The amount of unstructured data in organizations is growing rapidly, and with it the risk of unprotected sensitive data hiding among it. Typically around 80% of an organization's data is unstructured: e-mails, documents, spreadsheets, presentations and just about anything else generated by people. This is also where sensitive data tends to end up, such as personally identifiable information, credit card numbers, credentials and passwords, business-critical data and confidential material.
Data Access Governance is one way of mitigating the risk of sensitive data falling into the wrong hands. Interest in protecting business-critical data is increasing, as is concern about the ability to comply with regulations such as the European Union General Data Protection Regulation (GDPR). If you face some of the same challenges, you may benefit from NNIT's 4-step approach to implementing Data Access Governance.
The foundation is Identity and Access Management, including the governance processes that ensure the right people get the right access at the right time. That means access to do the job you are hired to do – and no more, also known as the principle of least privilege.
Once you control who holds the keys to the "cabinet drawer", you can focus on the sensitive data stored inside and "check the locks". That is, in fact, Data Access Governance.
First you need to define what data is sensitive to your organization, and then locate it. Credit card numbers are easy to define as sensitive because they follow a fixed format, but locating business-critical data may require more advanced analytics and search criteria. The good news is that once the search criteria are defined, Data Access Governance tools can scan for the data and give a holistic overview of who has access to it. That overview typically reveals a considerable number of privileged users who effectively have access through group membership, such as system administration groups and shared accounts, in addition to the users who were intentionally granted direct access. Most Data Access Governance tools support both views: a specific user's access to all shares, sites and mailboxes, and, conversely, all users with access to e.g. a specified share.
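As an added example (written for this article, not NNIT's code or any particular product's), the two parts of this step in Python: a scan that locates credit card numbers in file contents, and the share-centric and user-centric views of who effectively has access once nested groups and shared accounts are expanded. The files, ACLs, group memberships and account names are constructed; candidate numbers are validated with the Luhn checksum, a choice made here rather than something the article prescribes.

```python
import re
from collections import deque

# Constructed sample files on a share: path -> contents.
FILES = {
    r"\\fs01\finance\q3-refunds.txt": "Refund to card 4111 1111 1111 1111 approved",
    r"\\fs01\finance\notes.txt": "Call vendor about invoice 1234567890123456",  # 16 digits, fails Luhn
    r"\\fs01\hr\onboarding.txt": "Welcome pack, nothing sensitive here",
}

# Constructed ACLs: path -> principals (users or groups) granted read access.
ACLS = {
    r"\\fs01\finance\q3-refunds.txt": {"finance-team", "svc-backup"},
    r"\\fs01\finance\notes.txt": {"finance-team"},
    r"\\fs01\hr\onboarding.txt": {"hr-team"},
}

# Constructed group membership: group -> members; members may themselves be groups.
# svc-backup is a shared service account that also sits in domain-admins.
GROUPS = {
    "finance-team": {"alice", "finance-leads"},
    "finance-leads": {"bob", "domain-admins"},
    "domain-admins": {"carol", "svc-backup"},
    "hr-team": {"dave"},
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the candidates in text that pass the Luhn check, as digit strings."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the first six and last four digits so the report is not itself a card-number store."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def expand_principal(principal: str, groups: dict) -> set[str]:
    """Resolve a user or group to the concrete accounts behind it, following nested groups."""
    accounts, seen, queue = set(), set(), deque([principal])
    while queue:
        p = queue.popleft()
        if p in seen:
            continue  # guards against circular group membership
        seen.add(p)
        if p in groups:
            queue.extend(groups[p])
        else:
            accounts.add(p)
    return accounts


def who_can_read(path: str, acls=ACLS, groups=GROUPS) -> set[str]:
    """Share-centric view: every account with effective read access to one path."""
    accounts = set()
    for principal in acls.get(path, ()):
        accounts |= expand_principal(principal, groups)
    return accounts


def what_can_user_read(user: str, acls=ACLS, groups=GROUPS) -> set[str]:
    """User-centric view: every path one account can effectively read."""
    return {path for path in acls if user in who_can_read(path, acls, groups)}


def scan(files=FILES, acls=ACLS, groups=GROUPS) -> dict:
    """Locate files containing card numbers and list who can effectively read each one."""
    report = {}
    for path, text in files.items():
        cards = find_card_numbers(text)
        if cards:
            report[path] = {"cards": [mask(c) for c in cards],
                            "readers": who_can_read(path, acls, groups)}
    return report


if __name__ == "__main__":
    for path, info in scan().items():
        print(path, info["cards"], sorted(info["readers"]))
```

Note that the ACL on the refunds file names only finance-team and svc-backup, yet the effective readers include carol, who appears nowhere in the finance ACLs; she is reachable through two levels of nesting via domain-admins. That is the kind of privileged-group access the overview is meant to surface, and it is why the report should be built from expanded membership rather than from the principals listed on the ACL.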
IT professionals cannot decide whether access to sensitive data is appropriate; that is a task for the business, so each piece of sensitive data needs an owner. Ownership can be assigned automatically based on who created the data or who is using it, or through a more elaborate process. Be patient: this can be time-consuming, depending on the level of maturity in your organization and industry.
Once ownership of sensitive data has been determined, the owners should certify that the users with access to it are appropriate. The same exercise is likely to detect unknown file shares and document sites that have sprung up and may need to be locked down and their access control normalized. As the processes for establishing new file shares and document sites with appropriate access control mature, this task will shrink over time.
Establish activity policies: detect and prevent actions such as copying or e-mailing sensitive data, and raise an alert when particular sensitive data is being used or other defined suspicious behaviour occurs. Real-time detection comes at a performance cost, but structured detection and timely prevention minimize the risk of data leaks.
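To make this step concrete, here is an added example (written for this article, not NNIT's or any product's code) of a small activity-policy engine run over constructed file-audit events. It blocks copy and e-mail actions on regulated data, alerts on confidential data sent by e-mail, and alerts when one user reads an unusual number of classified files within a short window. The log format, classification labels, policy names and thresholds are all assumptions; the classification map stands in for the output of the discovery scan in step 1.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: "<timestamp> key=value ...", chronological, values without spaces.
AUDIT_LOG = [
    r"2024-03-04T09:12:01Z user=alice action=read path=\\fs01\finance\q3-refunds.txt",
    r"2024-03-04T09:12:30Z user=alice action=copy path=\\fs01\finance\q3-refunds.txt dest=E:\usb",
    r"2024-03-04T09:14:00Z user=bob action=email path=\\fs01\finance\q3-refunds.txt to=ext@example.net",
    r"2024-03-04T09:15:00Z user=dave action=read path=\\fs01\hr\onboarding.txt",
    r"2024-03-04T09:20:00Z user=carol action=read path=\\fs01\finance\q3-refunds.txt",
    r"2024-03-04T09:20:10Z user=carol action=read path=\\fs01\finance\contracts.txt",
    r"2024-03-04T09:20:20Z user=carol action=read path=\\fs01\finance\payroll.txt",
    r"2024-03-04T09:20:30Z user=carol action=read path=\\fs01\finance\notes.txt",
]

# Classification labels as a discovery scan would produce them (assumed). Unlisted paths are unclassified.
CLASSIFICATION = {
    r"\\fs01\finance\q3-refunds.txt": "PCI",
    r"\\fs01\finance\payroll.txt": "PII",
    r"\\fs01\finance\contracts.txt": "CONFIDENTIAL",
}

# Activity policies: which actions on which labels to block outright, and which only to alert on.
POLICIES = [
    {"name": "no-exfil-of-regulated", "labels": {"PCI", "PII"},
     "actions": {"copy", "email"}, "verdict": "block"},
    {"name": "confidential-by-email", "labels": {"CONFIDENTIAL"},
     "actions": {"email"}, "verdict": "alert"},
]
BULK_READ_THRESHOLD = 3                  # distinct classified files ...
BULK_READ_WINDOW = timedelta(minutes=5)  # ... read by one user within this window


def parse_event(line: str) -> dict:
    """Split one audit line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, kv = line.split(" ", 1)
    event = dict(pair.split("=", 1) for pair in kv.split(" "))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def evaluate(lines, classification=CLASSIFICATION, policies=POLICIES) -> list[tuple]:
    """Return (verdict, policy, user, detail) for every policy hit, in log order."""
    alerts = []
    recent_reads = defaultdict(deque)  # user -> (ts, path) of classified reads inside the window
    for line in lines:
        ev = parse_event(line)
        label = classification.get(ev["path"])
        if label is None:
            continue  # unclassified data: no activity policy applies
        # Per-action policies on classified data.
        for pol in policies:
            if label in pol["labels"] and ev["action"] in pol["actions"]:
                alerts.append((pol["verdict"], pol["name"], ev["user"], ev["path"]))
        # Volume policy: many distinct classified files read by one user in a short time.
        if ev["action"] == "read":
            window = recent_reads[ev["user"]]
            window.append((ev["ts"], ev["path"]))
            while ev["ts"] - window[0][0] > BULK_READ_WINDOW:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) == BULK_READ_THRESHOLD:  # fire once when the threshold is reached
                alerts.append(("alert", "bulk-read", ev["user"],
                               f"{len(distinct)} classified files within {BULK_READ_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for verdict, policy, user, detail in evaluate(AUDIT_LOG):
        print(f"{verdict:5} {policy:22} {user:6} {detail}")
```

This runs as a batch over a log, which is the cheap, after-the-fact form of detection. Real-time prevention would call the same evaluate logic per event from a file-system or mail hook and enforce the block verdict before the copy or send completes, and it is that in-line evaluation of every access that carries the performance cost mentioned above.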
Growing data volumes, complexity and strict regulations place demands on IT operations and require IT security to expand. The effort put into each step of Data Access Governance requires careful consideration: it must be balanced against business needs and based on how important it is to keep your sensitive data secure.
This is an article from NNIT Security Insights, a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.
NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that help businesses achieve the level of security protection needed to avoid financial and reputational damage.
You are welcome to contact us at firstname.lastname@example.org if you want to know more about how NNIT can help your business increase its information security level.