Best practices for protecting sensitive data

Legislation such as the Protection of Personal Information Act (which seeks to protect consumers from abuse of their personal details) and King 3 (which requires formalised IT governance, including security) are highlighting the need for organisations to protect sensitive data, such as draft financial results, credit card numbers or customer contact details.

Approximately 80% of enterprise data sits on shared file systems or Sharepoint sites in the form of spreadsheets, presentation or documents. These volumes are growing by 50% per year and within months much of this data is stale. Most IT people will never be able to identify sensitive corporate information largely because there is just too much information floating around the system.

Combine this with constantly changing access requirements and it is no wonder that manual approaches to managing and protecting data access cannot keep up - users' typical levels of access to sensitive information is in breach of legislation.

Of course, IT managers will naturally want to ramp up compliance and security to try to keep everybody in line. But as we all know, productivity usually trumps those issues, so the question is: where can IT find another line of defence to at least secure the data that people access on all kinds of applications and devices?

The only viable approach is to use automation and intelligent analysis from solutions that are tailored to address unstructured data governance.

Five areas where automation can maximise labour and cost savings while enabling IT to manage these issues are:

Solutions such as Varonis DatAdvantage help IT to identify business data owners by providing a comprehensive audit trail on who is accessing data. These business owners know what the data is, why it's important, and who should have access to it. This reduces the workload on IT by allowing business to reduce access to levels based on business needs.

Data on shared servers and Sharepoint portals is frequently accessible by large numbers of people who do not have a justified business need. In general, this is because access permissions simply do not keep pace with business changes and data dynamics.

Solutions such as Varonis DatAdvantage identify overly accessible data and even point out those users and groups that should have their access to data revoked. Data owners simply need to review reports containing this information and confirm with IT that access should be revoked.

Businesses that take the time to identify and assign data owners will find themselves well positioned to manage data access problems proactively.

Organisations are also well served by undertaking projects to classify content. Solutions such as the Varonis IDU Data Classification Framework identify sensitive data buried in documents, spreadsheets and presentations.

It produces highly actionable results - results you can do something constructive with - by using intelligence about your data to prioritise its classification searches. It knows who owns data, who has permission to access data, who actually accessed data, and whose access to data should be revoked.

Though 70% of unstructured data goes stale after three months, the data remains the responsibility of the IT staff, and is part of their data management workload during such tasks as migrations, backups, etc.

Organisations can reclaim wasted space, save the time of IT staff, and reduce risk by automating the process of identifying and managing stale, unused data. The most direct way to do this is through comprehensive auditing of all data access by all users. When access to a data set tapers off and then stops completely, it's time to archive or delete that data.

Once data owners have more control over their data, organisations can further extend labour and cost savings by automating data governance processes such as entitlement management and reviews (“attestations”).

Using entitlement management workflow applications such as Varonis DataPrivilege, organisations can have data owners decide directly who gets access to their data and for how long.

Doing that eliminates the time IT spends brokering and managing these requests. Furthermore, periodic data owner reviews can be scheduled and audited, enabling IT staff to ensure data is being protected without having to do much of the day-to-day administrative work.

Unstructured data is simply too massive and dynamic to process and manage manually. By not keeping pace with data growth and changes, the data itself becomes vulnerable.

By following the best practises outlined above, organisations can comply with incoming legislative requirements to increase data security without placing unrealistic burdens on the IT staff.