There are two kinds of digital data: structured data and unstructured. By volume, the vast majority of all stored digital information is unstructured. Businesses find it incredibly difficult to secure unstructured information because it is constantly changing. For example, a PDF version of an employment application is not sensitive until someone completes it and enters his or her Personally Identifiable Information (PII). The issue is not theoretical. Recent data breaches at Mossack Fonseca and the Democratic National Committee in the United States, and anything published by Wikileaks demonstrate the damage that occurs when sensitive unstructured data is breached.
Securing unstructured data requires a different approach from securing database applications. Consider a database application used for mortgage approval. The application has a single function; it is directly tied to revenue, and there is a team of IT personnel that administer it. Now consider a file server shared among many departments and thousands of users. There may be several Terabytes of information stored on this file server representing hundreds of thousands of files. Which files are directly tied to revenue? Which files are sensitive or fall within scope of privacy compliance? Who has access to the sensitive and regulated files? Is that access necessary? What are authorized users doing with the sensitive files?
To properly secure unstructured information and answer the questions in the previous paragraph, businesses much implement the following best practices.
- Iterative Data Discovery: The nature of the problem changes constantly so our understanding of the problem needs to adapt constantly.
- Centralized Permissions Management: Users are more empowered than ever in their ability to grant access to sensitive information. Organizations must ensure continuous enforcement of proper data access while still allowing users to collaborate.
- User Activity Monitoring: Logging all access requests to sensitive data provides a clear picture of malicious activity, especially when the logs are correlated with events from other sources.
- Data Security Controls: Encryption of data at rest, in use, and in flight makes data exponentially more difficult for attackers to steal in a usable form. When implemented properly, encryption also provides safe harbor from the breach notification requirements of many privacy regulations.
- Appropriate Use: The ability to “follow the data” and continue to enforce users’ ability to print, email, or copy data ensures that authorized users continue to safely use sensitive information.
Your life will be easier, and your data will be more secure if the above are done with a single, integrated data security platform as opposed to multiple point products from different vendors.
November 15, 2017