It’s time to close the security loophole on unstructured data

SMBs, other enterprises must restrict access to treasure trove of hackable information


Approximately 80 percent of the data generated in the course of conducting digital commerce does not get stored in a database or in any other formal data management system, according to IBM.

This massive, swelling ocean of business data is referred to as “unstructured data.” It includes Word docs, PDFs, spreadsheets, slide presentations, images, videos and audio files—in short, the stuff organizations of all sizes generate and widely share all day long.

Related article: SMBs face unprecedented digital risks

Security professionals have long warned that a poor understanding and lackadaisical management of unstructured data represent a profound exposure. And now that fear has materialized in a big way.

Adam Laub, STEALTHbits Technologies senior vice president

I spoke to Adam Laub, senior vice president at STEALTHbits Technologies, about this at RSA 2017. A few takeaways:

Ubiquitous exposure. Unstructured data represents the largest amount of data within any given organization, SMBs and enterprises alike. “It is the type of data that users interact with the most,” Laub says. “This is familiar to anyone who has worked in a corporate environment—again doesn’t really matter the size of the organization. You create a file, put it on a common drive where everybody has access to it, and it sits out there and often goes completely unchecked or unknown about.”

This is precisely the type of data that is attractive to hackers. “It’s easily lost and it represents probably the biggest unknown within any organization,” Laub says. “What’s inside these files? Who has access to them? How do they have access? Who’s accessing them? Is it even needed? Is it subject to any compliance standard?”

In IT jargon, this state is known as “open-access.” Laub says open access exists everywhere you turn in most businesses. “Sometimes it’s by mistake, but most often it occurs because it’s just easier to leave something open, than to figure out how to provide the proper access to something like a file share,” he says. “This very scenario is why so many Security Groups exist within directories like Microsoft Active Directory in the first place, because if you do decide to secure this new file share that has just been created, you’ll just create another group, even though one or multiple groups may already exist with the same exact members.”

A ransomware magnet. To ransomware purveyors, unstructured data is manna from heaven. These opportunistic extortionists have determined that seeking out—and encrypting—unstructured data is a path to fast cash. When the victim company has nonexistent or weak disaster recovery systems in place, the best option suddenly becomes paying the ransom demand to obtain a decryption key.

“Ransomware actually seeks out the data that exists out on those file shares on your desktops, or in all places where it exists,” Laub says. “This is the type of data that is easily lost, and it represents probably the biggest unknown within any organization.”

New security imperative. If you’re a company decision-maker, and you thought you were doing well because you protect your network perimeter and devices, keep your systems updated and train your employees, think again. You need to also take a long, hard look at the unstructured data your organization generates.

“You actually want to start with determining where a condition called ‘open access’ exists,” Laub says. “This is where basically everyone in the organization has access to a particular data resource. There’s virtually no scenario where every user in an organization should have access to a repository of data, yet it is a very prevalent condition.”
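The two conditions Laub describes, open access and redundant security groups with identical members, can be checked from an export of share permissions and group memberships. The following is an added example, not code from the article or from STEALTHbits; the group names, share paths and users are constructed, and it assumes flat (non-nested) group membership.

```python
from collections import defaultdict

# Constructed sample data (not from the article): group -> members, and
# share -> principals granted access. All names are hypothetical.
GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Finance": {"alice", "bob"},
    "Finance-Share-RW": {"alice", "bob"},  # same members as Finance
    "All-Staff-Legacy": {"alice", "bob", "carol", "dave"},
    "HR": {"carol"},
}
SHARE_ACLS = {
    r"\\fs01\public": ["Everyone"],
    r"\\fs01\finance": ["Finance-Share-RW"],
    r"\\fs01\projects": ["All-Staff-Legacy"],
    r"\\fs01\hr": ["HR", "dave"],
}
# Built-in principals that mean "everyone" regardless of membership data.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}

def effective_users(principals, groups):
    """Expand an ACL's principals (groups or users) to a set of users."""
    users = set()
    for p in principals:
        users |= groups.get(p, {p})  # unknown names are treated as users
    return users

def find_open_access(acls, groups, all_users):
    """Return shares every user can reach, with the reason."""
    findings = {}
    for share, principals in acls.items():
        broad = sorted(BROAD_PRINCIPALS.intersection(principals))
        if broad:
            findings[share] = "broad principal: " + ", ".join(broad)
        elif effective_users(principals, groups) >= all_users:
            findings[share] = "group membership covers all users"
    return findings

def find_duplicate_groups(groups):
    """Return lists of group names whose member sets are identical."""
    by_members = defaultdict(list)
    for name, members in groups.items():
        by_members[frozenset(members)].append(name)
    return sorted(sorted(n) for n in by_members.values() if len(n) > 1)

ALL_USERS = set().union(*GROUPS.values())
if __name__ == "__main__":
    print(find_open_access(SHARE_ACLS, GROUPS, ALL_USERS))
    print(find_duplicate_groups(GROUPS))
```

The second check in `find_open_access` catches shares that look restricted by name but are granted to a group whose membership has grown to include every user.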

Not everyone should have access to everything, even in a business environment that encourages creative collaboration. Governance controls that strike the right balance between productivity and security are needed. “The next piece of the equation is to actually verify user rights and affirm that they are accurate on an ongoing basis,” Laub says. “This is the type of review that you perform, let’s say, quarterly or at least semiannually to make sure that the people who have access to data have the right level of access or no access at all if they don’t need it.”

A properly implemented data access governance program can strike the perfect balance between productivity and security. “It’s all about putting the power in the hands of the owners of the data,” says Laub. “After all, who knows their data better than them? When someone needs access to a new resource, it may take hours, days, or weeks before IT or the helpdesk can service such a request.”

For a deeper dive into my conversation with Laub, please listen to the accompanying podcast.

More stories related to unstructured data:
It’s time to give unstructured data some structured protection
More companies look to structure safety of unstructured data
Compromised credentials still the culprit in many data breaches
