Data discovery and classification is fast becoming the must have data security feature – and for good reason. Considering that businesses are creates vast amounts of unstructured data every day, it’s increasingly important to ensure that you can tell what that data is and what levels of protection need to be applied to it.
As a result of the demand for this kind of functionality, naturally vendors have been popping up that claim to offer a solution. These vendors purport to be able to help you reduce the risk of expensive data breaches, increase employee involvement in data security and meet compliance requirements. I’m not going to call out any vendors in particular, but it’s likely that if you visit the website of most data discovery and data classification vendors, you’ll see this kind of language.
I think this kind of messaging is very misleading. Often, organizations looking to mitigate the risks of data breaches and meet compliance will find that Data Discovery and Classification (DDC) is not enough on its own.
Why Data Discovery and Classification Vendors Exist
Now, there is a reason we at Lepide provide data discovery and classification functionality as part of our overall data security solution; it’s a vital piece of the data security puzzle.
Thanks to a wealth of research on the topic, organizations are beginning to realize that one of the biggest threats to security stems from their own employees. This is an important thing to know because, quite contradictory to this, the majority of security budgets seem to be spent on defending against external threats.
Organizations really should be focussing on their data first. Everything revolves around the data; it’s what the hackers want access to, it’s the reason compliance mandates exist and the value it holds is increasing year on year. With this in mind, before you can start improving your data security, you need to know where it is – this is why DDC vendors exist.
The Problem with Discovery and Classification Vendors
To clarify, as I mentioned in passing before, DDC on its own holds no intrinsic value and I don’t think any organization should get this functionality in silo and expect to be able to improve their security and meet compliance. The benefits of DDC only manifest themselves when they are used in conjunction with a range of other data security functionality.
DDC enables you to locate where your most sensitive data is (such as credit card numbers, passport information, company secrets, financial information and more). They also enable you to classify and tag this data based on the content so that you can easily categorize them into groups. Most solutions will also enable you to score files and folders based on risk.
That’s all well and good but, now what? You’ve identified your sensitive data and you know where your most at risk areas are but that information on its own is useless. The problem that many organizations face is where to look next.
Common sense should dictate that the next step would be to determine who has access to these files and folders to ensure that you limit access to the most sensitive data. This would usually involve looking at a solution that provides analysis of permissions and privileges, which would need to be installed separately to the DDC solution.
Once you’ve ensured least privilege you can’t stop there, you should be able to determine what changes are being made to your sensitive data and who is making those changes. This should be an automated and ongoing process and requires yet another solution, this time a User & Entity Behavior Analytics (UEBA) solution.
Then, once this is covered, you should be able to determine whether your environment states and changes pose a risk to your data. For this, it’s likely you will need another change auditing solution.
This means that, in order for DDC to be useful, you will need to combine it with at least three other solutions. Unfortunately, this is what a lot of organizations think they have to do and is the reason many of them get put off. Vendors partner with each other in an attempt to offer all this functionality together but can end up being expensive and complex for the customer, as they have to deal with disparate support teams to ensure a successful implementation.
A Better Way
There are a handful of vendors emerging in a space that Gartner defines as Data-Centric Audit & Protection (DCAP). Essentially, vendors in this space offer functionality that addresses the key areas of data security outlined above in one solution (at least, in theory).
Our solution, LepideAuditor is one of the very few solutions that provides all this functionality without the reliance on third-party vendor partnerships or integrations. As a result of being fully developed in-house, this means our customers will only have to deal with one (world class) support team, making the whole implementation process that much easier.