The term Digital Vault has suddenly come to the fore in the last few months, and several vendors now offer technology under the umbrella of digital vaulting. So what should you understand? A simple acid test to apply to anything claiming to be a digital vault is the following: does the digital vault hide items from those who have no right to see them, and does it ensure that those with access rights are monitored every step of the way?
The term vault is used because it relates to the vault in the physical world. Every enterprise relies on a few priceless items that must never be lost or exposed. The risk of losing or exposing these items bears directly on the enterprise's business continuity and can even threaten its very existence. In today's business world, a large percentage of those items is in digital format. Most business enterprises today will still use the physical vault to securely store copies of the critical data, but this is impractical when on the one hand you are required to make that data available on a day-to-day basis to those who need to view and modify it, and at the same time you are required to keep it under "lock and key" so that those who are not entitled to see it are kept away from it.
Bringing it back to the physical-world analogy: the physical vault can only be accessed by those who have privileges to do so, and once in the vault, only those safety deposit boxes that you have the right to open should be made available to you. For those who saw The Bourne Identity, you may remember the scene when the hero enters the bank and gains access to the vault. He is then provided access to his private safety deposit box; the digital vault needs to mirror this physical scenario. Critical data needs to be stored in a secure location and should be visible only to those with the rights to see it.
Another key factor in identifying a Digital Vault is its ability to mimic all existing security processes and procedures in the organisation for handling sensitive information. Most organisations will have clearly defined policies and procedures for how sensitive physical items are handled. For example: who has access to the physical vault and to the security boxes? Are individuals allowed to access them on their own, or is a dual control mechanism in place, for example dual keys? Do staff have to be authorized to enter, and are there times of day when access is permitted? These and many more procedures are found in organisations, and a Digital Vault must be able to address these procedures as they are. It is not advisable to try to redefine policies and procedures to fit the technology; the technology has to fit the procedures.
A digital vault by its very nature provides some standard services to ensure that its contents are protected: it is a long-term repository, highly secured regardless of overall network security and regardless of the physical topology of the network. It must offer an effective way to protect and control critical information, and it allows an organisation to focus its defence resources on a vault at any location. It is easier for an organisation to defend one point effectively than to try to defend a complete network.
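The acid test in the opening paragraph (hide items from the unentitled, monitor the entitled every step of the way) and the procedures listed above (per-box entitlement, dual control, time-of-day windows) can be expressed as a small policy engine. The following Python is an added example written for this page, not code from any vendor's product; the box names, user names and access windows are constructed sample data, and the policy rules are one reasonable reading of the procedures the text describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Box:
    """One safety deposit box: who may open it and under what conditions."""
    box_id: str
    holders: frozenset                       # users entitled to this box
    dual_control: bool = False               # a second entitled holder must approve
    window: tuple = (time(8, 0), time(18, 0))  # local hours when opening is permitted


@dataclass
class Vault:
    boxes: dict                                # box_id -> Box
    audit: list = field(default_factory=list)  # every decision, allowed or denied

    def _record(self, user, box_id, decision, reason, approver=None):
        # Every step is monitored: denied requests are logged too, not just successes.
        self.audit.append({"user": user, "box": box_id, "decision": decision,
                           "reason": reason, "approver": approver})
        return decision, reason

    def visible_boxes(self, user):
        """Hide boxes from those with no right to see them: an unentitled user
        does not even learn that the box exists."""
        return sorted(b.box_id for b in self.boxes.values() if user in b.holders)

    def open_box(self, user, box_id, now, approver=None):
        """Evaluate a request to open a box; returns (decision, reason)."""
        box = self.boxes.get(box_id)
        # Unknown and unauthorized boxes get the same answer, so nothing leaks
        # about which boxes exist.
        if box is None or user not in box.holders:
            return self._record(user, box_id, "denied", "not entitled")
        start, end = box.window
        if not (start <= now.time() <= end):
            return self._record(user, box_id, "denied", "outside access window")
        if box.dual_control:
            # Dual keys: the approver must be a different, entitled holder.
            if approver is None or approver == user:
                return self._record(user, box_id, "denied",
                                    "dual control: second key required", approver)
            if approver not in box.holders:
                return self._record(user, box_id, "denied",
                                    "dual control: approver not entitled", approver)
        return self._record(user, box_id, "allowed", "policy satisfied", approver)


def build_sample_vault():
    """Constructed sample vault for the example: two boxes, one under dual control."""
    return Vault(boxes={
        "box-1": Box("box-1", frozenset({"alice"})),
        "box-2": Box("box-2", frozenset({"alice", "carol"}), dual_control=True,
                     window=(time(9, 0), time(17, 0))),
    })


def sample_time(hour, minute=0):
    """Helper producing a constructed request timestamp on a fixed sample date."""
    return datetime(2024, 1, 15, hour, minute)


if __name__ == "__main__":
    vault = build_sample_vault()
    print("alice sees:", vault.visible_boxes("alice"))
    print("bob sees:", vault.visible_boxes("bob"))
    print(vault.open_box("alice", "box-1", sample_time(10)))
    print(vault.open_box("alice", "box-2", sample_time(10)))
    print(vault.open_box("alice", "box-2", sample_time(10), approver="carol"))
    for entry in vault.audit:
        print(entry)
```

The design point is that the audit trail is written on every path, including denials, and that the "not entitled" answer is identical whether a box is unknown or merely not yours, which is what keeps the vault's inventory hidden from those with no right to see it.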