When is a database not a database? When large volumes of sensitive data are stored in unstructured formats

Adam Ely, COO, Bluebox

July 1, 2010

3 Min Read

[Excerpted from "Beyond The Database: Protecting Unstructured Data," a new report posted this week on Dark Reading's Database Security Tech Center.]

Most database security tools -- indeed, most database security strategies -- assume that sensitive data is stored in structured, relational database format. But as any IT professional knows, the enterprise is full of "databases" that are stored in all sorts of ways -- and many of them are anything but structured.

Flat-file databases. Spreadsheets. Email files. Microsoft Word documents and PDFs. Any of these can be sources of sensitive data, and even with a strong database security strategy in place, might fall into the wrong hands.

This is what's known as unstructured data, and we're accumulating it at a breakneck pace — specifically, a compound annual growth rate of 61 percent, according to IDC.

This data may be stored in a variety of unstructured ways, such as folders on a file server, laptop hard drives, Microsoft Access databases, and USB drives. And it can be just as valuable in its unstructured form as the data stored in traditional structured databases. It needs protection, and there must be a strategy for securing it. That means gaining an understanding of this data's characteristics.

The first step is to create a list of important data types you may hold. For Acme Inc., an e-commerce company, we might include cardholder data; personally identifiable information (customer and employee); intellectual property; financial information; and business operations data, such as email and contracts. The main idea is to understand the types of data and how we will respond once each is discovered.

Once a list is compiled, map these data types to a classification and handling policy that outlines how groups of data should be managed. The most common mistake we see when IT groups write these policies is specifying exactly how data should be protected. That approach is inefficient and causes more work for you later. Instead, be flexible -- provide a range of solutions, rather than mandates.

Finding data can be tricky. You know where it should be stored, but where else is data you want to protect hiding? The 2009 Verizon Data Breach Incident Report concluded that 67 percent of data lost was of an unknown type and took the companies affected by surprise.

List the places known to house the data you want to protect. Next, ask your users where they store data. You may be surprised to find shares on laptops, data stored inside applications, application logs, and file shares containing sensitive information that shouldn’t be open to the world. Most users will be forthcoming, but some will overlook locations they have forgotten about or don't access any longer.

Find data strings that indicate sensitive data -- such as credit card numbers or other data formats that suggest sensitive information -- and begin searching file shares, laptops, and connected storage devices anywhere you can. Another approach is to ask users to review documents they own and identify those with sensitive data that needs to be protected or organized. This moves the burden from a small group of people and spreads it to a larger group, thus less effort per person. The only issue is getting people to actually do it.

Once you've found the data you need to secure, you'll need to apply the appropriate controls, which may include access control, encryption, and/or data leak prevention. To find out more about the data discovery process -- and the tools and processes used to secure the sensitive data you find -- download the free report.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Adam Ely

COO, Bluebox

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led security and compliance at TiVo and held various security leadership roles within The Walt Disney Company where he was responsible for security operations and application security of Walt Disney web properties including ABC.com, ESPN.com, and Disney.com.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights