Any IT professional who has spent several years around a corporate data center has more than likely grown used to the separation of the data protection and data security fields. The division into separate specialties has long historical roots, but does it still make sense?
Data protection is a major component of any corporate disaster recovery plan. A disaster recovery plan is a set of strategies and processes put in place to prevent, avoid, and minimize the impact of a data loss in the event of a catastrophe. Data protection is essential to a disaster recovery plan as business-critical data cannot be substituted.
The only way to protect data is to make a copy of the original and store that copy adequately secluded from the primary, so that in the event of an incident a single disaster cannot destroy both copies.
A sufficient disaster recovery plan should also include requirements for recovering applications, networks, and user data, as well as procedures for testing and for training management.
Disaster recovery planning can be compared to information security planning in many ways. They both intend to protect business-critical practices and data assets. However, InfoSec uses various intertwining tactics that are exclusive to security.
InfoSec has established its own terminology and set of strategies for securing vital data assets. These policies are then reinforced by continuous monitoring and periodic analysis to ensure that the security precautions are keeping data confidential.
Until recently there have been few exchanges between data protection and information security fields. However, when someone in the data protection field is worried about retrieving data that is encrypted, communication with the InfoSec team is mandatory.
On the other hand, the InfoSec team might only collaborate with the data protection team to confirm that continuous data protection resources are in place and in use. This allows speedy restoration in the wake of a cyber-attack by rolling data back to a point in time before the attack.
Together at Last
Believe it or not, the data protection and InfoSec fields have a lot to learn from each other. Data protection has already dipped into quantitative techniques for matching protection services to specific data, given the threats facing the organization. These quantitative methods, Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE), were trivial at face value and were abandoned by disaster recovery experts.
InfoSec is moving down a similar path. Attack surface reduction modeling techniques are akin to the pseudo-scientific, numerical-looking practices such as ALE and SLE. Certain experts see these methods as an upgrade over the threat modeling that many InfoSec specialists applied in the 90s. Before the turn of the century, it was widely thought that the cost of protecting data should not be much higher than the cost to hackers of sidestepping the security. The comparison was lopsided, however, as hackers incurred little or no expense in probing the protection of their targets or in circumventing the measures taken to keep them out.
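The SLE and ALE arithmetic the two paragraphs above refer to, carried through as an added example (this is illustration code written for this page, not the author's). It assumes the textbook definitions SLE = asset value x exposure factor and ALE = SLE x annualized rate of occurrence (ARO), and it adds the usual cost-benefit step, comparing the ALE a safeguard avoids with what the safeguard costs to run. All threat names, asset values, factors and costs are constructed.

```python
from dataclasses import dataclass

# Assumed definitions (the page names SLE and ALE but does not define them):
#   SLE = asset value x exposure factor
#   ALE = SLE x annualized rate of occurrence (ARO)
# Every figure below is constructed for illustration.


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # replacement value of the affected asset
    exposure_factor: float  # fraction of the asset lost in one incident, 0.0 to 1.0
    aro: float              # expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str             # name of the Threat this control addresses
    annual_cost: float      # yearly cost of operating the control
    residual_ef: float      # exposure factor once the control is in place
    residual_aro: float     # incident rate once the control is in place


def single_loss_expectancy(t: Threat) -> float:
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    return single_loss_expectancy(t) * t.aro


def residual_ale(t: Threat, s: Safeguard) -> float:
    """ALE that remains after the safeguard is applied."""
    return t.asset_value * s.residual_ef * s.residual_aro


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """Annual value of a control: loss avoided minus the control's own cost."""
    return annual_loss_expectancy(t) - residual_ale(t, s) - s.annual_cost


def evaluate(threats, safeguards):
    """One row per safeguard with its figures and a recommend/reject decision."""
    by_name = {t.name: t for t in threats}
    rows = []
    for s in safeguards:
        t = by_name[s.threat]
        value = safeguard_value(t, s)
        rows.append({
            "threat": t.name,
            "safeguard": s.name,
            "sle": single_loss_expectancy(t),
            "ale": annual_loss_expectancy(t),
            "residual_ale": residual_ale(t, s),
            "value": value,
            "recommend": value > 0,
        })
    return rows


# Constructed sample: one frequent threat and one rare, catastrophic one.
SAMPLE_THREATS = [
    Threat("ransomware on file server", asset_value=500_000, exposure_factor=0.6, aro=0.5),
    Threat("fire in primary data center", asset_value=500_000, exposure_factor=1.0, aro=0.02),
]
SAMPLE_SAFEGUARDS = [
    Safeguard("immutable off-host backups", "ransomware on file server",
              annual_cost=40_000, residual_ef=0.1, residual_aro=0.5),
    Safeguard("off-site replication", "fire in primary data center",
              annual_cost=15_000, residual_ef=0.05, residual_aro=0.02),
]

if __name__ == "__main__":
    for r in evaluate(SAMPLE_THREATS, SAMPLE_SAFEGUARDS):
        print(f"{r['safeguard']:28} SLE={r['sle']:>10,.0f} ALE={r['ale']:>10,.0f} "
              f"residual={r['residual_ale']:>8,.0f} value={r['value']:>9,.0f} "
              f"recommend={r['recommend']}")
```

With these figures the backup control clears its cost comfortably, while off-site replication is rejected on the numbers alone even though a single fire would be a total loss. That sensitivity is the point: every result hinges on the guessed exposure factor and ARO, which is why the article calls the method trivial at face value and notes that practitioners abandoned it.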