Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2013-12-22 19:00:00. Format, images and links may no longer function correctly.
In a recent eDJ Reviewed briefing session, Geoff Bourgeois (CTO of Acaveo) highlighted the Smart Information Server’s rapid installation by pointing out that the only preparatory requirement was a single service account with essentially “Superuser” access rights to every data source that you want to see, search or collect from. Having sat through hundreds of product demos, I know that it takes nerve to do a cold installation, configuration, search and collection in a one-hour demo on a live remote environment. It occurred to me that every enterprise discovery collection system on the market assumed that the corporate IT group would give Legal/Compliance full access rights. I have observed increasing tension between IT, Security, Legal and other stakeholders over these ‘keys to the data kingdom’. The Sarbanes-Oxley Act of 2002 was the first big access rights wake-up call to IT. Every new article on massive data breaches (for example, Target stores) drives IT/Security to slam the gates of the corporate castle and scream “None shall pass!”
This struggle between access and security leads us to the next question. Who will carry out and certify compliance with discovery, regulatory and audit requests? Is this an IT function or is this a business function that should be carried out by non-IT personnel in respective business units? Historically, about a third of my consulting clients had a dedicated Data Security group within IT who fulfilled requests using specialized forensic tools to image full drives, mailboxes and other data sources. AccessData and Guidance dominated this niche market until recently. Now that we are slowly moving into the age of Big Data and live search on data in the wild, the tools are being adapted for non-IT end users. As ‘data in the wild’ becomes directly accessible through native (for example, Microsoft FAST 2013) or third-party indexes, end users of all kinds will want to search, analyze and otherwise leverage these systems while IT/Security struggles to protect that same data.
All of this reminds me of our national debate over the NSA surveillance programs. Who do we trust enough to give unfettered access? SOX requirements conditioned IT to grant minimal access and compartmentalize data systems. You cannot tackle Big Data when it is shut away in millions of boxes (file shares) that each require a separate key. Efficient enterprise discovery requires something that approximates global access, but it should be logged and monitored to prevent inadvertent or deliberate misuse. That is why it was impossible to ‘delete’ searches within Symantec’s Discovery Accelerator until after I left as the product manager. I was well aware of the danger posed by access to executive and HR emails without the appropriate audit logs to defend end users. Customers hated that particular security design and I would do it differently now, but they did understand the need for oversight and protections when given such unfettered access. IT cannot keep the business users locked away from vital search/analysis functionality. They need it to do their jobs. End users need to be aware of the risks that come with increased access. They need to demand documented system and process controls that will assuage IT/Security concerns. This should bring IT and discovery users back into alignment.
Greg Buckles can be reached at Greg@eDJGroupInc.com for offline comments or questions. His active research topics include mobile device discovery, the discovery impact of the cloud, Microsoft’s 2013 eDiscovery Center and multi-matter discovery. Recent consulting engagements include managing preservation during enterprise migrations, legacy tape eliminations, retention enablement and many more.