It’s time to close the security loophole on unstructured data

SMBs, other enterprises must restrict access to treasure trove of hackable information

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Approx­i­mate­ly 80 per­cent of the data gen­er­at­ed in the course of con­duct­ing dig­i­tal com­merce does not get stored in a data­base or in any oth­er for­mal data man­age­ment sys­tem, accord­ing to IBM.

This mas­sive, swelling ocean of busi­ness data is referred to as “unstruc­tured data.” It includes Word docs, PDFs, spread­sheets, slide pre­sen­ta­tions, images, videos and audio files—in short, the stuff orga­ni­za­tions of all sizes gen­er­ate and wide­ly share all day long.

Relat­ed arti­cle: SMBs face unprece­dent­ed dig­i­tal risks

Secu­ri­ty pro­fes­sion­als have long warned that a poor under­stand­ing and lack­adaisi­cal man­age­ment of unstruc­tured data rep­re­sents a pro­found expo­sure. And now that fear has mate­ri­al­ized in a big way.

Adam Laub, STEALTH­bits Tech­nolo­gies senior vice president

I spoke to Adam Laub, senior vice pres­i­dent at STEALTH­bits Tech­nolo­gies, about this at RSA 2017. A few takeaways:

Ubiq­ui­tous expo­sure. Unstruc­tured data rep­re­sents the largest amount of data with­in any giv­en orga­ni­za­tion, SMBs and enter­pris­es alike. “It is the type of data that users inter­act with the most,” Laub says. “This is famil­iar to any­one who has worked in a cor­po­rate environment—again doesn’t real­ly mat­ter the size of the orga­ni­za­tion. You cre­ate a file, put it on a com­mon dri­ve where every­body has access to it, and it sits out there and often goes com­plete­ly unchecked or unknown about.”

This is pre­cise­ly the type of data that is attrac­tive to hack­ers. “It’s eas­i­ly lost and it rep­re­sents prob­a­bly the biggest unknown with­in any orga­ni­za­tion,” Laub says. “What’s inside these files? Who has access to them? How do they have access? Who’s access­ing them? Is it even need­ed? It’s a sub­ject to any com­pli­ance standard?”

In IT jar­gon, this state is known as “open-access.” Laub says open access exists every­where you turn in most busi­ness­es. “Some­times it’s by mis­take, but most often it occurs because it’s just eas­i­er to leave some­thing open, than to fig­ure out how to pro­vide the prop­er access to some­thing like a file share,” he says. “This very sce­nario is why so many Secu­ri­ty Groups exist with­in direc­to­ries like Microsoft Active Direc­to­ry in the first place, because if you do decide to secure this new file share that has just been cre­at­ed, you’ll just cre­ate anoth­er group, even though one or mul­ti­ple groups may already exist with the same exact members.”

A ran­somware mag­net. To ran­somware pur­vey­ors, unstruc­tured data is mana from heav­en. These oppor­tunis­tic extor­tion­ists have deter­mined that seek­ing out—and encrypting—unstructured data is a path to fast cash. When the vic­tim com­pa­ny has nonex­is­tent or weak dis­as­ter recov­ery sys­tems in place, the best option sud­den­ly becomes pay­ing the ran­som demand to obtain a decryp­tion key.

Ran­somware actu­al­ly seeks out the data that exists out on those file shares on your desk­tops, or in all places where it exists,” Laub says. “This is the type of data that is eas­i­ly lost, and it rep­re­sents prob­a­bly the biggest unknown with­in any organization.”

New secu­ri­ty imper­a­tive. If you’re a com­pa­ny deci­sion-mak­er, and you thought you were doing well because you pro­tect your net­work perime­ter and devices, keep your sys­tems updates and train your employ­ees, think again. You need to also take a long, hard look at the unstruc­tured data your orga­ni­za­tion generates.

You actu­al­ly want to start with deter­min­ing where a con­di­tion called ‘open access’ exists,” Laub says. “This is where basi­cal­ly every­one in the orga­ni­za­tion has access to a par­tic­u­lar data resource. There’s vir­tu­al­ly no sce­nario where every user in an orga­ni­za­tion should have access to a repos­i­to­ry of data, yet it is a very preva­lent condition.”

Not every­one should have access to every­thing, even in a busi­ness envi­ron­ment that encour­ages cre­ative col­lab­o­ra­tion. Gov­er­nance con­trols that strike the right bal­ance between pro­duc­tiv­i­ty and secu­ri­ty are need­ed. “The next piece of the equa­tion is to actu­al­ly ver­i­fy user rights and affirm that they are accu­rate on an ongo­ing basis,” Laub says. “This is the type of review that you per­form, let’s say, quar­ter­ly or at least semi­an­nu­al­ly to make sure that the peo­ple who have access to data have the right lev­el of access or no access at all if they don’t need it.”

A prop­er­ly imple­ment­ed data access gov­er­nance pro­gram can strike the per­fect bal­ance pro­duc­tiv­i­ty and secu­ri­ty. “It’s all about putting the pow­er in the hands of the own­ers of the data,” says Laub. “After all, who knows their data bet­ter than them?  When some­one needs access to a new resource, it may take hours, days, or weeks before IT or the helpdesk can ser­vice such a request.”

For a deep­er dive into my con­ver­sa­tion with Laub, please lis­ten to the accom­pa­ny­ing podcast.

More sto­ries relat­ed to unstruc­tured data:
It’s time to give unstruc­tured data some struc­tured protection
More com­pa­nies look to struc­ture safe­ty of unstruc­tured data
Com­pro­mised cre­den­tials still the cul­prit in many data breaches