More companies look to structure safety of unstructured data

Access governance plans should strive to integrate data systems

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

2Ed note_Jonathan SanderAccess gov­er­nance has been a huge suc­cess for secu­ri­ty and com­pli­ance.

The idea is sim­ple: Have busi­ness own­ers, who (hope­ful­ly) under­stand the busi­ness val­ue of infor­ma­tion tech­nol­o­gy assets, review and approve the access grant­ed to employ­ees and all new access requests. Like all suc­cess­ful ven­tures, busi­ness­es are look­ing to build on it.

Many com­pa­nies are expand­ing reviews of unstruc­tured data—all that human-gen­er­at­ed stuff liv­ing in file-shares, on por­tals such as Share­Point, and in a thou­sand oth­er cor­ners of your infra­struc­ture. Ana­lysts esti­mate 80 per­cent of a typ­i­cal organization’s data is unstruc­tured. Every time some­one copies data from an appli­ca­tion into a spread­sheet to work on while rid­ing the com­muter train, a piece of unstruc­tured data is added that could con­tain sen­si­tive infor­ma­tion. It makes sense to wor­ry about who could have access to it.

Secu­ri­ty & Pri­va­cy Week­ly News Roundup: Stay informed of key pat­terns and trends

Why haven’t busi­ness­es includ­ed unstruc­tured data in their access-gov­er­nance plans? It’s anoth­er case of look­ing for nails because the only tool you have is a ham­mer. Access gov­er­nance grew out of pro­vi­sion­ing, and pro­vi­sion­ing sys­tems get things done with con­nec­tors. Con­nec­tors are point to point. They talk to the pro­vi­sion­ing or access-gov­er­nance sys­tem on one end and the tar­get appli­ca­tion on the oth­er.

If you have three human resources appli­ca­tions, even if they’re the same type,  you’ll have a con­nec­tor for each. When con­nec­tors talk to appli­ca­tions, the appli­ca­tions tell them the secu­ri­ty details they need. But access man­age­ment for unstruc­tured data lives in sev­er­al areas—within the data itself, with­in the fold­er and share struc­tures, with­in the sys­tems host­ing that data, and with­in the cre­den­tial man­age­ment and direc­to­ry sys­tems. Con­nec­tors were nev­er designed to han­dle that kind of com­plex­i­ty, so unstruc­tured data has been left out of the plan until now.

There are a few pat­terns emerg­ing in this data access gov­er­nance push. Some orga­ni­za­tions are set­ting up par­al­lel sys­tems. Oth­ers are inte­grat­ing unstruc­tured data sys­tems into their exist­ing access gov­er­nance plat­forms. Some are tak­ing a hybrid approach. They will han­dle some unstruc­tured data issues on their own, for exam­ple, iden­ti­fy­ing data own­ers, then inte­grate the infor­ma­tion into their access gov­er­nance sys­tem lat­er. Any of these can work, but inte­gra­tion seems to be the best long-term strat­e­gy.

Remem­ber, access gov­er­nance is a life­long effort.

Fol­low Jonathan Sander on Twit­ter at @sanderiam

More on emerg­ing best prac­tices:
Encryp­tion rules ease retail­ers’ bur­den
Track­ing priv­i­leged accounts can thwart hack­ers

Impen­e­tra­ble encryp­tion locks down Inter­net of Things