Get Control of the Mayhem: A Day in the Life of a Piece of Unstructured Sensitive Data

Sensitive and relevant data, such as personally identifiable information (PII) or intellectual property, may be running rampant in your organization. It can be received or created and often duplicated. Additionally, you can receive sensitive and relevant data from partners or associates via email or FTP. Within your organization people and machines are also creating or generating sensitive and relevant data to support the business.  

Technology and business processes are geared to protect the data when it’s stored in applications and databases. Programs like identity and access management (IAM), and technologies like database activity monitoring, are meant to provide privacy and protection of the data in its structured format. 

The machine or human generated data, or the data that is exported from applications or databases, is often referred to as ‘unstructured’ data. This type of data presents a real challenge to your organization because it’s everywhere, constantly changing, disjointed and often neglected. With new regulations such as the General Data Protection Regulation (GDPR) and expanded data protection requirements expected in the near future, the stakes are high to get this data under control. 

Everywhere
Once the data leaves the application, the location of where it resides is no longer visible. It can be saved on desktops, laptops, tablets or mobile devices. It may also be moved to the cloud or other file share locations or even end up on collaboration sites, such as SharePoint. Some organizations might have an idea, but no valid proof of where that data is located.

Constantly Changing
This data can transform and even duplicate within the organization. Here is a simple example. An employee exports the data and saves it to an Excel file. From there the employee may add other elements of data they need and create a pivot table. The table is then embedded into a PowerPoint presentation. The data and PowerPoint file are updated frequently creating multiple versions. Once the presentation has been finalized, it’s transformed into a PDF file.

Disjointed
When the data is exported or downloaded the policies, processes, and technologies that provided privacy and protection are left behind. Those controls no longer apply to this original piece of data. Since the location of the data is unknown, the privacy or protection controls are also unknown. To further confuse things, different storage locations use different authentication methods and data access policies.

Neglected
The data is now missing any controls or process to fully protect it. Processes don’t exist to manage its lifecycle. Access to the data is given based on similar employee accounts, while never really understanding from the business who can, is and should be accessing it and for how long. 

While most organizations make significant investments in firewalls, IAM, intrusion protection systems, data loss prevention (DLP), and security information event management (SIEM), none of these technologies can identify or prevent over-provisioned access, therefore over exposing the data to risk of misuse.

Insert Data Access Governance

Over exposed resources are often due to the accumulation of employee access over time. Employees might change roles or perhaps get promoted and their access to applications and data remain unchanged. In most cases the employee doesn’t even realize they have access to the data. In a 2016 Ponemeon Institute survey conducted for Varonis, it was discovered that “Seventy-one percent of end users say that they have access to company data they should not be able to see.”

It's no surprise that IT alone is unable to make decisions on who has access to what information.   Aligning IT with the business, for example HR and functional groups, is critical to reducing the risk of unauthorized user access or over exposure to sensitive data. Together they can lay the foundation for change by establishing an awareness program that will inspire the desired behavior and gain control of the mayhem.  

To get started, focus on the departments with the highest risk, typically finance, HR or legal, and execute on the following steps.

1. Establish the decision committee. At a minimum it should involve HR, legal, risk, technology and the head of the targeted department(s). 
2. Develop an awareness program to inspire business unit participation.
3. Assess the health, operations and infrastructure of your Active Directory environment.
4. Scan the critical data repositories. 
5. Identify a business data owner for those directories with sensitive information. 
6. Work with the business owner to identify resources that have access and identify users whose access needs to be revoked.
7. Revoke users whose access is no longer needed.
8. Business data owner attests to the access.
9. Remove data that is considered stale and not used by the business (archive or delete).
10. Rinse and repeat for all remaining organizations, until you have a comprehensive program that incorporates all key stakeholders and can be repeated on a regular basis according to your access governance policies.

Most organizations focus on protecting people, applications and devices, but the biggest risk today, and in the future, is the data that has escaped the confines of traditionally protected applications. A comprehensive and inclusive data access governance program is not just a requirement for the upcoming GDPR mandate, but it’s also the right thing to do to protect your organization. How are you controlling the mayhem?