For any organization, carefully protecting business content that is collected explicitly and systematically comes natural. CRM data is a good example of this kind of content.
In many organizations, people store personal dumps of CRM data for quick and easy access to customer information. Creating these working copies of data may be due to users seeking to avoid the need to re-logging into the system or to avoid being dependent on network connectivity, for example. Many users store a variety of business files on folders in local PCs or in the cloud, and users rather frequently share these with colleagues and partners.
From a cybersecurity point-of-view, it is essential to pay attention to how data-in-use is stored: in a structured and an unstructured format. From the perspective of content security, there seems to be a very different level of expected and applied security.
Structured data is collected in relational databases on purpose and it is generally well organized and classified. The value and sensitivity of the data is well understood, and it is, consequently, usually well protected as per many relevant regulatory mandates. Most mature organizations have clear processes that address how such data should be handled, who has access, and how this access is protected.
The same cannot be said for the unstructured data in shared and personal folders on SharePoint, Dropbox, Google Drive etc. Not to mention the files stored on users’ laptops, computers and email folders. In all of these, there often exists Excel and Word documents about internal and external matters that by their nature and by policy would require strict access control and strong protection. This kind of data is unstructured and heterogeneous – and in many cases unprotected.
Unstructured data clearly poses an important and growing threat. It is a soft target for cybercriminals.
Typically, there is little visibility into unstructured data – there is no clear picture of how sensitive it is, where it resides, and how it is protected. Security policies may be unclear, missing or not observed. There is typically limited user guidance, and data ownership may be somewhat undefined.
In a recent case, our security team discovered that the customer’s end-users had stored countless snapshots and documents from production databases containing personal data of end-customers. The customer found the situation unacceptable and demanded swift solutions.
A straightforward option would be to prevent taking personal copies of structured data. This would, however, have an adverse effect on employees performing their tasks. Another option would be to delete unstructured data to counter the risk, but this too may be asking for trouble in the form of information loss. As usual, the real-life problems call and demand careful study and a working compromise.
Perform a mapping of unstructured data. Remember to include cloud assets. As a matter of fact, mapping all potential privacy-related data, including unstructured data, should have been part of GDPR preparations. If it was not, now is the time.
Classify unstructured data. Data needs classification to determine the appropriate level and method of protection.
Create data/content protection policies, rules, and processes.
Create data classification and ownership policies.
Implement technical protection measures: encryption with effective key management, DLP(data loss prevention), IAM (identity and access management) and PAM (privileged access management).
Determine access rights to structured data and rules for legitimate use.
Educate and guide end-users. For rules and processes to work, they must become routines. Also, urge end-users to delete old files with sensitive business information.
Cloud may complicate the situation and may create novel challenges for data architecture and processes. All organizations will need to address and enforce rules for cloud use. Our advice is to see if similar (or even exactly the same) methods and controls are applicable across cloud, on-premise and hybrid environments. Widely usable security frameworks can turn out to be a competitive advantage.
While encryption and key management are important technical methods, they alone are not going to solve the problem: employees need to work with data in a plain-text format, and all data can’t be encrypted (all the time).
To control users’ identities and access to data is a security fundamental, which makes effective IAM (including PAM) a must for every organization. It also goes a long way towards preventing authorized access. Without effective IAM, there is no way to control users’ access and entitlements to content, be it structured or not.
Why should PAM, privileged access management, always be a core part of IAM? Because it manages and logs systems access of administrators – people who possess the keys to the kingdom, so to speak. We will discuss PAM in detail in our forthcoming blog.
As you can see, several organizational and technical steps must be taken to get unstructured data secured. The task may seem overwhelming. A systematical and holistic approach makes it bearable – and you can always turn to us at Tieto Security Services.
Do you want to know more about IAM, PAM, DLP and protecting unstructured data? Don’t hesitate to get in touch with us!
Rasa is a Senior Product Manager at Security Services. He has worked with various security, encryption and key management technologies for two decades and has extensive experience in protecting critical digital assets. He has previously held security-related positions in companies such as SSH Communications Security, SafeNet, AuthenTec, and INSIDE Secure.