using it for Business Intelligence is impossible.  Lack of access to timely and accurate information prevents business agility. When data is not trusted each manager waits for a solid trend to develop over a longer time before they make a decision. Waiting for future data, I would humbly suggest, is the enemy of market agility.</p>
<p>Data Governance requires that the data be examined carefully for sensitivity to external regulations and internal policies. Failure to fully understand these requirements can result in something that looks like governance but just puts unnecessary hurdles in front of people seeking data access. Often this is because sensitive data is mixed up willy-nilly with non-sensitive information.</p>
<p>Even more probably, it is because there is not a central system in place to identify and locate sensitive “regulated” information across the enterprise, and then a policy placing it in protected environments.</p>
<p>Non-sensitive information is what most processes require, yet it is often hard to obtain because of this mixing.  Difficulty in getting authorization will, if not linked tightly to a quality definition of the data, eventually result in the wrong people getting access to data they do not need but will nevertheless download to their laptops.  These laptops are then left in taxicabs.</p>
<p>Understanding data implies defining its meaning, its business importance, the timeliness required by users, its accuracy, usable formats, and also sensitivity to regulatory compliance.  The world of data quality overlaps data governance; both of these activities are vital to a business so employees can have access to trustworthy information as soon as possible.</p>
<p>Trusted data illuminates sharp market changes that can quickly drive internal response. When employees really know what’s going on with the business and customers, they make agile decisions positively affecting sales and customer loyalty.</p>
<p>Don’t isolate data quality and data governance from each other; they are both doing the same thing: defining data better so that it can be managed better and easily used to create customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/data-governance-and-corporate-agility-are-customer-centric/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Conversations about Big Data – How Hot is Your Data Center?</title>
		<link>http://www.dataversity.net/conversations-about-big-data-how-hot-is-your-data-center/</link>
		<comments>http://www.dataversity.net/conversations-about-big-data-how-hot-is-your-data-center/#comments</comments>
		<pubDate>Mon, 18 Jun 2012 07:31:56 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>
		<category><![CDATA[Strategy]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=12036</guid>
		<description><![CDATA[by David Schlesinger CISSP Big Data requires Big Data Centers.  When you build a place to handle Big Data, you have many computers all working together.  This raises considerations regarding using a common ground for all power cables, how much fuel to keep for the back-up generators, the air-conditioning fan duct orientation, proper heights of blade cabinets, and if you really need to run Fiber-Channel over Ethernet. These physical considerations have usually been left to others, but if you are involved in Big Data in your Big Data Center, you are hip deep in these discussions. You are also looking for a good deal in 10 Gig switches. (If you find one, let us know.) The reason why this is significant is that we are, as a culture, at a turning point in our hardware-software love affair.  If I may, I would like to take you on a short stroll down memory lane and reflect on the absence of 5 Gigahertz computer chips. Actually, there were precious few that reached 4 Gigahertz. The problem was not that they did not work; the problem was that chips running that fast became so hot they required a huge cooling tower and multiple [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger CISSP</a></p>
<p>Big Data requires Big Data Centers.  When you build a place to handle Big Data, you have many computers all working together.  This raises considerations regarding using a common ground for all power cables, how much fuel to keep for the back-up generators, the air-conditioning fan duct orientation, proper heights of blade cabinets, and if you really need to run Fiber-Channel over Ethernet.</p>
<p>These physical considerations have usually been left to others, but if you are involved in Big Data in your Big Data Center, you are hip deep in these discussions. You are also looking for a good deal in 10 Gig switches. (If you find one, let us know.)</p>
<p>The reason why this is significant is that we are, as a culture, at a turning point in our hardware-software love affair.  If I may, I would like to take you on a short stroll down memory lane and reflect on the absence of 5 Gigahertz computer chips. Actually, there were precious few that reached 4 Gigahertz. The problem was not that they did not work; the problem was that chips running that fast became so hot they required a huge cooling tower and multiple fans.  Imagine a tiny Three-Mile-Island style cooling tower inside your PC.</p>
<p>A few computer gamers actually build such machines. They over-crank their CPUs outrageously and connect multiple video cards, each of which has one or more fans, to feed huge monitors showing HD level graphics while listening loudly to seven-channel audio.   They need loud seven-channel sound to cover the whine of more than a dozen fans spinning at top speed to cool their computer. Many of these people appear brave in their combat games, but shrink with fear when opening their monthly electricity bill.  Therein lies the problem and the direction of today.</p>
