Thanks to EDD Blog I just read an article that makes me think legal forces will drive the adoption of this strategy: Opinion: Data Governance Will Eclipse CIO Role by Jay Cline. He writes:
In response to the new U.S. Federal Rules on Civil Procedure regarding legal discovery, for example, several general counsels have ordered the establishment of centralized "litigation servers" that store copies of all of the companies’ electronic files. They think this is the only way to preserve and cheaply produce evidence for pending or foreseeable litigation. It’s a very small leap of logic for them to propose that all of their companies’ data, not just copies, should be centralized...
Data must soon become centralized, its use must be strictly controlled within legal parameters, and information must drive the business model. Companies that don’t put a single, C-level person in charge of making this happen will face two brutal realities: lawsuits driving up costs and eroding trust in the company, and competitive upstarts stealing revenues through more nimble use of centralized information.
The rest of the article talks about the role of CIOs, CTOs, "chief information strategists," etc., but I don't care about that. I care about the data centralization aspect.
For me, data centralization will be a major theme in my new job. If only to meet ediscovery requirements, at the very least, copies of all business information will need to be stored centrally. This strategy will give users of any computing platform the flexibility to create information locally, but that data will quickly find a second home (at the very least) in the central data store. Ideally (once bandwidth is ubiquitous) all business data will reside centrally, from creation to destruction (in accordance with data rentention and data destruction policies). Furthermore, that data will be subjected to protections at the document level, not just at the application, OS, and platform level.
This strategy addresses many problems very nicely.
- Ediscovery: With at least copies of all data stored locally, all relevant data can be searched and produced.
- Business Continuity: If your computing platform is destroyed, all your data (or at least a copy) is stored elsewhere.
- Incident Recovery: As I said in my Five Thoughts on Incident Response:
Today, in 2007, I am still comfortable saying that existing hardware can usually be trusted, without evidence to the contrary, as a platform for reinstallation. This is one year after I saw John Heasman discuss PCI rootkits (.pdf)... John's talks indicate that the day is coming when even hardware that hosted a compromised OS will eventually not be trustworthy.
One day I will advise clients to treat an incident zone as if a total physical loss has occurred and new platforms have to be available for hosting a reinstallation. If you doubt me now, wait for the post in a few years where I link back to this point. In brief, treat an incident like a disaster, not a nuisance. Otherwise, you will be perpetually compromised.
With thin client computing and data centralization, incident recovery means discarding the old computing platform and starting with a fresh one.
- System Administration: We will avoid Marcus Ranum's "Infocalypse," preventing every man, woman, and child from becoming a Windows system administrator. Scare IT staff will administer centralized systems and end users will no longer have the power or need to install software. The Personal Computer will be replaced by a window to the Business Computer, although the platform itself might be a consumer platform like a smartphone. (Of course, PCs will still be options outside business needs.)
- Information Lifecycle Management: ILM includes data classification, defense, retention, and destruction. With all data in a central location, it will be easier to classify it and apply classification-appropriate handing and defense tools and techniques. It is important to remember that not all data is worth the same value and trying to protect it all with the same tools and techniques is too costly. (Did you know the US Postal Service will carry up to Secret classified data within the US, provided it is wrapped appropriately and sent via registered mail? The idea is that the risk of interception is worth the savings over having a courier transport Secret material.)
What data centralization and/or thin computing is your organization pursuing, and why?