Taking control of unstructured data

How data governance and defining ownership can be key to managing the problem of access to unstructured data

Growing volumes of unstructured data are causing ongoing problems for IT admins.
By Robert MacMillan. Published March 12, 2010

Data protection is becoming a top priority for organizations large and small, and an organization that is not currently evaluating data protection options has it in its future plans to do so. Recent high-profile data losses have raised the pressure on IT departments to find a solution fast.

Few IT Administrators would dispute that they are by default charged with protecting their organization's unstructured data that is stored on endpoints, network file systems, content management systems, databases, and emails. In pragmatic terms, IT Administrators face a daunting task: entitlement management is a business process, yet the access control and permissions management systems typically in place to safeguard information are unable to provide business context to the data being restricted. Put simply, IT Administrators are expected to manage permissions to data without knowledge of the business context of the information.

Efforts to protect unstructured data are further frustrated when factoring in the growth in volume of unstructured data being created and stored within the enterprise. The term unstructured data as used herein refers to information stored as spreadsheets, presentations, multimedia, and so forth. This is information that tends to account for the vast majority of business data. No matter whose statistics are used to prove the growth of volume of data, it can be generally agreed that there is simply too much of it to protect using manual processes.

From personal experience, several organizations have mandated periodic reviews of permissions in an attempt to tighten access controls. Such an undertaking can be onerous and frustrating to complete and the results discouraging - productivity will trump observance and security with the net result that the systems quickly fall out of compliance. Organizations are not able to realize effective and rightful access to business data.

To address the business need to protect information, companies throughout the GCC are turning to IT Security vendors who are introducing a number of data protection technologies aimed at providing control over who can access information and what users can do with information. There are two classes of technology that tend to feature more prominently in these vendor strategies: Enterprise Rights Management (ERM) and Data Loss Prevention (DLP). In very simplistic terms, ERM solutions allow for file-level encryption of documents to protect information from being shared with unauthorized internal or external users. DLP solutions offer organizations control over what users can do with information based on what the information is.

One of the most obvious challenges that these data protection technologies expose during implementation is that companies generally lack an understanding of what information they are trying to protect or are unable to clearly define it. Without an understanding of what data is being protected, these kinds of data protection systems lead to a false sense of security and result in a data protection initiative that ultimately fails to deliver on the core objective: to provide effective and rightful access to business data.

To maximize value from these new data protection systems, organizations will ideally undertake some form of review and analysis that ultimately results in the creation of an information classification structure. The classification structure created will generally document, at minimum: what data is being created, who is creating it, who owns it, who should have access to it, what users should be able to do with it, and how to identify the data from a systems point of view. Consolidating this information into a document that data protection policies can be based on requires identifying data owners, and in most organizations this can be problematic.

At this point we revert to the original challenge: Organizations are not able to realize effective and rightful access to business data. Adoption of data protection technologies such as ERM and DLP without understanding what data is to be protected does not help the organization meet this challenge but rather creates the illusion of security. To achieve value from these data protection technologies, an activity involving data owners has to be undertaken to identify the data that is to be protected. Existing entitlement management processes are generally manual and clearly do not answer this need.

An alternative approach to realizing effective and rightful access to business data within the enterprise is to recognize that data protection initiatives are multi-step processes. The first step is to begin with Data Governance.

Data Governance technologies can provide the organization visibility and auditing into who is accessing information, how they have gained access, and what rights they have. The systems also contain an analytics function that allows IT Administrators or other stakeholders to periodically review access rights, access behavior and actionable reports. Most importantly, a data governance solution will provide the tools required to identify and keep track of these owners.

One of the key principles of a Data Governance system is the acknowledgement that entitlement management is a business process and that data owners should retain control over who is accessing their information. After all, it is the data owner who understands what the data is, why it is important, and how it should be maintained and secured. Once data owners have been identified, the Data Governance system should be capable of automating reporting to allow owners to see who has been accessing their data.

Organizations tend to discover that data owners recognize the value of taking responsibility for protecting and securing their data when they become aware of who is accessing the data. Equally important, users become motivated to help establish and enforce data protection policies, making buy-in to a larger data protection roadmap easier.

Shifting responsibility for managing and securing information to data owners does not mean that IT Administrators are ceding absolute control of the systems. Detailed reporting and system feedback should also be expected to help simplify and focus attention on problem areas.

As organizations in the GCC take steps to protect their information, there seems to be a growing trend to gravitate to solutions that are in fact later steps in the greater roadmap to data protection. A more reasoned starting point is to begin with data governance. From a business process perspective, the automation, the reporting and the final step of delegating access control decisions to data owners will help organizations achieve effective and rightful access to business data and support later downstream data protection activities.

Robert MacMillan is in technical presales for Black Safe FZZ LLC.

2928 days ago
Lisa S

Price will no longer be the factor in determining whether a Data Loss Prevention system can be implemented within an organization. With Prevensys.com, an entire DLP system costs only $4,995! With a free download trial, there is now no reason why a Small - Medium Size Business will be unable to protect their sensitive data.