<p>Data Center operators became aware early of the cost of power because they pay for it twice: once to heat up the CPUs and then again to cool them down.   Manufacturers of computer chips and chipsets responded to this and began reducing chip heat-production some years previously. Each new generation of CPU coming from the foundries extracts more computing speed using less power than the previous one. This is a good and green trend.  It also means that care must be taken when purchasing equipment for your new data center. The bargain-priced blades may work well, but might eat up your savings in power costs in a short time. New energy-efficient units working at lower speeds can actually save money while allowing you to vastly increase your processing speed.  As the chips become smaller they use less power to go just as fast. Not a bad deal.</p>
<p>This is not a sales message for buying new computers (disclaimer: I do own stock in some High-Tech manufacturing companies, but you do also); it is a consideration to move into the future responsibly and prudently.  Also, building a data center that can take advantage of cooler weather to turn off the AC is wise. Even Phoenix, where temperatures remain above 100 °F all summer, has mild winters allowing outside air to cool the equipment.</p>
<p>Of equal importance is the overall stability of the area in which the center is located. Over earthquake fault lines is counter-indicated, as are areas often flooded during storms. Amazingly, Calgary in Canada and Phoenix in Arizona are considered some of the more stable areas where natural events are few and power supplies are redundant. (Outside air cooling happens more in Calgary.) With the speed of electronic connectivity being what it is, cyberspace makes physical location less important. Indeed, some people choose data centers where the utility costs are lower.</p>
<p>How hot is your Big Data data center?  Not as hot as it would have been six years ago and probably hotter than it will be six years in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/conversations-about-big-data-how-hot-is-your-data-center/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Data Management Should Collaborate with Security</title>
		<link>http://www.dataversity.net/why-data-management-should-collaborate-with-security/</link>
		<comments>http://www.dataversity.net/why-data-management-should-collaborate-with-security/#comments</comments>
		<pubDate>Fri, 01 Jun 2012 07:01:52 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>
		<category><![CDATA[Enterprise Information Management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=11707</guid>
		<description><![CDATA[by David Schlesinger CISSP While some people still believe that data protection and information security require different skill sets (and they are correct), they further believe that each discipline does &#8220;just fine thank you&#8221; when operating in isolation.  This last belief is as wrong as believing that nobody will hack your home computer because it is not valuable. (But that&#8217;s another topic.) In reality these are two vital elements of a Mature Information Management Model (MIMM).  This model, still in the process of being understood, assigns real value to the work that people perform.   At the heart of any business lies the idea of value. Barter economies understood value well.  The apple-grower exchanged food value in a bag of apples to the blacksmith for the value of skill putting on horseshoes.  The young woman today, receiving value for her time and skill at the Insurance Agency, exchanges part of her salary to buy an iPad® for the communication and entertainment value it provides.   Value transfer is a key step in any business.  Each datum in your system is a record of a process step in value transfer. We first replaced the bag of apples with a handful [...]]]></description>
				<content:encoded><![CDATA[<p>by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger CISSP</a></p>
<p>While some people still believe that data protection and information security require different skill sets (and they are correct), they further believe that each discipline does &#8220;just fine thank you&#8221; when operating in isolation.  This last belief is as wrong as believing that nobody will hack your home computer because it is not valuable. (But that&#8217;s another topic.)</p>
<p>In reality these are two vital elements of a Mature Information Management Model (MIMM).  This model, still in the process of being understood, assigns real value to the work that people perform.   At the heart of any business lies the idea of value. Barter economies understood value well.  The apple-grower exchanged food value in a bag of apples to the blacksmith for the value of skill putting on horseshoes.  The young woman today, receiving value for her time and skill at the Insurance Agency, exchanges part of her salary to buy an iPad<sup>®</sup> for the communication and entertainment value it provides.   Value transfer is a key step in any business.  Each datum in your system is a record of a process step in value transfer.</p>
<p>We first replaced the bag of apples with a handful of paper bills.   We then replaced the paper money with electronic money in the form of data.  And here is where the problems begin. While there is a long historical record of securely handling gold and money, data management has a different perspective.  Business rewards IT workers for low-cost, high speed and operational stability.  While these are good goals, not adding Information Protection into primary business requirements causes data loss, and added costs for security remediation later.  We spend more and get less. I humbly suggest this is not an optimal approach.</p>
<p>Collaboration is not easy because the security folk, alone in their isolated cubicles, wearing black T-shirts and listening to Trance music whilst drinking Red Bull<sup>®</sup>, live in a battlefield world where malicious hackers and organized crime attack the enterprise relentlessly.  Further, they may have been told that meddling with business processes lies outside their duties.   They are often unwanted guests at meetings. Thus, their Red Bull and nighttime game-playing involving military attacks on an enemy may or may not represent, in their mind, a person who gave them a difficult problem that day.</p>
