Get Control of the Mayhem: A Day in the Life of a Piece of Unstructured Sensitive Data

March 22, 2018

Sensitive and relevant data, such as personally identifiable information (PII) or intellectual property, may be running rampant in your organization. It can be received or created, and it is often duplicated. You may receive it from partners or associates via email or FTP, and within your organization people and machines are also creating or generating it to support the business.

Technology and business processes are geared to protect the data when it’s stored in applications and databases. Programs like identity and access management (IAM), and technologies like database activity monitoring, are meant to provide privacy and protection of the data in its structured format. 

Machine- or human-generated data, and data that is exported from applications or databases, is often referred to as ‘unstructured’ data. This type of data presents a real challenge to your organization because it’s everywhere, constantly changing, disjointed and often neglected. With new regulations such as the General Data Protection Regulation (GDPR) and expanded data protection requirements expected in the near future, the stakes are high to get this data under control.

Once the data leaves the application, where it resides is no longer visible. It can be saved on desktops, laptops, tablets or mobile devices. It may also be moved to the cloud or other file share locations, or even end up on collaboration sites such as SharePoint. Some organizations might have an idea, but no valid proof, of where that data is located.

Constantly Changing
This data can transform and even duplicate within the organization. Here is a simple example. An employee exports the data and saves it to an Excel file. From there the employee may add other elements of data they need and create a pivot table. The table is then embedded into a PowerPoint presentation. The data and PowerPoint file are updated frequently, creating multiple versions. Once the presentation has been finalized, it’s transformed into a PDF file.

When the data is exported or downloaded, the policies, processes, and technologies that provided privacy and protection are left behind. Those controls no longer apply to this original piece of data. Since the location of the data is unknown, the privacy or protection controls are also unknown. To further confuse things, different storage locations use different authentication methods and data access policies.

The data is now missing any controls or process to fully protect it. Processes don’t exist to manage its lifecycle. Access to the data is given based on similar employee accounts, without ever really understanding from the business who can access it, who is accessing it, who should be accessing it, and for how long.

While most organizations make significant investments in firewalls, IAM, intrusion protection systems, data loss prevention (DLP), and security information and event management (SIEM), none of these technologies can identify or prevent over-provisioned access, which leaves the data overexposed to the risk of misuse.

Insert Data Access Governance

Overexposed resources are often due to the accumulation of employee access over time. Employees might change roles or perhaps get promoted while their access to applications and data remains unchanged. In most cases the employee doesn’t even realize they have access to the data. In a 2016 Ponemon Institute survey conducted for Varonis, it was discovered that “Seventy-one percent of end users say that they have access to company data they should not be able to see.”

It's no surprise that IT alone is unable to make decisions on who has access to what information. Aligning IT with the business, for example HR and functional groups, is critical to reducing the risk of unauthorized user access or overexposure of sensitive data. Together they can lay the foundation for change by establishing an awareness program that will inspire the desired behavior and gain control of the mayhem.

To get started, focus on the departments with the highest risk, typically finance, HR or legal, and execute on the following steps.

  1. Establish the decision committee. At a minimum it should involve HR, legal, risk, technology and the head of the targeted department(s). 
  2. Develop an awareness program to inspire business unit participation.
  3. Assess the health, operations and infrastructure of your Active Directory environment.
  4. Scan the critical data repositories. 
  5. Identify a business data owner for those directories with sensitive information. 
  6. Work with the business owner to identify resources that have access and identify users whose access needs to be revoked.
  7. Revoke users whose access is no longer needed.
  8. Business data owner attests to the access.
  9. Remove data that is considered stale and not used by the business (archive or delete).
  10. Rinse and repeat for all remaining organizations, until you have a comprehensive program that incorporates all key stakeholders and can be repeated on a regular basis according to your access governance policies.

Most organizations focus on protecting people, applications and devices, but the biggest risk today, and in the future, is the data that has escaped the confines of traditionally protected applications. A comprehensive and inclusive data access governance program is not just a requirement for the upcoming GDPR mandate, but it’s also the right thing to do to protect your organization. How are you controlling the mayhem?

By: Ralph Martino

Senior Director, IAM Data Security and Analytics
