Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/1/2010
04:48 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Herding Your Cats: Strategies For Securing Unstructured Data

When is a database not a database? When large volumes of sensitive data are stored in unstructured formats

[Excerpted from "Beyond The Database: Protecting Unstructured Data," a new report posted this week on Dark Reading's Database Security Tech Center.]

Most database security tools -- indeed, most database security strategies -- assume that sensitive data is stored in structured, relational database format. But as any IT professional knows, the enterprise is full of "databases" that are stored in all sorts of ways -- and many of them are anything but structured.

Flat-file databases. Spreadsheets. Email files. Microsoft Word documents and PDFs. Any of these can be sources of sensitive data, and even with a strong database security strategy in place, might fall into the wrong hands.

This is what's known as unstructured data, and we're accumulating it at a breakneck pace — specifically, a compound annual growth rate of 61 percent, according to IDC.

This data may be stored in a variety of unstructured ways, such as folders on a file server, laptop hard drives, Microsoft Access databases, and USB drives. And it can be just as valuable in its unstructured form as the data stored in traditional structured databases. It needs protection, and there must be a strategy for securing it. That means gaining an understanding of this data's characteristics.

The first step is to create a list of important data types you may hold. For Acme Inc., an e-commerce company, we might include cardholder data; personally identifiable information (customer and employee); intellectual property; financial information; and business operations data, such as email and contracts. The main idea is to understand the types of data and how we will respond once each is discovered.

Once a list is compiled, map these data types to a classification and handling policy that outlines how groups of data should be managed. The most common mistake we see when IT groups write these policies is specifying exactly how data should be protected. That approach is inefficient and causes more work for you later. Instead, be flexible -- provide a range of solutions, rather than mandates.

Finding data can be tricky. You know where it should be stored, but where else is data you want to protect hiding? The 2009 Verizon Data Breach Incident Report concluded that 67 percent of data lost was of an unknown type and took the companies affected by surprise.

List the places known to house the data you want to protect. Next, ask your users where they store data. You may be surprised to find shares on laptops, data stored inside applications, application logs, and file shares containing sensitive information that shouldn’t be open to the world. Most users will be forthcoming, but some will overlook locations they have forgotten about or don't access any longer.

Find data strings that indicate sensitive data -- such as credit card numbers or other data formats that suggest sensitive information -- and begin searching file shares, laptops, and connected storage devices anywhere you can. Another approach is to ask users to review documents they own and identify those with sensitive data that needs to be protected or organized. This moves the burden from a small group of people and spreads it to a larger group, thus less effort per person. The only issue is getting people to actually do it.

Once you've found the data you need to secure, you'll need to apply the appropriate controls, which may include access control, encryption, and/or data leak prevention. To find out more about the data discovery process -- and the tools and processes used to secure the sensitive data you find -- download the free report.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9717
PUBLISHED: 2019-09-19
In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.
CVE-2019-9719
PUBLISHED: 2019-09-19
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
CVE-2019-9720
PUBLISHED: 2019-09-19
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
CVE-2019-16525
PUBLISHED: 2019-09-19
An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
CVE-2019-9619
PUBLISHED: 2019-09-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.