WHITE PAPER
This document contains Confidential, Proprietary and Trade Secret Information (“Confidential Information”) of Informatica Corporation and may not be copied, distributed, duplicated, or otherwise reproduced in any manner without the prior written consent of Informatica.
While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Informatica does not accept responsibility for any kind of loss resulting from the use of information contained in this document. The information contained in this document is subject to change without notice.
The incorporation of the product attributes discussed in these materials into any release or upgrade of any Informatica software product—as well as the timing of any such release or upgrade—is at the sole discretion of Informatica.
Table of Contents
Executive Summary
The Challenge: Enforcing GRC Policies for Data in Databases
  Compliance Challenges
  Legal Challenges
  IT Challenges
  Data Privacy Challenges
  Line-of-Business Challenges
The Right Strategy to Support GRC Programs: Information Lifecycle Management
The Right Tools: Database Archiving, Application Retirement, and Data Masking
  Comply with Legal and Regulatory Requirements by Archiving Database Data and Retiring Legacy Applications
  Keep Database Data Manageable with Database Archiving
  Reduce the Risk of Security Violations by Masking Sensitive Data in Nonproduction Copies
The Solution: Database Archiving, Application Retirement, and Data Masking Solutions from the Informatica ILM Product Family
  Informatica Data Archive
  Informatica Data Masking
  Meeting GRC Challenges
The Proof: Informatica ILM Software in Action
Executive Summary
One of your company’s most valuable assets is the information stored in business applications and databases, both live and legacy. A governance, risk, and compliance (GRC) program can help your company codify the proper policies, guidelines, and procedures for managing its information assets in accordance with corporate goals and objectives.
But adhering to and enforcing GRC policies can be a real challenge when the volume of electronically stored information (ESI) keeps growing. Because database data is retained for longer and longer periods of time, volumes build up and become increasingly difficult and expensive to manage. Large database volumes create challenges for your IT, legal, compliance, records management, and data security teams, as well as your line-of-business managers. An information lifecycle management (ILM) strategy can help your company define how database data is used, how and when it can be archived, and when it can be disposed. The Storage Network Industry Association defines ILM as “the policies, processes, practices, and tools used to align the business value of information with the most appropriate and cost-effective IT infrastructure from the time information is conceived through its final disposition.”
The Informatica® ILM product family delivers solutions through tools for database archiving, application retirement, and data masking. These software solutions are ideal for controlling data growth and protecting data in databases. These solutions can help your company:
• Establish and enforce data retention and disposition schedules
• Ensure that archived data from retired legacy applications is easily accessible and searchable and retains its full application context for e-discovery
• Comply with privacy regulations by masking sensitive, confidential, or private information in copies of production databases
After reading this paper, you’ll understand:
• The challenges of enforcing GRC programs that include data in databases
• How an ILM framework supports a GRC program
• Why database archiving, application retirement, and data masking are critical parts of an ILM strategy
• Why the Informatica ILM product family that includes Informatica Data Archive and Informatica Data Masking is the ideal solution
• How Informatica software helped a large financial institution implement a GRC program and
The Challenge: Enforcing GRC Policies for Data in Databases
Let’s examine some of the challenges of maintaining an effective GRC program for structured data in databases and files, along with related unstructured data, such as documents, audio, and images.
Compliance Challenges
Most companies maintain corporate data retention, disposition, and privacy policies. Proper disposition of aged data needs to be controlled and legally defensible. But records managers and compliance teams struggle to audit adherence to these policies when:
• Information stores are scattered all over an organization, so there’s a tendency to retain data in legacy applications when it should be archived, which only exacerbates the data volume problem.
• Database data is not properly classified, so the business doesn’t know when to keep or purge it. Failure to comply with data retention policies and schedules is almost inevitable.
• Data management policies are managed at the department—not the enterprise—level, increasing the chances of data being improperly stored or accidentally deleted.
To successfully comply with corporate data retention, disposition, and privacy policies, your company must manage them from a central location. Processes and tools for data classification need to be implemented across the enterprise.
Compliance officers require complete and authoritative audit information that must be presented in a legally defensible manner. All departments and business units need to know how and when to purge obsolete data. Everyone needs to understand the data model. And data volumes must be curbed so that there’s less data overall to manage.
WHAT IS GRC?
Governance: The overall approach to managing an organization—including organizational structure, processes, and controls—to ensure that business activities and directions are executed systematically
Risk: The identification of adverse results when activities and directions are not executed according to plan or when a company falls out of compliance
Legal Challenges
To support litigation, mergers, acquisitions, and other corporate legal functions, legal departments need to be able to find and access documentation quickly and easily. But legal teams struggle to meet e-discovery deadlines for several reasons:
• The information they need may reside in both live and legacy database applications on archaic technology stacks.
• Searching, accessing, and delivering this data in useful formats can be time-consuming and costly, especially when highly specialized IT skills are required.
• As the databases grow in size, it takes longer to find and extract specific data sets.
All of these factors can significantly delay the e-discovery process, which causes legal costs to skyrocket and potentially puts your company at risk.
To avoid these delays, data stores should be classified based on the data’s business value and the complete application context needs to be maintained in archives. Original data and copies should be easily distinguishable. Data retention and disposition schedules should be determined based on legal requirements.
IT Challenges
When databases are bogged down with more and more data—and the underlying data management infrastructure isn’t optimized for scalability—uncontrolled data growth can trigger a cascade of problems for your IT organization:
• Application performance may significantly deteriorate.
• Standard IT maintenance processes may take longer and require more IT resources.
• Application and business outages may occur more frequently and for longer periods.
• Service-level agreements (SLAs) or operational-level agreements (OLAs) may be compromised.
Data Privacy Challenges
Most database applications used in a business setting contain information that is considered private, sensitive, or confidential. When testing, developing for, or training on these database applications, development teams typically make copies of the production data because it eliminates data errors and provides the most realistic environment for testing and development purposes.
The risk of sensitive or private information being accessed or stolen multiplies with every nonproduction copy made. Keeping track of all copies becomes nearly impossible when testing, development, or training tasks are outsourced or sent offshore.
To comply with data privacy laws, your company needs to ensure that sensitive information is being protected no matter where it resides. Sensitive, private, or confidential data must be classified as such.
Line-of-Business Challenges
The key to a successful GRC program is effective communication between line-of-business managers and the IT organization. IT looks to business teams to:
• Define the data’s business context and application metadata
• Set end-user access requirements
• Determine regulatory compliance requirements and privacy policies associated with data
• Properly classify data to establish eligibility and schedules for retention or disposal
The Right Strategy to Support GRC Programs: Information Lifecycle Management
The Storage Network Industry Association defines information lifecycle management (ILM) as “the policies, processes, practices, and tools used to align the business value of information with the most appropriate and cost-effective IT infrastructure from the time information is conceived through its final disposition.”
ILM provides a framework and a set of procedures for managing every phase of the data lifecycle, from development and testing to archiving and retirement. Backed by a solid ILM strategy, your company can establish more effective GRC programs, better enforce GRC policies, and reap greater returns from your investment in GRC programs.
A key component of ILM is data classification. When classified correctly, data’s retention and access requirements, usage, business value, sensitivity, and ownership can be properly managed in support of GRC policies (see Figure 1).
Criteria for Data Classification: Without ILM vs. With ILM

Retention
  Without ILM:
  • All data is treated equally
  • Data may be retained longer than required or improperly destroyed
  • Data volumes go unchecked, driving up maintenance, management, and storage costs
  With ILM:
  • Data is treated according to its classification
  • Records can be managed accurately
  • Proper data retention, disposition, and audit procedures can be enforced
  • Data volumes and corresponding management costs are controlled

Access
  Without ILM:
  • How users need to access data is not considered for current or legacy systems
  • Record authenticity and e-discovery rules and timelines may be compromised
  With ILM:
  • Data access requirements can be designed into the IT system architecture
  • Legal requirements can be met during litigation

Usage
  Without ILM:
  • All data is stored the same, regardless of whether the data is used all the time or not at all
  • For data that is used often, IT infrastructure costs increase
  • Database performance degrades with increasing volumes of unused data
  • Application SLAs or OLAs may be compromised
  With ILM:
  • Data is identified, partitioned appropriately, and stored in the most appropriate format and location
  • Database performance improves
  • IT infrastructure costs decrease
  • When SLAs or OLAs exist, potential fines or litigation can be avoided

Business Value
  Without ILM:
  • Data’s value to the business isn’t taken into account when designing the IT infrastructure
  • IT infrastructure management and maintenance costs may increase
  With ILM:
  • The IT infrastructure is designed to reflect data’s value to the business
  • Storage, maintenance, and management costs go down
  • Greater and faster returns on IT

Sensitivity
  Without ILM:
  • Private and confidential data is at risk of unauthorized access or theft, especially in nonproduction database environments
  • Data privacy and security rules may be compromised
  With ILM:
  • Information is protected no matter where it resides
  • Privacy rules are followed
  • Risks of data security breaches are minimized

Owner
  Without ILM:
  • Without assigned data ownership, unmanaged data volumes grow with associated risks
  With ILM:
  • Accountability and responsibility for data can be properly assigned and tracked, minimizing risk
  • Improved communications between the business and IT result in greater efficiencies

Figure 1. When data is properly classified as part of an ILM strategy, database data can be more effectively managed in support of GRC programs.
The Right Tools: Database Archiving, Application Retirement, and Data Masking
Once data has been properly classified as part of an ILM strategy, your company then needs, according to the Storage Network Industry Association definition, “tools used to align the business value of information with the most appropriate and cost-effective IT infrastructure from the time information is conceived through its final disposition.”
Your ILM strategy should include tools for:
• Database archiving to manage data growth, relocate data to the most appropriate location based on its business value, maintain SLAs, enforce data retention and disposition, meet audit and compliance requirements, and keep costs down
• Application retirement to cost-effectively retain data housed in legacy database applications and reduce e-discovery costs
• Data masking to protect sensitive data in databases and reduce the risk of security violations
Let’s examine how these ILM tools serve to overcome the GRC challenges introduced earlier in this paper.
Comply with Legal and Regulatory Requirements by Archiving Database Data and Retiring Legacy Applications
When a company faces a lawsuit and needs to review its ESI for records relevant to the case, the cost of e-discovery is directly proportional to the volume of ESI, how easily accessible it is, and what format it is in.
Furthermore, the Uniform Electronic Transactions Act (UETA) Section 12 states that if a law requires that a record be retained, it needs to accurately reflect the information when the record was first generated and it needs to remain accessible for later reference. To be legally defensible, legacy data can be archived as long as it keeps its original appearance and can be accessed. Falling out of compliance can result in multimillion-dollar fines.
An ILM strategy that includes database archiving and application retirement tools can help your company avoid these risks and fines. The right tools enable your company to:
• Evaluate legacy applications for their retirement eligibility
• Classify data within these legacy applications according to its retention requirements
• Retain archived data in a central location
• Archive the data model along with the data itself to preserve its referential integrity and application context
• Assign and enforce data retention and disposition policies
• Protect data against spoliation by ensuring the authenticity and immutability of archived data
• Place relevant data on legal hold to prevent disposition, even if the retention period has expired
Because official records have been classified and archived, the location of the official source or “original” also becomes irrelevant during e-discovery.
Archiving data in live production database applications that are rarely accessed, and retained only for compliance reasons, is also important. The right database archiving tools help you identify inactive data that can be relocated while maintaining data integrity and application context. The relocated data is then stored in a central, secure, immutable archive, which can be easily searched and accessed.
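The capabilities listed in this section (retention classification, disposition schedules, legal hold overriding an expired retention period, and an immutable archive with a chain of custody) are described only in prose. The following is an added example and not Informatica's code or a description of how Informatica Data Archive works internally: a minimal Python policy evaluator with a constructed retention schedule, constructed sample records and a fixed evaluation date. It shows a legal hold blocking disposal of a record whose retention period has expired while archiving of aged data still proceeds, and a SHA-256 manifest entry that lets a later reader verify an archived record has not been altered. The class names, periods and record fields are assumptions for the example.

```python
import hashlib
import json
from datetime import date

# Constructed retention schedule (hypothetical classes and periods, not a vendor's):
# classification -> (years kept in the live database, total years retained before disposal)
RETENTION_SCHEDULE = {
    "financial-transaction": (2, 7),
    "customer-correspondence": (1, 3),
}


def _age_in_years(created, today):
    return (today - created).days / 365.25


def disposition_date(record):
    """Earliest date on which the record becomes eligible for disposal."""
    _, retain_years = RETENTION_SCHEDULE[record["classification"]]
    created = record["created"]
    try:
        return created.replace(year=created.year + retain_years)
    except ValueError:  # 29 February in a non-leap target year
        return created.replace(year=created.year + retain_years, day=28)


def classify_action(record, today, legal_holds):
    """Decide what the ILM job does with one record on a given day.

    A legal hold only blocks disposal: an expired record on hold is kept,
    but aged data is still moved out of production into the archive."""
    active_years, retain_years = RETENTION_SCHEDULE[record["classification"]]
    age = _age_in_years(record["created"], today)
    if age >= retain_years:
        return "hold" if record["record_id"] in legal_holds else "dispose"
    if age >= active_years:
        return "archive"
    return "retain"


def plan(records, today, legal_holds):
    """Map every record id to the action the schedule (plus holds) dictates."""
    return {r["record_id"]: classify_action(r, today, legal_holds) for r in records}


def _canonical(record):
    # Stable serialization so the same record always hashes the same way
    return json.dumps(record, sort_keys=True, default=str).encode()


def archive_record(record, archived_on):
    """Manifest entry for an archived record: a digest over its canonical form,
    so any later read can prove the archived copy is unchanged (chain of custody)."""
    return {
        "record_id": record["record_id"],
        "classification": record["classification"],
        "sha256": hashlib.sha256(_canonical(record)).hexdigest(),
        "archived_on": archived_on.isoformat(),
        "dispose_after": disposition_date(record).isoformat(),
    }


def verify_archived(entry, record):
    """True only if the record matches the digest recorded when it was archived."""
    return hashlib.sha256(_canonical(record)).hexdigest() == entry["sha256"]


# Constructed sample records, a fixed evaluation date and one legal hold
TODAY = date(2024, 1, 15)
LEGAL_HOLDS = {"TX-0004"}
RECORDS = [
    {"record_id": "TX-0001", "classification": "financial-transaction", "created": date(2023, 6, 1), "amount": 120.50},
    {"record_id": "TX-0002", "classification": "financial-transaction", "created": date(2020, 3, 10), "amount": 80.00},
    {"record_id": "TX-0003", "classification": "financial-transaction", "created": date(2015, 1, 1), "amount": 15.25},
    {"record_id": "TX-0004", "classification": "financial-transaction", "created": date(2014, 8, 20), "amount": 999.00},
    {"record_id": "CC-0001", "classification": "customer-correspondence", "created": date(2022, 11, 5), "subject": "Statement query"},
]

if __name__ == "__main__":
    for rid, action in plan(RECORDS, TODAY, LEGAL_HOLDS).items():
        print(rid, action)
    entry = archive_record(RECORDS[1], TODAY)
    print(entry["record_id"], "verified:", verify_archived(entry, RECORDS[1]))
```

The manifest digest is what makes "immutable" checkable rather than asserted: a records manager can recompute it at any later point and a mismatch is evidence of spoliation. In a real archive the manifest itself would be written to write-once storage and every read logged, which is the audit trail the section refers to.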
Keep Database Data Manageable with Database Archiving
Database archiving can help your company keep data management costs under control without sacrificing performance.
When the business accurately defines data retention, disposition, and access requirements, IT can implement efficient, cost-effective solutions that centralize metadata collection, policy management, and execution across the enterprise. Archive stores can be standardized and made easily accessible for legal and compliance teams and line-of-business managers. Data age and access requirements directly translate into storage specifications, giving IT the flexibility to design solutions that are easier and cheaper to maintain and have lower licensing costs.
Read-only, aged production data can be relocated to an online archive that maintains native application access for end users. Smaller production databases ultimately improve database performance and streamline operations. Costly server upgrades can be deferred or avoided entirely because aged data no longer bogs down servers. Maintenance windows shrink, as do recovery windows, improving IT support’s ability to maintain SLAs with the same or fewer resources.
Reduce the Risk of Security Violations by Masking Sensitive Data in Nonproduction Copies
Database data that gets copied or replicated for nonproduction purposes exposes sensitive data to the risk of unauthorized access or theft. Industry studies highlight that most security violations relating to data access or theft involve internal personnel.
Data masking tools enable companies to properly protect data that has been classified as sensitive, confidential, or private. Data is automatically masked during application cloning or data replication processes. Application-aware metadata ensures that masking occurs in a way that maintains the characteristics and format of the original data set. There is no manual interaction, so the risk of confidential data being exposed or stolen is greatly reduced.
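The paragraph above describes masking that keeps the characteristics and format of the original data set and that runs without manual steps. As an added example (not Informatica Data Masking's implementation, which the paper does not detail), the Python below masks card numbers, national identification numbers and names in constructed sample rows using keyed HMAC-SHA256: a masked card number keeps its length, its separators and a valid Luhn check digit, the same original value always masks to the same surrogate so joins between tables still line up after masking, and the key is the only secret. MASK_KEY, SURROGATE_NAMES, the column policy and the sample rows are assumptions made for this example.

```python
import hashlib
import hmac

# Constructed masking key: held by the masking job only and never copied to the
# nonproduction environment. Rotating it changes every masked value.
MASK_KEY = b"constructed-example-key-replace-in-real-use"

# Constructed surrogate names; a real tool draws from a much larger dictionary.
SURROGATE_NAMES = ["Ada Surrogate", "Ben Placeholder", "Cleo Stand-in", "Dev Example", "Eve Pseudonym"]


def _prf(field, value, counter=0):
    """HMAC-SHA256 over field name + value: deterministic, keyed and one-way."""
    msg = f"{field}\x00{value}\x00{counter}".encode()
    return hmac.new(MASK_KEY, msg, hashlib.sha256).digest()


def _digits(field, value, n):
    """n pseudo-random decimal digits from the PRF in counter mode.
    (byte % 10 has a small bias; acceptable for masking, not for cryptography.)"""
    out = []
    counter = 0
    while len(out) < n:
        out.extend(str(b % 10) for b in _prf(field, value, counter))
        counter += 1
    return "".join(out[:n])


def luhn_check_digit(body):
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # rightmost body digit is doubled once the check digit is appended
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def _reshape(template, digits):
    """Put new digits back into the original layout, keeping spaces and dashes."""
    it = iter(digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)


def mask_card_number(pan):
    """Same length and separators as the input, new digits, valid Luhn check digit."""
    raw = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(raw) <= 19:
        raise ValueError("not a card number length")
    body = _digits("card", raw, len(raw) - 1)
    return _reshape(pan, body + luhn_check_digit(body))


def mask_national_id(nid):
    raw = "".join(ch for ch in nid if ch.isdigit())
    return _reshape(nid, _digits("nid", raw, len(raw)))


def mask_name(name):
    """Deterministic pick from the surrogate list, so one person keeps one alias."""
    idx = int.from_bytes(_prf("name", name)[:4], "big") % len(SURROGATE_NAMES)
    return SURROGATE_NAMES[idx]


# Column classification drives the policy: only columns listed here are touched.
MASKING_POLICY = {"name": mask_name, "national_id": mask_national_id, "card_number": mask_card_number}


def mask_rows(rows, policy=MASKING_POLICY):
    """Apply the column policy to every row; unclassified columns pass through unchanged."""
    return [{col: policy.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]


# Constructed sample tables that share the card number as a join key
CUSTOMERS = [
    {"customer_id": 1001, "name": "Alice Example", "national_id": "123-45-6789", "card_number": "4111 1111 1111 1111"},
    {"customer_id": 1002, "name": "Bob Sample", "national_id": "987-65-4321", "card_number": "5500 0000 0000 0004"},
]
TRANSACTIONS = [
    {"txn_id": 1, "card_number": "4111 1111 1111 1111", "amount": 42.00},
    {"txn_id": 2, "card_number": "5500 0000 0000 0004", "amount": 17.50},
]

if __name__ == "__main__":
    for row in mask_rows(CUSTOMERS) + mask_rows(TRANSACTIONS):
        print(row)
```

Two properties matter for a test or training copy: the masked values still pass the application's own validation (length, layout, Luhn), so test cases behave as they would on production data, and the mapping is consistent across tables, so referential integrity survives without the copy ever holding a lookup table of real values. Because the transformation is a keyed one-way function, someone with the masked copy but not MASK_KEY cannot recover the originals.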
The Solution: Database Archiving, Application Retirement, and Data Masking Solutions from the Informatica ILM Product Family
The Informatica ILM product family offers robust database archiving, application retirement, and data masking solutions. The solutions delivered by the Informatica products help companies better manage their growing database volumes and protect sensitive data so that they can establish more effective GRC programs, better enforce GRC policies, and reap greater returns from their investment in GRC programs.
Informatica Data Archive
Informatica Data Archive™ is highly scalable, high-performance software that helps IT organizations cost-effectively manage the proliferation of data volumes in databases, as well as in many other enterprise applications. The software enables IT teams to safely and easily archive data and then readily access it when needed.
With Informatica Data Archive, IT organizations can identify and move inactive data to another database or to a secure, highly compressed, immutable file (see Figure 2). Application-specific business rules ensure that data integrity is maintained after data has been archived. All access to retired data is tracked and audited to establish a chain of custody.
Informatica Data Masking
Informatica Data Masking™ is comprehensive, flexible, and scalable software for managing access to sensitive data and reducing the risk of data breaches. The software enables IT organizations to prevent the unintended exposure of sensitive or confidential database data, such as credit card information, national identification numbers, names, addresses, and phone numbers.
Informatica Data Masking protects confidential or sensitive data by masking it so that it can be safely replicated to nonproduction systems and de-identified for development, testing, and training purposes (see Figure 3).
Meeting GRC Challenges
Informatica Data Archive and Informatica Data Masking meet the challenges that your compliance, legal, IT, data privacy, and line-of-business managers face in establishing and enforcing GRC policies (see Figure 4).
Challenges, Solutions, Benefits, and Informatica Product

Compliance
  Solution:
  • Archive database data
  • Centrally manage retention and disposition policies
  • Apply a legal hold to records that are relevant to legal cases and audits to prevent them from being purged when the retention period expires
  Benefits: Compliance officers and records managers can:
  • Enforce and ensure retention, disposition, and privacy policies
  • Comply with internal, industry, and government regulations
  Informatica Product: Informatica Data Archive

Legal
  Solution:
  • Migrate inactive and legacy data to a centrally managed, common database archive
  • Ensure the database archive is centralized, standardized, accessible, and searchable
  Benefits: Legal departments can:
  • Quickly and easily access and search centralized and standardized database archives
  • Reduce the risk of missing e-discovery timelines while better controlling costs
  Informatica Product: Informatica Data Archive

IT
  Solution:
  • Archive data to reduce production data volumes
  • Maintain appropriate end-user access to archived data
  Benefits: IT teams can:
  • Reduce production data volumes
  • Improve application performance
  • Boost operational efficiencies
  • Keep IT (e.g., hardware, software, and data management) costs under control
  • Meet all SLAs
  Informatica Product: Informatica Data Archive

Line-of-Business
  Solution:
  • Archive database data
  • Simplify the collection and management of metadata on how data is classified
  • Align data classification with retention, disposition, and privacy requirements
  Benefits: Line-of-business managers can:
  • Classify database data so that effective data retention and disposition policies can be followed
  IT organizations can:
  • Deploy the most cost-effective technology to meet business requirements

Privacy
  Solution:
  • Mask data in nonproduction copies
  • Obfuscate sensitive data in a way that maintains likeness to the original data
  Benefits: Data privacy and security experts can:
  • Prevent unauthorized access to sensitive data without compromising IT’s ability to effectively test, develop, and train
  IT organizations can:
  • Improve test data quality
  Informatica Product: Informatica Data Masking

Figure 4. Informatica Data Archive and Informatica Data Masking handle all the challenges that your company faces in establishing and enforcing GRC policies.
The Proof: Informatica ILM Software in Action
A large financial institution was struggling with its complex IT environment, which included several 30-terabyte financial application databases and database data that was more than 10 years old. For each production database, IT made six additional copies for patch, test, development, training, backup, and disaster recovery. Each copy contained sensitive information. Several legacy applications remained on unsupported technologies, relics of corporate acquisitions.
This financial institution recognized that its unwieldy IT environment posed potential risks. The company used established ILM best practices to conduct a data classification and legal policy review and establish data management procedures in accordance with its corporate data governance policies.
Informatica Data Archive was used to archive the last two years plus the current quarter of financial data from the financial database. Data from two to seven years old was archived to a highly compressed, file-based archive. All legacy applications, including servers and proprietary storage, were retired, retaining only critical data in a common archive repository. Data integrity and application context are maintained in the archive, and business users have complete access to the archived data for reporting.
Informatica Data Masking was implemented on the table columns identified as storing confidential data, eliminating the risk of exposure to unauthorized users while maintaining all application-level functionality.
By properly aligning business requirements and technology with the GRC process, this financial institution reduced administration and maintenance costs, as well as avoided costs and risks. By relying on Informatica Data Archive and Data Masking for archiving database applications, retiring legacy applications, and masking sensitive data, this company successfully:
• Archived and compressed five years’ worth of data by 95 percent, reducing the size of the production financial database by 80 percent
• Moved all archived data from high-end, expensive storage systems to a more cost-effective storage system that requires less maintenance
• Reduced the production data size by 80 percent, decreasing the total raw storage footprint
• Safely stored nonproduction test copies on lower-cost storage without compromising testing and development cycles or SLAs
• Cut database storage consumption in half over three years
• Reduced IT infrastructure costs by $15 million by database archiving and implementing tiered storage
• Avoided risks and costs of e-discovery and lost business due to data breaches
Conclusion
It’s inevitable. The volume of data stored in your databases will continue to grow. The overall amount of ESI will increase. Without proper data volume management procedures in place, growing database volumes will inhibit your company’s ability to implement, adhere to, and enforce GRC policies.
The success of your GRC program depends on how you classify your database data and how you manage your database applications. Informatica Data Archive and Informatica Data Masking can help by:
• Moving data eligible for archiving to a highly compressed, immutable, easily accessible file-based archive, significantly reducing storage requirements
• Retiring legacy applications, relieving IT organizations of the cost of supporting archaic systems
• Shrinking data volumes to a controllable amount and archiving inactive data to an easily accessible central store, allowing legal teams to complete e-discovery searches within the prescribed deadlines
• Maintaining archived data in a centrally controlled archive repository, making it easier for records management teams to enforce retention and disposition requirements
• Upholding the performance of production databases because aged data is no longer slowing down servers and maintenance windows
• Avoiding the risk of unauthorized access to sensitive data
Learn More
Learn more about the Informatica ILM product family and the entire Informatica Platform. For more information, call +1 650-385-5000 (1-800-653-3871 in the U.S.), or visit www.informatica.com.