It seems like everyone I talk to right now is wondering what in the world they’re going to do about their file problem.
I was working with a small hospital group that has merged 6 or 7 hospitals and is looking to acquire more. Their biggest challenge: “Where are all of the sensitive HIPAA files located?” Not “Hey, what about different domain schemas?” or “What applications are they running?” or even “Hey, what kind of hardware am I going to need?” Their biggest problem: “Where are the files that are going to get us fined if we can’t find and secure them properly?”
Earlier this month, I was at a large manufacturing company – you haven’t heard of them, but you’ve heard of the brands they own. Cool place. Their biggest challenge right now? Keeping track of their credit card information. Customer credit cards, internal credit cards, you name it. They need to get a handle on them before their next audit, or it’s going to cost them money, and that audit is coming up soon.
I spent some time out of the country at a multi-national bank and what’s their biggest problem? You guessed it – where are our sensitive files? Where are our client records? Credit cards? PII? They’ve outsourced a lot of their storage, they have multiple acquired subsidiaries, and they need to know where the data is that is going to turn customers into people with pitchforks and an eye to doing them harm if it gets out.
So what do you do? First, if you’re on the smaller side there are some manual possibilities. PowerShell is your friend here, although PowerShell’s performance for this kind of scan is tricky and you’re going to mess up your last-read timestamps, since every file you open to inspect picks up a fresh last-access time.
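A starting point for that manual route, as an added example that is not part of the original post: walk a share, flag card-number-like strings, confirm candidates with a Luhn check, write only masked values to the report, and put each file’s LastAccessTime back after reading it so the scan doesn’t erase the “who last read this” evidence the post warns about. The share path, report path and file extensions are assumptions; change them for your environment.

```powershell
# Added example (not the post's own code). Placeholders: $Root and $Report.
$Root   = '\\FILESERVER\Share'        # assumed share to audit
$Report = 'C:\Temp\card-hits.csv'     # assumed output path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
$Pattern = '\b(?:\d[ -]?){12,18}\d\b'

# Luhn mod-10 check to cut down false positives from order numbers, IDs, etc.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]::Parse($Digits.Substring($i, 1))
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$files = Get-ChildItem -Path $Root -Recurse -File -Include *.txt,*.csv,*.log,*.xml -ErrorAction SilentlyContinue

$hits = foreach ($file in $files) {
    $lastAccess = $file.LastAccessTime      # remember it before we touch the file
    try {
        $found = Select-String -Path $file.FullName -Pattern $Pattern -AllMatches -ErrorAction Stop
        foreach ($line in $found) {
            foreach ($m in $line.Matches) {
                $digits = $m.Value -replace '[ -]', ''
                if (Test-Luhn $digits) {
                    # Report only the last four digits; never copy full PANs into the report.
                    [pscustomobject]@{
                        Path       = $file.FullName
                        LineNumber = $line.LineNumber
                        Masked     = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
                        Owner      = (Get-Acl -Path $file.FullName).Owner
                    }
                }
            }
        }
    }
    finally {
        # Restore the original last-access time so the audit trail stays meaningful.
        $file.LastAccessTime = $lastAccess
    }
}

$hits | Export-Csv -Path $Report -NoTypeInformation
```

Reading every file one at a time like this is exactly the performance problem mentioned above, so on a large estate run it per share in parallel windows or off-hours rather than in one pass.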
If you’re larger, there are tools out there to help you. It’s important to choose carefully: finding sensitive data is not really a DLP problem, although a lot of DLP vendors will try to sell you their solution anyway. Their approach, in general, is “protect all of the data in case something might be sensitive,” which is certainly not a bad idea in itself, but it doesn’t help you identify where the sensitive stuff actually is.
Instead, you’re going to want a solution that can find your data and prioritize where to start cleaning up. A solution that gives you visibility into file contents for classification (HIPAA, PCI, SOX, NERC, whatever), and into who is reading, creating and deleting those sensitive files. A solution with out-of-the-box rules for your specific compliance needs that also lets you create your own rules for the data that’s specific to your company and your line of work. A solution that stays with you as your governance matures, automatically onboarding new data, enforcing the correct security posture, and notifying you of any policy exceptions it finds.
They say that all publicity is good publicity, but compliance violations are the exception that proves the rule. Get the right solution, ingest and embrace it, and get ahead of your file problems before you become the next example of how-to-do-it-wrong.