More on Enterprise Data Centralization

I'd like to respond to a few comments to my post Enterprise Data Centralization. The first paragraph includes the following:

However, I haven't written about a natural complement to thin client computing -- enterprise data centralization. In this world, the thin client is merely a window to a centralized data store (sufficiently implemented according to business continuity processes and methods like redundancy, etc.).

The bolded part is my answer to those who think my "centralization" plan means building the Mother of All Storage Servers/Networks. Please. Do you think I would really advocate that? The bolded part is my shorthand for saying I do NOT mean to build the Mother of All Storage Servers/Networks.

Instead, I envision something similar to the way Google operates. One of you used Google as an example of data decentralization. Sure, the data is decentralized at the level of bits on media, but it's exceptionally centralized where it matters -- the user interface. I can access all of my Google-related content through one portal. If my data needed to be explored for ediscovery purposes, all you need is my Google login. Easy. That's the kind of centralization I'm talking about.

That explanation should also calm those who think I'm building the Mother of All Targets; i.e., nuke the primary and secondary data centers and the whole company is dead. Again, you're thinking at the level of bits and media. I'm thinking in terms of a single interface to all company data.

Now you might be thinking that what I'm advocating isn't all that special. Consider this: do you have a single place to go for all of your company data? If you do, that is awesome. I doubt that it's the case for most of us, however. Unfortunately, we have to move in that direction if we wish to meet legal business requirements.

Christopher Hoff used the term "agile" several times in his good blog post. I think "agile" is going to be thrown out the window when corporate management is staring at $50,000 per day fines for not being able to produce relevant documents during ediscovery. When a company loses a multi-million dollar lawsuits because the judge issued an adverse inference jury instruction, I guarantee data will be centralized from then forward.

The May 2007 ISSA Journal features a great article titled E-discovery: Implications of FRPC Changes on IT Risk Management by Bradley J. Schaufenbuel. It features this excerpt:

Adverse inference jury instruction: If electronic evidence is not produced in a timely manner, a judge may instruct the jury to assume that the missing evidence would have been adverse to the party that failed to produce it. This will greatly diminish this party’s chances of legal success.

Two highly visible examples include Zubulake v. UBS Warburg and Coleman v. Morgan Stanley. The defendant financial institutions in both lawsuits lost their cases due to their failure to adequately produce e-mail evidence, and the resulting assumption that evidence was willfully destroyed or withheld. Laura Zubulake, a former UBS employee, was awarded $29 million in 2005 in her sexual discrimination lawsuit.

And billionaire Ronald Perelman was awarded $1.45 billion in 2005 based on his claim that Morgan Stanley defrauded him in the 1998 sale of his company, camping goods manufacturer Coleman.


Email provides a good example of a place to start centralizing data. Look at the trouble the White House has created in the story House Report Shows White House Officials Sent Thousands of Official Emails Using Outside Accounts.

It's fine to be advocating Google Gears and all these other Web 2.0 applications and systems. There's one force in the universe that can slap all that down, and that's corporate lawyers. If you disagree, whom do you think has a greater influence on the CEO: the CTO or the corporate lawyer? When the lawyer is backed by stories of lost cases, fines, and maybe jail time, what hope does a CTO with plans for "agility" have?

Incidentally, I wouldn't be promoting centralization if I thought it was impossible. Centralization was a word in the first sentence the GE CTO said to me during out first meeting.

Comments

Anonymous said…
Response too long for a comment:

http://rationalsecurity.typepad.com/blog/2007/06/i_see_your_more.html

/Hoff
dre said…
with regards to web 2.0 (and third party code in general) i would tend to agree with you.

however, google gears is no different than google.com when it really comes down to it. stealing search engine queries from organizations can be a very effective attack. it is certainly more effective than infecting a few random intranet machines with malware.

but a GC does have options, for example: secure software contract annexes built around open process certifications and review. or arbitration.
Anonymous said…
Sounds like someone is drinking the njini (www.njini.com) Kool-Aid(tm). I thought GE already tried this and it failed miserably. Just like thier bubbled access/communities concept.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics