Compliance in a Web 2.0 World

Web 2.0 technologies provide a plethora of places that data can reside. These present substantial compliance challenges. For example, it will be hard to know where all of your company’s data is, and whether and how intellectual property has escaped your organization today.

Fast-forward five years. Imagine hosting some of your email with Microsoft Exchange Online, some with Gmail, some being sent PIN-to-PIN on BlackBerry devices, and some in an on-premises email system. Add to that SharePoint hosted with a third-party hosting provider; layer in hosted backup in the cloud and storage with Amazon S3; and season it with a bit of Live Mesh. And keep in mind that data could be in any of hundreds of file formats, including voice, video, or even purposely encoded messages hidden within other documents.

To complete the picture, add one or two rogue executives or other employees with data that they feel a need to hide. In addition to the plethora of data silos on the Internet, data could be "hidden" on USB drives, in PSTs, even (gasp) in offshore data havens such as Havenco. And finally, those hiding their tracks and data may resort to any number of encryption technologies to make detection more difficult.

What do compliance and data control mean in this context? Think of the challenges this brings. Think of how laws around data protection will evolve in the coming few years. Regulations today, such as the European Commission’s 1995 Directive on Data Protection (Directive 95/46/EC), stipulate that certain types of data may only be transferred to countries meeting specific criteria. Other regulatory regimes or laws may prohibit certain types of data from leaving the company, leaving the country, or being shared with individuals in certain restricted countries.

To address these challenges, organizations must:

  • Decide between the following starting points around security:
    • Anything not explicitly denied is permitted.
    • Anything not explicitly permitted is denied.
  • Establish realistic, enforceable, and well-implemented policies around appropriate and inappropriate use of corporate data.
  • Have the will to enforce policy when it is breached, without showing favoritism.
  • Carefully screen all hosting and software-as-a-service technologies from the perspectives of searchability, data access, data protection, and applicable laws and regulations.
  • Evaluate technologies that help establish safeguards against data leakage.
  • Track the plethora of new social media and collaboration technologies emerging on the market and understand how much of this is in their environment.
  • Define discovery requirements and implement technologies that enable discoverability within acceptable time frames.
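The first decision in the list above (default permit versus default deny) changes the outcome for exactly the cases the article worries about: a new collaboration service nobody has screened yet, or a destination country that no rule mentions. The following policy evaluator is an added example, not code from the original article; the destination codes, channel names, and data classes are constructed placeholders and do not represent any real list of countries deemed adequate under Directive 95/46/EC.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class TransferRequest:
    """A proposed movement of corporate data (constructed example fields)."""
    data_class: str   # "personal" or "public" in this example
    destination: str  # constructed placeholder code, not a real country list
    channel: str      # service or medium the data would move through


@dataclass(frozen=True)
class TransferPolicy:
    """Allow-list / deny-list policy with an explicit default stance."""
    default_deny: bool
    permitted_destinations: FrozenSet[str]
    denied_destinations: FrozenSet[str]
    screened_channels: FrozenSet[str]   # channels that passed the screening step
    denied_channels: FrozenSet[str]

    def _decide(self, value: str, permitted: FrozenSet[str],
                denied: FrozenSet[str], what: str) -> Tuple[bool, str]:
        # Explicit deny always wins, then explicit permit, then the default stance
        # decides anything the policy never mentions.
        if value in denied:
            return False, f"{what} {value!r} explicitly denied"
        if value in permitted:
            return True, f"{what} {value!r} explicitly permitted"
        if self.default_deny:
            return False, f"{what} {value!r} not explicitly permitted (default deny)"
        return True, f"{what} {value!r} not explicitly denied (default permit)"

    def evaluate(self, req: TransferRequest) -> Tuple[bool, List[str]]:
        """Return (allowed, reasons). Every check must pass for the transfer to be allowed."""
        checks = [self._decide(req.channel, self.screened_channels,
                               self.denied_channels, "channel")]
        # Only personal data is subject to the jurisdiction rule in this example;
        # public data is still subject to the channel screening.
        if req.data_class == "personal":
            checks.append(self._decide(req.destination, self.permitted_destinations,
                                       self.denied_destinations, "destination"))
        return all(ok for ok, _ in checks), [reason for _, reason in checks]


# Constructed placeholder lists (hypothetical codes, not real jurisdictions).
PERMITTED_DESTINATIONS = frozenset({"HQ-COUNTRY", "ADEQUATE-COUNTRY-A"})
DENIED_DESTINATIONS = frozenset({"RESTRICTED-COUNTRY-Z"})
SCREENED_CHANNELS = frozenset({"on-prem-mail", "exchange-online", "sharepoint-hosted"})
DENIED_CHANNELS = frozenset({"usb-drive"})

DEFAULT_DENY = TransferPolicy(True, PERMITTED_DESTINATIONS, DENIED_DESTINATIONS,
                              SCREENED_CHANNELS, DENIED_CHANNELS)
DEFAULT_PERMIT = TransferPolicy(False, PERMITTED_DESTINATIONS, DENIED_DESTINATIONS,
                                SCREENED_CHANNELS, DENIED_CHANNELS)


def compare(req: TransferRequest) -> dict:
    """Show how the two starting points treat the same request."""
    return {
        "default_deny": DEFAULT_DENY.evaluate(req)[0],
        "default_permit": DEFAULT_PERMIT.evaluate(req)[0],
    }


if __name__ == "__main__":
    samples = [
        # Unscreened new SaaS tool, personal data, destination no rule mentions.
        TransferRequest("personal", "UNLISTED-COUNTRY", "new-collab-app"),
        # Screened channel but explicitly restricted destination.
        TransferRequest("personal", "RESTRICTED-COUNTRY-Z", "exchange-online"),
        # Public data over a screened channel: no jurisdiction rule applies.
        TransferRequest("public", "UNLISTED-COUNTRY", "exchange-online"),
        # Permitted destination but a denied medium.
        TransferRequest("personal", "ADEQUATE-COUNTRY-A", "usb-drive"),
    ]
    for req in samples:
        print(req, compare(req))
```

The only request on which the two stances disagree is the first one: unscreened tool plus unmentioned destination. Under default deny it is blocked until someone screens the channel and classifies the destination, which is precisely the inventory and screening work the later bullets call for; under default permit it goes through silently, and the organization learns about the new data silo only during discovery.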

... David Sengupta
