Unstructured data (which includes emails, PDFs, documents, presentations, intellectual property and any other data that may exist beyond the scope of your application or database) is fast becoming a prime target for cyber-criminals.
To ensure that your unstructured data is sufficiently protected, you will need a Data Access Governance (DAG) program. A common issue, however, is that organizations don’t know where to start in developing such a program. Outlined below are some basic steps you can take to implement an effective DAG program.
1. Know Your Data
You will need to start by performing a scan of your entire system and taking an inventory of all the assets you store. You can use data discovery tools which can locate, classify and report on a wide variety of data types. Doing so will make it easier for you to organize your data based on a set of pre-defined categories – a process known as data classification. You will need to know the volume of data you store, who has access to what data, and how the data is being accessed and used.
2. Take Notice of Sensitive Data
Naturally, you will need to pay close attention to your most critical assets. These include things like personally identifiable information (PII), protected health information (PHI), intellectual property (IP), and payment card industry data (PCI). You will need to start by removing open access to this information, identifying any elevated access rights, and then taking the necessary steps to enforce least privilege access. Likewise, it is generally good practice to encrypt all sensitive data.
3. Educate Your Entire Organization
Once you have a clear understanding of who owns what data, you will need to contact all relevant parts of the organization (anyone who has an affiliation with this data), such as HR, legal, contractors and suppliers, and ask them questions pertaining to: why they need the data, who has access to the data, and how the data is being used. You will need to make sure they understand the flow of data and what their responsibilities are in protecting the data.
4. Take Action
It is now time to review the findings of your initial investigation and take action where necessary. You will need to start by revoking global access groups such as “everyone”, as such groups often result in excessive and unnecessary privileges. Allow business owners to review the privileges and encourage them to provide feedback.
5. Repeat the Process
Data Access Governance (DAG) programs are part of an ongoing data protection strategy. You will need to periodically review the program, carry out additional scans, identify your critical assets, and review the privileges as often as necessary. Consider utilizing solutions which can help streamline the process.
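As an added example (not part of the original article, and not Lepide's or LepideAuditor's code), the Python script below walks through the mechanical core of steps 1, 2 and 4: scan a directory tree, classify each file against a couple of sensitive-data categories named above (PCI card numbers and PII in the shape of a US SSN), and produce the short list of files that are both sensitive and open to everyone, which is the list a business owner reviews in step 4. Everything it scans is constructed inline in a temporary directory. Two assumptions are deliberate simplifications: the regular expressions are illustrative, not a complete classifier (the Luhn check is there to cut the false positives that a bare digit-run pattern produces), and a world-readable POSIX mode bit stands in for an "Everyone" entry on a Windows share ACL, so it runs as written on Linux or macOS.

```python
import os
import re
import stat
import tempfile

# Illustrative patterns for two of the categories in step 2. Real discovery
# tools use many more patterns plus context (column headers, keywords).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card numbers
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN-shaped values


def luhn_ok(candidate):
    """Luhn checksum: rejects most digit runs (order ids, phone numbers) that
    merely look like a payment card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the set of sensitivity tags found in a file's contents."""
    tags = set()
    for match in PAN_PATTERN.finditer(text):
        if luhn_ok(match.group()):
            tags.add("PCI")
    if SSN_PATTERN.search(text):
        tags.add("PII")
    return tags


def is_open_access(path):
    """Assumption: a world-readable mode bit plays the role of an 'Everyone'
    ACE on a Windows file share."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan(root):
    """Step 1: inventory every file under root with its tags and access state."""
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # unreadable file: skip, do not abort the scan
            inventory.append({
                "path": os.path.relpath(path, root),
                "tags": sorted(classify_text(text)),
                "open_access": is_open_access(path),
                "size": len(text),
            })
    return sorted(inventory, key=lambda row: row["path"])


def findings(inventory):
    """Step 4 input: sensitive files that are readable by everyone."""
    return [row["path"] for row in inventory
            if row["tags"] and row["open_access"]]


def build_sample_tree():
    """Constructed sample data: three files, one of which is sensitive AND open."""
    root = tempfile.mkdtemp(prefix="dag_demo_")
    samples = {
        # path: (contents, POSIX mode)
        "hr/payroll.txt": ("Employee SSN 123-45-6789, salary band 4\n", 0o644),
        "finance/refunds.csv": ("customer,pan\nacme,4111 1111 1111 1111\n", 0o640),
        "public/notes.txt": ("Order id 1234567890123 nothing sensitive\n", 0o644),
    }
    for rel, (contents, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(contents)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    rows = scan(demo_root)
    for row in rows:
        print(row)
    print("sensitive and open to everyone:", findings(demo_root and rows))
```

The third sample file is the point of the Luhn check: "1234567890123" has a plausible length for a card number but fails the checksum, so it is not tagged PCI and does not waste a reviewer's time. The refunds file does carry a valid card number but is not world-readable, so it appears in the inventory with a PCI tag without appearing in the findings; only the payroll file meets both conditions. Running the scan again after permissions have been tightened (step 5) should produce an empty findings list.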
There are a number of sophisticated data access governance solutions which can help to ensure that all data security controls are actively monitored. File Auditing Solutions, such as LepideAuditor, can integrate with the discovery and classification capabilities of File Server Resource Manager and provide detailed analysis and alerts on user behaviour associated with your most critical files and folders. LepideAuditor will enable you to discover, tag and classify data containing PII, and monitor any changes that take place to the files, folders or permissions surrounding them.