Sunday, December 5, 2010

The information warehouse

A data warehouse is defined as the collective content of a collection of databases, usually normalized and sanitized in the process of moving out of an operational database into the data warehouse. Its primary use is for reporting and business intelligence.[i]

Data warehousing on the web, or using a cloud to host the data warehouse, presents a number of issues and risks; we have listed them in no specific order:

Privacy
Within the United States, Canada and most G8 countries there exists legislation enacted to protect the privacy of the citizens of said country. In Canada it is referred to as the Privacy Act. With respect to digital information in Canada there exists a separate act referred to as PIPEDA.[ii] With respect to the operations and storage of personally identifiable information, if a company does not take “due care” to protect said information, it may end up getting sued by the Crown in Canada for a gross violation of the act; within industry this is known as privacy-associated risk. Gross violations include making any of that personally identifiable information available on the Internet, with or without the owner's consent.

Security
There are entire volumes written on the appropriate methods for security to be used in conjunction with a data warehouse. These include concepts such as Logical, Physical and Technical access controls; formalized data security models, such as Biba, Bell-LaPadula, and others as mentioned in various U.S. DoD, NIST, CMMI and ISO standards; and procedural controls for access including Separation of Duties, Two Factor authentication, biometrics, and various other methods and procedures too numerous to list. All of these standards, guidelines, and procedural concepts are designed to achieve one goal: to ensure that the risk of fraud from internal and external sources is reduced to an acceptable level,[iii] so that the business may trust the data within the warehouse to be sound.

Availability
Assuming that an organization uses Software as a Service, or a 3rd party provider, for data warehousing, with the Internet as an intermediary, having a “Service Level Agreement” and a “Business Continuity Plan” in place with the provider, and including the “Right to Independent Security Audits”, is critical to the business that conducts the outsourcing. Both the ISC^2 and the ISACA cite the “Right to Independent Security Audits” as a critical factor in conjunction with high-level sponsorship; i.e., the board of directors signs off on the risks associated with hosting a company's data warehouse, to ensure that various mitigating measures are met to accommodate any and all potential business impacts, including the safety of employees and clients, and to ensure the business itself is not at risk.[iv][v]

Non-repudiation
The other major issue is the implementation of technical controls and of validation and sanitization methods and processes. Whether the Normalization or the Dimensional approach is used,[vi] the business itself must implement measures to ensure that security and privacy regulations are met; these include the use of encryption of a military grade or greater to assure that client data in transit is protected from unwanted disclosure and that the integrity of the data warehouse is maintained.

Regulations
One of the major risks to data warehousing with regard to businesses is the creation of new regulations. Sarbanes-Oxley was created to mitigate fraud from an organizational balance sheet; GLBA exists to ensure that banks do not engage in reckless behavior with deposits; HIPAA exists to ensure that patient data is not exposed during transit and that insurers and health providers adhere to the privacy requirements of both the public and the letter of the law.

Each of these regulations was created by the American Congress to mitigate some major legal issue that arose from industry recklessness; these include the fiduciary and privacy scandals of Enron, MCI WorldCom, Nortel, Time Warner, America Online, Investors Group, Bank of America and others. The ISACA and ISC^2 stipulate that global policies, with local versions that meet any local regulations, be enacted in any enterprise that operates on a global scale; however, the ISACA states that the data owner must agree to any data transit policies upon submission of any data.

The major issue with regulations and their respective risk to a data warehouse is that the acceptable use and client notifications must state what will occur to the data that is disclosed by the end user, and they must also comply with all regulations for all countries that the business operates in.

This creates a compound issue where a company collects client information in North America and stores it in China or India for more efficient processing. The major problem is that China and India do not have stellar records when it comes to upholding American privacy legislation. Therefore it is up to the business to ensure that American legislation and requirements are met within the operations of the third party within its country of residence. Although this is difficult, it requires both strategic oversight and governance from the parent organization.

The nature of organizational change is that global operations will maintain an executive board and a security steering committee who meet to determine the appropriate behaviors to mitigate the above risks and to meet audit, legal and policy requirements. The person responsible for these operations in most organizations is usually the CIO, CISO or COO. The rise and prominence of information and its value in the Internet age have created many new and complicated issues. Navigating these waters with clarity adds to both the business value and the competitive nature of the organization.

The effect of these new requirements on a web-based data warehouse is that any 3rd party provider of data-warehousing services must meet the regulations and legal requirements for privacy of the country of origin and the country of residence.

References
[i] n.a. (Wikimedia, 2010) Data Warehouse [Online] World Wide Web, Available from: http://en.wikipedia.org/wiki/Data_warehouse (Accessed on December 5th 2010)
[ii] GoC (Canadian Parliament, November 14th 2010) Personal Information and Electronic Documents Act [Online] World Wide Web, Available from: http://laws.justice.gc.ca/eng/P-8.6/page-1.html#anchorbo-ga:l_1 (Accessed on December 6th 2010)
[iii] Harold F. Tipton (CRC Press, 2010) Official ISC Guide to the CISSP CBK, 2nd ed.
[iv] GoC (Canadian Parliament, November 14th 2010) Personal Information and Electronic Documents Act [Online] World Wide Web, Available from: http://laws.justice.gc.ca/eng/P-8.6/page-1.html#anchorbo-ga:l_1 (Accessed on December 6th 2010)
[v] ISACA (ISACA, 2009) CISM Review Manual 2010, ISBN: 978-1-60420-086-7
[vi] E.F. Codd (ACM, 1970) Communications of the ACM, “A Relational Model of Data for Large Shared Data Banks” [Online] PDF Document, Available from: http://portal.acm.org/citation.cfm?doid=362384.362685 (Accessed on December 6th 2010)