<p>To link security expertise to the business at the right time, here&#8217;s an approach that might just be crazy enough to work.  Get the project teams and security together to discuss requirements before they are finalized.  I know this sounds wild, but we need to free our minds and jump over the street to the other skyscraper&#8230; no, wait, that was in <em>The Matrix</em>. We must be willing to get together in a non-confrontational manner and talk about risks and dangers.</p>
<p>It has been my experience that at this stage of a software or business process development, eliminating security issues can be easily managed with small changes in system design or operations, with <strong><em>no loss in speed or productivity</em></strong>. (Italics mine, since I wrote it in the first place.)   Such meetings happening before project requirements are finalized also generally result in process improvements.  Socrates said, &#8220;The unexamined life is not worth living.” I say &#8220;the unexamined business process is full of stupid.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/why-data-management-should-collaborate-with-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Why Data Governance Should Include Security Posters in the Hall</title>
		<link>http://www.dataversity.net/why-data-governance-should-include-security-posters-in-the-hall/</link>
		<comments>http://www.dataversity.net/why-data-governance-should-include-security-posters-in-the-hall/#comments</comments>
		<pubDate>Wed, 09 May 2012 07:01:41 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Governance and Quality]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=11167</guid>
		<description><![CDATA[by David Schlesinger CISSP At first glance it may not seem apparent that data governance has much to do with security posters in the halls of your enterprise. At second glance it also is not apparent; which is why I am writing this piece.  They are connected and Data Governance can make it better. First, Data Governance (with capital letters indicating a program in your enterprise) must cover the entire risk landscape to be effective. The risk landscape is your network environment, your web servers, your data centers (or data centres in England) and the equipment carried by the people who will access your information.  We are talking about authorized access, not the other kind. Workers (employees, contractors, outsourcers, and that new guy down in shipping) all have some sort of access authorization to your information.  Naturally, there are limits to this authorization and a number of safeguards within your network to keep the bad guys out. That’s well and good. But! If a worker does something foolish with the computer they carry around, such as download a game from the Internet, or plug in a USB stick they found in the parking lot, or even click on a link [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger CISSP</a></p>
<p>At first glance it may not seem apparent that data governance has much to do with security posters in the halls of your enterprise. At second glance it also is not apparent, which is why I am writing this piece.  They are connected and Data Governance can make it better.</p>
<p>First, Data Governance (with capital letters indicating a program in your enterprise) must cover the entire risk landscape to be effective. The risk landscape is your network environment, your web servers, your data centers (or data centres in England) and the equipment carried by the people who will access your information.  We are talking about authorized access, not the other kind.</p>
<p>Workers (employees, contractors, outsourcers, and that new guy down in shipping) all have some sort of access authorization to your information.  Naturally, there are limits to this authorization and a number of safeguards within your network to keep the bad guys out. That’s well and good. But!</p>
<p>If a worker does something foolish with the computer they carry around, such as download a game from the Internet, or plug in a USB stick they found in the parking lot, or even click on a link in an email that promised them a chance to win a free set of Elvis Costello CDs, they may have allowed malware to enter their computer. Some of this malware is very new, very stealthy, and may not be picked up readily by the resident antivirus program.  You see, (truth alert!) antivirus programs are very good but not perfect.  In that narrow gap lie Trojans (programs that look like horses); Keyloggers (copy your keystrokes and email them to Elbownia), and resident evil.  (Not the movie.)</p>
<p>Resident evil would be a class of malware (“evil programs” if you did not study Latin) that just sits and scans with no action taken until a specific set of circumstances causes it to make its move.  An evil “helper” program in your web browser might only scan your text entry for one specific URL. If you never type it in, the program never does anything. If you do type it in, the program slips in some extra code of its own when you hit the “enter” key and you are then “owned” by another party henceforth.  They are working on your machine unbeknownst to you.  Once there, they can use a great number of tricks to escalate authorization to steal data.</p>
<p>So it pays to keep the workers informed of computer dangers and limit their risky and ill-considered behavior. Workers need continual reminding and training. Each new worker needs to learn it all from the start.  This is a sustained process that never ends because new and clever attacks are always appearing. The posters are certainly not sufficient, but they provide a highly visible reminder.</p>
