4 Steps to Securing Unstructured Data for Compliance

By Danny Murphy | 04.27.2018 | Auditing

There are two kinds of data stored digitally in your organization: structured and unstructured. Unstructured data is data that does not have a pre-defined data model or isn’t organized in a pre-defined way. It usually comprises the majority of the digital information that an organization stores. The problem is that many companies find it tricky to keep their unstructured data secure due to its changing nature.

Because the vast majority of people-centric data is unstructured, it has an intrinsic value on the data black market. Many high-profile security breaches involve the release of unstructured data containing personal information, such as addresses, names, card information and much more. Therefore, it is essential that you are able to secure it.

However, many of the organizations we speak to struggle to get to grips with their unstructured data. So, in order to try and illuminate the issue, I thought I would introduce 4 ways in which you can start securing your unstructured data today.

1. Identify Which Data Contains Sensitive Information

This is the first step you need to take on the journey of Data Access Governance. Of your unstructured data, which files and folders contain personally identifiable information (PII)? You need to ensure you have a system in place to discover, tag and classify data containing names, addresses, dates of birth, credit card information and other PII. This needs to be a continuous process as unstructured data is growing and changing every day. You also should have in place a process by which you can run reports on this data that help to satisfy compliance mandates.

2. Identify Who Has Permissions to Access this Data

Once you know which files and folders contain PII, you need to be able to identify which of your users have access to them. Again, you should be able to run this as a report on a regular basis. Ideally, only a handful of employees should have access to these critical assets, such as C-Level executives, HR and the IT Team.

Once you have identified user permissions, you can begin to implement a Policy of Least Privilege, whereby users only have access to the data they need and nothing more. By limiting the number of people who have access to sensitive data, you can mitigate the risk of data breaches that may occur as a result of privilege abuse.
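Steps 1 and 2 as an added example, not code from the original article or from Lepide: a Python scan that flags files containing Luhn-valid payment card numbers and reports each flagged file's POSIX permission bits. The function names, sample paths and the test card number are constructed for illustration, and it assumes a POSIX file system; on a Windows file server the same report would read NTFS ACLs instead.

```python
import re
import stat
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs (order ids, phone numbers) that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def count_cards(text):
    found = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return sum(1 for digits in found if luhn_ok(digits))

def scan_tree(root):
    """Step 1: find files holding card numbers. Step 2: report their POSIX mode bits."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        try:
            hits = count_cards(path.read_text(encoding="utf-8", errors="ignore"))
            mode = path.stat().st_mode
        except OSError:
            continue  # unreadable by the scanning account; report these separately
        if hits:
            findings.append({"path": path.relative_to(root).as_posix(), "cards": hits,
                             "mode": stat.filemode(mode),
                             "world_readable": bool(mode & stat.S_IROTH)})
    return findings

def demo():
    """Constructed sample share: two files hold a test card number, one holds an order id."""
    samples = {"hr/payroll.txt": ("card 4111 1111 1111 1111 on file\n", 0o644),
               "hr/archive.txt": ("card 4111-1111-1111-1111\n", 0o600),
               "ops/orders.txt": ("order 1234567890123 shipped\n", 0o644)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (text, mode) in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text, encoding="utf-8")
            path.chmod(mode)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Files flagged with `world_readable` set are the first candidates for a least-privilege review; running the scan on a schedule and comparing successive reports surfaces newly exposed files.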

3. Ensure you can Report on Changes to this Data

One of the most important aspects of maintaining an environment that is both compliant and secure is being able to track when changes are made to sensitive data and permissions.

If a user copies, moves, deletes, renames or modifies a file containing valuable PII, you need to know about it. Most of the time the change will be innocuous, but even so, many compliance mandates require you to prove that you are being responsible when monitoring this data. If you do spot a change you deem to be unauthorized or malicious, you should be able to reverse it.

The same can be said about permissions. If a junior-level employee’s permissions are elevated to the point where they now have access to PII, you need to be aware of this. Unfortunately, the native auditing process for doing this is time-consuming and complex, and it does not provide any pre-defined reports. That’s where LepideAuditor comes in.

Using the File Server auditing component of LepideAuditor, you can make use of real-time alerts and pre-defined reports that enable you to keep a continuous and proactive track of the changes taking place to both data and permissions. The solution contains over 300 pre-set reports that are specifically designed to meet a number of compliance and security challenges that organizations regularly face.

4. Rinse and Repeat

The process of maintaining a compliant and secure IT environment when it comes to unstructured data is a continuous one. Don’t ever be tempted to think that once is enough. Due to the ever-evolving nature of unstructured data, regular reviews and updates need to be made to permissions to ensure that you maintain that policy of least privilege. The roles of employees may change, people may leave, and unwanted permission changes may take place. If left unmonitored, these scenarios could potentially be very dangerous.

In summary, it’s essential that you take unstructured data seriously and, if you need to, don’t be afraid to shop around for a solution that enables you to discover and classify sensitive data and then audit changes being made to that data and its surrounding permissions. Remember, it’s a continuous process that requires constant vigilance!

