In listening to Adam Rosen’s recent webinar, I learned that nearly 60 percent of security breaches involve the theft of unstructured data.[i] And, only 12 percent of organizations are confident they can detect a breach involving unstructured data.[ii]
Given that 80% of an organization’s data is unstructured,[iii] is it any wonder a hacker was able to steal login credentials and personal information from Sony, including Sylvester Stallone’s social security number? Going Rambo won’t protect you. What will is a successful Data Access Governance (DAG) program.
Some organizations shy away from Data Access Governance because they just don’t know where to start. In this webcast, 5 Steps to Building a Successful Data Access Governance Program, Adam Rosen, VP of DAG Solutions at STEALTHbits, helps you jumpstart your success by making these steps easy to understand and put into practice.
Step 1: Survey and Analyze
Start by scanning your file shares, servers, and systems to find out:
- How much data you have
- Who has access to it
- What they are doing with it
Scan across your entire organization so you know all the data that’s out there. This approach will help you better prioritize initiatives over time.
Think of it like cleaning out a dresser drawer in your house. You’d want to take an inventory of all the items in the dresser’s drawers so you can best plan how to organize them.
Step 2: Focus on What Matters Most
Even though you want to know what’s in each drawer, you’d still start with the drawer that’s most important. In security, that drawer is often Sensitive Data Discovery, which lets you protect your most valuable assets, such as intellectual property (IP), protected health information (PHI), and financial or customer data.
Sensitive Data Discovery can be addressed by itself, or in tandem with two other focus areas:
- Open Access Remediation—mitigate risk by removing open access and restricting it to only those who need it
- Privileged User Access—identify users who have elevated rights and tightly control what they have access to
Protecting sensitive data by limiting access is like locking jewelry in your dresser drawer and giving the combination to only your immediate family.
Step 3: Get the Right Stakeholders Involved
That drawer, let alone the whole dresser, will never be organized and secure if you don’t get your family members on board.
In data governance, that means winning the support of the business users who use the data and have an interest in protecting it, e.g., cross-functional teams, legal, and HR.
Their knowledge is invaluable to determining why the data exists, as well as:
- Permissions – who has access to it
- Content – who created it / what’s there
- Activity – how it is being used
These business users will not only help you gain executive support, they’ll also assume responsibilities as data owners to assist you in your DAG efforts.
Step 4: Review and Remediate
Here’s where your hard work pays off. You’re now ready to use the findings from your initial scan to take action:
- Remove global access groups like “everyone” that give users too much access
- Assign business owners to the data so they can perform entitlement reviews
- Move to self-service provisioning where users can request access from business owners
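As an added example that is not from the webcast or from STEALTHbits’ tooling, here is a small Python triage script over a constructed ACL inventory in the shape a Step 1 scan might export (share, principal, rights, sensitive-data flag): it ranks open-access grants, lists privileged grants, and drafts the Step 4 remediation plan. The share paths, group names and scoring weights are assumptions.

```python
from dataclasses import dataclass

# Principals whose presence in an ACL means "open access" (Step 2 / Step 4).
OPEN_ACCESS = {"Everyone", "Authenticated Users", "Domain Users"}
# Principals with elevated rights that belong under privileged-access review.
PRIVILEGED = {"Domain Admins", "Administrators", "Backup Operators"}
RIGHT_RANK = {"Read": 1, "Modify": 2, "FullControl": 3}

@dataclass(frozen=True)
class AclEntry:
    share: str
    principal: str
    rights: str      # one of RIGHT_RANK's keys
    sensitive: bool  # True when discovery flagged PHI, IP or financial data

# Constructed sample inventory (assumed names) in the shape a Step 1 scan might export.
INVENTORY = [
    AclEntry(r"\\fs01\Finance", "Everyone", "Modify", True),
    AclEntry(r"\\fs01\Finance", "Finance-Team", "Modify", True),
    AclEntry(r"\\fs01\HR", "Authenticated Users", "Read", True),
    AclEntry(r"\\fs01\HR", "HR-Team", "Modify", True),
    AclEntry(r"\\fs01\Public", "Everyone", "Read", False),
    AclEntry(r"\\fs01\Eng", "Domain Admins", "FullControl", True),
    AclEntry(r"\\fs01\Eng", "Eng-Team", "Modify", True),
]

def risk_score(e):
    """Rank one grant: open access weighs most, then sensitivity, then rights level (assumed weights)."""
    return (3 if e.principal in OPEN_ACCESS else 0) + (2 if e.sensitive else 0) + RIGHT_RANK[e.rights]

def open_access_findings(entries):
    """Step 2/4: open-access grants, highest risk first, as (share, principal, rights)."""
    hits = [e for e in entries if e.principal in OPEN_ACCESS]
    hits.sort(key=lambda e: (-risk_score(e), e.share))
    return [(e.share, e.principal, e.rights) for e in hits]

def privileged_findings(entries):
    """Step 2: elevated grants that need a privileged-user review, as (share, principal)."""
    return sorted((e.share, e.principal) for e in entries if e.principal in PRIVILEGED)

def remediation_plan(entries):
    """Step 4: per share, the open grants to remove and the best-placed named group as candidate owner."""
    plan = {}
    for share in sorted({e.share for e in entries}):
        grants = [e for e in entries if e.share == share]
        remove = [g.principal for g in grants if g.principal in OPEN_ACCESS]
        named = [g for g in grants if g.principal not in OPEN_ACCESS | PRIVILEGED]
        owner = max(named, key=lambda g: RIGHT_RANK[g.rights]).principal if named else None
        plan[share] = {"remove": remove, "owner": owner}
    return plan
```

Feeding real scan output into `INVENTORY` (one row per ACE) turns `open_access_findings` into the Step 2 worklist and `remediation_plan` into the list of groups to strip and owners to assign for entitlement reviews.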
Step 5: What’s Next?
You can’t clean out your drawer once and expect it to stay neat forever. Your family members will put new items in or take items out, and you’ll need to keep track while maintaining the drawer’s tidiness. You also can’t expect to clean one drawer and have the whole dresser, room, or house become neat.
It’s the same with Data Access Governance. DAG is a “rinse and repeat” cycle where you start with your first priority, then move on to your second, your third, and so on. Ultimately, you want to establish a secure, repeatable process that you can expand across data sets within your organization.
You wouldn’t wait until after your jewelry drawer was robbed to protect it. So why wait to implement a Data Access Governance program until after a security breach or failed audit?
Get going by combining your DAG program with a related initiative like Identity and Access Management (IAM), Data Loss Prevention (DLP), or Privileged Identity Management (PIM). Start preparing by taking advantage of STEALTHbits’ free assessment tools to begin surveying and analyzing your data.
To watch the full webcast, 5 Steps to Building a Successful Data Access Governance Program, please click here.
[i] Survey on the Governance of Unstructured Data, Ponemon Institute
[ii] The State of Data Centric Security, Ponemon Institute
[iii] Big Content: The Unstructured Side of Big Data, Gartner
Tuula Fai is the Senior Marketing Director of StealthAUDIT at STEALTHbits. For the past 20 years, she has worked in a variety of roles within the software industry, starting as a developer and implementation engineer before moving into product marketing and digital campaigns. Having worked in both customer service and human resources, she is passionate about safeguarding customer and employee data as part of overall security initiatives. She graduated Summa cum Laude from Georgetown with an MBA in marketing and IT, and has won two technology marketing awards. You can find her running and writing in the Rocky Mountains of Colorado.