<p style="text-align: left;" align="center">Further, if Governance supports it, the security folks will have the budget to change them each month (a good idea) because it informs all workers that somebody in the company believes this is very important. When the posters stop changing, it signals that the danger is past because management no longer cares.   Keep the posters up, keep them changing, and integrate them into an overall Information Governance security training program.  Oh, and don’t click on strange email links.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/why-data-governance-should-include-security-posters-in-the-hall/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Conversations about Big Data – Who Can See What?</title>
		<link>http://www.dataversity.net/conversations-about-big-data-who-can-see-what/</link>
		<comments>http://www.dataversity.net/conversations-about-big-data-who-can-see-what/#comments</comments>
		<pubDate>Wed, 25 Apr 2012 06:57:12 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=10890</guid>
		<description><![CDATA[by David Schlesinger CISSP Traditional Database Management Systems have ways to make sure that not everybody can see everything.  Thus, the clerks in the sales office cannot see the personal health history of the CEO (if the CEO complains loudly about the cost of Viagra at office parties however, confidentiality in the computer system is moot). We remember that in the past we kept sensitive documents locked in file cabinets in locked offices.  There often was an older employee who had been there since the company founding and who was very much in charge and gave us hard looks when we came in asking for certain information.  Those of us who were fresh out of school were daunted and stammered out our requests. We were handed a sheet of paper to look at, but warned not to take it out of the room.  Then we dropped it and it slid under the receptionist’s desk and we were afraid to ask for it and afraid to go under her desk and were miserable. Often we changed jobs and became disk jockeys. But not to dwell on our past, today we have all this data stored as magnetic pulses which can be [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">by <a title="David Schlesinger" href="http://www.dataversity.net/contributors/david-schlesinger/" target="_blank">David Schlesinger</a> CISSP</p>
<p>Traditional Database Management Systems have ways to make sure that not everybody can see everything.  Thus, the clerks in the sales office cannot see the personal health history of the CEO (if the CEO complains loudly about the cost of Viagra at office parties however, confidentiality in the computer system is moot).</p>
<p>We remember that in the past we kept sensitive documents locked in file cabinets in locked offices.  There often was an older employee who had been there since the company founding and who was very much in charge and gave us hard looks when we came in asking for certain information.  Those of us who were fresh out of school were daunted and stammered out our requests. We were handed a sheet of paper to look at, but warned not to take it out of the room.  Then we dropped it and it slid under the receptionist’s desk and we were afraid to ask for it and afraid to go under her desk and were miserable. Often we changed jobs and became disk jockeys.</p>
<p>But not to dwell on our past, today we have all this data stored as magnetic pulses which can be turned into electronic signals and sent around the world faster than a purchase order can slide under a desk. Our safeguard systems for confidentiality and privacy, however, have not yet evolved to that level of speed.  Rising levels of lost and stolen personal information indicate that.</p>
<p>Yet, even as we face increasing numbers of laws, ordinances, guidelines, contractual restrictions and red-tape, we lose huge amounts of personal data each year <strong><em>(<a href="http://datalossdb.org/statistics">http://datalossdb.org/statistics</a>).  </em></strong>This may partly be because we have more data to lose each year, but it is also certainly partially due to the fact that we do not yet have the mind-set to build IT systems with information protection as a major requirement.</p>
<p>Wait!  Before you huff and puff at me in anger claiming this is alarmist, please check the reference in the previous paragraph and then come back. The writer will wait. [Pause]</p>
<p>There, you see proof that we, as a population of people in the world, are doing a poor job of protecting information. So let’s see what we can do to make sure that our company does not lose data.</p>
<p>First, all DBMS should have some sort of viewing restriction capability. Sometimes it is as primitive as a View, other times it is sophisticated and multi-leveled. The most sophisticated systems allow the operator to distinguish between permissions that only allow users to look at the data, and other permissions that allow them to write to or change the data.  The best schemes only allow users to download small subsets of sensitive data rather than entire databases. That way, your stolen laptops only contain small parts of the company records.  (Hey, better than all of them!)</p>
<p>Unfortunately, some of the new Big Data management systems have not yet implemented good Confidentiality or HIPAA or PCI types of protection.  Truthfully, it is a little early for them to have figured it all out, so the owner of the information (<strong>you!</strong>) needs to build in these limitations before you send all this information off into a cloud somewhere.</p>
