Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:48 PM
Connect Directly

Herding Your Cats: Strategies For Securing Unstructured Data

When is a database not a database? When large volumes of sensitive data are stored in unstructured formats

[Excerpted from "Beyond The Database: Protecting Unstructured Data," a new report posted this week on Dark Reading's Database Security Tech Center.]

Most database security tools -- indeed, most database security strategies -- assume that sensitive data is stored in structured, relational database format. But as any IT professional knows, the enterprise is full of "databases" that are stored in all sorts of ways -- and many of them are anything but structured.

Flat-file databases. Spreadsheets. Email files. Microsoft Word documents and PDFs. Any of these can be sources of sensitive data, and even with a strong database security strategy in place, might fall into the wrong hands.

This is what's known as unstructured data, and we're accumulating it at a breakneck pace — specifically, a compound annual growth rate of 61 percent, according to IDC.

This data may be stored in a variety of unstructured ways, such as folders on a file server, laptop hard drives, Microsoft Access databases, and USB drives. And it can be just as valuable in its unstructured form as the data stored in traditional structured databases. It needs protection, and there must be a strategy for securing it. That means gaining an understanding of this data's characteristics.

The first step is to create a list of important data types you may hold. For Acme Inc., an e-commerce company, we might include cardholder data; personally identifiable information (customer and employee); intellectual property; financial information; and business operations data, such as email and contracts. The main idea is to understand the types of data and how we will respond once each is discovered.

Once a list is compiled, map these data types to a classification and handling policy that outlines how groups of data should be managed. The most common mistake we see when IT groups write these policies is specifying exactly how data should be protected. That approach is inefficient and causes more work for you later. Instead, be flexible -- provide a range of solutions, rather than mandates.

Finding data can be tricky. You know where it should be stored, but where else is data you want to protect hiding? The 2009 Verizon Data Breach Incident Report concluded that 67 percent of data lost was of an unknown type and took the companies affected by surprise.

List the places known to house the data you want to protect. Next, ask your users where they store data. You may be surprised to find shares on laptops, data stored inside applications, application logs, and file shares containing sensitive information that shouldn’t be open to the world. Most users will be forthcoming, but some will overlook locations they have forgotten about or don't access any longer.

Find data strings that indicate sensitive data -- such as credit card numbers or other data formats that suggest sensitive information -- and begin searching file shares, laptops, and connected storage devices anywhere you can. Another approach is to ask users to review documents they own and identify those with sensitive data that needs to be protected or organized. This moves the burden from a small group of people and spreads it to a larger group, thus less effort per person. The only issue is getting people to actually do it.

Once you've found the data you need to secure, you'll need to apply the appropriate controls, which may include access control, encryption, and/or data leak prevention. To find out more about the data discovery process -- and the tools and processes used to secure the sensitive data you find -- download the free report.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...