Data is everywhere in your organization; it is really the lifeblood of your success (or lack thereof). Losing blood is bad and ultimately life threatening if it isn't stopped, so it's no wonder that as data continues to grow at an exponential rate in your organization, you must increase your security to protect it.
We often focus on securing the large databases that house records and carefully ensure that only certain people have access to those applications. While that is obviously important and regularly talked about, the following is a list of new concerns that have now entered the fray of 21st century data security initiatives:
Unstructured Data – What is often overlooked is all the unstructured data that also lurks in your environment on servers, SharePoint sites and even workstations. Think of the PDF scan of a health test, or a copy of a customer order that shows the credit card used for payment. Sure, the data in those examples has likely been entered into an application, but what is the security on those PDF scans that a front line employee saved on their workstation while helping a customer? How much unstructured data do you have in your environment, what does it contain, who should be responsible for it and who has access to it now? Those are all questions that security professionals tackling the challenges of data must ask themselves.
Classification – As security and compliance regulations continue to grow, so does the focus on classifying data within the virtual borders of our organization. Add to that the physical borders of the differing laws and regulations of whichever country the data is housed in, and classification becomes increasingly important. An international company with offices in the US may have specific US regulations to adhere to which state that no US account/customer data can be accessed by an employee of the same company based in a different country, in Asia for example, or vice versa. As such, it can be very important for security professionals to tag and classify data by specific parameters such as the country, the security regulation (PCI, HIPAA, etc.) and so on. But this raises the question of whether you classify the data by relying on your end users to do so at its initial creation (i.e. during the save or send process), which is subject to human error or deceit. Alternatively, you could tackle this challenge by scanning all the data at rest on an ongoing basis to identify key parameters such as content (e.g. credit card numbers), as well as where it was created and by whom, in order to classify it.
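As an added illustration (not code from the original post), the data-at-rest scanning approach just described reduced to a small Python scanner: it walks a folder, flags documents containing Luhn-valid card numbers as PCI, and records the owning uid and modification time as the "by whom" and "when" parameters. The PAN pattern and the idea of reporting only a hit count rather than the numbers themselves are assumptions for the example.

```python
import os
import re
from datetime import datetime, timezone

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
# Lookarounds stop it matching a slice out of a longer digit run (assumed pattern).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card number candidates found in text (separators stripped)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def classify_text(text: str) -> tuple:
    """Content-based tags for one document plus the hit count; extend with HIPAA, country rules, etc."""
    pans = find_pans(text)
    tags = ["PCI"] if pans else []
    return tags, len(pans)

def classify_file(path: str) -> dict:
    """Tag a file at rest by content plus who owns it and when it was last changed."""
    st = os.stat(path)
    with open(path, "r", errors="ignore") as f:
        tags, hits = classify_text(f.read())
    return {
        "path": path,
        "owner_uid": st.st_uid,             # map to a user name / data custodian downstream
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "tags": tags,
        "pci_hits": hits,                   # count only; never copy PANs into the inventory
    }

def scan_tree(root: str) -> list:
    """Walk a share or workstation folder and return one classification record per file."""
    return [classify_file(os.path.join(d, n)) for d, _, names in os.walk(root) for n in names]
```

The records from scan_tree can be fed into whatever tagging or DLP system you use; the Luhn check is what keeps order numbers and phone numbers from being mislabelled as PCI.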
Business Involvement – Though IT may be tasked with spearheading the implementation of some of the tools to take on the challenges of securing data, if the entire responsibility is placed on their shoulders, the organization will ultimately fail. The reason is that IT does not have the proper understanding of the context as to what data should be secured and who should be permitted access. This is why it is crucial that the business side of the organization be tasked with approving access requests and be involved in the classification process. Who has a better understanding of which employees in the finance department should be permitted access to specific files on the finance share – the Director of Finance or the Director of IT? Identifying the appropriate custodians of the various data in your organization is the first step to building your army of staff who can help you ensure the security of that data. Additionally, having each of those individuals who have been identified as responsible for a segment of data perform a regular recertification of who has access to it is a must.
Because data is ever expanding, it’s not a “set it and forget it” situation, and the more sensitive the data in question, the more often you’ll want to review, classify and schedule those recertification checks.