It should be no surprise to anyone that the digital age has created data sprawl. Information and critical data are no longer confined to desks and filing cabinets in locked rooms, but stretched across the enterprise in locations far and wide.
Data locations first expanded to structured databases, then unstructured local user systems and then file shares. As the internet and collaboration needs have grown, so have data sprawl options. The explosion of cloud services exacerbated this issue, facilitating streaming around the world to reside in locations never previously thought of or documented.
Download the IBM executive guide: Protecting your company’s most critical information
A Growing Challenge
Global organizational data sprawl increased business risk immensely. A 2016 SANS survey indicated that the risk of theft of employee information is most common, followed by the loss of intellectual property such as source code and PCI data. The incident rate of each increased year over year from 2015 to 2016.
Organizations need to track these ever-increasing and progressively valuable arrays of data types, but the task is becoming more and more difficult. The risk of accidental exposure, unauthorized access and data loss can be the result of employees sharing data without regard to where it will end up once collaborative projects are complete.
E-commerce and the global business economy drive further data sharing across both political and geographical boundaries. That means data owners and custodians are now responsible for ensuring web applications, data sharing and other operational data flows are not violating the growing library of local, state, federal and international protection regulations.
Four Steps for Securing Critical Data
Locating, categorizing, protecting and providing ongoing insight into risks for both structured and unstructured data is a necessity for any organization that maintains sensitive or business-critical data. Creating a programmatic means to providing these data services may seem overwhelming and even impossible to manage, and while it is definitely not a trivial pursuit, it is not impossible. It requires a methodical and diligent approach.
Providing any of these services at scale requires automation. By automating each step in the process, you can ensure that the appropriate checks and balances are in place.
Locating structured and unstructured data follows the same general process, but with different tool capabilities. Locating structured data requires the ability to find all databases created (in use or not) and scan them for relevant data types. The same goes for unstructured data.
Critical data can be located on user systems, private or hosted data centers, or in private or public clouds anywhere in the world. To be effective, discovery tools should be able to consolidate their findings to provide a single view of critical data of any type, regardless of the storage repository, in an effective, programmatic and coordinated approach to solving this problem.
Once located, the data must be classified. This next step is identifying which data belongs to a protected category and which does not. Subsequent subdivision into the chosen taxonomy is also a best practice. Most organizations need more than basic public and private data classifications.
Another significant step is identifying the data stakeholder, including owners and custodians, and the data users and consumers (remember, users are both human and applications). Parallel to identifying the stakeholders, applications, business processes and data flows should also be mapped and put into a business context. As stakeholders are identified, they will facilitate the identification of applications and flows they use and vice versa.
The goal of the first two stages is to begin protecting data. However, data protection and use policies should be in place before any effort is made to locate and classify it. If there is no policy, then there is no point in going through the exercise.
Policy updates can be done parallel to locating data. This is where all the efforts make a difference. Ensure organizational (e.g., written) data policies are complete, and make sure the automated (e.g., technology-monitored and enforced) policies are accurate and align properly with the organizational policy. Gaps or misalignments in monitoring and enforcement can incur significant cost, especially in regulated environments.
4. Managing Risk
Management needs to be kept informed of the efficacy of the implemented monitoring solutions and controls. Security operations need to be in the loop on detected violations to apply remedial actions. This requires customizable dashboards and reporting to meet the various business and operational requirements. With visibility into potential security risks that could impact a business, incremental improvements can be made to ensure security policies and compliance requirements are being continuously met, and ultimately justify the cost of the program on an ongoing basis.
Evolving Security With Data
While data classification is often the longest step, locating all data across environments is the foundational aspect of this sort of project, and that is often the most difficult step. Data is a growing organism, so discovery must be a regularly repeatable process to identify new data types and repositories. Failure to locate both structured and unstructured critical data across all existing platforms leaves the company open to greater risk and potential fines.
Data management is about risk management. Executive teams are responsible for managing risk in their organizations, and they are being increasingly held accountable for data breaches and faults in compliance. Managing data is an increasingly important project. Delaying data management only makes the problem worse.
Purposefully and methodically define the business requirements for data discovery and ensure the selected solution operates effectively across private data centers, hosted environments and the public cloud. It’s OK to start small and build, but you must start.
Download the executive guide: Protecting your company’s most critical information
Managing Research Director for Security and Risk Management, Enterprise Management Associates
Prior to becoming an analyst, David was an information security executive for over 20 years. He used his diverse audit and compliance, and risk and privacy e...