It’s time to give unstructured data some structured protection


Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system.

Some 80 percent of business data is said to be unstructured and that percentage quite obviously has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software, and dispersing our pearls of wisdom in digital communications.


Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages, and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”


I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

STEALTHbits helps companies that use Windows Active Directory identify and keep more detailed track of shared files that hold unstructured data. That may sound basic. Yet the fact that STEALTHbits is part of a thriving cottage industry of technology vendors helping organizations get a grip on unstructured data is truly a sign of the times.

A decade and a half has elapsed since the Y2K scare. During that period, business networks have advanced and morphed and now tie extensively into the Internet cloud and mobile devices.

Close the security gap

Along the way, no one had the foresight to champion a standard architecture to keep track of—much less manage and secure—unstructured data, which continues to grow by leaps and bounds.

Criminals certainly recognize the opportunity for mischief that has resulted. It’s difficult to guard the cream when the cream can be accessed from endless digital paths.

Just ask Morgan Stanley. Earlier this year, a low-ranking Morgan Stanley financial adviser pilfered, then posted for sale, account records, including passwords, for 6 million clients. The employee was fired and is being investigated by the FBI. But Morgan Stanley has to deal with the hit to its reputation.

“The urgency is that your information is under attack today,” says Ronald Arden, vice president at Fasoo USA, a data management technology vendor. “Somebody is trying to steal your most important information, and it doesn’t matter if you’re a small company that makes widgets for the oil and gas industry or you’re Bank of America.”

Fasoo’s technology encrypts any newly generated data that could be sensitive and fosters a process for classifying which types of unstructured data should routinely be locked down, Arden told me.

Technology solutions, of course, are only as effective as the people and processes in place behind them. It is incumbent upon executives, managers and employees to help make security part and parcel of the core business mission. Those that don’t do this will continue to be easy targets.

Steps forward

Simple first steps include proactively identifying where sensitive data exists. This should lead to clarity about data ownership and better choices about granting access to sensitive data, says STEALTHbits’ Laub.

This can pave the way to more formal “Data Access Governance” programs, in which data access activities are monitored and user behaviors are baselined. “This will go a long way towards enabling security personnel to focus on the events and activities that matter most,” says Laub.

Smaller organizations may have to move much more quickly and efficiently. Taking stock of the most sensitive information in a small or midsized organization is doable, says Fasoo’s Arden.

“If you are a manufacturing company, the intellectual property around your designs and processes are the most critical pieces of information in your business, if you are a financial company it’s your customer records,” Arden says. “Think about securing that information with layers of encryption and security policies to guarantee that that information cannot leave your company.”

Some unstructured business data is benign and may not need to be locked down. “If I write you a memo that says, ‘We’re having a party tonight,’ that’s not a critical piece of information,” says Arden. “But a financial report or intellectual property or something related to healthcare or privacy, that’s probably something that you need to start thinking about locking down.”
