Discovering where unsecure, sensitive information resides on networks is a key factor in shaping and determining successful data protection strategy. Lack of visibility into critical data assets can leave organisations exposed to significant risks. Many well documented cases of critical data leakage only serve to highlight the consequences for organisations; including criminal and civil litigation, reputational and brand damage in addition to hefty financial implications.
Managing critical or sensitive data is a crucial corporate governance issue and organisations often struggle with the increasing complexity of compliance and legislative demands that now regulate how businesses handles particular types of information. In order to be able to protect data it is essential to firstly discover the data that needs to be protected - before you can protect it, you must find it. Identifying and determining the location of critical data across the enterprise can be challenging unless a structured data discovery strategy is implemented.
COMPLIANCE AND GOVERNANCE
Data discovery is a fundamental factor in risk mitigation and a control in assessing governance and compliance capabilities. Whether engaging in projects such as governance, compliance or information security, it is essential to establish a full and comprehensive understanding of where potentially exposed information resides on the corporate network. In order to comply with frequently changing regulation requirements, data protection must be clearly defined and include the ability to provide regular and detailed reports that address the requirements of external assessors and internal stakeholders.
Organisations often accept payment in the form of cardholder data from multiple sources (manual transactions, e-mail, web forms, web services etc) but struggle to demonstrate to external security auditors that appropriate security measures are in place to protect such data throughout its lifecycle, i.e. how this sensitive information is collected, stored and used. Within its own right, the lifecycle of data should adapt a comprehensive approach to managing an organisation's data, involving procedures, practices and applications. Discovering where sensitive and critical information is stored is the first and most critical step towards securing a data protection security programme. The ability to identify data and determine its location enables organisations to more readily assess the effectiveness of their data classification procedures.
It is essential to ensure that critical data is maintained within protected areas of the corporate network. These areas are established after due consideration to location, security and data volumes. User Access Rights to these secure information repositories should be restricted by network logon credentials, which are managed via the network administrator. Data discovery is the exercise where by the network is audited for the presence of critical data (e.g. card holder data) and frequent data discovery exercises should be used to audit for the presence of unsecured sensitive and critical data.
SOURCING DATA DISCOVERY SOLUTIONS
Effective data protection strategy drives stability within an organisation, improving structures and operating efficiencies. Taking adequate measures requires the deployment of data protection solutions which will enable organisations to detect and safeguard their unsecure, corporate sensitive data. When choosing the right solution, product offerings incorporating the following features should be considered:
- Flexible configuration of criteria for data discovery
- Speed of network scanning and network congestion
- Ease of use for data categorisation and classification models
- Ease of deployment and management
- Comprehensive reporting identifying meaningful and actionable results
These combined with well communicated corporate and governance policies will help provide organisations with an operating discipline and efficient data security initiative for managing sensitive data as a key enterprise asset.
Identifying exposures to critical data assets is fundamental to an effective data protection strategy and data discovery is core to this process. Lack of visibility will leave organisations weakened and exposed to significant risks with the potential to cause long lasting reputational damage. Through engaging comprehensive data security software and policies, organisations can significantly mitigate risk, gain clear visibility and take full control of their corporate sensitive data and IT assets.
ABOUT THE AUTHOR
Gerard Curtin is CEO of Irish software security solutions company PixAlert and is a leading security specialist in network data discovery and image detection management. Gerard’s background spans 23 years in senior engineering and management roles across IT security and network telecommunication industries including Prime Carrier, Openet Telecom, Euristix and Retix. Ger is a regular industry event and forum contributor and is a member of Info Security Ireland.