Businesses in sectors such as health care, manufacturing and financial services are under increasing pressure both to keep information for longer, and to control who has access to it. Regulators, such as the Information Commissioner rightly want to make sure personal information does not fall into the wrong hands.
Businesses also have to comply with industry-specific regulations that control who can see documents, who can amend them, and even where in the world those documents can be viewed.
Once the data is imprisoned, anyone who needs to access it needs to apply for visiting rights.
This, some businesses are finding, is causing IT and compliance departments to put an ever wider range of documents under lock and key. Whilst this might ensure compliance, it can also make it hard for employees to access the information and data they need to do their jobs.
According to Rohit Ghai, general manager for the content and case management group at EMC, the result is that companies put their information in vaults. In effect, they "imprison their data," he says. And, once the data is imprisoned, anyone who needs to access it needs to apply for visiting rights. Hard-pressed IT departments, already dealing with ever-larger quantities of information, simply do not have the time and resources to control information access.
The answer, at least in part, lies in greater automation. As Ghai argues, using automated tools to index and classify information will become a necessity, if businesses are to keep on top of petabytes of sensitive information.
Automation will also be needed to apply access policies to that information, and to determine when those policies have been breached. But at the same time, IT departments need to respond to the needs of users who want to access company documents on the move, especially from personal devices such as tablets, or smart phones.
At EMC's Momentum conference in Berlin, Ghai demonstrated a software prototype that will allow mobile workers to access documents from an iPad, but applies information access policies on the fly.
So, for example, if a user is permitted to view information that is restricted by the US' Department of Defense regulations, only when he or she is in the US, the document management application will allow that access from a US IP address. But if that same user travels outside North America, access will be blocked and the blocked access attempt logged for compliance reasons.
The attention to detail in the system is impressive: even thumbnail views of documents are suppressed, just in case sensitive information could be viewed that way.
Implementing such systems, though, is about more than investing in the software. Companies need to think about who should access their data, where, and under which circumstances. That includes from which type of device.
Automating policies - and compliance with them is well within the reach of technology. Deciding what those policies should be is not just an IT, but a board-level task.
