Despite the prevalence of data breaches, Data Access Governance (DAG) is still security’s big unaddressed to-do item. In the first blog post of this 5-part Checkbox Compliance to True Data Security blog series, we discussed how DAG is a crucial aspect of security for companies because it is the last line of defense against theft of an organization’s data. Organizations are starting to shift their focus to establish a core set of principles around protecting their data, and they need a blueprint to help them get started. This series serves as the blueprint that will help your organization chart a course to proper data security. The first step in establishing a Data Access Governance program is Discovery.
In order to govern access to data, you must first understand where all of your data resides. The discovery process can help an organization begin to fully understand the depth and breadth of their data footprint. Then you can begin to understand the full scope of your DAG initiative and focus on the most sensitive data, which is where you’ll want to begin. Discovery isn’t something you can do only once; it is a process you will need to continue to perform periodically to catch the inevitable changes made by stakeholders.
Find Your Structured Data First
Start by identifying and locating your structured data. According to Datamation, structured data is “comprised of clearly defined data types whose pattern makes them easily searchable.” The locations of structured data repositories are likely well known within most organizations, as they serve as the back end for critical systems like ERP, HR, and CRM. However, more portable database solutions like Microsoft SQL Express can exist virtually anywhere, requiring organizations to scan desktop and server infrastructure for database instances of which they are otherwise unaware. Databases matter because what is really at stake is sensitive data, such as social security numbers and financial information, which is often stored in structured format. A lot of the older data breaches occurred because an attacker got access to sensitive information that is typically stored within your structured data.
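One way to surface database instances nobody is tracking is to compare a service inventory against the list of databases you already know about. The sketch below is an added example, not part of the original post: it assumes a host/service/state export from your endpoint-management tooling, and the host names, export format and known-instance list are constructed for illustration.

```python
import csv
import io
import re

# SQL Server database engine services are named MSSQLSERVER (default instance)
# or MSSQL$<NAME> (named instance; SQL Express installs as MSSQL$SQLEXPRESS by default).
ENGINE_SERVICE = re.compile(r"^(?:MSSQLSERVER|MSSQL\$(?P<name>[A-Za-z0-9_#$]+))$", re.IGNORECASE)

# Constructed sample: service inventory export (assumed columns: host, service, state).
SERVICE_EXPORT = """host,service,state
erp-db01,MSSQLSERVER,Running
hr-db02,MSSQL$HRPROD,Running
fin-wks117,MSSQL$SQLEXPRESS,Running
fin-wks117,Spooler,Running
mkt-lt042,mssql$sqlexpress,Stopped
app-srv09,MSSQL$REPORTS,Running
app-srv09,SQLAgent$REPORTS,Running
"""

# Constructed sample: (host, instance) pairs the organization already tracks.
KNOWN_INSTANCES = {("erp-db01", "MSSQLSERVER"), ("hr-db02", "HRPROD")}


def find_instances(export_text):
    """Return {(host, instance): state} for every database engine service in the export."""
    found = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        match = ENGINE_SERVICE.match(row["service"].strip())
        if not match:
            continue  # not a database engine (e.g. Spooler, SQLAgent$...)
        instance = (match.group("name") or "MSSQLSERVER").upper()
        found[(row["host"].strip().lower(), instance)] = row["state"].strip()
    return found


def untracked_instances(export_text, known):
    """Instances seen in the export but absent from the known inventory, sorted."""
    known_norm = {(h.lower(), i.upper()) for h, i in known}
    return sorted(
        (host, inst, state)
        for (host, inst), state in find_instances(export_text).items()
        if (host, inst) not in known_norm
    )


if __name__ == "__main__":
    for host, inst, state in untracked_instances(SERVICE_EXPORT, KNOWN_INSTANCES):
        print(f"untracked: {host}\\{inst} ({state})")
```

Stopped services are reported as well, since a stopped instance can still hold sensitive data files on disk.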
The table below from Datamation will help you better understand the differences between structured and unstructured data.
At present, many companies have gotten better at protecting their structured data, so hackers have had to find a new avenue to get the data they want. That’s why protecting your unstructured data is more important than ever before: it is now the easiest target for external and insider threats.
The Real Challenge is Finding Unstructured Data
Locating your unstructured data may be a bit of a challenge. Organizations simply may not know where their unstructured data assets are. Most have an idea that the data lives in file shares and NAS devices, but may not be able to say exactly how many shares they have or how the NAS devices are organized from the end user’s perspective. There are also huge piles of data outside of standard file systems, in collaboration portals like SharePoint and cloud storage repositories like Dropbox and Box, for instance. According to Deloitte, although it has long been said that 80% of an organization’s data is unstructured, that number is now estimated to be upwards of 90%. This will likely be the data most of your organization’s employees will be accessing and creating regularly, such as emails, Word documents, spreadsheets and images. The difficulty of tackling and locating unstructured data is also covered in our whitepaper, which aims to help data security professionals control their unstructured data.
Think about how hard it is to control the information your organization’s employees send through something as common as email. This article from Forbes reminds us of the time Colin Powell’s personal Gmail account was hacked; he had been sending proprietary information about Salesforce’s acquisition plans and M&A strategy, which he had access to as a board member. Those emails were all leaked on Dclinks.com for the world to read.
That is one example of why it is important to focus your attention on locating not only structured data, but also unstructured data. This discovery will become the foundation of your true data security program. In the next post of this 5-part series, we’ll show you how to collect and analyze the data you found to prioritize that which puts your organization at the most risk.
See upcoming blog posts in the series below:
- POST #1: Moving From Checkbox Compliance to True Data Security
- POST #2: Prioritizing Data Governance Initiatives Through Discovery
- POST #3: Collect and Analyze Relevant Data Points to Assess Risk
- POST #4: Monitoring Sensitive Data Activity and Identifying Data Owners
- POST #5: Restructuring Permissions to Achieve a Least Privilege Access Model
Join Adam Laub, our SVP of Product Marketing, on September 5, 2018, for the 2nd webinar in this 3-part series, Data Footprint: Understanding Data Sensitivity and Prioritizing Risk. He’ll guide you through how to find your data footprint, the most effective techniques to analyze your data’s sensitivity, and what you should be looking for in your search to establish stakeholders. At the end of this webinar, you’ll be able to compile a priority list of the active files and shares that put your company at most risk. This series qualifies for CPE credit.
Latesha Lynch began her career working on VoIP technology, distributed antenna systems (DAS), and voice biometrics before delving into application and data security. Latesha can be found on Twitter @lateshalynch.