<p style="text-align: left;" align="center">A way to reduce risk is to limit the amount of sensitive information you send to the Big Data Center.  Encryption is a useful tool, but why are you sending encrypted data out? You cannot manipulate encrypted data.   Not sending it out will keep it safer from loss or theft, and also speed up processing: A win-win for all. And yes, you will not be able to use the Government ID number or Credit Card number as the primary key! You will have to (gasp!) use an auxiliary surrogate key to send with the data; but I am sure you will find this easier than explaining to the boss why all your company purchase orders are now lost under the receptionist’s desk.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/conversations-about-big-data-who-can-see-what/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conversations about Big Data – Why Do We Need Big Data?</title>
		<link>http://www.dataversity.net/conversations-about-big-data-why-do-we-need-big-data/</link>
		<comments>http://www.dataversity.net/conversations-about-big-data-why-do-we-need-big-data/#comments</comments>
		<pubDate>Wed, 28 Mar 2012 07:01:37 +0000</pubDate>
		<dc:creator>Shannon Kempe</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Blogs]]></category>
		<category><![CDATA[Cloud-Based Data]]></category>
		<category><![CDATA[Data Topics]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[David Schlesinger]]></category>
		<category><![CDATA[Discussion]]></category>

		<guid isPermaLink="false">http://www.dataversity.net/?p=10132</guid>
		<description><![CDATA[by David Schlesinger CISSP With the arrival of the Internet everything changed.  Not just the introduction of email, SPAM and selling ice-cream makers via websites; not even eBay™ and massive multi-player games; no, the thing that changed was that all along the broadband connection there sits a world full of people. Once upon a time all we had to worry about was an infinite number of monkeys typing Shakespeare on an infinite number of typewriters.  Now we have teenagers in Tampa and geeks in Greece who are sending us data to somehow manage. And, if it were only a few teens and geeks we could handle it; but a typical web-fronted enterprise counts its customers in the millions, and the Marketing Dept. will segment them into almost uncountable configurations.  Well, they would be uncountable but banks of servers now capture and count every bit and byte then store it on an ever-expanding array of spinning disk drives.  Does this sound like your place? Traditional database management systems were designed to handle data generated by business processes in place during the time they were invented.  That certainly makes sense, but just as dirt roads evolved into super highways when the car [...]]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">by David Schlesinger CISSP</p>
<p>With the arrival of the Internet everything changed.  Not just the introduction of email, SPAM and selling ice-cream makers via websites; not even eBay™ and massive multi-player games; no, the thing that changed was that all along the broadband connection there sits a world full of people.</p>
<p>Once upon a time all we had to worry about was an infinite number of monkeys typing Shakespeare on an infinite number of typewriters.  Now we have teenagers in Tampa and geeks in Greece who are sending us data to somehow manage.</p>
<p>And, if it were only a few teens and geeks we could handle it; but a typical web-fronted enterprise counts its customers in the millions, and the Marketing Dept. will segment them into almost uncountable configurations.  Well, they would be uncountable but banks of servers now capture and count every bit and byte then store it on an ever-expanding array of spinning disk drives.  Does this sound like your place?</p>
<p>Traditional database management systems were designed to handle data generated by business processes in place during the time they were invented.  That certainly makes sense, but just as dirt roads evolved into super highways when the car replaced the horse, the Internet replaced folks standing behind cash registers making sales one at a time with sleepless web servers capable of thousands of transactions a second.  Sales data now exceeds many legacy data systems’ ability to calculate marketing analysis before conditions change and make the marketing responses redundant.</p>
<p>To solve this some very bright people arrived with some sparkling logic and new data handling ideas to cope with this huge data flow.  They believed that by leveraging the low cost of commodity computers and then playing fast and loose with rigidly formatted data, they could improve data processing throughput two orders of magnitude. (That’s 100X for you non-Star-Trek-watchers.)</p>
<p>Yes, these are the same computers that you use to read email at home and play Solitaire during meetings at work.  Turns out they move fast when stacked real high using an architecture that asks many small computers to do lots of short and simple jobs. (Just like my grandfather used to say, “Many CPUs make light work.”)</p>
<p>Breaking up may be hard to do, but that’s precisely what Big Data systems do to your data. Each processor chips in a few cycles and information flows quickly.  But, there’s a catch.</p>
<p>Getting answers quickly is more than just about speed; just like a banana-split is more than just a split banana.  Big Data is about speed utilized to make prompt business decisions. You need to first reflect on your business process and determine what decisions are pivotal for success and which data you require to improve them. Getting responses from your sales efforts in near-real-time and being able to tie your inventory to manufacturing without faulty long-term estimates gives your business a competitive advantage.</p>
<p style="text-align: left;" align="center">What you still need, after that technology expansion into Big Data, is a sharp mind, an innovative business eye, and working to provide your customers with the best experience you can provide.  That has not changed because people have not changed. We are still all people, even if we’re now sitting, cybernetically, in a cloud.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dataversity.net/conversations-about-big-data-why-do-we-need-big-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
